Malware data item analysis
First Claim
1. A computer system comprising:
- one or more computer readable storage devices configured to store:
  - a plurality of computer executable instructions; and
  - a plurality of data items each associated with at least one respective submission event, each submission event indicating at least one of: a date the associated data item was submitted, or an identifier of a person who submitted the associated data item, wherein:
    - the plurality of data items include at least a first data item representing a suspected malware file,
    - the first data item is associated with a first submission event, and
    - the first data item is further associated with a plurality of analysis information items from an analysis of the first data item, wherein the plurality of analysis information items includes at least one of: a payload associated with the first data item, academic analysis information associated with the first data item, file execution information associated with the first data item, third-party analysis information associated with the first data item, a hash of the first data item, a size of the first data item, or a file property associated with the first data item; and
- one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the plurality of computer executable instructions in order to cause the one or more hardware computer processors to:
  - receive, via an upload or transmission to the computer system, a second data item, the second data item representing a suspected malware file;
  - perform an analysis of the second data item to determine one or more characteristics associated with the second data item;
  - compare at least a first characteristic associated with the second data item with a corresponding first characteristic associated with the first data item;
  - determine, based at least in part on comparing the first characteristic and the corresponding first characteristic, that the second data item and the first data item match;
  - in response to determining that the second data item and the first data item match:
    - associate a second submission event with the first data item, the second submission event being different from the first submission event; and
    - generate a displayable notification that the second data item was previously received, wherein the displayable notification includes an indication of the first submission event associated with the first data item representing a suspected malware file; and
  - generate a user interface including one or more user selectable portions presenting at least: one or more of the analysis information items associated with the first data item, and information regarding the first submission event associated with the first data item.
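The matching and resubmission flow of claim 1, as an added illustration that is not code from the patent or its assignee: a small repository keyed by the sample's SHA-256 (the "hash" characteristic) that records submission events, attaches a new event to an already-known item, and produces the "previously received" notification naming the first submission. The class and field names, the ISO-string dates and the magic-byte file-type guess are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SubmissionEvent:
    """One submission of a data item: when (ISO date string) and by whom."""
    submitted_on: str
    submitter_id: str


@dataclass
class DataItem:
    """A suspected malware file plus the analysis information items kept for it."""
    sha256: str
    size: int
    file_property: str          # assumed property: a file-type guess from magic bytes
    payload: bytes
    submissions: List[SubmissionEvent] = field(default_factory=list)


def analyze(payload: bytes) -> dict:
    """Derive the characteristics the claim lists: a hash, a size and a file property."""
    if payload.startswith(b"MZ"):
        kind = "pe"
    elif payload.startswith(b"\x7fELF"):
        kind = "elf"
    else:
        kind = "unknown"
    return {"sha256": hashlib.sha256(payload).hexdigest(), "size": len(payload), "file_property": kind}


class SampleRepository:
    def __init__(self) -> None:
        self._items: Dict[str, DataItem] = {}   # keyed by the compared characteristic (hash)

    def submit(self, payload: bytes, event: SubmissionEvent) -> Tuple[DataItem, Optional[str]]:
        """Analyze the upload; on a hash match, add the event to the existing item and
        return a notification naming its first submission, otherwise store a new item."""
        chars = analyze(payload)
        existing = self._items.get(chars["sha256"])
        if existing is not None:
            assert existing.size == chars["size"]     # same hash implies same size; sanity guard
            existing.submissions.append(event)          # second, distinct submission event
            first = existing.submissions[0]
            note = (f"Previously received: sha256 {existing.sha256[:12]}... "
                    f"first submitted on {first.submitted_on} by {first.submitter_id}")
            return existing, note
        item = DataItem(payload=payload, submissions=[event], **chars)
        self._items[item.sha256] = item
        return item, None
```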
Abstract
Embodiments of the present disclosure relate to a data analysis system that may automatically analyze a suspected malware file, or group of files. Automatic analysis of the suspected malware file(s) may include one or more automatic analysis techniques. Automatic analysis may include production and gathering of various items of information related to the suspected malware file(s) including, for example, calculated hashes, file properties, academic analysis information, file execution information, third-party analysis information, and/or the like. The analysis information may be automatically associated with the suspected malware file(s), and a user interface may be generated in which the various analysis information items are presented to a human analyst such that the analyst may quickly and efficiently evaluate the suspected malware file(s). For example, the analyst may quickly determine one or more characteristics of the suspected malware file(s), whether or not the file(s) is malware, and/or a threat level of the file(s).
20 Claims
1. A computer system comprising: (independent claim 1, reproduced in full under First Claim above; dependent claims 2 through 16)
17. A computer-implemented method comprising:
- storing in one or more computer readable storage devices:
  - a plurality of computer executable instructions; and
  - a plurality of data items each associated with at least one respective submission event, each submission event indicating at least one of: a date the associated data item was submitted, or an identifier of a person who submitted the associated data item, wherein:
    - the plurality of data items include at least a first data item representing a suspected malware file,
    - the first data item is associated with a first submission event, and
    - the first data item is further associated with a plurality of analysis information items from an analysis of the first data item, wherein the plurality of analysis information items includes at least one of: a payload associated with the first data item, academic analysis information associated with the first data item, file execution information associated with the first data item, third-party analysis information associated with the first data item, a hash of the first data item, a size of the first data item, or a file property associated with the first data item; and
- executing, in one or more hardware computer processors in communication with the one or more computer readable storage devices, the plurality of computer executable instructions in order to cause the one or more hardware computer processors to:
  - receive, via an upload or transmission to the computer system, a second data item, the second data item representing a suspected malware file;
  - perform an analysis of the second data item to determine one or more characteristics associated with the second data item;
  - compare at least a first characteristic associated with the second data item with a corresponding first characteristic associated with the first data item;
  - determine, based at least in part on comparing the first characteristic and the corresponding first characteristic, that the second data item and the first data item match;
  - in response to determining that the second data item and the first data item match:
    - associate a second submission event with the first data item, the second submission event being different from the first submission event; and
    - generate a displayable notification that the second data item was previously received, wherein the displayable notification includes an indication of the first submission event associated with the first data item representing a suspected malware file; and
  - generate a user interface including one or more user selectable portions presenting at least: one or more of the analysis information items associated with the first data item, and information regarding the first submission event associated with the first data item.
(Dependent claims: 18, 19, 20)