Malware detection system and method for limited access mobile platforms

US 9,064,115 B2
Filed: 04/06/2007
Issued: 06/23/2015
Est. Priority Date: 04/06/2006
Status: Active Grant

First Claim

Patent Images

1. A method of defining rules for detecting malware in a target application on a limited access platform, the method comprising:

extracting feature elements from non-executable portions of a plurality of applications without extracting feature elements from executable portions of the applications, wherein the non-executable portions comprise file headers of the plurality of applications, wherein the executable portions comprise portions of the applications outside of the file headers, and wherein one or more of the plurality of applications are known to be malware-infected;

forming one or more feature sets for the plurality of applications such that each of the feature sets includes one or more of the feature elements extracted from the non-executable portions of the applications;

characterizing each of the feature sets as either malware-infected or malware-free based on whether the applications from which the feature elements of the feature set were extracted are malware-infected;

defining, by a computing device, one or more rules that each specify a respective combination of the feature elements that are characteristic of the feature sets characterized as malware-infected and that are not characteristic of the feature sets characterized as malware-free, wherein when applied to a non-executable portion comprising a file header of a target application, the rules identify the target application as malware-infected when the target application has a feature set including the combination of feature elements specified by the respective rule; and

providing the rules to a mobile device comprising a limited access platform.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting malware on a limited access mobile platform in a mobile network. The system and method uses one or more feature sets that describe various non-executable portions of malware-infected and malware-free applications, and compares a application on the limited access mobile platform to the features sets. A match of the features in a suspect application to one of the feature sets provides an indication as to whether the suspect application is malware-infected or malware-free.

Citations

29 Claims

1. A method of defining rules for detecting malware in a target application on a limited access platform, the method comprising:
- extracting feature elements from non-executable portions of a plurality of applications without extracting feature elements from executable portions of the applications, wherein the non-executable portions comprise file headers of the plurality of applications, wherein the executable portions comprise portions of the applications outside of the file headers, and wherein one or more of the plurality of applications are known to be malware-infected;
  
  forming one or more feature sets for the plurality of applications such that each of the feature sets includes one or more of the feature elements extracted from the non-executable portions of the applications;
  
  characterizing each of the feature sets as either malware-infected or malware-free based on whether the applications from which the feature elements of the feature set were extracted are malware-infected;
  
  defining, by a computing device, one or more rules that each specify a respective combination of the feature elements that are characteristic of the feature sets characterized as malware-infected and that are not characteristic of the feature sets characterized as malware-free, wherein when applied to a non-executable portion comprising a file header of a target application, the rules identify the target application as malware-infected when the target application has a feature set including the combination of feature elements specified by the respective rule; and
  
  providing the rules to a mobile device comprising a limited access platform.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein each of the feature elements is selected from a group consisting of:
    - an application name, an application size, an application vendor, an application version, an application description, a uniform resource locator of a source of an application, a secure one-way hash of a binary representation of the application, and a cyclic redundancy check of a binary representation of an application.
  - 3. The method of claim 1, wherein the rule contains a wildcard.
  - 4. The method of claim 1, wherein defining the rules comprises assigning weights to the feature elements of the feature set corresponding to the rule.
  - 5. The method of claim 1, further comprising providing the rules to the limited access platform using a device independent secure management protocol.
  - 6. The method of claim 1, wherein the limited access platform is a mobile device having an operating system restricting functionality of the target application.
  - 7. The method of claim 1, wherein the rule is selected from the group consisting of:
    - a rule for a feature set having the plurality of feature elements, and a rule for a feature set having a subset of the plurality of feature elements.
  - 8. The method of claim 1, further comprising:
    - extracting a feature set from a non-executable portion of a target application on a limited access platform; and
      
      applying one of the rules to the feature set of the target application to determine whether the target application is malware-infected or malware-free.
  - 9. The method of claim 2, wherein the secure one-way hash is an SHA-1 hash.

10. A method of detecting malware in a target application on a limited access platform comprising a mobile device, the method comprising:
- obtaining a plurality of rules that each identify a respective combination of feature elements extracted from non-executable portions of a plurality of applications without identifying feature elements of executable portions of the applications, wherein the non-executable portions comprise file headers of the plurality of applications, and wherein the executable portions comprise portions of the applications outside of the headers;
  
  extracting a feature set from a non-executable portion of the target application without extracting feature elements from an executable portion of the target application, wherein the non-executable portion of the target application comprises a file header of the target application, and wherein the executable portion comprises a portion of the target application outside of the file header of the target application; and
  
  applying, by the mobile device, one or more of the plurality of rules to the feature set of the target application to determine a match comparison of the extracted feature set to the rules; and
  
  determining that the target application is malware-infected when application of at least one of the plurality of rules to the extracted feature set results in a match.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10, further comprising prompting a user to perform an action relating to the target application.
  - 12. The method of claim 10, further comprising reporting the target application to an operational support system if the target application is malware-infected.
  - 13. The method of claim 10, further comprising receiving the rules using a device independent secure management protocol.
  - 14. The method of claim 10, wherein the limited access platform is a mobile device having an operating system restricting functionality of the target application.
  - 15. The method of claim 10, wherein the rule is selected from the group consisting of:
    - a rule for a feature set having the plurality of feature elements, and a rule for a feature set having a subset of the plurality of feature elements.

16. A limited access platform for detecting malware, the limited access platform comprising:
- a feature data store comprising a plurality of rules that each identify a respective combination of feature elements extracted from non-executable portions of a plurality of applications and that do not identify feature elements of executable portions of the applications, wherein the non-executable portions comprise file headers of the plurality of applications, and wherein the executable portions comprise portions of the applications outside of the file headers;
  
  means for extracting a feature set from a non-executable portion of a target application without extracting feature elements from an executable portion of the target application, wherein the non-executable portion of the target application comprises a file header of the target application, and wherein the executable portion comprises a portion of the target application outside of the file header of the target application;
  
  means for applying one or more of the plurality of rules to the extracted feature set of the target application on the limited access platform to determine a match comparison of the extracted feature set to the rules; and
  
  means for determining that the target application is malware-infected application of at least one of the plurality of rules to the extracted feature set results in a match.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 17. The limited access platform of claim 16, wherein the limited access platform receives the feature data store using a device independent secure management protocol.
  - 18. The limited access platform of claim 16, wherein the limited access platform is a mobile device having an operating system restricting functionality of the target application.
  - 19. The limited access platform of claim 16, wherein each of the feature elements is selected from a group consisting of:
    - an application name, an application size, an application vendor, an application version, an application description, a uniform resource locator of a source of an application, a secure one-way hash of a binary representation of the application, and a cyclic redundancy check of a binary representation of an application.
  - 20. The limited access platform of claim 16, wherein at least one of the rules contains a wildcard.
  - 21. The limited access platform of claim 16, wherein at least one of the rule comprises one or more weights, each the weight assigned to a feature element of the feature set for the at least one rule.
  - 22. The limited access platform of claim 16, further comprising a means for receiving the feature data store on the limited access platform from an operational support system.
  - 23. The limited access platform of claim 16, further comprising a means for reporting the target application to an operational support system if the target application is malware-infected.
  - 24. The limited access platform of claim 16, further comprising a means for preventing the target application from executing on the limited access platform if the means for determining determines the target application is malware-infected.
  - 25. The limited access platform of claim 16, wherein the match comparison is equal to or greater than 90%.
  - 26. The limited access platform of claim 19, wherein the secure one-way hash is an SHA-1 hash.
  - 27. The limited access platform of claim 24, wherein the means for preventing comprises a user interface configured to prompt a user to perform an action regarding to the target application.

28. A non-transitory computer-readable storage medium comprising instructions that, when executed, cause a processor to:
- extract feature elements from non-executable portions of a plurality of applications without extracting feature elements from executable portions of the applications, wherein the non-executable portions comprise file headers of the plurality of applications, wherein the executable portions comprise portions of the applications outside of the file headers, and, wherein one or more of the plurality of applications are known to be malware-infected;
  
  form one or more feature sets for the plurality of applications such that each of the feature sets includes one or more of the feature elements extracted from the applications;
  
  characterize each of the feature sets as either malware-infected or malware-free based on whether the applications from which the feature elements of the feature set were extracted are malware-infected; and
  
  defining, by a computing device, define one or more rules that each specify a respective combination of the feature elements that are characteristic of the feature sets characterized as malware-infected and that are not characteristic of the feature sets characterized as malware-free, wherein when applied to a non-executable portion comprising a file header of a target application, the rules identify the target application as malware-infected when the target application has a feature set including the combination of feature elements specified by the respective rule; and
  
  provide the rules to a mobile device comprising a limited access platform.

29. A non-transitory computer-readable storage medium comprising instructions that, when executed, cause a processor of a mobile device to:
- obtain a plurality of rules that each identify a respective combination of feature elements extracted from non-executable portions of a plurality of applications without identifying feature elements of executable portions of the applications, wherein the non-executable portions comprise file headers of the plurality of applications, and wherein the executable portions comprise portions of the applications outside of the file headers;
  
  extract a feature set from a non-executable portion of a target application without extracting feature elements from an executable portion of the target application, wherein the non-executable portion of the target application comprises a file header of the target application, and wherein the executable portion comprises a portion of the target application outside of the file header of the target application;
  
  apply one or more of the plurality of rules to the feature set of the target application to determine a match comparison of the extracted feature set to the rules; and
  
  determine that the target application is malware-infected when application of at least one of the plurality of rules to the extracted feature set results in a match.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Inventors
Tuvell, George, Lee, Charles
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Salehi, Helai

Application Number

US11/697,664
Publication Number

US 20070240220A1
Time in Patent Office

3,000 Days
Field of Search

726 22- 24, 713187-194
US Class Current

1/1
CPC Class Codes

G06F 16/245   Query processing

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04W 12/10   Integrity

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

Malware detection system and method for limited access mobile platforms

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Malware detection system and method for limited access mobile platforms

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links