System and method for detecting malicious mobile program code
First Claim
1. A method of detecting malware, comprising:
receiving a program file;
performing, by a malware detector comprising executable instructions, analysis on the program file to identify a plurality of URLs;
associating, by the malware detector, a category with each of the plurality of URLs as a function of a URL filter database;
assigning, by the malware detector, a malware probability and a malware type to each of the plurality of URLs responsive to the category associated with each of the plurality of URLs, wherein the malware type describes a function of malware associated with the category associated with that URL;
calculating a malware type probability associated with the malware type of each of the plurality of URLs, the malware type probability comprising a probability that URLs in the category associated with that URL are associated with the malware type;
assigning an overall malware type to the program file corresponding to the malware type of a first URL of the plurality of URLs having a malware type probability that exceeds a predetermined threshold value; and
deciding how to dispose of the program file based at least in part on the overall malware type of the program file; and
wherein the malware probability and the malware type of each of the plurality of URLs are assigned without accessing content pointed to by that URL unless that URL is uncategorized by the URL filter database, in which case accessing content pointed to by that URL in order to assign the malware probability and the malware type to that URL.
Abstract
A system and method of detecting malware. A program file is received and analysis performed to identify URLs embedded in the program file. The URLs are categorized as a function of a URL filter database and a malware probability is assigned to each URL identified. A decision is made on how to dispose of the program file as a function of the malware probability of one or more of the URLs identified. In one example approach, a malware type is also assigned to the program file as a function of one or more of the URLs identified.
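The pipeline described in the abstract and in claim 1 (static URL extraction, category lookup in a URL filter database, per-URL malware probability and malware type, an overall malware type taken from the first URL whose malware type probability exceeds a threshold, and a disposition decision) is shown below as an added worked example. It is not code from the patent or from any product; the filter database, the per-category probabilities, the content heuristics for uncategorized URLs, the sample program file and the `fake_fetch` stand-in for a sandboxed HTTP fetch are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

# Constructed URL filter database keyed by hostname (a real detector would
# back this with a vendor categorization feed).
URL_FILTER_DB: Dict[str, str] = {
    "cdn.example.com": "content_delivery",
    "update.example.org": "software_updates",
    "bad-malware-host.test": "malware_distribution",
    "login-verify.test": "phishing",
    "c2.test": "botnet_c2",
}

# Constructed per-category model: (malware probability, malware type,
# probability that URLs in this category carry that malware type).
CATEGORY_MODEL: Dict[str, Tuple[float, str, float]] = {
    "content_delivery": (0.02, "none", 0.0),
    "software_updates": (0.05, "downloader", 0.10),
    "malware_distribution": (0.95, "downloader", 0.90),
    "phishing": (0.80, "credential_stealer", 0.85),
    "botnet_c2": (0.97, "bot", 0.95),
    "executable_download": (0.60, "downloader", 0.55),  # derived from fetched content
    "uncategorized": (0.30, "unknown", 0.0),
}

# ASCII URLs, and UTF-16LE strings (common in PE binaries) that may hold URLs.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'<>\x00]*)?")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


@dataclass
class UrlVerdict:
    url: str
    category: str
    malware_probability: float
    malware_type: str
    malware_type_probability: float
    fetched: bool  # True only when the URL was uncategorized and its content was pulled


def extract_urls(program: bytes) -> List[str]:
    """Static extraction in file order; no URL is contacted here."""
    hits: List[Tuple[int, str]] = []
    for m in URL_RE.finditer(program):
        hits.append((m.start(), m.group(0).decode("ascii", "ignore")))
    for m in WIDE_RE.finditer(program):
        narrow = m.group(0).decode("utf-16le").encode("ascii", "ignore")
        for u in URL_RE.findall(narrow):
            hits.append((m.start(), u.decode("ascii")))
    hits.sort()
    return list(dict.fromkeys(url for _, url in hits))  # dedupe, keep first occurrence


def categorize(url: str, fetch: Callable[[str], bytes]) -> Tuple[str, bool]:
    """Database lookup first; content is fetched only for uncategorized URLs
    (the exception in claim 1). The content heuristics are assumed stand-ins."""
    host = urlparse(url).hostname or ""
    if host in URL_FILTER_DB:
        return URL_FILTER_DB[host], False
    body = fetch(url)
    if body[:2] == b"MZ":
        return "executable_download", True
    if b"<form" in body.lower() and b"password" in body.lower():
        return "phishing", True
    return "uncategorized", True


def assess_urls(urls: List[str], fetch: Callable[[str], bytes]) -> List[UrlVerdict]:
    verdicts = []
    for url in urls:
        category, fetched = categorize(url, fetch)
        prob, mtype, type_prob = CATEGORY_MODEL[category]
        verdicts.append(UrlVerdict(url, category, prob, mtype, type_prob, fetched))
    return verdicts


def overall_malware_type(verdicts: List[UrlVerdict], threshold: float = 0.5) -> str:
    """The first URL whose malware type probability exceeds the threshold
    fixes the file's overall malware type; 'none' if no URL does."""
    for v in verdicts:
        if v.malware_type_probability > threshold:
            return v.malware_type
    return "none"


def decide_disposition(mtype: str, verdicts: List[UrlVerdict]) -> str:
    """Disposition based on the overall type, with per-URL probability as a
    secondary signal (assumed policy)."""
    if mtype in {"bot", "credential_stealer"}:
        return "block"
    if mtype == "downloader" or max((v.malware_probability for v in verdicts), default=0.0) >= 0.5:
        return "quarantine"
    return "allow"


def dispose_program_file(program: bytes, fetch: Callable[[str], bytes], threshold: float = 0.5):
    verdicts = assess_urls(extract_urls(program), fetch)
    mtype = overall_malware_type(verdicts, threshold)
    return mtype, decide_disposition(mtype, verdicts), verdicts


# Constructed sample "program file": one ASCII URL, one UTF-16LE URL, one unlisted host.
SAMPLE_PROGRAM = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"https://cdn.example.com/lib.js\x00"
    + "https://c2.test/beacon".encode("utf-16le") + b"\x00\x00"
    + b"http://unlisted-host.test/drop.exe\x00"
)


def fake_fetch(url: str) -> bytes:
    """Constructed stand-in for a sandboxed fetch of an uncategorized URL."""
    if url.endswith("drop.exe"):
        return b"MZ\x90\x00fake pe payload"
    return b"<html><body>nothing here</body></html>"


if __name__ == "__main__":
    mtype, action, verdicts = dispose_program_file(SAMPLE_PROGRAM, fake_fetch)
    for v in verdicts:
        print(f"{v.url}: {v.category} p={v.malware_probability} type={v.malware_type} fetched={v.fetched}")
    print("overall:", mtype, "->", action)
```

Two practitioner points the claim language hides: the "first URL above threshold" rule makes the verdict depend on extraction order, so `extract_urls` sorts by file offset to keep results reproducible; and the only network access happens for URLs the database does not know, which is why `fetch` is injected rather than called directly, so a gateway can route those fetches through a sandbox or disable them.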
16 Claims
1. A method of detecting malware, comprising: (independent claim; full text given above under First Claim)
Dependent claims: 2, 3, 4
5. A gateway, comprising:
a hardware processor;
an anti-malware filter, comprising executable instructions;
a URL filter database; and
a malware detector, comprising executable instructions, connected to the anti-malware filter and the URL filter database;
wherein the malware detector is configured to:
perform analysis on a program file to identify a plurality of URLs;
associate a category with each of the plurality of URLs as a function of the URL filter database;
assign a malware type to each of the plurality of URLs, wherein the malware type describes a function of malware associated with the category associated with that URL;
assign a malware probability to each of the plurality of URLs, based on the category associated with that URL;
calculate a malware type probability associated with the malware type of each of the plurality of URLs, the malware type probability comprising a probability that URLs in the category associated with that URL are associated with the malware type;
assign an overall malware type to the program file corresponding to the malware type of a first URL of the plurality of URLs having a malware type probability that exceeds a predetermined threshold value; and
wherein the anti-malware filter is configured to decide, based at least in part on the overall malware type of the program file, how to dispose of the program file, and
wherein the malware probability and the malware type of each of the plurality of URLs are assigned without accessing content pointed to by that URL unless that URL is uncategorized by the URL filter database, in which case accessing content pointed to by that URL in order to assign the malware probability and the malware type to that URL.
Dependent claims: 6, 7, 8, 9, 10, 11
12. A non-transitory machine readable medium, on which are stored instructions, comprising instructions that when executed cause a machine to:
identify, by a malware detector, a plurality of URLs in a program file;
associate, by the malware detector, a category with each of the plurality of URLs as a function of a URL filter database;
assign, by the malware detector, a malware probability and a malware type to the URL based at least in part on the category associated with that URL, wherein the malware type describes a function of malware associated with the category associated with that URL;
calculate a malware type probability associated with the malware type of each of the plurality of URLs, the malware type probability comprising a probability that URLs in the category associated with that URL are associated with the malware type;
assign an overall malware type to the program file corresponding to the malware type of a first URL of the plurality of URLs having a malware type probability that exceeds a predetermined threshold value; and
determine how to dispose of the program file based at least in part on the overall malware type of the program file,
wherein the malware probability and the malware type of each of the plurality of URLs are assigned without accessing content pointed to by that URL unless that URL is uncategorized by the URL filter database, in which case accessing content pointed to by that URL in order to assign the malware probability and the malware type to that URL.
Dependent claims: 13, 14, 15, 16
Specification