Methods and apparatus for dealing with malware

US 9,413,721 B2
Filed: 02/13/2012
Issued: 08/09/2016
Est. Priority Date: 02/15/2011
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method of classifying a computer object as malware, the method comprising:

receiving, at a first threat server, details of a first computer object from a first remote computer, wherein the details of the first computer object include data uniquely identifying the first computer object;

determining, by the first threat server, whether the first computer object has been previously seen by comparing the data uniquely identifying the first computer object to a plurality of data uniquely identifying plural computer objects in a first database associated with the first threat server;

receiving additional information about the first computer object from the first remote computer when the first computer object has not been previously seen;

storing the details of the first computer object and the received additional information about the first computer object in a second database associated with the first threat server when the first computer object has not been previously seen;

providing contents of the second database to at least one database associated with a central server, wherein the contents comprise a signature of the first computer object, behavior information about the first computer object, and information about the first remote computer;

increasing a count associated with a number of times that the first computer object has been seen, and providing the increased count associated with the number of times that the first computer object has been seen to the central server; and

receiving, at a second threat server, at least a portion of the contents of the at least one database associated with the central server, wherein the at least a portion of the contents of the at least one database associated with the central server include a subset of the details of the first computer object stored in the second database.

View all claims

9 Assignments

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

Methods for classifying computer objects as malware and the associated apparatus are disclosed. An exemplary method includes, at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored or processed wherein the base computer comprises plural threat servers arranged to receive the data from the plural remote computers and apply rules or heuristics against the data in real time to determine whether or not the object is malware and to communicate the determination to the remote computers. The base computer includes at least one central server in communication with the threat servers and arranged to receive the data about objects from the threat servers to maintain a master database of data received about objects from all threat servers.

131 Citations

View as Search Results

15 Claims

1. A method of classifying a computer object as malware, the method comprising:
- receiving, at a first threat server, details of a first computer object from a first remote computer, wherein the details of the first computer object include data uniquely identifying the first computer object;
  
  determining, by the first threat server, whether the first computer object has been previously seen by comparing the data uniquely identifying the first computer object to a plurality of data uniquely identifying plural computer objects in a first database associated with the first threat server;
  
  receiving additional information about the first computer object from the first remote computer when the first computer object has not been previously seen;
  
  storing the details of the first computer object and the received additional information about the first computer object in a second database associated with the first threat server when the first computer object has not been previously seen;
  
  providing contents of the second database to at least one database associated with a central server, wherein the contents comprise a signature of the first computer object, behavior information about the first computer object, and information about the first remote computer;
  
  increasing a count associated with a number of times that the first computer object has been seen, and providing the increased count associated with the number of times that the first computer object has been seen to the central server; and
  
  receiving, at a second threat server, at least a portion of the contents of the at least one database associated with the central server, wherein the at least a portion of the contents of the at least one database associated with the central server include a subset of the details of the first computer object stored in the second database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, further comprising storing at intervals, the contents of the second database in storage together with a timestamp and clearing the second database.
  - 3. The method according to claim 2, further comprising creating a backup central server by receiving at a second central server, all of the time-stamped blocks of data from the second database and incorporating all of the time-stamped blocks of data into at least one database associated with the second central server.
  - 4. The method according to claim 2, further comprising:
    - taking the central server off-line for a period of time such that the central server does not receive data from the first and second threat servers during that period of time;
      
      after the period of time has elapsed, updating at least one database associated with the central server with time-stamped blocks of data from the storage that have a timestamp later than the time when the central server went off-line; and
      
      bringing the central server back on line.
  - 5. The method according to claim 2, comprising:
    - rolling back at least one database associated with the central server to a point of time in the past;
      
      updating the at least one database associated with the central server with time-stamped blocks of data from storage that have a timestamp later than the past point of time; and
      
      bringing the central server back on line.
  - 6. The method according to claim 2, wherein the central server comprises:
    - a) an object database storing object signatures and metadata about objects;
      
      b) a behavior database storing object behavior information; and
      
      c) a computer-object database storing information about what objects are present on what remote computers.
  - 7. The method according to claim 6, wherein the threat and central servers are implemented using cloud computing.
  - 8. The method according to claim 1, further comprising:
    - receiving, at the second threat server, details of a second computer object from a second remote computer, wherein the details of the second computer object include data uniquely identifying the second computer object;
      
      determining, by the second threat server, whether the second computer object has been previously seen by comparing the data uniquely identifying the second computer object to a plurality of data uniquely identifying plural computer objects in a third database associated with the second threat server;
      
      determining that the second computer object has been seen before;
      
      increasing a count associated with a number of times that the second computer object has been seen and providing the increased count associated with the number of times that the second computer object has been seen to the at least one central server; and
      
      receiving, at the first threat server, a count associated with the number of times that the second computer object has been seen.

9. A system for classifying a computer object as malware, the system comprising:
- a first threat server arranged to receive details of a computer object from a first remote computer, wherein the details of the first computer object include data uniquely identifying the first computer object, wherein the first threat server is further arranged to receive the details of the computer object from the first remote computer and determine whether the first computer object has been previously seen by comparing the data uniquely identifying the first computer object to a plurality of data uniquely identifying plural computer objects in a first database associated with the first threat server, wherein the first threat server is further arranged to receive additional information about the first computer object from the first remote computer when the first computer object has not been previously seen, store the details of the first computer object and the received additional information about the first computer object in a second database associated with the first threat server when the first computer object has not been previously seen, provide contents of the second database to at least one database associated with a central server wherein the contents comprise a signature of the first computer object, behavior information about the first computer object, and information about the first remote computer, and increase a count associated with a number of times that the first computer object has been seen;
  
  the central server arranged to receive the increased count associated with the number of times that the first computer object has been seen; and
  
  a second threat server arranged to receive at least a portion of the contents of the at least one database associated with the central server, wherein the at least a portion of the contents of the at least one database associated with the central server include a subset of the details of the first computer object stored in the second database.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system according to claim 9, wherein the first and second threat servers are arranged to store, at intervals, the contents of the second database in storage together with a timestamp and clear the database.
  - 11. The system according to claim 10, further comprising:
    - a backup central server having a database, the database of the backup central server being populated by receiving at the backup central server all of the time-stamped blocks of data from the storage and incorporating them into the database of the backup central server.
  - 12. The system according to claim 10, wherein, in the event that the central server is taken off-line for a period of time such that it does not receive updates of data from the first and second threat servers during that period of time, the central server is arranged to, after the period of time has elapsed, update at least one database with time-stamped blocks of data from the storage that have a timestamp later than the time when the central server went off-line.
  - 13. The system according to claim 10, wherein, in the event that at least one database of a central server is rolled back to a point of time in the past, the central server is arranged to update the at least one database with time-stamped blocks of data from storage that have a timestamp later than the point of time in the past.
  - 14. The system according to claim 9, wherein the central server comprises:
    - a) an object database storing object signatures and metadata about objects;
      
      b) a behavior database storing object behavior information; and
      
      c) a computer-object database storing information about what objects are present on what remote computers.
  - 15. The system according to claim 14, wherein the first and second threat servers and the central server are implemented using cloud computing.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Inc. (Open Text Corporation)
Inventors
Morris, Melvyn, Jaroch, Joseph
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
CHIANG, JASON

Application Number

US13/372,375
Publication Number

US 20120260340A1
Time in Patent Office

1,639 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/0263   Rule management

H04L 63/14   for detecting or protecting...

H04L 63/145   the attack involving the pr...

Methods and apparatus for dealing with malware

First Claim

9 Assignments

Litigations

1 Petition

Accused Products

Abstract

131 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for dealing with malware

First Claim

9 Assignments

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

131 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links