Executable download tracking system

US 8,959,624 B2
Filed: 10/31/2007
Issued: 02/17/2015
Est. Priority Date: 10/31/2007
Status: Active Grant

First Claim

Patent Images

1. A method of monitoring computer-readable instructions, comprising:

identifying an executable portion of the computer-readable instructions received on a computer network from a source;

determining, by a central system configured to perform an analysis to identify a risk, that the executable portion of the computer-readable instructions is a risk;

responsive to determining by the central system that the executable portion of the computer-readable instructions is a risk, transmitting the executable portion to an internal antivirus software on a computing device for analysis and transmitting the results of the central system analysis to the computing device;

analyzing, by the computing device, the executable portion by the internal antivirus software;

comparing the transmitted results of the central system analysis with results of the internal antivirus software analysis to determine whether the central system and internal antivirus software obtained the same results, the comparing being performed by the computing device to which the executable portion was transmitted from the central system;

responsive to determining, based on the comparison between the results of the central system analysis and the results of the internal antivirus software analysis, that the central system and internal antivirus software obtained the same results, marking the executable portion for continuous monitoring until the identified risk is neutralized;

responsive to determining, based on the comparison between the results of the central system analysis and the results of the internal antivirus software analysis, that the central system and internal antivirus software obtained different results, flagging the results as conflicting and further analyzing the different results, including;

identifying a level of importance of the conflicting results;

neutralizing the risk on the computer network; and

identifying a source of the risk; and

generating a report that includes the risk, wherein the report includes a name of the risk, information about the risk'"'"'s signature, a version of the risk, a type of solution that was used to neutralize the risk, a file size of the risk, and a latest update to anti-virus software,wherein the report is used to create a risk signature dictionary that includes information about signatures of a plurality of riskswherein the report is updated at least once a week; and

using the report to update a data file that identifies future risks,wherein user identification and a password are required for access to the data file,wherein the data file includes characteristics of known risks, a date and time at which the risk was identified, an action required to neutralize the risk, a source of the risk, and related risks.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed for monitoring executable software applications on a computer network. Executable software applications and data files may be monitored by a risk monitoring system. The executable software application and data files may attempt to access a computer network and/or a computing device and a monitoring process may identify risks associated with the executable software application and/or data file. A suspicious characteristic of the executable software application may be identified during the monitoring process. The suspicious characteristic may be malware and may be neutralized before it causes damage to the computer network and/or computing device.

110 Citations

19 Claims

1. A method of monitoring computer-readable instructions, comprising:
- identifying an executable portion of the computer-readable instructions received on a computer network from a source;
  
  determining, by a central system configured to perform an analysis to identify a risk, that the executable portion of the computer-readable instructions is a risk;
  
  responsive to determining by the central system that the executable portion of the computer-readable instructions is a risk, transmitting the executable portion to an internal antivirus software on a computing device for analysis and transmitting the results of the central system analysis to the computing device;
  
  analyzing, by the computing device, the executable portion by the internal antivirus software;
  
  comparing the transmitted results of the central system analysis with results of the internal antivirus software analysis to determine whether the central system and internal antivirus software obtained the same results, the comparing being performed by the computing device to which the executable portion was transmitted from the central system;
  
  responsive to determining, based on the comparison between the results of the central system analysis and the results of the internal antivirus software analysis, that the central system and internal antivirus software obtained the same results, marking the executable portion for continuous monitoring until the identified risk is neutralized;
  
  responsive to determining, based on the comparison between the results of the central system analysis and the results of the internal antivirus software analysis, that the central system and internal antivirus software obtained different results, flagging the results as conflicting and further analyzing the different results, including;
  
  identifying a level of importance of the conflicting results;
  
  neutralizing the risk on the computer network; and
  
  identifying a source of the risk; and
  
  generating a report that includes the risk, wherein the report includes a name of the risk, information about the risk'"'"'s signature, a version of the risk, a type of solution that was used to neutralize the risk, a file size of the risk, and a latest update to anti-virus software,wherein the report is used to create a risk signature dictionary that includes information about signatures of a plurality of riskswherein the report is updated at least once a week; and
  
  using the report to update a data file that identifies future risks,wherein user identification and a password are required for access to the data file,wherein the data file includes characteristics of known risks, a date and time at which the risk was identified, an action required to neutralize the risk, a source of the risk, and related risks.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, where the source is an Internet Protocol address.
  - 3. The method of claim 1, further comprising blocking the source of the risk from accessing the computer network.
  - 4. The method of claim 1, where the neutralizing the risk includes analyzing the executable portion of the computer-readable instructions with the anti-virus software.
  - 5. The method of claim 1, where the risk is malware.
  - 6. The method of claim 5, where the malware is at least one of a computer virus, a worm, a keylogger, and a Trojan.
  - 7. The method of claim 1, where the risk is saved in a data store.
  - 8. The method of claim 1, where the risk is identified as an urgent risk.
  - 9. The method of claim 8, where the urgent risk causes the report to be updated.
  - 10. The method of claim 1, where the neutralizing the risk occurs after the risk is identified.

11. A method of monitoring data files on a computer network, comprising:
- receiving an executable software application on a first computer network from a second computer network;
  
  identifying at least one suspicious characteristic of the executable software application;
  
  determining, by a central system configured to perform analysis to identify risk, whether the at least one suspicious characteristic of the executable software application is malware;
  
  responsive to determining by the central system that the at least one suspicious characteristic of the executable software application is malware, transmitting the executable software application to an internal antivirus software on a computing device for analysis and transmitting the results of the central system analysis to the computing device;
  
  analyzing, by the computing device, the executable software application by the internal antivirus software;
  
  comparing the transmitted results of the central system analysis with results of the internal antivirus software analysis to determine whether the central system and internal antivirus software obtained the same results, the comparing being performed by the computing device to which the executable software application was transmitted from the central system;
  
  responsive to determining, based on the comparison between the results of the central system analysis and the results of the internal antivirus software analysis, that the central system and internal antivirus software obtained the same results, marking the executable software application for continuous monitoring until the identified malware is neutralized;
  
  responsive to determining, based on the comparison between the results of the central system analysis and the results of the internal antivirus software analysis, that the central system and internal antivirus software obtained different results, flagging the results as conflicting and further analyzing the conflicting results, including;
  
  identifying a level of importance of the conflicting results; and
  
  preventing the malware from contaminating the first computer network by at least one of;
  
  deleting, quarantining, repairing, cleaning, blocking, rejecting, and neutralizing; and
  
  generating a report that identifies the malware, wherein the report includes a name of the malware, information about the malware'"'"'s signature, a version of the malware, a type of solution that was used to perform the preventing, a file size of the malware, and a latest update to anti-virus software,wherein the report is used to create a malware signature dictionary that includes information about signatures of a plurality of malwarewherein the report is updated at least once a week; and
  
  using the report to update a data file that identifies future malware,wherein user identification and a password are required for access to the data file,wherein the data file includes characteristics of known malware, a date and time at which the malware was identified, an action required to perform the preventing, a source of the malware, and related malware.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11, further comprising authenticating the executable software application based at least in part on analyzing the suspicious characteristic.
  - 13. The method of claim 11, further comprising identifying a source of the malware.
  - 14. The method of claim 13, where the malware is at least one of a computer virus, a worm, a keylogger, and a Trojan.
  - 15. The method of claim 13, where the source is an Internet Protocol address.
  - 16. The method of claim 11, where the determining whether the at least one suspicious characteristic of the executable software application is malware includes an analysis of the executable software application by the anti-virus software.
  - 17. The method of claim 16, where the analysis by the anti-virus software is at least partially performed on the computer network.

18. A risk monitoring system, comprising:
- at least one computing device that contains computer readable instructions for authenticating an executable software application received on a computer network;
  
  a receiver for receiving data associated with the executable software application;
  
  a server comprising memory for storing the data in a data file; and
  
  a processor for executing the computer-executable instructions to perform a method, comprising;
  
  receiving the executable software application on a first computer network from a second computer network;
  
  identifying at least one suspicious characteristic of the executable software application;
  
  determining, by a central system configured to perform analysis to identify a risk, whether the at least one suspicious characteristic of the executable software application is malware;
  
  responsive to determining by the central system that the at least one suspicious characteristic of the executable software application is malware, transmitting the executable software application to an internal antivirus software on a computing device for analysis and transmitting the results of the central system analysis to the computing device;
  
  analyzing, by the computing device, the executable software application by the internal antivirus software;
  
  comparing the transmitted results of the central system analysis with results of the internal antivirus software analysis to determine whether the central system and internal antivirus software obtained the same results, the comparing being performed by the computing device to which the executable portion was transmitted from the central system;
  
  responsive to determining, based on the comparison between the results of the central system analysis and the results of the internal antivirus software analysis, that the central system and internal antivirus software obtained the same results, marking the executable software application for continuous monitoring until the identified malware is neutralized;
  
  responsive to determining, based on the comparison between the results of the central system analysis and the results of the internal antivirus software analysis, that the central system and internal antivirus software obtained different results, flagging the results as conflicting and further analyzing the different results, including;
  
  identifying a level of importance of the conflicting results; and
  
  preventing the malware from contaminating the first computer network by at least one of;
  
  filtering, blocking, rejecting, and neutralizing; and
  
  generating a report that identifies the malware, wherein the report includes a name of the malware, information about the malware'"'"'s signature, a version of the malware, a type of solution that was used to perform the preventing, a file size of the malware, and a latest update to anti-virus software,wherein the report is used to create a malware signature dictionary that includes information about signatures of a plurality of malwarewherein the report is updated at least once a week; and
  
  using the report to update the data file that identifies future malware,wherein user identification and a password are required for access to the data file,wherein the data file includes characteristics of known malware, a date and time at which the malware was identified, an action required to perform the preventing, a source of the malware, and related malware.

19. A method comprising:
- identifying an executable portion of the computer-readable instructions received on a computer network from an Internet Protocol address,wherein the identifying occurs by comparing the executable portion of the computer-readable instructions with known computer viruses,wherein the executable portion of the computer-readable instructions includes a phone home type of computer virus structure where internal information on the computer network is at risk of exposure to a remote unauthorized user;
  
  using a centralized server, analyzing the executable portion and classifying the executable portion of the computer-readable instructions as a computer virus;
  
  transmitting from the centralized server, the executable portion and the results of the analysis to a computing device including internal antivirus software;
  
  wherein the computer virus is given a severity level,wherein the classifying occurs when at least one suspicious characteristic is associated with the executable portion of the computer-readable instructions,wherein the at least one suspicious characteristic includes generating multiple copies of a portion of the executable portion of the computer-readable instructions, sending the copies to several computing devices on the computer network without user intervention, monitoring a user'"'"'s keystrokes, attempting to write instructions to another executable program, and a morphing of a signature of the computer virus;
  
  tagging, by the computing device, the executable portion of the computer-readable instructions for further analysis by an internal antivirus software;
  
  analyzing the tagged executable portion of the computer-readable instructions with the internal antivirus software stored in memory local to a system, wherein the anti-virus software examines the computer virus by comparing the signature of the computer virus with signatures of known computer viruses;
  
  comparing the transmitted results of the centralized server analysis with results of the internal antivirus software analysis to determine whether the centralized server and internal antivirus software obtained the same results, the comparing being performed by the computing device to which the executable portion was transmitted from the central system;
  
  responsive to determining, based on the comparison between the results of the central system analysis and the results of the internal antivirus software analysis, that the centralized server and the internal antivirus software obtained the same results, marking the executable portion for continuous monitoring until the identified computer virus is neutralized;
  
  responsive to determining, based on the comparison between the results of the central system analysis and the results of the internal antivirus software analysis, that the centralized server and the internal antivirus software obtained different results, flagging the results as conflicting and further analyzing the different results, including;
  
  identifying a level of importance of the conflicting results;
  
  identifying a source of the computer virus;
  
  blocking the source of the computer virus from accessing the computer network; and
  
  neutralizing the computer virus on the computer network,wherein the neutralizing the computer virus includes analyzing the executable portion of the computer-readable instructions with the anti-virus software, and further includes deleting the computer virus,generating a report that identifies the computer virus, wherein the report includes a name of the computer virus, information about the computer virus'"'"'s signature, a version of the computer virus, a type of solution that was used to neutralize the computer virus, a file size of the computer virus, and a latest update to the anti-virus software,wherein the report is used to create a computer virus signature dictionary that includes information about signatures of a plurality of computer viruseswherein the report is updated at least once a week; and
  
  using the report to update a data file that identifies a future computer virus,wherein user identification and a password are required for access to the data file,wherein the data file includes characteristics of known computer viruses, a date and time at which the computer virus was identified, an action required to neutralize the computer virus, a source of the computer virus, and related computer viruses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp., Hexcel Corporation
Original Assignee
Bank of America Corp.
Inventors
Gray, Robert, Morris, Anthony
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
Ho, Thomas

Application Number

US11/932,510
Publication Number

US 20090113548A1
Time in Patent Office

2,666 Days
Field of Search

726/1, 726/22, 726/23, 726/24, 726/25
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

H04L 2209/60   Digital content management,...

Executable download tracking system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

110 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Executable download tracking system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

110 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links