Malware detection via reputation system
First Claim
1. A method of filtering digital electronic content, comprising:
accessing a digital file;
extracting a plurality of high level features from the digital file;
evaluating the plurality of high level features using a classifier on a first computer system to make an initial determination of whether the digital file is benign or malicious, the classifier on the first computer system using a first classification model;
sending a hash of the digital file over a network to a reputation server computerized system for the reputation server to make a secondary determination of whether the digital file is benign or malicious, the secondary determination using a second classification model, wherein the reputation server tracks one or more characteristics of the hash of the digital file, the one or more characteristics comprising query volume per hash, time since first appearance of the hash, number of clients querying the hash, and distribution of clients querying the hash; and
receiving at the first computer system from the reputation server an indication of the secondary determination, wherein the secondary determination is made after the initial determination, wherein the first classification model has a higher false positive rate than the second classification model.
10 Assignments
0 Petitions
Abstract
A computer network device receives a digital file and extracts a plurality of high level features from the file. The plurality of high level features are evaluated using a classifier to determine whether the file is benign or malicious. The file is forwarded to a requesting computer if the file is determined to be benign, and blocked if the file is determined to be malicious.
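The pipeline that claim 1 and the abstract describe, written out as an added example that is not the patent's own code or any vendor's implementation: a device extracts high-level features from a file, a first (deliberately permissive) model gives an initial verdict, only a hash of the file goes to a reputation server, and that server answers from the four hash characteristics the claim names (query volume, time since first appearance, number of querying clients, distribution of those clients). The features, the thresholds in both models, the "unknown" reply that leaves the device's own verdict standing, the client identifiers, the controllable clock and the sample files are all assumptions made for illustration.

```python
import hashlib
import math
import random
from collections import Counter
from dataclasses import dataclass, field

# ---- Stage 1 (on the network device): high-level features + a cheap, over-flagging model ----

def extract_features(data: bytes) -> dict:
    """High-level features of the raw bytes; the choice of features is an assumption."""
    n = len(data)
    counts = Counter(data)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0
    printable = sum(1 for b in data if 32 <= b < 127) / n if n else 0.0
    return {"size": n, "entropy": entropy, "printable_ratio": printable,
            "has_mz": data[:2] == b"MZ"}  # "MZ" prefix: looks like a PE image

def local_classify(features: dict) -> str:
    """First classification model. Tuned to over-flag (the higher false-positive rate
    the claim assigns to it) so the reputation stage has something to correct."""
    if features["has_mz"] and features["entropy"] > 7.0:          # packed/encrypted PE
        return "malicious"
    if features["has_mz"] and features["printable_ratio"] < 0.2:  # also true of many clean PEs
        return "malicious"
    return "benign"

# ---- Stage 2 (reputation server): decides from the hash's observed history only ----

@dataclass
class HashRecord:
    first_seen: float
    query_count: int = 0
    clients: Counter = field(default_factory=Counter)  # client_id -> number of queries

class ReputationServer:
    def __init__(self, now):
        self.now = now        # clock callable, injected so the demo can move time forward
        self.records = {}

    def query(self, file_hash: str, client_id: str) -> dict:
        rec = self.records.setdefault(file_hash, HashRecord(first_seen=self.now()))
        rec.query_count += 1
        rec.clients[client_id] += 1
        chars = {  # the four characteristics named in claim 1
            "query_volume": rec.query_count,
            "age_seconds": self.now() - rec.first_seen,
            "client_count": len(rec.clients),
            "top_client_share": max(rec.clients.values()) / rec.query_count,  # distribution
        }
        chars["verdict"] = self.second_model(chars)
        return chars

    @staticmethod
    def second_model(c: dict) -> str:
        """Second classification model (illustrative rules). Answers only when the history
        supports it; 'unknown' means the device's own verdict stands."""
        if c["age_seconds"] > 7 * 86400 and c["client_count"] >= 50:
            return "benign"      # long-lived and widespread
        if (c["age_seconds"] < 3600 and c["query_volume"] >= 50
                and c["client_count"] >= 50 and c["top_client_share"] < 0.1):
            return "malicious"   # brand-new hash appearing on many hosts at once
        return "unknown"

# ---- The filtering device: initial verdict first, hash lookup second ----

def filter_file(data: bytes, client_id: str, server: ReputationServer) -> dict:
    initial = local_classify(extract_features(data))
    digest = hashlib.sha256(data).hexdigest()   # only the hash leaves the device
    reply = server.query(digest, client_id)     # secondary determination, after the initial one
    final = reply["verdict"] if reply["verdict"] != "unknown" else initial
    return {"initial": initial, "secondary": reply["verdict"],
            "action": "block" if final == "malicious" else "forward"}

# ---- Constructed sample inputs (not real malware) ----
_rng = random.Random(7)
PACKED_PE = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(4096))  # high entropy
PLAIN_PE = b"MZ" + b"\x00" * 3000 + b"This program cannot be run in DOS mode."
SCRIPT = b"$c = New-Object Net.WebClient\n" * 20                      # no MZ header
TEXT = b"hello, world\n" * 100

class Clock:
    def __init__(self): self.t = 0.0
    def __call__(self): return self.t

def demo() -> dict:
    clock = Clock()
    server = ReputationServer(now=clock)
    out = {}
    out["packed_new"] = filter_file(PACKED_PE, "client-A", server)  # local says malicious, no history
    out["plain_first"] = filter_file(PLAIN_PE, "client-A", server)  # local false positive, no history yet
    clock.t += 8 * 86400                                             # a week passes, 60 clients see it
    for i in range(60):
        last = filter_file(PLAIN_PE, f"client-{i}", server)
    out["plain_established"] = last                                  # reputation overrides the local FP
    for i in range(80):                                              # new script bursting across 80 hosts
        last = filter_file(SCRIPT, f"host-{i}", server)
    out["script_burst"] = last                                       # local model missed it; reputation blocks
    out["text"] = filter_file(TEXT, "client-A", server)
    return out

if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:18s} initial={r['initial']:9s} secondary={r['secondary']:9s} -> {r['action']}")
```

The order in `filter_file` matters for the claim: the hash lookup happens after the local verdict, and the server never sees file contents. The server's "unknown" reply is the practical caveat: prevalence data says nothing about a hash on its first sighting, so a device must still have a local policy for that case.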
55 Citations
25 Claims
1. Reproduced in full above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A computer network device, comprising:
a network connection operable to access a digital file;
an extraction module operable to extract a plurality of high level features from the digital file; and
an evaluation module operable to evaluate the plurality of high level features using a classifier to make an initial determination of whether the digital file is benign or malicious, the classifier using a first classification model;
a transmission function operable to send a hash of the digital file over the network connection to a reputation server computerized system for the reputation server to make a secondary determination of whether the digital file is benign or malicious, the secondary determination using a second classification model, wherein the reputation server tracks one or more characteristics of the hash of the digital file, the one or more characteristics comprising query volume per hash, time since first appearance of the hash, number of clients querying the hash, and distribution of clients querying the hash; and
a reception function operable to receive from the reputation server an indication of the secondary determination, wherein the secondary determination is made after the initial determination, wherein the first classification model has a higher false positive rate than the second classification model.
Dependent claims: 11, 12, 13, 14, 15, 16, 17.
18. A non-transitory machine-readable medium with instructions stored thereon, the instructions when executed operable to cause a computerized system to:
access a digital file;
extract a plurality of high level features from the digital file; and
evaluate the plurality of high level features using a classifier on a first computer system to make an initial determination of whether the digital file is benign or malicious, the classifier on the first computer system using a first classification model;
send a hash of the digital file over a network to a reputation server computerized system for the reputation server to make a secondary determination of whether the digital file is benign or malicious, the secondary determination using a second classification model, wherein the reputation server tracks one or more characteristics of the hash of the digital file, the one or more characteristics comprising query volume per hash, time since first appearance of the hash, number of clients querying the hash, and distribution of clients querying the hash; and
receive at the first computer system from the reputation server an indication of the secondary determination, wherein the secondary determination is made after the initial determination, wherein the first classification model has a higher false positive rate than the second classification model.
Dependent claims: 19, 20, 21, 22, 23, 24, 25.