Systems and methods for using acquisitional contexts to prevent false-positive malware classifications

US 8,627,469 B1
Filed: 03/14/2012
Issued: 01/07/2014
Est. Priority Date: 03/14/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for using acquisitional contexts to prevent false-positive malware classifications, at least a portion of the method being performed by a server-side computing device comprising at least one processor, the method comprising:

receiving, from at least one client-side computing device within a community of users, contextual information associated with a file, wherein the contextual information;

identifies a context in which the client-side computing device acquired the file;

indicates that the client-side computing device exonerated the file due to the context in which the client-side computing device acquired the file after receiving, from the server-side computing device, reputation information for the file that indicated that the file should not be trusted due to the file'"'"'s low prevalence within the community;

using, based at least in part on the file having been exonerated at the client-side computing device due to the context in which the client-side computing device acquired the file after receiving reputation information for the file that indicated that the file should not be trusted due to the file'"'"'s low prevalence within the community, the context in which the client-side computing device acquired the file to determine a reputation rating for the file;

providing the reputation rating for the file to at least one additional client-side computing device within the community in order to prevent the additional client-side computing device from falsely classifying the file as untrustworthy due to acquiring an additional instance of the file via a context that is insufficient to determine that the additional instance of the file is trustworthy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for using acquisitional contexts to prevent false-positive malware classifications. The method may include (1) receiving, from at least one client-side computing device within a community of users, contextual information associated with a file, (2) determining, based at least in part on the contextual information received from the client-side computing device, a reputation rating for the file, and (3) providing the reputation rating for the file to at least one additional client-side computing device within the community in order to prevent the additional client-side computing device from falsely classifying the file as untrustworthy due to acquiring an additional instance of the file via a context that is insufficient to determine that the additional instance of the file is trustworthy. Various other methods and systems are also disclosed.

Citations

20 Claims

1. A computer-implemented method for using acquisitional contexts to prevent false-positive malware classifications, at least a portion of the method being performed by a server-side computing device comprising at least one processor, the method comprising:
- receiving, from at least one client-side computing device within a community of users, contextual information associated with a file, wherein the contextual information;
  
  identifies a context in which the client-side computing device acquired the file;
  
  indicates that the client-side computing device exonerated the file due to the context in which the client-side computing device acquired the file after receiving, from the server-side computing device, reputation information for the file that indicated that the file should not be trusted due to the file'"'"'s low prevalence within the community;
  
  using, based at least in part on the file having been exonerated at the client-side computing device due to the context in which the client-side computing device acquired the file after receiving reputation information for the file that indicated that the file should not be trusted due to the file'"'"'s low prevalence within the community, the context in which the client-side computing device acquired the file to determine a reputation rating for the file;
  
  providing the reputation rating for the file to at least one additional client-side computing device within the community in order to prevent the additional client-side computing device from falsely classifying the file as untrustworthy due to acquiring an additional instance of the file via a context that is insufficient to determine that the additional instance of the file is trustworthy.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the context in which the client-side computing device acquired the file comprises at least one of:
    - a trusted source from which the client-side computing device acquired the file;
      
      a trusted domain name from which the client-side computing device acquired the file;
      
      a trusted hostname from which the client-side computing device acquired the file;
      
      a trusted uniform resource locator from which the client-side computing device acquired the file.
  - 3. The method of claim 1, wherein using the context in which the client-side computing device acquired the file to determine the reputation rating for the file comprises:
    - identifying a reputation rating associated with the context in which the client-side computing device acquired the file;
      
      calculating, based at least in part on the reputation rating associated with the context in which the client-side computing device acquired the file, the reputation rating for the file.
  - 4. The method of claim 1, wherein using the context in which the client-side computing device acquired the file to determine the reputation rating for the file comprises:
    - calculating a hash that represents the file;
      
      associating the reputation rating for the file with the hash that represents the file.
  - 5. The method of claim 1, wherein using the context in which the client-side computing device acquired the file to determine the reputation rating for the file comprises verifying that the file is not a known-malicious file.
  - 6. The method of claim 1, wherein the client-side computing device exonerated the file based at least in part on reputation information associated with the context in which the client-side computing device acquired the file.
  - 7. The method of claim 1, wherein the client-side computing device exonerated the file due to the context in which the client-side computing device acquired the file by:
    - obtaining reputation information for a source from which the client-side computing device acquired the file that indicates that the source was trustworthy;
      
      determining, based at least in part on the reputation information for the source from which the client-side computing device acquired the file, that the file was trustworthy.

8. A computer-implemented method for using acquisitional contexts to prevent false-positive malware classifications, at least a portion of the method being performed by a client-side computing device comprising at least one processor, the method comprising:
- identifying, at the client-side computing device, a file;
  
  requesting a reputation rating for the file from a server-side computing device;
  
  receiving the reputation rating for the file from the server-side computing device, wherein the server-side computing device determined the reputation rating for the file by;
  
  analyzing contextual information received from at least one other client-side computing device within a community of users that indicates that the other client-side computing device exonerated a prior instance of the file due to a context in which the other client-side computing device acquired the prior instance of the file after receiving, from the server-side computing device, reputation information for the prior instance of the file that indicated that the prior instance of the file should not be trusted due to the prior instance of the file'"'"'s low prevalence within the community;
  
  using, based at least in part on the prior instance of the file having been exonerated at the other client-side computing device due to the context in which the other client-side computing device acquired the prior instance of the file after receiving reputation information for the prior instance of the file that indicated that the prior instance of the file should not be trusted due to the prior instance of the file'"'"'s low prevalence within the community, the context in which the other client-side computing device acquired the prior instance of the file to determine the reputation rating for the file;
  
  determining, based at least in part on the reputation rating received from the server-side computing device, that the file is trustworthy despite the client-side computing device having acquired the file via a context that is insufficient to determine that the file is trustworthy.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the context in which the other client-side computing device acquired the prior instance of the file comprises at least one of:
    - a trusted source from which the other client-side computing device acquired the prior instance of the file;
      
      a trusted domain name from which the other client-side computing device acquired the prior instance of the file;
      
      a trusted hostname from which the other client-side computing device acquired the prior instance of the file;
      
      a trusted uniform resource locator from which the other client-side computing device acquired the prior instance of the file.
  - 10. The method of claim 8, wherein the server-side computing device determined the reputation rating for the file by:
    - identifying a reputation rating associated with the context in which the other client-side computing device acquired the prior instance of the file;
      
      calculating, based at least in part on the reputation rating associated with the context in which the other client-side computing device acquired the prior instance of the file, the reputation rating for the file.
  - 11. The method of claim 8, wherein the server-side computing device determined the reputation rating for the file by:
    - calculating a hash that represents the prior instance of the file and the file;
      
      associating the reputation rating for the file with the hash that represents the prior instance of the file and the file.
  - 12. The method of claim 8, wherein the server-side computing device determined the reputation rating for the file by verifying that the prior instance of the file was not a known-malicious file.
  - 13. The method of claim 8, wherein the other client-side computing device exonerated the prior instance of the file based at least in part on reputation information associated with the context in which the other client-side computing device acquired the prior instance of the file.
  - 14. The method of claim 8, wherein the other client-side computing device exonerated the prior instance of the file due to the context in which the other client-side computing device acquired the prior instance of the file by:
    - obtaining reputation information for a source from which the other client-side computing device acquired the prior instance of the file that indicates that the source was trustworthy;
      
      determining, based at least in part on the reputation information for the source from which the other client-side computing device acquired the prior instance of the file, that the prior instance of the file was trustworthy.

15. A system for using acquisitional contexts to prevent false-positive malware classifications, the system comprising:
- a context-receiving module programmed to receive, at a server-side computing device from at least one client-side computing device within a community of users, contextual information associated with a file, wherein the contextual information;
  
  identifies a context in which the client-side computing device acquired the file;
  
  indicates that the client-side computing device exonerated the file due to the context in which the client-side computing device acquired the file after receiving, from the server-side computing device, reputation information for the file that indicated that the file should not be trusted due to the file'"'"'s low prevalence within the community;
  
  a reputation-determining module programmed to use, based at least in part on the file having been exonerated at the client-side computing device due to the context in which the client-side computing device acquired the file after receiving reputation information for the file that indicated that the file should not be trusted due to the file'"'"'s low prevalence within the community, the context in which the client-side computing device acquired the file to determine a reputation rating for the file;
  
  a providing module programmed to provide the reputation rating for the file to at least one additional client-side computing device within the community in order to prevent the additional client-side computing device from falsely classifying the file as untrustworthy due to acquiring an additional instance of the file via a context that is insufficient to determine that the additional instance of the file is trustworthy;
  
  at least one processor configured to execute the context-receiving module, the reputation-determining module, and the providing module.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, further comprising:
    - a file-identification module programmed to identify, at the additional client-side computing device, the additional instance of the file;
      
      a reputation-requesting module programmed to request a reputation rating for the additional instance of the file from the server-side computing device;
      
      a reputation-receiving module programmed to receive the reputation rating for the additional instance of the file from the server-side computing device;
      
      a trust-determining module programmed to determine, based at least in part on the reputation rating received from the server-side computing device, that the additional instance of the file is trustworthy despite the additional client-side computing device having acquired the additional instance of the file via a context that is insufficient to determine that the additional instance of the file is trustworthy, wherein the processor is further configured to execute the file-identification module, the reputation-requesting module, the reputation-receiving module, and the trust-determining module.
  - 17. The system of claim 15, wherein the context in which the client-side computing device acquired the file comprises at least one of:
    - a trusted source from which the client-side computing device acquired the file;
      
      a trusted domain name from which the client-side computing device acquired the file;
      
      a trusted hostname from which the client-side computing device acquired the file;
      
      a trusted uniform resource locator from which the client-side computing device acquired the file.
  - 18. The system of claim 15, wherein the determination module is programmed to use the context in which the client-side computing device acquired the file to determine the reputation rating for the file by:
    - identifying a reputation rating associated with the context in which the client-side computing device acquired the file;
      
      calculating, based at least in part on the reputation rating associated with the context in which the client-side computing device acquired the file, the reputation rating for the file.
  - 19. The system of claim 15, wherein the determination module is programmed to use the context in which the client-side computing device acquired the file to determine the reputation rating for the file by:
    - calculating a hash that represents the file;
      
      associating the reputation rating for the file with the hash that represents the file.
  - 20. The system of claim 15, wherein the client-side computing device exonerated the file based at least in part on reputation information associated with the context in which the client-side computing device acquired the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Chen, Joseph, Wilhelm, Jeffrey
Primary Examiner(s)
Zecher, Cordelia

Application Number

US13/420,492
Time in Patent Office

664 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

G06F 21/567 using dedicated hardware

H04L 63/145 the attack involving the pr...

Systems and methods for using acquisitional contexts to prevent false-positive malware classifications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for using acquisitional contexts to prevent false-positive malware classifications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links