Evaluating whether data is safe or malicious

US 8,881,292 B2
Filed: 01/15/2013
Issued: 11/04/2014
Est. Priority Date: 10/21/2008
Status: Active Grant

First Claim

Patent Images

1. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, a method comprising:

providing data on the mobile communications device;

applying a hash function to the data to create a hash identifier for the data; and

comparing by the known good component, the data hash identifier against a database of identifiers of known good data stored in the mobile communications device memory;

if the comparison by the known good component results in a positive match, then allowing the data to be processed by the mobile communications device;

if the comparison by the known good component does not result in a positive match, then comparing by the known bad component, the data hash identifier against a database of identifiers of known bad data stored in the mobile communications device memory; and

if the comparison by the known bad component does not result in a positive match, then transmitting a signal from the mobile communications device to a server to indicate that an analysis of the data by a mobile communications device security component has not been able to characterize the data as recognizably safe or malicious.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

“Known bad” data, “known good” data, or both can be stored in a database. A technique for evaluating data compares the data to the “known bad” data, “known good” data, or both. Based on the comparison, the data may or may not be allowed to be processed by a mobile device.

319 Citations

20 Claims

1. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, a method comprising:
- providing data on the mobile communications device;
  
  applying a hash function to the data to create a hash identifier for the data; and
  
  comparing by the known good component, the data hash identifier against a database of identifiers of known good data stored in the mobile communications device memory;
  
  if the comparison by the known good component results in a positive match, then allowing the data to be processed by the mobile communications device;
  
  if the comparison by the known good component does not result in a positive match, then comparing by the known bad component, the data hash identifier against a database of identifiers of known bad data stored in the mobile communications device memory; and
  
  if the comparison by the known bad component does not result in a positive match, then transmitting a signal from the mobile communications device to a server to indicate that an analysis of the data by a mobile communications device security component has not been able to characterize the data as recognizably safe or malicious.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein the step of if the comparison by the known good component does not result in a positive match, then comparing by the known bad component, the data hash identifier against the database of identifiers of known bad data stored in the mobile communications device memory further comprises:
    - comparing by the known bad component the data hash identifier against a database of known bad data signatures stored in the mobile communications device memory, or against a database of known bad data patterns stored in the mobile communications device memory; and
      
      if the comparison by the known bad component results in a positive match, then rejecting the data from being processed by the mobile communications device.
  - 3. The method of claim 1, further comprising:
    - if the comparison by the known bad component does not result in a positive match, instead of transmitting a signal from the mobile communication device to a server to indicate that an analysis of the data by the mobile communication device security component has not been able to characterize te data as recognizably safe or malicious, then using the decision component, performing an analysis on the data by the decision component to determine if the data is safe or malicious;
      
      if the analysis determines that the data is safe, then allowing the data to be processed by the mobile communications device; and
      
      if the analysis determines that the data is malicious, then rejecting the data from being processed by the mobile communications device.

4. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, a method comprising:
- providing data on the mobile communications device;
  
  applying by the known good component, logic on the data to determine if the data is safe;
  
  if the known good component logic determines that the data is safe, then allowing the data to be processed by the mobile communications device;
  
  if the known good component does not determine that the data is safe, then applying by the known bad component, logic on the data to determine if the data is malicious;
  
  if the known bad component logic determines that the data is malicious, then rejecting the data from being processed by the mobile communications device; and
  
  if the known bad component logic does not determine that the data is malicious, then transmitting a signal from the mobile communications device to a server to indicate that an analysis of the data by a mobile communications device security component has not been able to characterize the data as recognizably safe or malicious.
- View Dependent Claims (5)
- - 5. The method of claim 4, further comprising:
    - if the known bad component logic does not determine that the data is malicious, instead of transmitting a signal from the mobile communications device to a server to indicate that an analysis of the data by a mobile communications device security component has not been able to characterize the data as recognizably safe or malicious, thenusing the decision component, performing an analysis on the data by the decision component to determine if the data is safe or malicious;
      
      if the analysis shows that the data is safe, then allowing the data to be processed by the mobile communications device; and
      
      if the analysis shows that the data is malicious, then rejecting the data from being processed by the mobile communications device.

6. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, a method comprising:
- providing data on the mobile communications device;
  
  applying by the known good component, logic on the data to determine if the data is safe;
  
  if the known good component logic determines that the data is safe, then allowing the data to be processed by the mobile communications device;
  
  if the known good component logic does not determine that the data is safe, then applying, by the known bad component, logic on the data to determine if the data is malicious;
  
  if the known bad component logic determines that the data is malicious, then rejecting the data from being processed by the mobile communications device; and
  
  if the known bad component logic does not determine that the data is malicious, then transmitting a signal from the mobile communications device to a server to indicate that an analysis of the data by a mobile communications device security component has not been able to characterize the data as recognizably safe or malicious.
- View Dependent Claims (7)
- - 7. The method of claim 6, further comprising:
    - if the known bad component logic does not determine that the data is malicious, instead of transmitting a signal from the mobile communications device to a server to indicate that an analysis of the data by a mobile communications device security component has not been able to characterize the data as recognizable safe or malicious, thenusing the decision component, performing an analysis on the data by the decision component to determine if the data is safe or malicious;
      
      if the analysis determines that the data is safe, then allowing the data to be processed by the mobile communications device; and
      
      if the analysis determines that the data is malicious, then rejecting the data from being processed by the mobile communications device.

8. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, a method comprising:
- providing data on the mobile communications device;
  
  comparing by the known good component, the data against a database of characteristics for known good data stored in the mobile communications device; and
  
  if the comparison by the known good component does not result in a positive match, then rejecting the data from being processed by the mobile communications device;
  
  if the comparison by the known good component does result in a positive match, then comparing by the known bad component, the data against a database of characteristics for known bad data stored in the mobile communications device; and
  
  if the comparison by the known bad component does not result in a positive match, then transmitting a signal from the mobile communications device to a server to indicate that an analysis of the data by a mobile communications device security component has not been able to characterize the data as recognizably safe or malicious.
- View Dependent Claims (9, 10)
- - 9. The method of claim 8, further comprising:
    - if the comparison by the known good component results in a positive match, then comparing by the known bad component, the data against either a database of characteristics for known bad data stored in the mobile communications device memory, or against a database of known bad data signatures stored in the mobile communications device memory, or against a database of known bad data patterns stored in the mobile communications device memory; and
      
      if the comparison by the known bad component results in a positive match, then rejecting the data from being processed by the mobile communications device.
  - 10. The method of claim 9, further comprising:
    - if the comparison by the known bad component does not result in a positive match, then using the decision component, performing an analysis on the data by the decision component to determine if the data is safe or malicious;
      
      if the analysis shows that the data is safe, then allowing the data to be processed by the mobile communications device; and
      
      if the analysis shows that the data is malicious, then rejecting the data from being processed by the mobile communications device.

11. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, a method comprising:
- providing data on the mobile communications device;
  
  applying a hash function to the data to create a hash identifier for the data; and
  
  comparing by the known good component, the data hash identifier against a database of identifiers of known good data stored in the mobile communications device memory;
  
  if the comparison by the known good component does not result in a positive match, then rejecting the data from being processed by the mobile communications device;
  
  if the comparison by the known good component does result in a positive match, then comparing by the known bad component, the data hash identifier against a database of identifiers for known bad data stored in the mobile communications device memory; and
  
  if the comparison by the known bad component does not result in a positive match, then transmitting a signal from the mobile communications device to a server to indicate that an analysis of the data by a mobile communications device security component has not been able to characterize the data as recognizably safe or malicious.
- View Dependent Claims (12, 13)
- - 12. The method of claim 11, further comprising:
    - if the comparison by the known good component results in a positive match, then comparing by the known bad component, the data hash identifier against a database of identifiers of known bad data stored in the mobile communications device memory, or against a database of known bad data signatures stored in the mobile communications device memory, or against a database of known bad data patterns stored in the mobile communications device memory; and
      
      if the comparison by the known bad component results in a positive match, then rejecting the data from being processed by the mobile communications device.
  - 13. The method of claim 12, further comprising:
    - if the known bad component does not result in a positive match, instead of transmitting a signal from the mobile communications device to a server to indicate that an analysis of the data by a mobile communications device security component has not been able to characterize the data as recognizable safe or malicious, thenusing the decision component, performing an analysis on the data by the decision component to determine if the data is safe or malicious;
      
      if the analysis shows that the data is safe, then allowing the data to be processed by the mobile communications device; and
      
      if the analysis shows that the data is malicious, then rejecting the data from being processed by the mobile communications device.

14. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for evaluating whether data is safe or malicious, a method comprising:
- providing data on the mobile communications device;
  
  applying by the known good component, logic on the data to determine if the data is not safe;
  
  if the known good component logic determines that the data is not safe, then rejecting the data from being processed by the mobile communications device;
  
  if the known good component logic does not determine that the data is not safe, then applying by the known bad component, logic on the data to determine if the data is malicious; and
  
  if the known bad component does not determine that the data is malicious, then transmitting a signal from the mobile communications device to a server to indicate that an analysis of the data by a mobile communications device security component has not been able to characterize the data as recognizably safe or malicious.
- View Dependent Claims (15, 16)
- - 15. The method of claim 14, wherein the step of if the known good component logic does not determine that the data is not safe, applying by the known bad component, logic on the data to determine if it is malicious further comprises:
    - if the known bad component determines that the data is malicious, then rejecting the data from being processed by the mobile communications device.
  - 16. The method of claim 15, further comprising:
    - if the known bad component does not determine that the data is malicious, instead of transmitting a signal from the mobile communications device to a server to indicate that an analysis of the data by a mobile communications device security component has not been able to characterize the data as recognizably safe or malicious, thenusing the decision component, performing an analysis on the data by the decision component to determine if the data is safe or malicious;
      
      if the analysis shows that the data is safe, then allowing the data to be processed by the mobile communications device; and
      
      if the analysis shows that the data is malicious, then rejecting the data from being processed by the mobile communications device.

17. On a server having a network interface for receiving from and sending data to a mobile communications device having software components for processing and analyzing data, a method comprising:
- when the mobile communications device receives data, creates a hash identifier for the data, compares the data hash identifier against a database of known good data stored on the mobile communications device, does not obtain a positive match, compares the data hash identifier against a database stored on the mobile communications device containing hash identifiers of known bad data, and does not obtain a positive match, receiving the data at the server, wherein the data is a signal from the mobile communications device that an analysis of the data by a mobile communications device security component has not been able to characterize the data as recognizably safe or malicious;
  
  at the server, using a decision component, performing an analysis on the data to determine if the data is safe or malicious;
  
  if the analysis by the decision component at the server determines that the data is safe, then sending an instruction from the server to the mobile communications device to allow the data to be processed by the mobile communications device; and
  
  if the analysis by the decision component at the server determines that the data is malicious, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device.

18. On a server having a network interface for receiving from and sending data to a mobile communications device having software components for processing and analyzing data, a method comprising:
- after the mobile communications device receives data, creates a hash identifier for the data, using a known bad component, compares the received data hash identifier against a database stored in the mobile communications device memory containing hash identifiers of known bad data, does not obtain a positive match, then compares the data hash identifier against a database of known good data stored on the mobile communications device and does not obtain a positive match, receiving the data at the server, wherein the data is a signal from the mobile communications device that an analysis of the data by the mobile communications device security component has not been able to characterize the data as recognizably safe or malicious;
  
  at the server, using a decision component, performing an analysis on the data to determine if the data is safe or malicious;
  
  if the analysis by the decision component at the server determines that the data is safe, then sending an instruction from the server to the mobile communications device to allow the data to be processed by the mobile communications device; and
  
  if the analysis by the decision component at the server determines that the data is malicious, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device.

19. On a server having a network interface for receiving from and sending data to a mobile communications device having software components for processing and analyzing data, a method comprising:
- when the mobile communications device receives data, applies by a known good component logic on the data to determine if the data is safe, does not obtain a positive match, applies by a known bad component logic on the data to determine if the data is recognizably malicious, and does not obtain a positive match, receiving the data from the mobile communications device at the server, wherein the data is a signal from the mobile communications device that an analysis of the data by a mobile communications device security component has not been able to characterize the data as recognizably safe or malicious;
  
  at the server, using a decision component, performing an analysis on the received data to determine if the data is safe or malicious;
  
  if the analysis by the decision component at the server determines that the data is safe, then sending an instruction from the server to the mobile communications device to allow the data to be processed by the mobile communications device; and
  
  if the analysis by the decision component at the server determines that the data is malicious, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device.

20. On a server having a network interface for receiving from and sending data to a mobile communications device having software components for processing and analyzing data, a method comprising:
- after the mobile communications device receives data, applying by a known bad component logic to the data to determine whether the data is recognizably malicious, does not obtain a positive match, then applying by known good component logic to the data to determine whether the data is safe and does not obtain a positive match, receiving the data at the server, wherein the data is a signal from the mobile communications device that an analysis of the data by a mobile communications device security component has not been able to characterize the data as recognizably safe or malicious;
  
  at the server, applying by a decision component logic to the data for performing an analysis on the data to determine if the data is safe or malicious;
  
  if the determination by the decision component at the server determines that the data is safe, then sending an instruction from the server to the mobile communications device to allow the data to be processed by the mobile communications device; and
  
  if the determination by the decision component at the server determines that the data is malicious, then sending an instruction from the server to the mobile communications device to reject the data from being processed by the mobile communications device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookout Incorporated
Original Assignee
Lookout Incorporated
Inventors
Mahaffey, Kevin Patrick
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US13/741,988
Publication Number

US 20130133070A1
Time in Patent Office

658 Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/562   Static detection

G06F 21/564   by virus signature recognition

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04W 12/08   Access security

Evaluating whether data is safe or malicious

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

319 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Evaluating whether data is safe or malicious

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

319 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links