Using telemetry to reduce malware definition package size

US 9,613,213 B2
Filed: 07/25/2014
Issued: 04/04/2017
Est. Priority Date: 11/20/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of providing malicious software (malware) definitions to clients, wherein the clients are electronic devices, comprising:

receiving telemetry data from a plurality of clients, the telemetry data describing files created on the clients;

analyzing the telemetry data to identify malware that is currently spreading among the plurality of clients, the analysis based at least in part on whether a particular type of malware is detected on a threshold number of clients within a predetermined time period and an amount of damage caused by the particular type of malware;

identifying a subset of a set of cloud malware definitions responsive to the analysis of the telemetry data, the identified subset containing malware definitions for malware identified as currently spreading among the plurality of clients; and

providing the identified subset of the cloud malware definitions as a set of local malware definitions to the plurality of clients, wherein the plurality of clients are adapted to store the local malware definitions and use the set of local malware definitions to detect malware at the clients.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Clients send telemetry data to a cloud server, where the telemetry data includes security-related information such as file creations, timestamps and malware detected at the clients. The cloud server analyzes the telemetry data to identify malware that is currently spreading among the clients. Based on the analysis of the telemetry data, the cloud server segments malware definitions in a cloud definition database into a set of local malware definitions and a set of cloud malware definitions. The cloud server provides the set of local malware definitions to the clients as a local malware definition update, and replies to cloud definition lookup requests from clients with an indication of whether a file identified in a request contains malware. If the file is malicious, the client remediates the malware using local malware definition update.

10 Citations

14 Claims

1. A computer-implemented method of providing malicious software (malware) definitions to clients, wherein the clients are electronic devices, comprising:
- receiving telemetry data from a plurality of clients, the telemetry data describing files created on the clients;
  
  analyzing the telemetry data to identify malware that is currently spreading among the plurality of clients, the analysis based at least in part on whether a particular type of malware is detected on a threshold number of clients within a predetermined time period and an amount of damage caused by the particular type of malware;
  
  identifying a subset of a set of cloud malware definitions responsive to the analysis of the telemetry data, the identified subset containing malware definitions for malware identified as currently spreading among the plurality of clients; and
  
  providing the identified subset of the cloud malware definitions as a set of local malware definitions to the plurality of clients, wherein the plurality of clients are adapted to store the local malware definitions and use the set of local malware definitions to detect malware at the clients.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein receiving telemetry data from the plurality of clients comprises:
    - determining whether a file created on a client of the plurality of clients matches a malware definition in the set of malware definitions; and
      
      replying to a cloud definition lookup request from the client indicating whether the created file matches a malware definition in the set of malware definitions.
  - 3. The method of claim 1, wherein the telemetry data describes at least some files that do not match any known malware.
  - 4. The method of claim 1, further comprising:
    - maintaining a cloud definition database storing the set of cloud malware definitions.
  - 5. The method of claim 1, further comprising:
    - removing a malware definition from the set of local malware definitions responsive to a determination that malware corresponding to the malware definition is not currently spreading among the plurality of clients.

6. A non-transitory computer-readable storage medium storing executable computer program instructions for providing malicious software (malware) definitions to clients, the computer program instructions comprising instructions for:
- receiving telemetry data from a plurality of clients, the telemetry data describing files created on the clients;
  
  analyzing the telemetry data to identify malware that is currently spreading among the plurality of clients, the analysis based at least in part on whether a particular type of malware is detected on a threshold number of clients within a predetermined time period and an amount of damage caused by the particular type of malware;
  
  identifying a subset of a set of cloud malware definitions responsive to the analysis of the telemetry data, the identified subset containing malware definitions for malware identified as currently spreading among the plurality of clients; and
  
  providing the identified subset of the cloud malware definitions as a set of local malware definitions to the plurality of clients, wherein the plurality of clients are adapted to store the local malware definitions and use the set of local malware definitions to detect malware at the clients.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer-readable storage medium of claim 6, wherein the computer program instructions for receiving telemetry data from the plurality of clients comprise instructions for:
    - determining whether a file created on a client of the plurality of clients matches a malware definition in the set of malware definitions; and
      
      replying to a cloud definition lookup request from the client indicating whether the created file matches a malware definition in the set of malware definitions.
  - 8. The computer-readable storage medium of claim 6, wherein the telemetry data describes at least some files that do not match any known malware.
  - 9. The computer-readable storage medium of claim 6, further comprising computer program instructions for:
    - maintaining a cloud definition database storing the set of cloud malware definitions.
  - 10. The computer-readable storage medium of claim 6, further comprising computer program instructions for:
    - removing a malware definition from the set of local malware definitions responsive to a determination that malware corresponding to the malware definition is not currently spreading among the plurality of clients.

11. A system for providing malicious software (malware) definitions to clients, the system comprising:
- a processor for executing computer program instructions; and
  
  a non-transitory computer-readable storage medium storing executable computer program instructions, the computer program instructions comprising instructions for;
  
  receiving telemetry data from a plurality of clients, the telemetry data describing files created on the clients;
  
  analyzing the telemetry data to identify malware that is currently spreading among the plurality of clients, the analysis based at least in part on whether a particular type of malware is detected on a threshold number of clients within a predetermined time period and an amount of damage caused by the particular type of malware;
  
  identifying a subset of a set of cloud malware definitions responsive to the analysis of the telemetry data, the identified subset containing malware definitions for malware identified as currently spreading among the plurality of clients; and
  
  providing the identified subset of the cloud malware definitions as a set of local malware definitions to the plurality of clients, wherein the plurality of clients are adapted to store the local malware definitions and use the set of local malware definitions to detect malware at the clients.
- View Dependent Claims (12, 13, 14)
- - 12. The system of claim 11, wherein the telemetry data describes at least some files that do not match any known malware.
  - 13. The system of claim 11, further comprising computer program instructions for:
    - maintaining a cloud definition database storing the set of cloud malware definitions.
  - 14. The system of claim 11, further comprising computer program instructions for:
    - removing a malware definition from the set of local malware definitions responsive to a determination that malware corresponding to the malware definition is not currently spreading among the plurality of clients.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Pereira, Shane, Nachenberg, Carey S.
Primary Examiner(s)
WILLIAMS, JEFFERY L

Application Number

US14/341,183
Publication Number

US 20140337979A1
Time in Patent Office

984 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/14   for detecting or protecting...

Using telemetry to reduce malware definition package size

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

10 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Using telemetry to reduce malware definition package size

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links