Statistical analytic method for the determination of the risk posed by file based content

US 9,729,564 B2
Filed: 03/28/2016
Issued: 08/08/2017
Est. Priority Date: 11/26/2014
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a computer;

a memory in the computer;

a database stored in the memory, the database including;

a plurality of checks organized into a plurality of categories, each of the plurality of checks used to check when an electronic file conforms to some purported file format for the electronic file and therefore is known to be good; and

for each of the plurality of categories, a weight assigned to the category, the weights assigned to the plurality of categories including default weights assigned to the plurality of categories;

a receiver to receive the electronic file and to receive second weights from a user to assign to the plurality of categories;

an analyser to analyse the electronic file using the plurality of checks in the database;

a threat calculator to calculate a risk assessment for the electronic file using a result from the analyser and the weights assigned to the plurality of categories; and

an electronic sandbox, the electronic file placed in the electronic sandbox when the risk assessment for the file does not exceed a threshold score,wherein the system is operative to deliver the electronic file to a second user when an observed operation of the electronic sandbox indicates that the electronic file is not a threat.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for calculating a risk assessment for an electronic file is described. A database of checks, organized into categories, can be used to scan electronic files. The categories of checks can include weights assigned to them. An analyzer can analyze electronic files using the checks. Issues identified by the analyzer can be weighted using the weights to determine a risk assessment for the electronic file.

86 Citations

View as Search Results

34 Claims

1. A system, comprising:
- a computer;
  
  a memory in the computer;
  
  a database stored in the memory, the database including;
  
  a plurality of checks organized into a plurality of categories, each of the plurality of checks used to check when an electronic file conforms to some purported file format for the electronic file and therefore is known to be good; and
  
  for each of the plurality of categories, a weight assigned to the category, the weights assigned to the plurality of categories including default weights assigned to the plurality of categories;
  
  a receiver to receive the electronic file and to receive second weights from a user to assign to the plurality of categories;
  
  an analyser to analyse the electronic file using the plurality of checks in the database;
  
  a threat calculator to calculate a risk assessment for the electronic file using a result from the analyser and the weights assigned to the plurality of categories; and
  
  an electronic sandbox, the electronic file placed in the electronic sandbox when the risk assessment for the file does not exceed a threshold score,wherein the system is operative to deliver the electronic file to a second user when an observed operation of the electronic sandbox indicates that the electronic file is not a threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A system according to claim 1, wherein:
    - the database further includes for each of the plurality of checks, a second weight assigned to the check; and
      
      the threat calculator is operative to calculate the risk assessment for the electronic file using the result from the analyser and the second weights assigned to the plurality of checks.
  - 3. A system according to claim 1, wherein the receiver is operative to receive the weights assigned to the plurality of categories from a user.
  - 4. A system according to claim 1, wherein:
    - the weights assigned to the plurality of categories include default weights assigned to the plurality of categories;
      
      the analyser is operative to analyse a first corpus of files with known non-conformities to produce a first result and to analyse a second corpus of safe files to produce a second result; and
      
      the system further comprises a statistical analyser to statistically review the first result and the second result and to adjust the default weights assigned to the plurality of categories so that a first calculated risk assessment for the first corpus of files is higher than a second calculated risk assessment for the second corpus of files.
  - 5. A system according to claim 1, further comprising a statistical analyser to use the result from the analyser to adjust the weights.
  - 6. A system according to claim 1, wherein the system is operative to deliver the electronic file to a second user when the calculated risk assessment is greater than a pre-determined threshold.
  - 7. A system according to claim 1, wherein the risk assessment for the electronic file does not depend on an identity of a recipient of the electronic file.

8. A method, comprising:
- receiving an electronic file;
  
  analysing the electronic file using a plurality of checks to determine when the electronic file conforms to an expected format and therefore is known to be good, the plurality of checks organized into a plurality of categories;
  
  determining a weight for each of the plurality of categories, including;
  
  receiving a default weight to assign to each of the plurality of categories; and
  
  adjusting the default weight assigned to each of the plurality of categories according to instruction from a user; and
  
  calculating a final risk assessment of the electronic file using the plurality of categories and the weights assigned to each of the plurality of categories, including, when the final risk assessment of the electronic file does not exceed a threshold score;
  
  placing the electronic file in a sandbox;
  
  detonating the electronic file in the sandbox;
  
  observing the operation of the sandbox after detonating the electronic file; and
  
  when the observed operation of the sandbox indicates that the electronic file is not a threat, delivering the electronic file to the user.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. A method according to claim 8, wherein:
    - analysing the electronic file using a plurality of categories to determine when the electronic file conforms to an expected format includes analysing the electronic file using a second plurality of checks from one of the plurality of categories;
      
      determining a weight for each of the plurality of categories includes determining a second weight for each of the second plurality of checks from the one of the plurality of categories; and
      
      calculating a final risk assessment of the electronic file using the plurality of categories and the weights assigned to each of the plurality of categories includes calculating the final risk assessment of the electronic file using the plurality of checks from the one of the plurality of categories and the second weights assigned to each of the plurality of checks.
  - 10. A method according to claim 8, further comprising receiving the weight assigned to each of the plurality of categories from a user.
  - 11. A method according to claim 8, wherein receiving a default weight to assign to each of the plurality of categories includes:
    - receiving a first corpus of files with known non-conformities and a second corpus of safe files;
      
      scanning the first corpus of files to produce a first result and the second corpus of files to produce a second result;
      
      statistically analysing the first result and the second result; and
      
      using the analysis of the first result and the second result to adjust the default weight assigned to each of the plurality of categories so that a first calculated risk assessment for the first corpus of files is higher than a second calculated risk assessment for the second corpus of files.
  - 12. A method according to claim 8, further comprising using the final risk assessment of the electronic file to adjust the weights assigned to each of the plurality of categories.
  - 13. A method according to claim 12, wherein using the final risk assessment of the electronic file to adjust the weights assigned to each of the plurality of categories includes automatically using the final risk assessment of the electronic file to adjust the weights assigned to each of the plurality of categories.
  - 14. A method according to claim 8, wherein calculating a final risk assessment of the electronic file using the plurality of categories and the weights assigned to each of the plurality of categories includes:
    - calculating a threat score for the electronic file using the plurality of categories and the weights assigned to each of the plurality of categories;
      
      comparing the threat score with the threshold score; and
      
      when the threat score exceeds the threshold score;
      
      determining that the electronic file is likely not a threat; and
      
      delivering the electronic file to a user.
  - 15. A method according to claim 14, wherein calculating a final risk assessment of the electronic file using the plurality of categories and the weights assigned to each of the plurality of categories further includes, when the threat score does not exceed the threshold score, determining that the electronic file is likely a threat.

16. A non-transitory computer-readable medium storing instructions that, when executed by a machine, result in:
- receiving an electronic file;
  
  analysing the electronic file using a plurality of checks to determine when the electronic file conforms to an expected format and therefore is known to be good, the plurality of checks organized into a plurality of categories;
  
  determining a weight for each of the plurality of categories, including;
  
  receiving a default weight to assign to each of the plurality of categories; and
  
  adjusting the default weight assigned to each of the plurality of categories according to instruction from a user; and
  
  calculating a final risk assessment of the electronic file using the plurality of categories and the weights assigned to each of the plurality of categories, including, when the final risk assessment of the electronic file does not exceed a threshold score;
  
  placing the electronic file in a sandbox;
  
  detonating the electronic file in the sandbox;
  
  observing the operation of the sandbox after detonating the electronic file; and
  
  when the observed operation of the sandbox indicates that the electronic file is not a threat, delivering the electronic file to the user.

17. A system, comprising:
- a computer;
  
  a memory in the computer;
  
  a database stored in the memory, the database including;
  
  a plurality of checks organized into a plurality of categories, each of the plurality of checks used to check when an electronic file conforms to some purported file format for the electronic file and therefore is known to be good; and
  
  for each of the plurality of categories, a weight assigned to the category;
  
  a receiver to receive the electronic file;
  
  an analyser to analyse the electronic file using the plurality of checks in the database;
  
  a threat calculator to calculate a risk assessment for the electronic file using a result from the analyser and the weights assigned to the plurality of categories;
  
  a statistical analyser to automatically use the risk assessment from the threat calculator to adjust the weights; and
  
  an electronic sandbox, the electronic file placed in the electronic sandbox when the risk assessment for the file does not exceed a pre-determined threshold,wherein the system is operative to deliver the electronic file to a second user when an observed operation of the electronic sandbox indicates that the electronic file is not a threat.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. A system according to claim 17, wherein:
    - the database further includes for each of the plurality of checks, a second weight assigned to the check; and
      
      the threat calculator is operative to calculate the risk assessment for the electronic file using the result from the analyser and the second weights assigned to the plurality of checks.
  - 19. A system according to claim 17, wherein the receiver is operative to receive the weights assigned to the plurality of categories from a user.
  - 20. A system according to claim 17, wherein:
    - the weights assigned to the plurality of categories include default weights assigned to the plurality of categories; and
      
      the receiver is operative to receive second weights from a user to assign to the plurality of categories.
  - 21. A system according to claim 17, wherein:
    - the weights assigned to the plurality of categories include default weights assigned to the plurality of categories;
      
      the analyser is operative to analyse a first corpus of files with known non-conformities to produce a first result and to analyse a second corpus of safe files to produce a second result; and
      
      the statistical analyser is operative to statistically review the first result and the second result and to adjust the default weights assigned to the plurality of categories so that a first calculated risk assessment for the first corpus of files is higher than a second calculated risk assessment for the second corpus of files.
  - 22. A system according to claim 17, wherein the system is operative to deliver the electronic file to the second user when the calculated risk assessment is greater than the pre-determined threshold.
  - 23. A system according to claim 17, wherein the risk assessment for the electronic file does not depend on an identity of a recipient of the electronic file.

24. A method, comprising:
- receiving an electronic file;
  
  analysing the electronic file using a plurality of checks to determine when the electronic file conforms to an expected format and therefore is known to be good, the plurality of checks organized into a plurality of categories;
  
  determining a weight for each of the plurality of categories;
  
  calculating a final risk assessment of the electronic file using the plurality of categories and the weights assigned to each of the plurality of categories, including, when the final risk assessment of the electronic file does not exceed a threshold score;
  
  placing the electronic file in a sandbox;
  
  detonating the electronic file in the sandbox;
  
  observing the operation of the sandbox after detonating the electronic file; and
  
  when the observed operation of the sandbox indicates that the electronic file is not a threat, delivering the electronic file to a user; and
  
  automatically using the final risk assessment of the electronic file to adjust the weights assigned to each of the plurality of categories.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 25. A method according to claim 24, wherein:
    - analysing the electronic file using a plurality of categories to determine when the electronic file conforms to an expected format includes analysing the electronic file using a second plurality of checks from one of the plurality of categories;
      
      determining a weight for each of the plurality of categories includes determining a second weight for each of the second plurality of checks from the one of the plurality of categories; and
      
      calculating a final risk assessment of the electronic file using the plurality of categories and the weights assigned to each of the plurality of categories includes calculating the final risk assessment of the electronic file using the plurality of checks from the one of the plurality of categories and the second weights assigned to each of the plurality of checks.
  - 26. A method according to claim 24, further comprising receiving the weight assigned to each of the plurality of categories from a second user.
  - 27. A method according to claim 24, wherein determining a weight for each of the plurality of categories includes receiving a default weight to assign to each of the plurality of categories.
  - 28. A method according to claim 27, wherein determining a weight for each of the plurality of categories further includes adjusting the default weight assigned to each of the plurality of categories according to instruction from a second user.
  - 29. A method according to claim 27, wherein receiving a default weight to assign to each of the plurality of categories includes:
    - receiving a first corpus of files with known non-conformities and a second corpus of safe files;
      
      scanning the first corpus of files to produce a first result and the second corpus of files to produce a second result;
      
      statistically analysing the first result and the second result; and
      
      using the analysis of the first result and the second result to adjust the default weight assigned to each of the plurality of categories so that a first calculated risk assessment for the first corpus of files is higher than a second calculated risk assessment for the second corpus of files.
  - 30. A method according to claim 24, wherein calculating a final risk assessment of the electronic file using the plurality of categories and the weights assigned to each of the plurality of categories includes:
    - calculating a threat score for the electronic file using the plurality of categories and the weights assigned to each of the plurality of categories;
      
      comparing the threat score with the threshold score; and
      
      when the threat score exceeds the threshold score;
      
      determining that the electronic file is likely not a threat; and
      
      delivering the electronic file to a user.
  - 31. A method according to claim 30, wherein calculating a final risk assessment of the electronic file using the plurality of categories and the weights assigned to each of the plurality of categories further includes, when the threat score does not exceed the threshold score, determining that the electronic file is likely a threat.
  - 32. A method according to claim 31, wherein determining that the electronic file is likely a threat includes:
    - placing the electronic file in a sandbox;
      
      detonating the electronic file in the sandbox; and
      
      observing the operation of the sandbox after detonating the electronic file.
  - 33. A method according to claim 32, wherein determining that the electronic file is likely a threat further includes, when the observed operation of the sandbox indicates that the electronic file is not a threat, delivering the electronic file to the user.

34. A non-transitory computer-readable medium storing instructions that, when executed by a machine, result in:
- receiving an electronic file;
  
  analysing the electronic file using a plurality of checks to determine when the electronic file conforms to an expected format and therefore is known to be good, the plurality of checks organized into a plurality of categories;
  
  determining a weight for each of the plurality of categories;
  
  calculating a final risk assessment of the electronic file using the plurality of categories and the weights assigned to each of the plurality of categories, including, when the final risk assessment of the electronic file does not exceed a threshold score;
  
  placing the electronic file in a sandbox;
  
  detonating the electronic file in the sandbox;
  
  observing the operation of the sandbox after detonating the electronic file; and
  
  when the observed operation of the sandbox indicates that the electronic file is not a threat, delivering the electronic file to the user; and
  
  automatically using the final risk assessment of the electronic file to adjust the weights assigned to each of the plurality of categories.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Glasswall (Ip) Limited
Original Assignee
Glasswall (Ip) Limited
Inventors
Hutton, Samuel Harrison
Primary Examiner(s)
HO, DAO Q

Application Number

US15/082,791
Publication Number

US 20160212161A1
Time in Patent Office

498 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/24578   using ranking

G06F 16/285   Clustering or classification

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Statistical analytic method for the determination of the risk posed by file based content

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

86 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Statistical analytic method for the determination of the risk posed by file based content

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links