Method and apparatus for detecting malicious software through contextual convictions
First Claim
1. A computer-implemented method for making a determination concerning whether a software application is benign or malicious comprising:
extracting metadata about the application;
gathering a first set of contextual information concerning the system to generate a constructed infection history for a client, wherein said first set of contextual information includes recent infection history, applications running on the system, web sites visited, the geographic location of the client, the Internet Protocol (IP) address of the client, and a client identifier;
transmitting the metadata and the first set of contextual information to a server component, wherein the metadata and the first set of contextual information are encoded prior to the transmitting;
making a determination as to whether the application is benign or malicious by:
examining the metadata and determining that the application is suspicious; and
when the application is suspicious and a final determination as to whether the application is benign or malicious cannot be made without analyzing the first set of contextual information, examining the metadata based on the constructed infection history, including analyzing the metadata based on geographic parameters and web site specific parameters determined based on the constructed infection history, to determine whether the application is benign or malicious;
deriving a model based on the determination, the model encoding rules to be utilized in making future determinations when a second set of contextual information is similar to the first set of contextual information;
transmitting a response to the client containing information relating to the determination; and
making a determination as to whether to take any action concerning the application based on the information from the server component.
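To make the claimed client/server flow concrete, here is an added Python sketch (not code from the patent or its assignee): a metadata-only triage step, then, only when that step returns "suspicious", contextual analysis using geographic and web-site-specific infection rates derived from a constructed infection history, with the resulting rule cached so that a later, similar context is decided the same way. All function names, the scoring weights, the threshold and the sample history are assumptions made for the example.

```python
import json
from collections import defaultdict

# Constructed sample infection history aggregated by the server from earlier client
# reports: (client geographic location, web site visited, did an infection follow?).
HISTORY = [("RU", "dl.badsite.test", True), ("RU", "news.test", True), ("US", "news.test", False),
           ("US", "dl.badsite.test", True), ("DE", "news.test", False), ("DE", "dl.badsite.test", False)]

# Context keys mirror claim 1: recent_infections, running_apps, sites_visited, geo, ip, client_id.
def encode_request(meta, ctx):
    """Client side: metadata and context are encoded before transmission."""
    return json.dumps({"metadata": meta, "context": ctx}).encode()

def metadata_verdict(meta):
    """Metadata-only triage; 'suspicious' means context is needed for a final decision."""
    if meta.get("known_bad_hash"):
        return "malicious"
    if meta.get("signed") and meta.get("prevalence", 0) >= 1000:
        return "benign"
    return "suspicious" if meta.get("prevalence", 0) < 10 or meta.get("packed") else "benign"

class ContextualServer:
    def __init__(self, history, threshold=0.5):
        geo, site = defaultdict(lambda: [0, 0]), defaultdict(lambda: [0, 0])
        for g, s, infected in history:  # geographic and site-specific parameters
            geo[g][0] += infected; geo[g][1] += 1
            site[s][0] += infected; site[s][1] += 1
        self.geo_rate = {g: hit / n for g, (hit, n) in geo.items()}
        self.site_rate = {s: hit / n for s, (hit, n) in site.items()}
        self.threshold = threshold
        self.model = {}  # derived rules keyed by a context signature

    def decide(self, request):
        req = json.loads(request.decode())
        meta, ctx = req["metadata"], req["context"]
        verdict = metadata_verdict(meta)
        if verdict != "suspicious":
            return verdict  # metadata alone settles it
        sites = tuple(sorted(s for s in ctx["sites_visited"] if s in self.site_rate))
        sig = (ctx["geo"], sites, bool(ctx["recent_infections"]))
        if sig in self.model:
            return self.model[sig]  # reuse the rule derived from an earlier, similar context
        score = max([self.geo_rate.get(ctx["geo"], 0.0)] +
                    [self.site_rate.get(s, 0.0) for s in ctx["sites_visited"]])
        if ctx["recent_infections"]:
            score += 0.2  # a recent infection on this client raises the prior
        verdict = "malicious" if score >= self.threshold else "benign"
        self.model[sig] = verdict  # encode the rule for future determinations
        return verdict
```

The client's final step in the claim, deciding whether to act on the returned verdict, is left to the caller of `decide`.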
5 Assignments
0 Petitions
Abstract
Novel methods, components, and systems that enhance traditional techniques for detecting malicious software are presented. More specifically, we describe methods, components, and systems that leverage important contextual information from a client system (such as recent history of events on that system) to detect malicious software that might have otherwise gone ignored. The disclosed invention provides a significant improvement with regard to detection capabilities compared to previous approaches.
23 Claims
1. A computer-implemented method for making a determination concerning whether a software application is benign or malicious comprising:
extracting metadata about the application;
gathering a first set of contextual information concerning the system to generate a constructed infection history for a client, wherein said first set of contextual information includes recent infection history, applications running on the system, web sites visited, the geographic location of the client, the Internet Protocol (IP) address of the client, and a client identifier;
transmitting the metadata and the first set of contextual information to a server component, wherein the metadata and the first set of contextual information are encoded prior to the transmitting;
making a determination as to whether the application is benign or malicious by:
examining the metadata and determining that the application is suspicious; and
when the application is suspicious and a final determination as to whether the application is benign or malicious cannot be made without analyzing the first set of contextual information, examining the metadata based on the constructed infection history, including analyzing the metadata based on geographic parameters and web site specific parameters determined based on the constructed infection history, to determine whether the application is benign or malicious;
deriving a model based on the determination, the model encoding rules to be utilized in making future determinations when a second set of contextual information is similar to the first set of contextual information;
transmitting a response to the client containing information relating to the determination; and
making a determination as to whether to take any action concerning the application based on the information from the server component.
Dependent claims: 2, 3, 4, 5
6. Non-transitory computer-readable storage medium containing computer readable instructions operable to make a determination concerning whether a software application is benign or malicious, said instructions comprising instructions operable to:
extract metadata about the application;
gather a first set of contextual information concerning the system to generate a constructed infection history for a client, wherein said first set of contextual information includes recent infection history, applications running on the system, web sites visited, the geographic location of the client, the Internet Protocol (IP) address of the client, and a client identifier;
transmit the metadata and the first set of contextual information to a server component, wherein the metadata and the first set of contextual information are encoded prior to the transmitting;
make a determination as to whether the application is benign or malicious by:
examining the metadata and determining that the application is suspicious; and
when the application is suspicious and a final determination as to whether the application is benign or malicious cannot be made without analyzing the first set of contextual information, examining the metadata based on the constructed infection history, including analyzing the metadata based on geographic parameters and web site specific parameters determined based on the constructed infection history, to determine whether the application is benign or malicious;
derive a model based on the determination, the model encoding rules to be utilized in making future determinations when a second set of contextual information is similar to the first set of contextual information;
transmit a response to the client containing information relating to the determination; and
make a determination as to whether to take any action concerning the application based on the information from the server component.
Dependent claims: 7, 8, 9, 10
11. Non-transitory computer-readable storage medium containing instructions operable to make a determination concerning whether a software application is benign or malicious, said instructions comprising instructions operable to:
extract metadata about the application;
gather a first set of contextual information concerning the system to generate a constructed infection history for a client, wherein said first set of contextual information includes recent infection history, applications running on the system, web sites visited, the geographic location of the client, the Internet Protocol (IP) address of the client, and a client identifier;
transmit the metadata and the first set of contextual information to a server component, wherein the metadata and the first set of contextual information are encoded prior to the transmitting;
receive a response from the server component relating to a determination as to whether the application is benign or malicious based on the metadata and the first set of contextual information, wherein said determination as to whether the application is benign or malicious is made by:
examining the metadata and determining that the application is suspicious;
when the application is suspicious and a final determination as to whether the application is benign or malicious cannot be made without analyzing the first set of contextual information, examining the metadata based on the constructed infection history, including analyzing the metadata based on geographic parameters and web site specific parameters determined based on the constructed infection history, to determine whether the application is benign or malicious; and
derive a model based on the determination, the model encoding rules to be utilized in making future determinations when a second set of contextual information is similar to the first set of contextual information; and
take an action with respect to the application based on the information received from the server component.
Dependent claims: 12, 13, 14, 23
15. Non-transitory computer-readable storage medium containing instructions operable to make a determination concerning whether a software application is benign or malicious, said instructions comprising instructions operable to:
receive metadata about the application and a first set of contextual information concerning the system to generate a constructed infection history for a client, wherein the metadata and the first set of contextual information are encoded prior to being received, and wherein said first set of contextual information includes recent infection history, applications running on the system, web sites visited, the geographic location of the client, the Internet Protocol (IP) address of the client, and a client identifier;
make a determination as to whether the application is benign or malicious by:
examining the metadata and determining that the application is suspicious; and
when the application is suspicious and a final determination as to whether the application is benign or malicious cannot be made without analyzing the first set of contextual information, examining the metadata based on the constructed infection history, including analyzing the metadata based on geographic parameters and web site specific parameters determined based on the constructed infection history, to determine whether the application is benign or malicious;
derive a model based on the determination, the model encoding rules to be utilized in making future determinations when a second set of contextual information is similar to the first set of contextual information; and
transmit a response to the client containing information relating to the determination.
Dependent claims: 16, 17
18. A computer system configured to determine whether a software application is benign or malicious, comprising:
a first non-transitory computer-readable storage medium containing instructions operable to:
extract metadata about the application;
gather a first set of contextual information concerning the system to generate a constructed infection history for a client, wherein said first set of contextual information includes recent infection history, applications running on the system, web sites visited, the geographic location of the client, the Internet Protocol (IP) address of the client, and a client identifier; and
transmit the metadata and the first set of contextual information to a server component, wherein the metadata and the first set of contextual information are encoded prior to being transmitted; and
a second non-transitory computer-readable storage medium containing instructions operable to:
make a determination as to whether the application is benign or malicious by:
examining the metadata and determining that the application is suspicious; and
when the application is suspicious and a final determination as to whether the application is benign or malicious cannot be made without analyzing the first set of contextual information, examining the metadata based on the constructed infection history, including analyzing the metadata based on geographic parameters and web site specific parameters determined based on the constructed infection history, to determine whether the application is benign or malicious;
derive a model based on the determination, the model encoding rules to be utilized in making future determinations when a second set of contextual information is similar to the first set of contextual information; and
transmit a response to the client containing information relating to the determination.
Dependent claims: 19, 20, 21, 22
Specification