Confirming a malware infection on a client device using a remote access connection tool to identify a malicious file based on fuzzy hashes

US 9,594,906 B1
Filed: 03/31/2015
Issued: 03/14/2017
Est. Priority Date: 03/31/2015
Status: Active Grant

First Claim

Patent Images

1. A device, comprising:

one or more processors to;

receive a trigger to determine whether one or more client devices, of a set of client devices, are infected by a malicious file,a client device, of the set of client devices, being infected by the malicious file when the malicious file was executed or the malicious file is executing on the client device;

generate file identification information associated with the malicious file based on receiving the trigger to determine whether the one or more client devices are infected by the malicious file,the file identification information including a first set of fuzzy hashes associated with execution results of the malicious file;

obtain remote access to the one or more client devices using a connection tool based on receiving the trigger to determine whether the one or more client devices are infected by the malicious file,the connection tool providing access to the one or more client devices;

obtain information, associated with the one or more client devices, using the remote access,the information including one or more second sets of fuzzy hashes,each of the one or more second sets of fuzzy hashes being associated with each of the one or more client devices, respectively;

determine, based on the one or more second sets of fuzzy hashes, that the one or more client devices are infected by the malicious file;

generate, based on determining that the one or more client devices are infected by the malicious file and based on the one or more second sets of fuzzy hashes, a prioritization order for remediating the set of client devices; and

provide, based on the file identification information and the information associated with the one or more client devices, information indicating that the one or more client devices are infected by the malicious file and information indicating the prioritization order for remediating the set of client devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device may receive a trigger to determine whether one or more client devices, of a set of client devices, are infected by a malicious file. The device may generate file identification information associated with the malicious file based on receiving the trigger to determine whether the one or more client devices are infected by the malicious file. The device may obtain remote access to the one or more client devices using a connection tool based on receiving the trigger to determine whether the one or more client devices are infected by the malicious file. The device may obtain information, associated with the one or more client devices, using the remote access. The device may provide information indicating whether the one or more client devices are infected by the malicious file based on the file identification information and the information associated with the one or more client devices.

32 Citations

View as Search Results

20 Claims

1. A device, comprising:
- one or more processors to;
  
  receive a trigger to determine whether one or more client devices, of a set of client devices, are infected by a malicious file,a client device, of the set of client devices, being infected by the malicious file when the malicious file was executed or the malicious file is executing on the client device;
  
  generate file identification information associated with the malicious file based on receiving the trigger to determine whether the one or more client devices are infected by the malicious file,the file identification information including a first set of fuzzy hashes associated with execution results of the malicious file;
  
  obtain remote access to the one or more client devices using a connection tool based on receiving the trigger to determine whether the one or more client devices are infected by the malicious file,the connection tool providing access to the one or more client devices;
  
  obtain information, associated with the one or more client devices, using the remote access,the information including one or more second sets of fuzzy hashes,each of the one or more second sets of fuzzy hashes being associated with each of the one or more client devices, respectively;
  
  determine, based on the one or more second sets of fuzzy hashes, that the one or more client devices are infected by the malicious file;
  
  generate, based on determining that the one or more client devices are infected by the malicious file and based on the one or more second sets of fuzzy hashes, a prioritization order for remediating the set of client devices; and
  
  provide, based on the file identification information and the information associated with the one or more client devices, information indicating that the one or more client devices are infected by the malicious file and information indicating the prioritization order for remediating the set of client devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The device of claim 1, wherein the one or more processors, when generating the file identification information, are to:
    - execute the malicious file in a testing environment;
      
      determine the execution results based on executing the malicious file in the testing environment; and
      
      generate the first set of fuzzy hashes based on the execution results of the malicious file.
  - 3. The device of claim 2, wherein the testing environment is a sandboxing environment.
  - 4. The device of claim 1, wherein the connection tool is a Windows management instrumentation (WMI) based connection tool.
  - 5. The device of claim 1, wherein the execution results are associated with at least one of:
    - a file generated during execution of the malicious file in a testing environment,a file modified during execution of the malicious file in the testing environment,a registry key created during execution of the malicious file in the testing environment,a registry key modified during execution of the malicious file in the testing environment, ora process operating during execution of the malicious file in the testing environment.
  - 6. The device of claim 1, where each of the one or more second sets of fuzzy hashes is based on at least one of a process, a file, or a registry key of the one or more client devices.
  - 7. The device of claim 1, where the one or more processors are further to:
    - determine a confidence score for the client device based on the file identification information and the information associated with the one or more client devices,the confidence score satisfying a threshold; and
      
      wherein the one or more processors, when providing the information indicating that the one or more client devices are infected by the malicious file and information indicating the prioritization order for remediating the set of client devices, are to;
      
      provide information indicating that the client device is infected by the malicious file based on the confidence score satisfying the threshold.

8. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors to, cause the one or more processors to;
  
  generate file identification information associated with a malicious file to determine whether one or more client devices are infected by the malicious file,a client device, of the one or more client devices, being infected by the malicious file when the malicious file was executed or the malicious file is executing on the client device, andthe file identification information including a first set of fuzzy hashes associated with executing the malicious file;
  
  obtain remote access to the one or more client devices using a connection tool to determine whether the one or more client devices are infected by the malicious file,the connection tool providing access to the one or more client devices;
  
  obtain information, associated with the one or more client devices using the remote access,the information including one or more second sets of fuzzy hashes,each of the one or more second sets of fuzzy hashes being associated with each of the one or more client devices, respectively;
  
  determine, based on the one or more second sets of fuzzy hashes, that the one or more client devices are infected by the malicious file;
  
  generate, based on determining that the one or more client devices are infected by the malicious file and based on the one or more second sets of fuzzy hashes, a prioritization order for remediating the one or more client devices; and
  
  provide, based on the file identification information and the information associated with the one or more client devices, information indicating that the one or more client devices are infected by the malicious file and information indicating the prioritization order for remediating the one or more client devices.
- View Dependent Claims (9, 10, 12, 13, 14)
- - 9. The non-transitory computer-readable medium of claim 8, wherein the one or more instructions, that cause the one or more processors to generate file identification information, cause the one or more processors to:
    - execute the malicious file in a testing environment;
      
      determine execution results from executing the malicious file in the testing environment; and
      
      generate the first set of fuzzy hashes based on the execution results.
  - 10. The non-transitory computer-readable medium of claim 9, wherein the testing environment is a sandboxing environment.
  - 12. The non-transitory computer-readable medium of claim 8, wherein the connection tool is a Windows management instrumentation (WMI) based connection tool.
  - 13. The non-transitory computer-readable medium of claim 8, where each of the one or more second sets of fuzzy hashes is based on at least one of a process, a file, or a registry key of the one or more client devices.
  - 14. The non-transitory computer-readable medium of claim 8, wherein the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - determine a confidence score for the client device based on the file identification information and the information associated with the one or more client devices,the confidence score satisfying a threshold; and
      
      wherein the instructions, that cause the one or more processors to provide the information indicating that the one or more client devices are infected by the malicious file and information indicating the prioritization order for remediating the one or more client devices, are to;
      
      provide information indicating that the client device is infected by the malicious file based on the confidence score satisfying the threshold.

11. The non-transitory computer-readable medium of claim wherein the execution results are associated with at least one of:
- a file generated during execution of the malicious file in the testing environment,a file modified during execution of the malicious file in the testing environment,a registry key created during execution of the malicious file in the testing environment,a registry key modified during execution of the malicious file in the testing environment, ora process operating during execution of the malicious file in the testing environment.

15. A method, comprising:
- generating, by a device, file identification information associated with a malicious file to determine whether one or more client devices are infected by the malicious file,a client device, of the one or more client devices, being infected by the malicious file when the malicious file was executed or the malicious file is executing on the client device, andthe file identification information including a first set of fuzzy hashes associated with executing the malicious file;
  
  obtaining, by the device, remote access to the one or more client devices to determine whether the one or more client devices are infected by the malicious file;
  
  obtaining, by the device, information associated with the one or more client devices using the remote access,the information including one or more second sets of fuzzy hashes,each of the one or more second sets of fuzzy hashes being associated with each of the one or more client devices, respectively;
  
  determining, by the device and based on the one or more second sets of fuzzy hashes, that the one or more client devices are infected by the malicious file;
  
  generating, by the device, based on determining that the one or more client devices are infected by the malicious file, and based on the one or more second sets of fuzzy hashes, a prioritization order for remediating the one or more client devices; and
  
  providing, by the device and based on the file identification information and the information associated with the one or more client devices, information indicating that the one or more client devices are infected by the malicious file and information indicating the prioritization order for remediating the one or more client devices.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, wherein generating the file identification information comprises:
    - executing the malicious file in a testing environment;
      
      determining execution results from executing the malicious file in the testing environment; and
      
      generating the first set of fuzzy hashes based on the execution results.
  - 17. The method of claim 16, wherein the testing environment is a sandbox environment.
  - 18. The method of claim 15, further comprising:
    - determining a confidence score for the client device based on the file identification information and the information associated with the one or more client devices,the confidence score satisfying a threshold; and
      
      wherein providing the information indicating that the one or more client devices are infected by the malicious file and information indicating the prioritization order for remediating the one or more client devices comprises;
      
      providing information indicating that the client device is infected by the malicious file based on the confidence score satisfying the threshold.
  - 19. The method of claim 15, further comprising:
    - causing, based on determining that the one or more client devices are infected by the malicious file, a remediation action to be executed on the client device using the remote access.
  - 20. The method of claim 15, where each of the one or more second sets of fuzzy hashes is based on at least one of a process, a file, or a registry key of the one or more client devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Langton, Jacob Asher, Quinlan, Daniel J., Adams, Kyle
Primary Examiner(s)
Patel, Haresh N

Application Number

US14/675,274
Time in Patent Office

714 Days
Field of Search

726 22- 25
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Confirming a malware infection on a client device using a remote access connection tool to identify a malicious file based on fuzzy hashes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

32 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Confirming a malware infection on a client device using a remote access connection tool to identify a malicious file based on fuzzy hashes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links