Method and apparatus for detecting malicious software using generic signatures

US 9,100,425 B2
Filed: 11/30/2011
Issued: 08/04/2015
Est. Priority Date: 12/01/2010
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for determining whether a software application is likely malicious, comprising:

receiving, at a server component, both a specific fingerprint and a generic fingerprint computed at a client component for a software application received at the client component;

storing, at the server component, a blacklist comprising a plurality of specific fingerprints of software applications known to be malicious;

storing, at the server component, a data structure comprising a plurality of known generic fingerprints and, for each known generic fingerprint, a set of specific fingerprints associated with the known generic fingerprint;

determining whether the software application is conclusively malicious by comparing the received specific fingerprint to the blacklist of specific fingerprints;

in the event the software application is not determined to be conclusively malicious from comparing the received specific fingerprint to the blacklist of specific fingerprints, determining that the software application is conclusively malicious in response to the number of malicious specific fingerprints associated with one of the known generic fingerprints that matches the received generic fingerprint exceeding a predetermined threshold; and

transmitting to the client component an indication of whether the software application is malicious or benign from processing the received specific fingerprint and the received generic fingerprint.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Novel methods, components, and systems for automatically detecting malicious software are presented. More specifically, methods, components, and systems for the automated deployment of generic signatures to detect malicious software. Even more specifically, computer implemented methods for determining whether a software application is likely malicious including computing at a client component a generic fingerprint for a software application, transmitting the generic fingerprint data to a server component, receiving at the client component information from the server component relating to the generic fingerprint of the software application, and following a prescribed set of actions based on the information received from the server.

14 Citations

View as Search Results

18 Claims

1. A computer implemented method for determining whether a software application is likely malicious, comprising:
- receiving, at a server component, both a specific fingerprint and a generic fingerprint computed at a client component for a software application received at the client component;
  
  storing, at the server component, a blacklist comprising a plurality of specific fingerprints of software applications known to be malicious;
  
  storing, at the server component, a data structure comprising a plurality of known generic fingerprints and, for each known generic fingerprint, a set of specific fingerprints associated with the known generic fingerprint;
  
  determining whether the software application is conclusively malicious by comparing the received specific fingerprint to the blacklist of specific fingerprints;
  
  in the event the software application is not determined to be conclusively malicious from comparing the received specific fingerprint to the blacklist of specific fingerprints, determining that the software application is conclusively malicious in response to the number of malicious specific fingerprints associated with one of the known generic fingerprints that matches the received generic fingerprint exceeding a predetermined threshold; and
  
  transmitting to the client component an indication of whether the software application is malicious or benign from processing the received specific fingerprint and the received generic fingerprint.
- View Dependent Claims (4, 5, 6, 7, 8)
- - 4. The computer implemented method according to claim 1, wherein:
    - in the event the software application is not determined to be conclusively malicious from comparing the received specific fingerprint to the blacklist of specific fingerprints, determining that the software application is possibly malicious in response to the number of malicious specific fingerprints associated with the known generic fingerprint that matches the received generic fingerprint being one or more but being less than the predetermined threshold.
  - 5. The computer implemented method according to claim 1, further comprising:
    - storing, at the server component, a whitelist comprising a plurality of specific fingerprints of software applications known to be benign;
      
      determining whether the software application is conclusively benign by comparing the received specific fingerprint to the whitelist of specific fingerprints; and
      
      transmitting to the client component an indication that software application is benign in response to determining that the specific fingerprint is conclusively benign.
  - 6. The computer implemented method according to claim 5, wherein the determination of whether the software application is conclusively malicious based on the received generic fingerprint is performed only in the event the software application is determined neither to be conclusively benign nor conclusively malicious from comparing the received specific fingerprint to the whitelist and blacklist of specific fingerprints.
  - 7. The computer implemented method according to claim 5, wherein:
    - in the event the software application is determined neither to be conclusively benign nor conclusively malicious from comparing the received specific fingerprint to the whitelist and blacklist of specific fingerprints, determining whether the software application is conclusively benign in response to the number of benign specific fingerprints associated with the known generic fingerprint that matches the received generic fingerprint exceeding another predetermined threshold and none of the specific fingerprints associated with the known generic fingerprint that matches the received generic fingerprint being malicious.
  - 8. The computer implemented method according to claim 5, wherein:
    - in the event the software application is determined neither to be conclusively benign nor conclusively malicious from comparing the received specific fingerprint to the whitelist and blacklist of specific fingerprints, determining whether the software application is possibly benign in response to one or more specific fingerprints associated with the known generic fingerprint that matches the received generic fingerprint being benign.

2. A non-transitory computer readable storage medium, provided at a server component, encoded with software comprising computer executable instructions and when the software is executed operable to:
- receive both a specific fingerprint and a generic fingerprint computed at a client component for a software application received at the client component;
  
  store in a memory a blacklist comprising a plurality of specific fingerprints of software applications known to be malicious;
  
  store in the memory a data structure comprising a plurality of known generic fingerprints and, for each known generic fingerprint, a set of specific fingerprints associated with the known generic fingerprint;
  
  determine whether the software application is conclusively malicious by comparing the received specific fingerprint to the blacklist of specific fingerprints;
  
  in the event the software application is not determined to be conclusively malicious from comparing the received specific fingerprint to the blacklist of specific fingerprints, determine that the software application is conclusively malicious in response to the number of malicious specific fingerprints associated with one of the known generic fingerprints that matches the received generic fingerprint exceeding a predetermined threshold; and
  
  transmit to the client component an indication of whether the software application is malicious or benign from processing the received specific fingerprint and the received generic fingerprint.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The non-transitory computer readable storage medium according to claim 2, further comprising computer executable instructions operable to:
    - determine, in the event the software application is not determined to be conclusively malicious from comparing the received specific fingerprint to the blacklist of specific fingerprints, that the software application is possibly malicious in response to the number of malicious specific fingerprints associated with the known generic fingerprint that matches the received generic fingerprint being one or more but being less than the predetermined threshold.
  - 10. The non-transitory computer readable storage medium according to claim 2, further comprising computer executable instructions operable to:
    - store a whitelist comprising a plurality of specific fingerprints of software applications known to be benign;
      
      determine whether the software application is conclusively benign by comparing the received specific fingerprint to the whitelist of specific fingerprints; and
      
      transmit to the client component an indication that software application is benign in response to determining that the specific fingerprint is conclusively benign.
  - 11. The non-transitory computer readable storage medium according to claim 10, wherein the computer executable instructions that determine whether the software application is conclusively malicious based on the received generic fingerprint are executed only in the event the software application is determined neither to be conclusively benign nor conclusively malicious from the computer executable instructions that compare the received specific fingerprint to the whitelist and blacklist of specific fingerprints.
  - 12. The non-transitory computer readable storage medium according to claim 10, further comprising computer executable instructions operable to:
    - determine, in the event the software application is determined neither to be conclusively benign nor conclusively malicious from comparing the received specific fingerprint to the whitelist and blacklist of specific fingerprints, whether the software application is conclusively benign in response to the number of benign specific fingerprints associated with the known generic fingerprint that matches the received generic fingerprint exceeding another predetermined threshold and none of the specific fingerprints associated with the known generic fingerprint that matches the received generic fingerprint being malicious.
  - 13. The non-transitory computer readable storage medium according to claim 10, further comprising computer executable instructions operable to:
    - determine, in the event the software application is determined neither to be conclusively benign nor conclusively malicious from comparing the received specific fingerprint to the whitelist and blacklist of specific fingerprints, whether the software application is possibly benign in response to one or more specific fingerprints associated with the known generic fingerprint that matches the received generic fingerprint being benign.

3. An apparatus, comprising:
- a memory configured to store a blacklist comprising a plurality of specific fingerprints of software applications known to be malicious and to store a data structure comprising a plurality of known generic fingerprints and, for each known generic fingerprint, a set of specific fingerprints associated with the known generic fingerprint; and
  
  a processor configured to;
  
  receive both a specific fingerprint and a generic fingerprint computed at a client component for a software application received at the client component;
  
  determine whether the software application is conclusively malicious by comparing the received specific fingerprint to the blacklist of specific fingerprints;
  
  in the event the software application is not determined to be conclusively malicious from comparing the received specific fingerprint to the blacklist of specific fingerprints, determine that the software application is conclusively malicious in response to the number of malicious specific fingerprints associated with one of the known generic fingerprints that matches the received generic fingerprint exceeding a predetermined threshold; and
  
  transmit to the client component an indication of whether the software application is malicious or benign from processing the received specific fingerprint and the received generic fingerprint.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The apparatus according to claim 3, wherein the processor is further configured to determine, in the event the software application is not determined to be conclusively malicious from comparing the received specific fingerprint to the blacklist of specific fingerprints, that the software application is possibly malicious in response to the number of malicious specific fingerprints associated with the known generic fingerprint that matches the received generic fingerprint being one or more but being less than the predetermined threshold.
  - 15. The apparatus according to claim 3, wherein the processor is further configured to:
    - store a whitelist comprising a plurality of specific fingerprints of software applications known to be benign;
      
      determine whether the software application is conclusively benign by comparing the received specific fingerprint to the whitelist of specific fingerprints; and
      
      transmit to the client component an indication that software application is benign in response to determining that the specific fingerprint is conclusively benign.
  - 16. The apparatus according to claim 15, wherein the processor is further configured to determine whether the software application is conclusively malicious based on the received generic fingerprint only in the event the software application is determined neither to be conclusively benign nor conclusively malicious from comparing the received specific fingerprint to the whitelist and blacklist of specific fingerprints.
  - 17. The apparatus according to claim 15, wherein the processor is further configured to:
    - determine, in the event the software application is determined neither to be conclusively benign nor conclusively malicious from comparing the received specific fingerprint to the whitelist and blacklist of specific fingerprints, whether the software application is conclusively benign in response to the number of benign specific fingerprints associated with the known generic fingerprint that matches the received generic fingerprint exceeding another predetermined threshold and none of the specific fingerprints associated with the known generic fingerprint that matches the received generic fingerprint being malicious.
  - 18. The apparatus according to claim 15, wherein the processor is further configured to:
    - determine, in the event the software application is determined neither to be conclusively benign nor conclusively malicious from comparing the received specific fingerprint to the whitelist and blacklist of specific fingerprints, whether the software application is possibly benign in response to one or more specific fingerprints associated with the known generic fingerprint that matches the received generic fingerprint being benign.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sourcefire Incorporated (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Friedrichs, Oliver, Huger, Alfred, O'Donnell, Adam J.
Primary Examiner(s)
PERUNGAVOOR, VENKATANARAY

Application Number

US13/308,522
Publication Number

US 20120210422A1
Time in Patent Office

1,343 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/564 by virus signature recognition

H04L 63/1416 Event detection, e.g. attac...

Method and apparatus for detecting malicious software using generic signatures

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for detecting malicious software using generic signatures

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others