Malware data item analysis

US 9,785,773 B2
Filed: 03/25/2015
Issued: 10/10/2017
Est. Priority Date: 07/03/2014
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising:

one or more computer readable storage devices configured to store;

a plurality of computer executable instructions; and

a plurality of data items each associated with at least one respective submission event, each submission event indicating at least one of;

a date the associated data item was submitted, oran identifier of a person who submitted the associated data item,wherein;

the plurality of data items include at least a first data item representing a suspected malware file,the first data item is associated with a first submission event, andthe first data item is further associated with a plurality of analysis information items from an analysis of the first data item, wherein the plurality of analysis information items includes at least one of;

a payload associated with the first data item, academic analysis information associated with the first data item, file execution information associated with the first data item, third-party analysis information associated with the first data item, a hash of the first data item, a size of the first data item, or a file property associated with the first data item, andone or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the plurality of computer executable instructions in order to cause the one or more hardware computer processors to;

receive, via an upload or transmission to the computer system, a second data item, the second data item representing a suspected malware file;

perform an analysis of the second data item to determine one or more characteristics associated with the second data item;

compare at least a first characteristic associated with the second data item with a corresponding first characteristic associated with the first data item;

determine, based at least in part on comparing the first characteristic and the corresponding first characteristic, that the second data item and the first data item match;

in response to determining that the second data item and the first data item match;

associate a second submission event with the first data item, the second submission event being different from the first submission event; and

generate a displayable notification that the second data item was previously received, wherein the displayable notification includes an indication of the first submission event associated with the first data item representing a suspected malware file; and

generate a user interface including one or more user selectable portions presenting at least;

one or more of the analysis information items associated with the first data item, and information regarding the first submission event associated with the first data item.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present disclosure relate to a data analysis system that may automatically analyze a suspected malware file, or group of files. Automatic analysis of the suspected malware file(s) may include one or more automatic analysis techniques. Automatic analysis of may include production and gathering of various items of information related to the suspected malware file(s) including, for example, calculated hashes, file properties, academic analysis information, file execution information, third-party analysis information, and/or the like. The analysis information may be automatically associated with the suspected malware file(s), and a user interface may be generated in which the various analysis information items are presented to a human analyst such that the analyst may quickly and efficiently evaluate the suspected malware file(s). For example, the analyst may quickly determine one or more characteristics of the suspected malware file(s), whether or not the file(s) is malware, and/or a threat level of the file(s).

Citations

20 Claims

1. A computer system comprising:
- one or more computer readable storage devices configured to store;
  
  a plurality of computer executable instructions; and
  
  a plurality of data items each associated with at least one respective submission event, each submission event indicating at least one of;
  
  a date the associated data item was submitted, oran identifier of a person who submitted the associated data item,wherein;
  
  the plurality of data items include at least a first data item representing a suspected malware file,the first data item is associated with a first submission event, andthe first data item is further associated with a plurality of analysis information items from an analysis of the first data item, wherein the plurality of analysis information items includes at least one of;
  
  a payload associated with the first data item, academic analysis information associated with the first data item, file execution information associated with the first data item, third-party analysis information associated with the first data item, a hash of the first data item, a size of the first data item, or a file property associated with the first data item, andone or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the plurality of computer executable instructions in order to cause the one or more hardware computer processors to;
  
  receive, via an upload or transmission to the computer system, a second data item, the second data item representing a suspected malware file;
  
  perform an analysis of the second data item to determine one or more characteristics associated with the second data item;
  
  compare at least a first characteristic associated with the second data item with a corresponding first characteristic associated with the first data item;
  
  determine, based at least in part on comparing the first characteristic and the corresponding first characteristic, that the second data item and the first data item match;
  
  in response to determining that the second data item and the first data item match;
  
  associate a second submission event with the first data item, the second submission event being different from the first submission event; and
  
  generate a displayable notification that the second data item was previously received, wherein the displayable notification includes an indication of the first submission event associated with the first data item representing a suspected malware file; and
  
  generate a user interface including one or more user selectable portions presenting at least;
  
  one or more of the analysis information items associated with the first data item, and information regarding the first submission event associated with the first data item.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The computer system of claim 1, wherein the indication of the first submission event includes a date that the first data item was previously submitted.
  - 3. The computer system of claim 1, wherein the indication of the first submission event includes at least both of:
    - a date the first data item was submitted; and
      
      an identifier of the person who submitted the first data item.
  - 4. The computer system of claim 1, wherein the one or more hardware computer processors are further configured to execute the plurality of computer executable instructions in order to cause the one or more hardware computer processors to:
    - in response to receiving the second data item, generate the second submission event associated with the receipt of the second data item.
  - 5. The computer system of claim 4, wherein the user interface further includes a selectable element, and wherein the one or more hardware computer processors are further configured to execute the a plurality of computer executable instructions in order to cause the one or more hardware computer processors to:
    - in response to a selection of the selectable element, generate a graphical visualization including at least;
      
      a first graphical representation of the first data item,a second graphical representation of the first submission event, anda third graphical representation of the second submission event.
  - 6. The computer system of claim 5, wherein the graphical visualization further includes:
    - a fourth graphical representation of at least one of the analysis information items.
  - 7. The computer system of claim 6, wherein the graphical visualization further includes:
    - fifth graphical representation of relationships among the first, second, third, and fourth graphical representations.
  - 8. The computer system of claim 7, wherein the first, second, third, and fourth graphical representations comprise graphical nodes, and the fifth graphical representation comprises graphical edges.
  - 9. The computer system of claim 1, wherein the one or more hardware computer processors are further configured to execute the a plurality of computer executable instructions in order to cause the one or more hardware computer processors to:
    - initiate an internal analysis of the first data item including at least calculation of a hash of the data item;
      
      initiate an external analysis of the first data item by one or more third party analysis systems; and
      
      associate results of the internal and external analyses with the first data item, the results of the internal and external analyses comprising the analysis information items.
  - 10. The computer system of claim 9, wherein the internal analysis includes analysis performed by the one or more hardware computer processors, and wherein the internal analysis further includes at least one of calculation of an MD5 hash of the first data item, calculation of a SHA-1 hash of the first data item, calculation of a SHA-256 hash of the first data item, calculation of an SSDeep hash of the first data item, or calculation of a size of the first data item.
  - 11. The computer system of claim 9, wherein the external analysis includes analysis performed by at least a second computer system, and wherein the external analysis includes execution of the first data item in a sandboxed environment and analysis of the first data item by a third-party malware analysis service.
  - 12. The computer system of claim 11, wherein any payload provided by the first data item after execution of the first data item in the sandboxed environment is associated with the first data item.
  - 13. The computer system of claim 1, wherein the one or more hardware computer processors are further configured to execute the a plurality of computer executable instructions in order to cause the one or more hardware computer processors to:
    - in response to receiving the second data item, generate the second submission event associated with the second data item.
  - 14. The computer system of claim 13, wherein the one or more hardware computer processors are further configured to execute the a plurality of computer executable instructions in order to cause the one or more hardware computer processors to:
    - receive a third data item, the third data item representing another suspected malware file;
      
      generate a third submission event associated with the receipt of the third data item;
      
      compare the third data item with at least one of the first data item or the second data item;
      
      determine that at the third data item and at least one of the first data item or the second data item match;
      
      associate the third submission event with the first data item; and
      
      provide a notification that the third data item was previously received.
  - 15. The computer system of claim 1, wherein comparing the second data item with the first data item comprises:
    - calculating a hash of the second data item and comparing the calculated hash to a previously calculated hash of the first data item.
  - 16. The computer system of claim 1, wherein the one or more hardware computer processors are further configured to execute the plurality of computer executable instructions in order to cause the one or more hardware computer processors to:
    - share the first data item and associated analysis information items with a second computer systems via a third computer system.

17. A computer-implemented method comprising:
- storing in one or more computer readable storage devices;
  
  a plurality of computer executable instructions; and
  
  a plurality of data items each associated with at least one respective submission event, each submission event indicating at least one of;
  
  a date the associated data item was submitted, oran identifier of a person who submitted the associated data item,wherein;
  
  the plurality of data items include at least a first data item representing a suspected malware file,the first data item is associated with a first submission event, andthe first data item is further associated with a plurality of analysis information items from an analysis of the first data item, wherein the plurality of analysis information items includes at least one of;
  
  a payload associated with the first data item, academic analysis information associated with the first data item, file execution information associated with the first data item, third-party analysis information associated with the first data item, a hash of the first data item, a size of the first data item, or a file property associated with the first data item, andexecuting, in one or more hardware computer processors in communication with the one or more computer readable storage devices, the plurality of computer executable instructions in order to cause the one or more hardware computer processors to;
  
  receive, via an upload or transmission to the computer system, a second data item, the second data item representing a suspected malware file;
  
  perform an analysis of the second data item to determine one or more characteristics associated with the second data item;
  
  compare at least a first characteristic associated with the second data item with a corresponding first characteristic associated with the first data item;
  
  determine, based at least in part on comparing the first characteristic and the corresponding first characteristic, that the second data item and the first data item match;
  
  in response to determining that the second data item and the first data item match;
  
  associate a second submission event with the first data item, the second submission event being different from the first submission event; and
  
  generate a displayable notification that the second data item was previously received, wherein the displayable notification includes an indication of the first submission event associated with the first data item representing a suspected malware file; and
  
  generate a user interface including one or more user selectable portions presenting at least;
  
  one or more of the analysis information items associated with the first data item, and information regarding the first submission event associated with the first data item.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-implemented method of claim 17, further comprising executing, with one or more hardware computer processors in communication with the one or more computer readable storage devices, the plurality of computer executable instructions in order to cause the one or more hardware computer processors to:
    - in response to receiving the second data item, generate the second submission event associated with the receipt of the second data item.
  - 19. The computer-implemented method of claim 17, further comprising executing, with one or more hardware computer processors in communication with the one or more computer readable storage devices, the plurality of computer executable instructions in order to cause the one or more hardware computer processors to:
    - share the first data item and associated analysis information items with a second computer systems via a third computer system.
  - 20. The computer-implemented method of claim 17, further comprising executing, with the one or more hardware computer processors, the plurality of computer executable instructions in order to cause the one or more hardware computer processors to:
    - initiate an internal analysis of the first data item including at least calculation of a hash of the data item;
      
      initiate an external analysis of the first data item by one or more third party analysis systems; and
      
      associate results of the internal and external analyses with the first data item, the results of the internal and external analyses comprising the analysis information items.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palantir Technologies Incorporated
Original Assignee
Palantir Technologies Incorporated
Inventors
Falk, Matthew, Yousaf, Timothy, Staehle, Joseph, Lemanowicz, Lucas, Noury, Sebastien, Lim, Robin, Glazer, Michael
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Zarrineh, Shahriar

Application Number

US14/668,833
Publication Number

US 20160004864A1
Time in Patent Office

930 Days
Field of Search

713165
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 2221/034   Test or assess a computer o...

H04L 63/105   Multiple levels of security

Malware data item analysis

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Malware data item analysis

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links