Systems and methods for using property tables to perform non-iterative malware scans

US 8,646,079 B2
Filed: 08/30/2012
Issued: 02/04/2014
Est. Priority Date: 03/28/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for using property tables to perform non-iterative malware scans, at least a portion of the method being performed by a server-side computing device comprising at least one processor, the method comprising:

identifying at least one malware signature that identifies at least one property value for an item of malware;

accessing a property table that identifies;

property values shared by one or more application packages;

for each property value, each application package that shares the property value in question;

determining, by comparing each property value identified in the malware signature with the property table, whether any of the application packages match the malware signature without iterating through the individual property values of each application package.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for using property tables to perform non-iterative malware scans may include (1) obtaining at least one malware signature from a security software provider that identifies at least one property value for an item of malware, (2) accessing a property table for a computing device that identifies property values shared by one or more application packages installed on the computing device and, for each property value, each application package that shares the property value in question, and (3) determining, by comparing each property value identified in the malware signature with the property table, whether any of the application packages match the malware signature without having to iterate through the individual property values of each application package. Various other methods, systems, and computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for using property tables to perform non-iterative malware scans, at least a portion of the method being performed by a server-side computing device comprising at least one processor, the method comprising:
- identifying at least one malware signature that identifies at least one property value for an item of malware;
  
  accessing a property table that identifies;
  
  property values shared by one or more application packages;
  
  for each property value, each application package that shares the property value in question;
  
  determining, by comparing each property value identified in the malware signature with the property table, whether any of the application packages match the malware signature without iterating through the individual property values of each application package.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising, prior to accessing the property table, creating the property table.
  - 3. The method of claim 1, further comprising updating the property table by:
    - identifying at least one additional application package;
      
      identifying at least one property value of the additional application package;
      
      updating the property table to indicate that the additional application package possesses the property value in question.
  - 4. The method of claim 1, wherein determining whether any of the application packages match the malware signature comprises, for each property value identified in the malware signature:
    - searching the property table for the property value;
      
      retrieving, from the property table, a list of each application package that shares the property value.
  - 5. The method of claim 4, wherein the malware signature identifies a plurality of property values and determining whether any of the application packages match the malware signature further comprises identifying any application package that appears on each retrieved list.
  - 6. The method of claim 1, wherein the property table indicates that at least one unique property value is shared by a plurality of application packages.
  - 7. The method of claim 1, wherein the property table comprises a table within a relational database.
  - 8. The method of claim 1, wherein the length of time required to determine whether any of the application packages match the malware signature is not proportional to the total number of application packages evaluated.
  - 9. The method of claim 1, further comprising:
    - identifying at least one application package that matches the malware signature;
      
      performing a security action on the application package that matches the malware signature.

10. A system for using property tables to perform non-iterative malware scans, the system comprising:
- a signature-retrieval module programmed to identify at least one malware signature that identifies at least one property value for an item of malware;
  
  a malware-detection module programmed to;
  
  access a property table that identifies property values shared by one or more application packages and, for each property value, each application package that shares the property value in question;
  
  determine, by comparing each property value identified in the malware signature with the property table, whether any of the application packages match the malware signature without iterating through the individual property values of each application package;
  
  at least one processor configured to execute the signature-retrieval module and the malware-detection module.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, further comprising a table-maintenance module programmed to create the property table.
  - 12. The system of claim 10, further comprising a table-maintenance module programmed to update the property table by:
    - identifying at least one additional application package;
      
      identifying at least one property value of the additional application package;
      
      updating the property table to indicate that the additional application package possesses the property value in question.
  - 13. The system of claim 10, wherein the malware-detection module determines whether any of the application packages match the malware signature by, for each property value identified in the malware signature:
    - searching the property table for the property value;
      
      retrieving, from the property table, a list of each application package that shares the property value.
  - 14. The system of claim 13, wherein the malware signature identifies a plurality of property values and the malware-detection module determines whether any of the application packages match the malware signature further by identifying any application package that appears on each retrieved list.
  - 15. The system of claim 10, wherein the property table indicates that at least one unique property value is shared by a plurality of application packages.
  - 16. The system of claim 10, wherein the property table comprises a table within a relational database.
  - 17. The system of claim 10, wherein the length of time required by the malware-detection module to determine whether any of the application packages match the malware signature is not proportional to the total number of application packages evaluated.
  - 18. The system of claim 10, further comprising a security module programmed to:
    - identify at least one application package that matches the malware signature;
      
      perform a security action on the application package that matches the malware signature.

19. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a server-side computing device, cause the server-side computing device to:
- identify at least one malware signature that identifies at least one property value for an item of malware;
  
  access a property table that identifies;
  
  property values shared by one or more application packages;
  
  for each property value, each application package that shares the property value in question;
  
  determine, by comparing each property value identified in the malware signature with the property table, whether any of the application packages match the malware signature without iterating through the individual property values of each application package.
- View Dependent Claims (20)
- - 20. The non-transitory computer-readable medium of claim 19, wherein the computer-executable instructions, when executed by the processor of the server-side computing device, further cause the server-side computing device to update the property table by:
    - identifying at least one additional application package;
      
      identifying at least one property value of the additional application package;
      
      updating the property table to indicate that the additional application package possesses the property value in question.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Chen, Joseph, Hair, Allen
Primary Examiner(s)
McNally, Michael S

Application Number

US13/599,830
Publication Number

US 20130263265A1
Time in Patent Office

523 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

G06F 21/564 by virus signature recognition

Systems and methods for using property tables to perform non-iterative malware scans

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for using property tables to perform non-iterative malware scans

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links