Method, computer software, and system for providing end to end security protection of an online transaction

US 8,931,097 B2
Filed: 04/09/2012
Issued: 01/06/2015
Est. Priority Date: 08/30/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

while a program is running on an information handling system in a manner that permits the program to infect the information handling system, the information handling system calculating a first score and a second score, wherein the first score is indicative of the likelihood that the program is malicious, wherein the second score is indicative of the likelihood that the program is valid, and wherein the calculating includes running a detection routine that performs a call to an application programming interface (API) of an operating system of the information handling system to gather information about the program, wherein the first score is calculated based on weighted results of those ones of a first plurality of detection routines that indicate a likelihood that the program is malicious, and wherein the second score is calculated based on weighted results of those ones of a second plurality of detection routines that indicate a likelihood that the program is valid; and

the information handling system categorizing the program with respect to the likelihood of the program infecting the information handling system, wherein the categorizing includes categorizing the program as valid code based on the second score being above a threshold value, regardless of the first score.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for categorizing programs running on an information handling system. One method includes, while a program is running on an information handling system in a manner that permits the program to infect the information handling system, calculating a first score and a second score. The first score is indicative of the likelihood that the program is malicious; the second score is indicative of the likelihood that the program is valid. This method further includes categorizing the program with respect to the likelihood of the program infecting the information handling system, including by categorizing the program as valid code based on the second score being above a threshold value, regardless of the first score.

80 Citations

18 Claims

1. A method, comprising:
- while a program is running on an information handling system in a manner that permits the program to infect the information handling system, the information handling system calculating a first score and a second score, wherein the first score is indicative of the likelihood that the program is malicious, wherein the second score is indicative of the likelihood that the program is valid, and wherein the calculating includes running a detection routine that performs a call to an application programming interface (API) of an operating system of the information handling system to gather information about the program, wherein the first score is calculated based on weighted results of those ones of a first plurality of detection routines that indicate a likelihood that the program is malicious, and wherein the second score is calculated based on weighted results of those ones of a second plurality of detection routines that indicate a likelihood that the program is valid; and
  
  the information handling system categorizing the program with respect to the likelihood of the program infecting the information handling system, wherein the categorizing includes categorizing the program as valid code based on the second score being above a threshold value, regardless of the first score.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the threshold value is a valid threshold value, the method further comprising categorizing another program running on the information handling system as malicious code based on its first score being above a malicious threshold value and its second score being below the valid threshold value.
  - 3. The method of claim 1, further comprising repeating the calculating and the categorizing with respect to each of a plurality of other programs running on the information handling system.
  - 4. The method of claim 1, wherein calculating the first score includes running the detection routine and running another routine that examines a binary image of the program, wherein results of the detection routines are used to calculate the first score.
  - 5. The method of claim 1, further comprising categorizing another program running on the information handling system as suspicious code based on corresponding first and second scores for the other program, wherein the suspicious code is code that is not identifiable as malicious code or valid code.
  - 6. The method of claim 1, wherein the program is a thread.

7. A non-transitory computer-readable storage medium storing instructions executable by a computer system to:
- calculate a first score and a second score, wherein the first score is indicative of a likelihood that a program running on the computer system is malicious, wherein the first score is calculated based on weighted results of those ones of a first plurality of detection routines that indicate a likelihood that the program is malicious, wherein the second score is indicative of a likelihood that the program is valid, wherein the second score is calculated based on weighted results of those ones of a second plurality of detection routines that indicate a likelihood that the program is valid, and wherein calculating the first score or the second score is based on a result from running a detection routine that performs a call to an application programming interface (API) of an operating system of the computer system to gather information about the program; and
  
  categorize the program as valid code based on a comparison of the second score to a valid threshold value, regardless of the first score.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The non-transitory computer-readable storage medium of claim 7, wherein the instructions do not prevent infection of the computer system by the program, and wherein the instructions are executable to calculate the second score based on weighted results of those ones of a plurality of detection routines that indicate that the program is valid.
  - 9. The non-transitory computer-readable storage medium of claim 7, wherein the instructions do not prevent infection of the computer system by the program, and wherein the first score is based at least in part on a result of a first detection routine that is executable to examine a binary image of the program.
  - 10. The non-transitory computer-readable storage medium of claim 7, wherein the instructions are executable to categorize the program as valid based on the second score exceeding the valid threshold value, regardless of whether the first score exceeds a malicious threshold value.
  - 11. The non-transitory computer-readable storage medium of claim 7, wherein the instructions are executable to categorize the program as malicious based on a comparison of the first score to a malicious threshold value and a comparison of the second score to the valid threshold value.

12. A non-transitory computer-readable storage medium storing instructions that, if executed by a computing device, cause the computing device to:
- perform a plurality of detection routines to gather information relating to a program running on the computing device, wherein the plurality of detection routines includes a detection routine that performs a call to an application programming interface (API) of an operating system to gather information about the program;
  
  calculate a first score based on weighted results of those ones of the plurality of detection routines that indicate a likelihood that the program is malicious;
  
  calculate a second score based on weighted results of those ones of the plurality of detection routines that indicate a likelihood that the program is valid; and
  
  categorize the program as valid based on a comparison of the second score to a valid threshold value, regardless of the first score.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The non-transitory computer-readable storage medium of claim 12, wherein the instructions are not executable to prevent infection of the computing device by the program, and wherein the instructions are executable to categorize the program as valid based on determining that the second score is above the valid threshold value, regardless of whether the first score is above or below a malicious threshold value.
  - 14. The non-transitory computer-readable storage medium of claim 12, wherein the instructions are further executable by the computing device to:
    - categorize the program as malicious based on a comparison of the first score to the malicious threshold value and a comparison of the second score to the valid threshold value.
  - 15. The non-transitory computer-readable storage medium of claim 14, wherein the instructions are executable to categorize the program as malicious based on the first score exceeding the malicious threshold value and the second score not exceeding the valid threshold value.
  - 16. The non-transitory computer-readable storage medium of claim 12, wherein the instructions are executable by the computing device to categorize the program as suspicious based at least in part on the first and second scores.
  - 17. The non-transitory computer-readable storage medium of claim 12, wherein the instructions are executable by the computing device to calculate the second score based on a first detection routine that evaluates a binary image of the program.
  - 18. The non-transitory computer-readable storage medium of claim 17, wherein the instructions are executable by the computing device to calculate the second score also based on a second detection routine that gathers information about the program from an operating system of the computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Alagna, Michael Tony, Obrecht, Mark, Payne, Andy, Norwood, Peter
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
Almamun, Abdullah

Application Number

US13/442,624
Publication Number

US 20120198552A1
Time in Patent Office

1,002 Days
Field of Search

726 22- 24, 713/150, 713/165, 713187-189
US Class Current

726/23
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06Q 20/40   Authorisation, e.g. identif...

Method, computer software, and system for providing end to end security protection of an online transaction

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

80 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method, computer software, and system for providing end to end security protection of an online transaction

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

80 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links