System and methods for control of applications using preliminary file filtering

US 9,043,907 B1
Filed: 06/10/2014
Issued: 05/26/2015
Est. Priority Date: 04/18/2014
Status: Active Grant

First Claim

Patent Images

1. A method of application control using file filtering, comprising:

intercepting, by a processor, an operation on a file performed by an application;

selecting at least a part of the file;

applying one or more file filters to the selected part of the file, wherein each of the one or more file filters comprises a bit mask including a sequence of bits;

determining a set of file characteristics based on outcomes of applying the one or more file filters by at least performing an AND operation between the selected part of the file and the bit mask, wherein the AND operation is performed on the selected part of the file and starting from an offset, wherein the offset is included in a file filter corresponding to the bit mask;

determining a decision, based on the set of file characteristics, whether to exclude the file from further analysis by a client of an application control system; and

based on the decision, excluding the file from the further analysis by the client of the application control system or providing the file to the client of the application control system for further analysis whether to allow or prohibit the operation on the file.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are systems, methods and computer program products for control of applications using preliminary file filtering. An example method includes intercepting, by a processor, an operation on a file performed by an application; selecting at least a part of the file; applying one or more file filters to the selected part of the file; determining a set of file characteristics based on outcomes of the file filters; determining a decision, based on the set of file characteristics, whether to exclude the file from further analysis by a client of an application control system; and based on the decision, excluding the file from the further analysis by the client of the application control system or providing the file to the client of the application control system for further analysis whether to allow or prohibit the operation on the file.

19 Citations

View as Search Results

15 Claims

1. A method of application control using file filtering, comprising:
- intercepting, by a processor, an operation on a file performed by an application;
  
  selecting at least a part of the file;
  
  applying one or more file filters to the selected part of the file, wherein each of the one or more file filters comprises a bit mask including a sequence of bits;
  
  determining a set of file characteristics based on outcomes of applying the one or more file filters by at least performing an AND operation between the selected part of the file and the bit mask, wherein the AND operation is performed on the selected part of the file and starting from an offset, wherein the offset is included in a file filter corresponding to the bit mask;
  
  determining a decision, based on the set of file characteristics, whether to exclude the file from further analysis by a client of an application control system; and
  
  based on the decision, excluding the file from the further analysis by the client of the application control system or providing the file to the client of the application control system for further analysis whether to allow or prohibit the operation on the file.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - storing the decision and a file identifier of the file in a decision database;
      
      retrieving the decision from the decision database based on the file identifier;
      
      performing the analysis of the file by the client upon detecting that the decision indicates not to exclude the file from the analysis by the client or upon detecting that there is no decision stored in the decision database for the file identifier; and
      
      skipping the analysis of the file by the client upon detecting that the decision indicates to exclude the file from the analysis by the client.
  - 3. The method of claim 1, wherein intercepting the operation on the file is performed by using a driver filter of a file system.
  - 4. The method of claim 1, further comprising:
    - prior to applying the one or more file filters to the selected part of the file, retrieving each of the one or more file filters from a filter database based on a file identifier of the file.
  - 5. The method of claim 1, further comprising:
    - determining a file type of the file based on an outcome of the AND operation.

6. A system of application control using file filtering, comprising:
- a hardware processor configured to;
  
  intercept an operation on a file performed by an application;
  
  select at least a part of the file;
  
  apply one or more file filters to the selected part of the file, wherein each of the one or more file filters comprises a bit mask including a sequence of bits;
  
  determine a set of file characteristics based on outcomes of applying the one or more file filters by at least performing an AND operation between the selected part of the file and the bit mask, wherein the AND operation is performed on the selected part of the file and starting from an offset, wherein the offset is included in a file filter corresponding to the bit mask;
  
  determine a decision, based on the set of file characteristics, whether to exclude the file from further analysis by a client of an application control system; and
  
  based on the decision, exclude the file from the further analysis by the client of the application control system or provide the file to the client of the application control system for further analysis whether to allow or prohibit the operation on the file.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, wherein the processor is further configured to:
    - store the decision and a file identifier of the file in a decision database;
      
      retrieve the decision from the decision database based on the file identifier;
      
      perform the analysis of the file by the client upon detecting that the decision indicates not to exclude the file from the analysis by the client or upon detecting that there is no decision stored in the decision database for the file identifier; and
      
      skip the analysis of the file by the client upon detecting that the decision indicates to exclude the file from the analysis by the client.
  - 8. The system of claim 6, wherein the processor is configured to intercept the operation on the file by using a driver filter of a file system.
  - 9. The system of claim 6, wherein the processor is further configured to:
    - prior to applying the file filters to the selected part of the file, retrieve the one or more file filters from a filter database based on a file identifier of the file.
  - 10. The system of claim 6, wherein the processor is further configured to:
    - determine a file type of the file based on an outcome of the AND operation.

11. A computer program product stored on a non-transitory computer-readable storage medium, the computer program product comprising computer-executable instructions for application control using file filtering, including instructions for:
- intercepting an operation on a file performed by an application;
  
  identifying a selected part of the file;
  
  applying one or more file filters to the selected part of the file, wherein each of the one or more file filters comprises a bit mask including a sequence of bits;
  
  determining a set of file characteristics based on outcomes of applying the one or more file filters by at least performing an AND operation between the selected part of the file and the bit mask, wherein the AND operation is performed on the selected part of the file and starting from an offset, wherein the offset is included in a file filter corresponding to the bit mask;
  
  determining a decision, based on the set of file characteristics, whether to exclude the file from further analysis by a client of an application control system; and
  
  based on the decision, excluding the file from the further analysis by the client of the application control system or providing the file to the client of the application control system for further analysis whether to allow or prohibit the operation on the file.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer program product of claim 11, further comprising instructions for:
    - storing the decision and a file identifier of the file in a decision database;
      
      retrieving the decision from the decision database based on the file identifier;
      
      performing the analysis of the file by the client upon detecting that the decision indicates not to exclude the file from the analysis by the client or upon detecting that there is no decision stored in the decision database for the file identifier; and
      
      skipping the analysis of the file by the client upon detecting that the decision indicates to exclude the file from the analysis by the client.
  - 13. The computer program product of claim 11, wherein intercepting the operation on the file is performed by using a driver filter of a file system.
  - 14. The computer program product of claim 11, further comprising instructions for:
    - prior to applying the file filters to the selected part of the file, retrieving the one or more file filters from a filter database based on a file identifier of the file.
  - 15. The computer program product of claim 11, further comprising instructions for:
    - determining a file type of the file based on an outcome of the AND operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kaspersky Lab ZAO
Original Assignee
Kaspersky Lab ZAO
Inventors
Levchenko, Vyacheslav I., Yudin, Maxim V., Polozov, Pavel L.
Primary Examiner(s)
Gee, Jaosn K.
Assistant Examiner(s)
BUCKNOR, OLANREWAJU J

Application Number

US14/300,878
Time in Patent Office

350 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 16/13   File access structures, e.g...

G06F 21/53   by executing in a restricte...

G06F 21/56   Computer malware detection ...

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 8/61   Installation

H04L 63/0218   Distributed architectures, ...

H04L 63/123   received data contents, e.g...

H04L 63/145   the attack involving the pr...

System and methods for control of applications using preliminary file filtering

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

19 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

System and methods for control of applications using preliminary file filtering

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others