Statistical analytic method for the determination of the risk posed by file based content
Abstract
A system and method for calculating a risk assessment for an electronic file is described. A database of checks, organized into categories, can be used to scan electronic files. The categories of checks can include weights assigned to them. An analyzer can analyze electronic files using the checks. Issues identified by the analyzer can be weighted using the weights to determine a risk assessment for the electronic file.
34 Claims
1. A system, comprising:
- a computer;
- a memory in the computer;
- a database stored in the memory, the database including:
  - a plurality of checks organized into a plurality of categories, each of the plurality of checks used to check when an electronic file conforms to some purported file format for the electronic file and therefore is known to be good; and
  - for each of the plurality of categories, a weight assigned to the category, the weights assigned to the plurality of categories including default weights assigned to the plurality of categories;
- a receiver to receive the electronic file and to receive second weights from a user to assign to the plurality of categories;
- an analyser to analyse the electronic file using the plurality of checks in the database;
- a threat calculator to calculate a risk assessment for the electronic file using a result from the analyser and the weights assigned to the plurality of categories; and
- an electronic sandbox, the electronic file placed in the electronic sandbox when the risk assessment for the file does not exceed a threshold score, wherein the system is operative to deliver the electronic file to a second user when an observed operation of the electronic sandbox indicates that the electronic file is not a threat.

Dependent claims: 2, 3, 4, 5, 6, 7.

8. A method, comprising:
- receiving an electronic file;
- analysing the electronic file using a plurality of checks to determine when the electronic file conforms to an expected format and therefore is known to be good, the plurality of checks organized into a plurality of categories;
- determining a weight for each of the plurality of categories, including:
  - receiving a default weight to assign to each of the plurality of categories; and
  - adjusting the default weight assigned to each of the plurality of categories according to instruction from a user; and
- calculating a final risk assessment of the electronic file using the plurality of categories and the weights assigned to each of the plurality of categories, including, when the final risk assessment of the electronic file does not exceed a threshold score:
  - placing the electronic file in a sandbox;
  - detonating the electronic file in the sandbox;
  - observing the operation of the sandbox after detonating the electronic file; and
  - when the observed operation of the sandbox indicates that the electronic file is not a threat, delivering the electronic file to the user.

Dependent claims: 9, 10, 11, 12, 13, 14, 15.

16. A non-transitory computer-readable medium storing instructions that, when executed by a machine, result in:
- receiving an electronic file;
- analysing the electronic file using a plurality of checks to determine when the electronic file conforms to an expected format and therefore is known to be good, the plurality of checks organized into a plurality of categories;
- determining a weight for each of the plurality of categories, including:
  - receiving a default weight to assign to each of the plurality of categories; and
  - adjusting the default weight assigned to each of the plurality of categories according to instruction from a user; and
- calculating a final risk assessment of the electronic file using the plurality of categories and the weights assigned to each of the plurality of categories, including, when the final risk assessment of the electronic file does not exceed a threshold score:
  - placing the electronic file in a sandbox;
  - detonating the electronic file in the sandbox;
  - observing the operation of the sandbox after detonating the electronic file; and
  - when the observed operation of the sandbox indicates that the electronic file is not a threat, delivering the electronic file to the user.

17. A system, comprising:
- a computer;
- a memory in the computer;
- a database stored in the memory, the database including:
  - a plurality of checks organized into a plurality of categories, each of the plurality of checks used to check when an electronic file conforms to some purported file format for the electronic file and therefore is known to be good; and
  - for each of the plurality of categories, a weight assigned to the category;
- a receiver to receive the electronic file;
- an analyser to analyse the electronic file using the plurality of checks in the database;
- a threat calculator to calculate a risk assessment for the electronic file using a result from the analyser and the weights assigned to the plurality of categories;
- a statistical analyser to automatically use the risk assessment from the threat calculator to adjust the weights; and
- an electronic sandbox, the electronic file placed in the electronic sandbox when the risk assessment for the file does not exceed a pre-determined threshold, wherein the system is operative to deliver the electronic file to a second user when an observed operation of the electronic sandbox indicates that the electronic file is not a threat.

Dependent claims: 18, 19, 20, 21, 22, 23.

24. A method, comprising:
- receiving an electronic file;
- analysing the electronic file using a plurality of checks to determine when the electronic file conforms to an expected format and therefore is known to be good, the plurality of checks organized into a plurality of categories;
- determining a weight for each of the plurality of categories;
- calculating a final risk assessment of the electronic file using the plurality of categories and the weights assigned to each of the plurality of categories, including, when the final risk assessment of the electronic file does not exceed a threshold score:
  - placing the electronic file in a sandbox;
  - detonating the electronic file in the sandbox;
  - observing the operation of the sandbox after detonating the electronic file; and
  - when the observed operation of the sandbox indicates that the electronic file is not a threat, delivering the electronic file to a user; and
- automatically using the final risk assessment of the electronic file to adjust the weights assigned to each of the plurality of categories.

Dependent claims: 25, 26, 27, 28, 29, 30, 31, 32, 33.

34. A non-transitory computer-readable medium storing instructions that, when executed by a machine, result in:
- receiving an electronic file;
- analysing the electronic file using a plurality of checks to determine when the electronic file conforms to an expected format and therefore is known to be good, the plurality of checks organized into a plurality of categories;
- determining a weight for each of the plurality of categories;
- calculating a final risk assessment of the electronic file using the plurality of categories and the weights assigned to each of the plurality of categories, including, when the final risk assessment of the electronic file does not exceed a threshold score:
  - placing the electronic file in a sandbox;
  - detonating the electronic file in the sandbox;
  - observing the operation of the sandbox after detonating the electronic file; and
  - when the observed operation of the sandbox indicates that the electronic file is not a threat, delivering the electronic file to the user; and
- automatically using the final risk assessment of the electronic file to adjust the weights assigned to each of the plurality of categories.
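Claims 1, 8 and 17 together describe one pipeline: format-conformance checks grouped into categories, default category weights a user may override, a weighted threat score, a threshold that routes low-scoring files into a sandbox for detonation, and a statistical analyser that feeds the assessment back into the weights. The following is an added example sketching that pipeline in Python; it is not code from the patent, and the checks, weights, sample bytes and feedback rule are all assumptions chosen for illustration.

```python
# Added example, not code from the patent: a weighted risk assessment in the
# shape the claims describe. Checks are grouped into categories, each category
# has a default weight a user may override, the score is the weighted count of
# failed checks, and a threshold decides whether the file goes to the sandbox.
# Check names, weights, the sample bytes and the adjustment rule are constructed.

# Category -> (check name, predicate that is True when the file CONFORMS to
# the purported PDF format, i.e. the check passes).
CHECKS = {
    "structure": [
        ("header magic", lambda d: d.startswith(b"%PDF-")),
        ("eof marker", lambda d: b"%%EOF" in d[-64:]),
    ],
    "active content": [
        ("no javascript", lambda d: b"/JavaScript" not in d and b"/JS" not in d),
        ("no launch action", lambda d: b"/Launch" not in d),
    ],
    "embedding": [("no embedded files", lambda d: b"/EmbeddedFile" not in d)],
}
DEFAULT_WEIGHTS = {"structure": 1.0, "active content": 3.0, "embedding": 2.0}

def analyse(data, checks=CHECKS):
    """Analyser: return {category: number of checks the file failed}."""
    return {cat: sum(0 if ok(data) else 1 for _, ok in cs) for cat, cs in checks.items()}

def risk_score(failures, weights):
    """Threat calculator: weighted count of non-conforming checks."""
    return sum(weights[c] * n for c, n in failures.items())

def assess(data, user_weights=None, threshold=4.0):
    """Merge user weights over the defaults, score the file and route it.
    Files at or below the threshold are detonated in a sandbox before
    delivery; files above it are held without detonation."""
    weights = {**DEFAULT_WEIGHTS, **(user_weights or {})}
    score = risk_score(analyse(data), weights)
    return score, ("sandbox" if score <= threshold else "block")

def adjust_weights(weights, failures, sandbox_malicious, rate=0.5):
    """Statistical analyser (assumed rule): if the sandbox found a file
    malicious that the score let through, raise the weight of every
    category that file failed so similar files score higher next time."""
    new = dict(weights)
    if sandbox_malicious:
        for cat, n in failures.items():
            if n:
                new[cat] = round(new[cat] * (1 + rate), 3)
    return new

# Constructed sample: a structurally valid PDF skeleton carrying a JavaScript action.
SAMPLE = b"%PDF-1.7\n1 0 obj << /OpenAction << /S /JavaScript /JS (x) >> >> endobj\n%%EOF\n"
```

With the default weights the sample scores 3.0 and is routed to the sandbox; a user who raises the "active content" weight to 5.0 pushes the same file over the threshold, and a malicious sandbox verdict raises that category's default weight from 3.0 to 4.5 for subsequent files.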