Methods and apparatus for dealing with malware

US 8,726,389 B2
Filed: 07/08/2012
Issued: 05/13/2014
Est. Priority Date: 06/30/2005
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method of classifying a computer object as malware, the method comprising:

at a base computer, receiving data about a computer object from a first remote computer on which the computer object or similar computer objects are stored, wherein said data includes information about events initiated or involving the computer object when the computer object is created, configured or runs on the first remote computer, said information including at least an identity of an object initiating the event, the event type, and an identity of an object or other entity on which the event is being performed;

at the base computer, receiving data about the computer object from a second remote computer on which the computer object or similar computer objects are stored, wherein said data includes information about events initiated or involving the computer object when the computer object is created, configured, or runs on the second remote computer, said information including at least an identity of an object initiating the event, the event type, and an identity of an object or other entity on which the event is being performed;

storing, at the base computer, said data received from the first and second remote computers;

correlating, by the base computer, at least a portion of the data about the computer object received from the first remote computer to at least a portion of the data about the computer object received from the second remote computer;

comparing, by the base computer, the correlated data about the computer object received from the first and second remote computers to other objects or entities to identify relationships between the correlated data and the other objects or entities; and

classifying, by the base computer, the computer object as malware on the basis of said comparison.

View all claims

11 Assignments

Timeline View

Assignment View

Litigations

4 Petitions

Accused Products

Abstract

In one aspect, a method of classifying a computer object as malware includes receiving at a base computer data about a computer object from each of plural remote computers on which the object or similar objects are stored. The data about the computer object received from the plural computers is compared in the base computer. The computer object is classified as malware on the basis of said comparison. In one embodiment, the data about the computer object includes one or more of: executable instructions contained within or constituted by the object; the size of the object; the name of the object; the logical storage location or path of the object on the respective remote computers; the vendor of the object; the software product and version associated with the object; and, events initiated by or involving the object when the object is created, configured or runs on the respective remote computers.

86 Citations

View as Search Results

30 Claims

1. A method of classifying a computer object as malware, the method comprising:
- at a base computer, receiving data about a computer object from a first remote computer on which the computer object or similar computer objects are stored, wherein said data includes information about events initiated or involving the computer object when the computer object is created, configured or runs on the first remote computer, said information including at least an identity of an object initiating the event, the event type, and an identity of an object or other entity on which the event is being performed;
  
  at the base computer, receiving data about the computer object from a second remote computer on which the computer object or similar computer objects are stored, wherein said data includes information about events initiated or involving the computer object when the computer object is created, configured, or runs on the second remote computer, said information including at least an identity of an object initiating the event, the event type, and an identity of an object or other entity on which the event is being performed;
  
  storing, at the base computer, said data received from the first and second remote computers;
  
  correlating, by the base computer, at least a portion of the data about the computer object received from the first remote computer to at least a portion of the data about the computer object received from the second remote computer;
  
  comparing, by the base computer, the correlated data about the computer object received from the first and second remote computers to other objects or entities to identify relationships between the correlated data and the other objects or entities; and
  
  classifying, by the base computer, the computer object as malware on the basis of said comparison.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 29, 30)
- - 2. A method according to claim 1, wherein the relationship is between objects related directly, or between objects related via other objects.
  - 3. A method according to claim 1, wherein where an object and other objects are found to have a relationship, monitoring those related objects as a homogenous entity and identifying a common object of the homogenous entity as a malware object.
  - 4. A method according to claim 1, comprising deducing an object to be malware based on the behaviour of a related object.
  - 5. A method according to claim 1, wherein if at least one other object to which said computer object is related is classed as malware, then classifying said computer object as malware.
  - 6. A method according to claim 1, wherein said other objects include the object or similar objects stored on at least one of the first and second remote computers.
  - 7. A method according to claim 1, wherein said other objects include other objects that are parent objects or child objects or otherwise process-related objects to said computer object.
  - 8. A method according to claim 1, wherein the data about the computer object that is sent from the respective remote computer to the base computer and that is used in the comparison includes one or more of:
    - executable instructions contained within or constituted by the computer object;
      
      the size of the computer object;
      
      the current name of the computer object;
      
      the physical and folder location of the computer object on disk;
      
      the original name of the computer object;
      
      the creation and modification dates of the computer object;
      
      vendor, product and version and any other information stored within the computer object; and
      
      the computer object header or header held by the respective remote computer.
  - 9. A method according to claim 1, wherein the data is sent in the form of a key that is obtained by a hashing process carried out in respect of the objects on the respective remote computer.
  - 10. A method according to claim 9, wherein the key has at least one component that represents executable instructions contained within or constituted by the computer object.
  - 11. A method according to claim 9, wherein the key has at least one component that represents data about said computer object.
  - 12. A method according to claim 11, wherein said data about said computer object includes at least one of:
    - the current name of the computer object;
      
      the physical and folder location of the computer object on disk;
      
      the original name of the computer object;
      
      the creation and modification dates of the computer object;
      
      vendor, product and version and any other information stored within the computer object;
      
      the computer object header or header held by the respective remote computer; and
      
      ,events initiated by or involving the computer object when the computer object is created, configured or runs on the respective remote computers.
  - 13. A method according to claim 9, wherein the key has at least one component that represents the physical size of the computer object.
  - 14. A method according to claim 1, comprising initially classifying a computer object as not malware, generating a mask for said computer object that defines acceptable behaviour for the computer object, monitoring an operation of the computer object on at least one of the first and second remote computers and reclassifying the computer object as malware if the actual monitored behaviour extends beyond that permitted by the mask.
  - 29. A computer program recorded on non-transitory computer readable medium comprising program instructions for causing a computer to perform the method of claim 1.
  - 30. A method according to claim 1, wherein the data received about the computer object from the first remote computer is different than the data received about the computer object from the second remote computer.

15. An apparatus for classifying a computer object as malware, the apparatus comprising:
- a base computer constructed and arranged to receive data about a computer object from a first remote computer on which the computer object or similar computer objects are stored, wherein said data includes information about events initiated or involving the computer object when the computer object is created, configured, or runs on the first remote computer, said information including at least an identity of an object initiating the event, the event type, and an identity of an object or other entity on which the event is being performed;
  
  the base computer being constructed and arranged to receive data about the computer object from a second remote computer on which the computer object or similar computer objects re stored, wherein said data includes information about events initiated or involving the computer object when the computer object is created, configured, or runs on the second remote computer, said information including at least an identity of an object initiating the event, the event type, and an identity of an object or other entity on which the event is being performed;
  
  the base computer being constructed and arranged to correlate at least a portion of the data about the computer object received from the first remote computer to at least a portion of the data about the computer object received from the second remote computer;
  
  the base computer being constructed and arranged to compare the data about the computer object received from the first and second remote computers to other objects or entities to identify relationships between the correlated data and the other objects or entities; and
  
  the base computer being constructed and arranged to classify the computer object as malware on the basis of said comparison.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. Tha apparatus according to claim 15, wherein the base computer is constructed and arranged so as to identify the relationship between objects related directly, or between objects related via other objects.
  - 17. The apparatus according to claim 15, wherein the base computer is constructed and arranged so as, where an object and other objects are found to have a relationship, to monitor those related objects as a homogenous entity and identify a common object of the homogenous entity as a malware object.
  - 18. The apparatus according to claim 15, wherein the base computer is constructed and arranged so as to deduce an object to be malware based on the behaviour of a related object.
  - 19. The apparatus according to claim 15, wherein the base computer is constructed and arranged so that if at least one other object to which said object is related is classed as malware, then said object is classified as malware.
  - 20. The apparatus according to claim 15, wherein the base computer is constructed and arranged so that said other objects include the object or similar objects stored on at least one of the first and second remote computers.
  - 21. The apparatus according to claim 15, wherein the base computer is constructed and arranged so that said other objects include other objects that are parent objects or child objects or otherwise process-related objects to said object.
  - 22. The apparatus according to claim 15, wherein the base computer is constructed and arranged so as to compare the data where the data includes one or more of:
    - executable instructions contained within or constituted by the computer object;
      
      the size of the computer object;
      
      the current name of the computer object;
      
      the physical and folder location of the computer object on disk;
      
      the original name of the computer object;
      
      the creation and modification dates of the computer object;
      
      vendor, product, and version and any other information stored within the computer object; and
      
      the computer object header or header held by the respective remote computer.
  - 23. The apparatus according to claim 15, wherein the base computer is constructed and arranged so as to be able to process data that is sent in the form of a key that is obtained by a hashing process carried out in respect of the objects on said respective remote computer.
  - 24. The apparatus according to claim 23, wherein the key has at least one component that represents executable instructions contained within or constituted by the computer object.
  - 25. The apparatus according to claim 23, wherein the key has at least one component that represents data about said computer object.
  - 26. Apparatus according to claim 25, wherein said data about said object includes at least one of:
    - the current name of the computer object;
      
      the physical and folder location of the computer object on disk;
      
      the original name of the comptuer object;
      
      the creation and modification dates of the computer object;
      
      vendor, product, and version and any other information stored within the computer object;
      
      the computer object header or header held by the respective remote computer; and
      
      events initiated by or involving the computer object when the computer object is created, configured, or runs on the respective remote computers.
  - 27. The apparatus according to claim 23, wherein the key has at least one component that represents the physical size of the computer object.
  - 28. The apparatus according to claim 15, wherein the base computer is constructed and arranged to generate a mask for a computer object that is initially classed not as malware, said mask defining acceptable behaviour for the computer object, and the base computer is constructed and arranged to monitor an operation of the computer object on at least one of the first and second remote computers and to reclassify the computer object as malware if the actual monitored behaviour extends beyond that permitted by the mask.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Solutions Ltd. (Open Text Corporation)
Inventors
Morris, Melvyn, Stubbs, Paul, Hartwig, Markus, Harter, Darren
Primary Examiner(s)
Zecher, Cordelia
Assistant Examiner(s)
DOAN, TRANG T

Application Number

US13/543,866
Publication Number

US 20120278895A1
Time in Patent Office

674 Days
Field of Search

None
US Class Current

726/24
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/577 Assessing vulnerabilities a...

Methods and apparatus for dealing with malware

First Claim

11 Assignments

Litigations

4 Petitions

Accused Products

Abstract

86 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for dealing with malware

First Claim

11 Assignments

Subscription Required

Subscription Required

Litigations

4 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links