Applying antimalware logic without revealing the antimalware logic to adversaries

US 8,955,133 B2
Filed: 06/09/2011
Issued: 02/10/2015
Est. Priority Date: 06/09/2011
Status: Active Grant

First Claim

Patent Images

1. In a computing environment, a method performed at least in part on at least one processor, comprising:

receiving, by at least one processor, a malware-related query at a backend service;

processing data corresponding to the malware-related query at the backend service, including via updateable detection logic that is not revealed outside of the backend service, to determine whether the data corresponding to the malware-related query corresponds to detected malware;

returning a corresponding result in response to the query indicating whether the data corresponding to the malware-related query corresponds to detected malware; and

providing noise that changes the result to indicate that the data corresponding to the malware-related query does not correspond to detected malware when the processing determined that the malware-related query does correspond to detected malware.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The subject disclosure is directed towards a technology by which antimalware detection logic is maintained and operated at a backend service, with which a customer frontend machine communicates (queries) for purposes of malware detection. In this way, some antimalware techniques are maintained at the backend service rather than revealed to antimalware authors. The backend antimalware detection logic may be based upon feature selection, and may be updated rapidly, in a manner that is faster than malware authors can track. Noise may be added to the results to make it difficult for malware authors to deduce the logic behind the results. The backend may return results indicating malware or not malware, or return inconclusive results. The backend service may also detect probing-related queries that are part of an attempt to deduce the unrevealed antimalware detection logic, with noisy results returned in response and/or other actions taken to foil the attempt.

Citations

20 Claims

1. In a computing environment, a method performed at least in part on at least one processor, comprising:
- receiving, by at least one processor, a malware-related query at a backend service;
  
  processing data corresponding to the malware-related query at the backend service, including via updateable detection logic that is not revealed outside of the backend service, to determine whether the data corresponding to the malware-related query corresponds to detected malware;
  
  returning a corresponding result in response to the query indicating whether the data corresponding to the malware-related query corresponds to detected malware; and
  
  providing noise that changes the result to indicate that the data corresponding to the malware-related query does not correspond to detected malware when the processing determined that the malware-related query does correspond to detected malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein processing the data corresponding to the malware-related query comprises determining that additional data is needed, requesting the additional data from the client, receiving the additional data from the client, and using at least some of the additional data as at least part of the data corresponding to the malware-related query that is processed to determine the corresponding result.
  - 3. The method of claim 1 wherein the data corresponding to the malware-related query comprises feature data, and wherein processing the data corresponding to the malware-related query comprises classifying the feature data via at least one feature-based classifier.
  - 4. The method of claim 3 further comprising, extracting the feature data at a frontend client, and sending the feature data with the malware-related query from the frontend client to the backend service.
  - 5. The method of claim 1 further comprising, updating the updateable detection logic based upon one or more updating criteria.
  - 6. The method of claim 1 wherein the updateable detection logic comprises a set of classifiers, and further comprising, updating the updateable detection logic by changing at least one classifier in the set.
  - 7. The method of claim 6 wherein the classifiers are feature-based classifiers, and further comprising selecting a subset of features based upon training data and training the classifiers based upon the selected subset of features.
  - 8. The method of claim 1, further comprising, operating the unpredictability mechanism to update the malware detection logic.
  - 9. The method of claim 1 further comprising, determining that the query is part of a probing attempt.
  - 10. The method of claim 9 further comprising, taking action to analyze program code from which the data corresponding to the malware-related query is obtained.
  - 11. The method of claim 1, further comprising, varying at least one result that is returned for the query.

12. In a computing environment, a system comprising;
- a memory, wherein the memory includes computer-useable code, and one or more processors, wherein the one or more processors executes the computer-useable code to implement a backend service, the backend service configured with malware detection logic, the malware detection logic configured to process data corresponding to queries to determine whether for each query the data corresponding to that query is indicative of malware, the backend service further configured to respond to each query with a result indicating whether the logic determined the data to be indicative of malware, or with a request for more associated data from which the result may be determined, and the backend service further comprising an unpredictability mechanism configured to operate to keep antimalware techniques in the malware detection logic from being deduced based upon the returned result.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The system of claim 12 wherein the data corresponding to the query includes feature data, and wherein the malware detection logic includes at least one feature-based classifier.
  - 14. The system of claim 12 wherein the unpredictability mechanism operates to update the malware detection logic, or to vary at least one result that is returned in response to a corresponding query, or both.
  - 15. The system of claim 12 wherein the unpredictability mechanism operates to determine when a query is part of a probe attempt, and is configured to take action with respect to a query that is determined to be part of a probe attempt.
  - 16. The system of claim 15 wherein the unpredictability mechanism takes action to vary the result of the query that is determined to be part of a probe attempt.

17. One or more computer storage devices having computer-executable instructions, which when executed perform steps of a process, comprising:
- receiving a query and associated data at a backend service, in which the associated data is received with the query or received via one or more subsequent communications, or via a combination of both;
  
  processing the associated data at the backend service to detect that the data corresponds to malware, and returning a response corresponding to the query including a result indicating that malware was detected;
  
  taking an action at the backend service that is capable of providing a different result if given another query with similar associated data;
  
  receiving another query with similar associated data at the backend service in which the similar associated data is received with the query or received via one or more subsequent communications, or via a combination of both; and
  
  returning a response corresponding to the other query including a result indicating that malware was not detected.
- View Dependent Claims (18, 19, 20)
- - 18. The one or more computer storage devices computer-readable media of claim 17 wherein taking the action comprises updating malware detection logic between processing the associated data and processing the similar associated data.
  - 19. The one or more computer storage devices computer-readable media of claim 17 wherein taking the action comprises applying a noise component that changes the result to a different result.
  - 20. The one or more computer storage devices computer-readable media of claim 17 having further computer-executable instructions comprising, detecting that the other query is part of a probing attempt, and wherein taking the action comprises applying a noise component, based upon detecting that the other query is part of a probing attempt, which changes the result to a different result.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Kumar, Ajith, Fraser, Timothy Jon, Marinescu, Adrian M., Seinfeld, Marc E., Stokes, Jack Wilson III, Thomas, Anil Francis
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
TRUONG, THONG P

Application Number

US13/156,726
Publication Number

US 20120317644A1
Time in Patent Office

1,342 Days
Field of Search

726/23, 726/24
US Class Current

726/24
CPC Class Codes

G06F 21/552 involving long-term monitor...

G06F 21/566 Dynamic detection, i.e. det...

Applying antimalware logic without revealing the antimalware logic to adversaries

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Applying antimalware logic without revealing the antimalware logic to adversaries

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links