Determining file risk based on security reputation of associated objects

US 9,231,969 B1
Filed: 05/28/2010
Issued: 01/05/2016
Est. Priority Date: 05/28/2010
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for tracking security risks of a polymorphic file by tracking static objects generated by the polymorphic file, the method comprising the steps of:

tracking, by a computer, a first object created by a first mutation of a polymorphic file at a first time wherein the polymorphic file has not been previously identified as comprising malware and said first object is tracked for performing a malware service;

determining whether a security reputation for the first object meets a security threshold;

determining, by a computer, a security risk of the polymorphic file that created the first object based on the security reputation of the first object, wherein, responsive to a determination that the security reputation for the first object meets the predetermined security threshold, the polymorphic file is determined to comprise malware if it meets a security threshold determined based on at least one of;

the number of distinct first objects created by the polymorphic file and the number of times a distinct first object is created by the polymorphic file;

storing, by a computer, the security reputation for the first object in a database;

linking, by a computer, a second mutation of the polymorphic file to the first mutation by subsequently identifying the first object created by a second mutation of the polymorphic file at a second time; and

receiving, by a computer, the security risk of the polymorphic file that created the first object at the first and second times based on the determined security reputation of the first object.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The creations of objects by files that have not been previously identified as malware are tracked. The security reputations of specific created objects are determined. Based on the determined security reputations of specific created objects, the security risks concerning the specific files that created the objects are determined. Responsive to whether a determined security risk concerning a specific creating file meets a given threshold, it is determined whether the specific creating file comprises malware. Responsive to determining that a specific creating file comprises malware, the creating file is blocked from performing the activity associated with the creation of the associated object. Responsive to determining that a creating file comprises malware, the creating file can be disabled, and an alert concerning the creating file can be transmitted to a central security server.

Citations

20 Claims

1. A computer implemented method for tracking security risks of a polymorphic file by tracking static objects generated by the polymorphic file, the method comprising the steps of:
- tracking, by a computer, a first object created by a first mutation of a polymorphic file at a first time wherein the polymorphic file has not been previously identified as comprising malware and said first object is tracked for performing a malware service;
  
  determining whether a security reputation for the first object meets a security threshold;
  
  determining, by a computer, a security risk of the polymorphic file that created the first object based on the security reputation of the first object, wherein, responsive to a determination that the security reputation for the first object meets the predetermined security threshold, the polymorphic file is determined to comprise malware if it meets a security threshold determined based on at least one of;
  
  the number of distinct first objects created by the polymorphic file and the number of times a distinct first object is created by the polymorphic file;
  
  storing, by a computer, the security reputation for the first object in a database;
  
  linking, by a computer, a second mutation of the polymorphic file to the first mutation by subsequently identifying the first object created by a second mutation of the polymorphic file at a second time; and
  
  receiving, by a computer, the security risk of the polymorphic file that created the first object at the first and second times based on the determined security reputation of the first object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein determining, by a computer, whether a security reputation for the first object meets a security threshold, further comprises:
    - retrieving, by a computer, the security reputation for the first object from an object reputation database.
  - 3. The method of claim 1 further comprising:
    - responsive to determining that a polymorphic file comprises malware, blocking, by a computer, an attempt by the polymorphic file to perform an activity associated with an associated object.
  - 4. The method of claim 3 wherein blocking, by a computer, an attempt by a polymorphic file to perform an activity associated with an associated created object further comprises:
    - responsive to determining that the polymorphic file comprises malware, blocking, by a computer, an attempt by the polymorphic file to register itself with an operating system in order to be automatically started when the operating system is booted.
  - 5. The method of claim 1 further comprising:
    - responsive to determining that a polymorphic file comprises malware, disabling, by a computer, the polymorphic file.
  - 6. The method of claim 1 further comprising:
    - responsive to determining that a polymorphic file comprises malware, transmitting, by a computer, an alert concerning the polymorphic files to a central security server.
  - 7. The method of claim 1 further comprising:
    - storing, by a computer, security reputations concerning a plurality of created objects, each security reputation concerning for a first object being based at least partially on at least one security reputation of at least one associated polymorphic file.
  - 8. The method of claim 7 further comprising:
    - adjusting, by a computer, a stored security reputation for a first object, based on associated polymorphic file activity concerning the first object.
  - 9. The method of claim 7 wherein determining, by a computer, whether a security reputation for the first object meets a security threshold further comprises:
    - retrieving, by a computer, a stored security reputation of the first object.

10. At least one non-transitory computer readable storage medium storing a computer program product for tracking security risks of a polymorphic file by tracking static objects generated by the polymorphic file, the computer program product comprising:
- program code for tracking a first object created by a first mutation of a polymorphic file at a first time wherein the polymorphic file has not been previously identified as comprising malware and said first object is tracked for performing a malware service;
  
  program code for determining whether a security reputation for the first object meets a security threshold;
  
  program code for determining a security risk of the polymorphic file that created the first object based on the security reputation of the first object, wherein, responsive to a determination that the security reputation for the first object meets the predetermined security threshold, the polymorphic file is determined to comprise malware if it meets a security threshold determined based on at least one of;
  
  the number of distinct first objects created by the polymorphic file and the number of times a distinct first object is created by the polymorphic file;
  
  program code for storing the security reputation for the first object in a database;
  
  program code for linking a second mutation of the polymorphic file to the first mutation by subsequently identifying the first object created by a second mutation of the polymorphic file at a second time; and
  
  program code for receiving the security risk of the polymorphic file that created the first object at the first and second times based on the determined security reputation of the first object.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer program product of claim 10 wherein the program code for determining whether a security reputation for the first object meets a security threshold further comprises:
    - program code for retrieving the security reputation for the first object from an object reputation database.
  - 12. The computer program product of claim 10, further comprising:
    - program code for, responsive to determining that a polymorphic file comprises malware, blocking an attempt by the polymorphic file to perform an activity associated with an associated object.
  - 13. The computer program product of claim 12 wherein the program code for blocking an attempt by a polymorphic file to perform an activity associated with an associated created object further comprises:
    - program code for, responsive to determining that the polymorphic file comprises malware, blocking an attempt by the polymorphic file to register itself with an operating system in order to be automatically started when the operating system is booted.
  - 14. The computer program product of claim 10 further comprising:
    - program code for, responsive to determining that a polymorphic file comprises malware, disabling the polymorphic file.
  - 15. The computer program product of claim 10 further comprising:
    - program code for, responsive to determining that a polymorphic file comprises malware, transmitting an alert concerning the polymorphic files to a central security server.
  - 16. The computer program product of claim 10 further comprising:
    - program code for storing security reputations concerning a plurality of created objects, each security reputation concerning a first object being based at least partially on at least one security reputation of at least one associated polymorphic file.
  - 17. The computer program product of claim 16 further comprising:
    - program code for adjusting a stored security reputation for a first object, based on associated polymorphic file activity concerning the first object.
  - 18. The computer program product of claim 16 wherein the program code for determining whether a security reputation for the first object meets a security threshold further comprises:
    - program code for retrieving a stored security reputation for the first object.

19. A computer system for tracking security risks of a polymorphic file by tracking static objects generated by the polymorphic file, the computer system comprising:
- means for tracking a first object created by a first mutation of a polymorphic file at a first time wherein the polymorphic file has not been previously identified as comprising malware and said first object is tracked for performing a malware service;
  
  means for determining whether a security reputation for the first object meets a security threshold;
  
  means for determining a security risk of the polymorphic file that created the first object based on the security reputation of the first object, wherein, responsive to a determination that the security reputation for the first object meets the predetermined security threshold, the polymorphic file is determined to comprise malware if it meets a security threshold determined based on at least one of;
  
  the number of distinct first objects created by the polymorphic file and the number of times a distinct first object is created by the polymorphic file;
  
  means for storing the security reputation for the first object in a database;
  
  means for linking a second mutation of the polymorphic file to the first mutation by subsequently identifying the first object created by a second mutation of the polymorphic file at a second time; and
  
  means for receiving the security risk of the polymorphic file that created the first object at the first and second times based on the determined security reputation of the first object.
- View Dependent Claims (20)
- - 20. The computer system of claim 19 further comprising:
    - means for, responsive to determining that a polymorphic file comprises malware, blocking an attempt by the polymorphic file to perform an activity associated with an associated object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Satish, Sourabh
Primary Examiner(s)
Tran, Ellen

Application Number

US12/790,610
Time in Patent Office

2,048 Days
Field of Search

726/22, 726/23, 726/25, 726/26
US Class Current

1/1
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/562   Static detection

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Determining file risk based on security reputation of associated objects

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Determining file risk based on security reputation of associated objects

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links