Early malware detection by cross-referencing host data

US 9,117,075 B1
Filed: 11/22/2010
Issued: 08/25/2015
Est. Priority Date: 11/22/2010
Status: Active Grant

First Claim

Patent Images

1. A method of detecting malware, said method comprising:

determining that a first behavior of a first computer within an enterprise is suspected of being caused by malware;

determining that a second behavior of a second computer within said enterprise is suspected of being caused by malware;

determining, by a central management computer, that said first and second behaviors are the same and that said behaviors are not shared with any behavior of a trusted computer by comparing said behaviors to behaviors of said trusted computer, said trusted computer being a computer within said enterprise and being malware free;

determining, by said central management computer, that said first and second computers are both configured to be Web servers, both configured to be database servers, both configured to be e-mail servers, both configured to be proxy servers, both configured to be storage servers, both configured to be source code servers, or are both configured to be pattern update servers and provide a same common service function within said enterprise; and

not issuing a malware alert because of said determining that said first and second computers provide said common service function even though said behaviors on said first and second computers are not shared with said trusted computer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer network of an enterprise includes a central management computer linking at least one trusted host computer with at least one user computer. The trusted host computer is not used for normal day-to-day activities within the enterprise, and may also not be used for reading electronic mail nor for accessing the Internet and downloading Web site content. Antivirus software on the user computer screens for suspect activity or features and, if found, the suspect activity or features are compared to rules database. If a determination of malware cannot be made, then these unresolved activities or features are sent to the central management computer to be compared to the trusted, known activities and features of the trusted computer. The suspect activities may be deemed acceptable if activities are shared amongst a certain number of user computers all configured to perform the same function. A user computer may be compared against itself over time.

103 Citations

View as Search Results

20 Claims

1. A method of detecting malware, said method comprising:
- determining that a first behavior of a first computer within an enterprise is suspected of being caused by malware;
  
  determining that a second behavior of a second computer within said enterprise is suspected of being caused by malware;
  
  determining, by a central management computer, that said first and second behaviors are the same and that said behaviors are not shared with any behavior of a trusted computer by comparing said behaviors to behaviors of said trusted computer, said trusted computer being a computer within said enterprise and being malware free;
  
  determining, by said central management computer, that said first and second computers are both configured to be Web servers, both configured to be database servers, both configured to be e-mail servers, both configured to be proxy servers, both configured to be storage servers, both configured to be source code servers, or are both configured to be pattern update servers and provide a same common service function within said enterprise; and
  
  not issuing a malware alert because of said determining that said first and second computers provide said common service function even though said behaviors on said first and second computers are not shared with said trusted computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A method as recited in claim 1 further comprising:
    - determining that said first and second behaviors are caused by malware when said first behavior does not match with a white list on said trusted computer; and
      
      issuing a malware alert.
  - 3. A method as recited in claim 1 further comprising:
    - determining that said first behavior is not caused by malware when said first behavior matches with a white list on said trusted computer; and
      
      allowing said first behavior on said first computer to continue.
  - 4. A method as recited in claim 1 further comprising:
    - determining that said first and second behaviors are not caused by malware; and
      
      allowing said behaviors on said first and second computers to continue.
  - 5. A method as recited in claim 1 wherein one of said first or second computers is a rogue computer that is not managed by said enterprise, said method further comprising:
    - determining that said behaviors are indicative of malware; and
      
      issuing a malware alert.
  - 6. A method as recited in claim 1 wherein said service function is a Web service.
  - 7. A method as recited in claim 1 wherein said service function is a database service.
  - 8. A method as recited in claim 1 wherein said first and second computers are configured as end user computers and wherein said trusted computer is also configured as an end user computer.
  - 9. A method as recited in claim 1 wherein said comparing said behaviors includes comparing said behaviors to at least one white list of said trusted computer.
  - 10. A method as recited in claim 1 wherein said comparing said behaviors includes comparing DLLs loaded by a process of said first and second computers with DLLs loaded by a process of said trusted computer.
  - 11. A method as recited in claim 1 further comprising:
    - determining, by said central management computer, whether said first and second computers are both configured to provide said same common service function within said enterprise;
      
      not issuing a malware alert when it is determined that said first and second computers provide said same common service function even though said behaviors on said first and second computers are not shared with said trusted computer; and
      
      issuing a malware alert when it is determined that said first and second computers do not provide said same common service function.

12. A method of detecting malware, said method comprising:
- determining that a first behavior of a first computer within an enterprise is suspected of being caused by malware;
  
  determining that a second behavior of a second computer within said enterprise is suspected of being caused by malware;
  
  determining that a third behavior of a third computer within said enterprise is suspected of being caused by malware;
  
  determining, by a central management computer, that said first, second and third behaviors are the same and that said behaviors are not shared with any behavior of a trusted computer by comparing said behaviors to behaviors of said trusted computer, said trusted computer being a computer within said enterprise and being malware free; and
  
  determining, by said central management computer, that said first, second and third computers all are configured to be Web servers, all configured to be database servers, all configured to be e-mail servers, all configured to be proxy servers, all configured to be storage servers, all configured to be source code servers, or are all configured to be pattern update servers and provide a same common service function within said enterprise;
  
  not issuing a malware alert because of said determining that said first, second and third computers provide said common service function even though said behaviors on said first, second and third computers are not shared with said trusted computer.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. A method as recited in claim 12 further comprising:
    - determining that said behaviors do not match with any white lists on said trusted computer.
  - 14. A method as recited in claim 12 further comprisingcomparing said first behavior to an exception rules database;
    - anddetermining that said first behavior does not match with any rule in said exception rules database.
  - 15. A method as recited in claim 12 further comprising:
    - determining that said first behavior is suspected of being caused by malware when antivirus software of said first computer cannot identify said first behavior.
  - 16. A method as recited in claim 12 wherein one of said first, second or third computers is a rogue computer that is not managed by said enterprise.
  - 17. A method as recited in claim 12 wherein said first, second and third computers are configured as end user computers and wherein said trusted computer is also configured as an end user computer.
  - 18. A method as recited in claim 12 wherein said comparing said behaviors includes comparing said behaviors to at least one white list of said trusted computer.
  - 19. A method as recited in claim 12 wherein said comparing said behaviors includes comparing DLLs loaded by a process of said first, second and third computers with DLLs loaded by a process of said trusted computer.
  - 20. A method as recited in claim 12 further comprising:
    - determining, by said central management computer, whether said first, second and third computers are all configured to provide said same common service function within said enterprise;
      
      not issuing a malware alert when it is determined that said first, second and third computers provide said same common service function even though said behaviors on said first, second and third computers are not shared with said trusted computer; and
      
      issuing a malware alert when it is determined that said first, second and third computers do not provide said same common service function.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Yeh, Anne
Primary Examiner(s)
Lewis, Lisa
Assistant Examiner(s)
Lwin, Maung

Application Number

US12/951,785
Time in Patent Office

1,737 Days
Field of Search

726/24
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Early malware detection by cross-referencing host data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

103 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Early malware detection by cross-referencing host data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others