Systems and methods for determining malicious-download risk based on user behavior

US 9,813,437 B2
Filed: 06/15/2015
Issued: 11/07/2017
Est. Priority Date: 06/15/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for determining malicious-download risk based on user behavior, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying a set of users that are at high risk for malicious downloads and a set of users that are at low risk for malicious downloads;

determining a high-risk pattern of download behavior that is shared by the set of high-risk users and that is not shared by the set of low-risk users;

analyzing download behavior of an uncategorized user over a predefined time period in order to categorize the download behavior as high-risk or low-risk;

categorizing the uncategorized user as a high-risk user in response to determining that the download behavior of the uncategorized user falls within a predefined similarity threshold of the high-risk pattern of download behavior, wherein the high-risk pattern of download behavior comprises downloading at least one file that is found on fewer than a predefined percentage of computing devices used by others; and

increasing a security posture of the high-risk user in order to reduce the risk of the high-risk user becoming infected with malware, wherein increasing the security posture comprises increasing a restriction of at least one of firewall settings or spam filter settings associated with the computing device.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for determining malicious-download risk based on user behavior may include (1) identifying a set of users that are at high risk for malicious downloads and a set of users that are at low risk for malicious downloads, (2) determining a high-risk pattern of download behavior that is shared by the set of high-risk users and that is not shared by the set of low-risk users, (3) analyzing download behavior of an uncategorized user over a predefined time period in order to categorize the download behavior as high-risk or low-risk, and (4) categorizing the uncategorized user as a high-risk user in response to determining that the download behavior of the uncategorized user falls within a predefined similarity threshold of the high-risk pattern of download behavior. Various other methods, systems, and computer-readable media are also disclosed. Various other methods, systems, and computer-readable media are also disclosed.

20 Citations

View as Search Results

18 Claims

1. A computer-implemented method for determining malicious-download risk based on user behavior, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying a set of users that are at high risk for malicious downloads and a set of users that are at low risk for malicious downloads;
  
  determining a high-risk pattern of download behavior that is shared by the set of high-risk users and that is not shared by the set of low-risk users;
  
  analyzing download behavior of an uncategorized user over a predefined time period in order to categorize the download behavior as high-risk or low-risk;
  
  categorizing the uncategorized user as a high-risk user in response to determining that the download behavior of the uncategorized user falls within a predefined similarity threshold of the high-risk pattern of download behavior, wherein the high-risk pattern of download behavior comprises downloading at least one file that is found on fewer than a predefined percentage of computing devices used by others; and
  
  increasing a security posture of the high-risk user in order to reduce the risk of the high-risk user becoming infected with malware, wherein increasing the security posture comprises increasing a restriction of at least one of firewall settings or spam filter settings associated with the computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, further comprising collecting additional data about the high-risk user in order to at least one of:
    - improve the accuracy of the high-risk pattern of download behavior at predicting malware infections;
      
      improve the accuracy of additional malware-infection-prediction systems.
  - 3. The computer-implemented method of claim 1, further comprising increasing the security posture of an organization that includes the high-risk user in order to reduce the risk of computing devices used by the organization becoming infected with malware.
  - 4. The computer-implemented method of claim 1, wherein identifying the set of high-risk users and the set of low-risk users comprises:
    - monitoring download behavior of a set of unclassified users over a predefined download monitoring time period;
      
      classifying users whose computing devices became infected with malware during the predefined download monitoring time period as the set of high-risk users;
      
      classifying users whose computing devices did not become infected with malware during the predefined download monitoring time period as the set of low-risk users.
  - 5. The computer-implemented method of claim 1, wherein the high-risk pattern of download behavior further comprises at least one of:
    - a total number of files on a computing device used by the high-risk user to download files;
      
      a reputation score that applies to at least one file on a computing device used by the high-risk user to download files and that is below a predefined reputation score threshold;
      
      a timestamp of a download of at least one file on a computing device used by the high-risk user to download files;
      
      a category of at least one file on a computing device used by the high-risk user to download files.
  - 6. The computer-implemented method of claim 1, wherein the high-risk pattern of download behavior further comprises at least one of:
    - a total number of distinct file names on a computing device used by the high-risk user to download files;
      
      a reputation score that applies to at least one distinct file name on a computing device used by the high-risk user to download files and that is below a predefined reputation score threshold;
      
      at least one distinct file name that is on a computing device used by the high-risk user to download files and that is below a predefined frequency threshold on computing devices used by other users;
      
      a timestamp of a download of at least one distinct file name on a computing device used by the high-risk user to download files.
  - 7. The computer-implemented method of claim 1, wherein the high-risk pattern of download behavior further comprises at least one of:
    - a total number of distinct file paths on a computing device used by the high-risk user to download files;
      
      a reputation score that applies to at least one distinct file path on a computing device used by the high-risk user to download files and that is below a predefined reputation score threshold;
      
      at least one distinct file path that is on a computing device used by the high-risk user to download files and that is below a predefined frequency threshold on computing devices used by other users;
      
      a timestamp of a creation of at least one distinct file path on a computing device used by the high-risk user to download files.
  - 8. The computer-implemented method of claim 1, further comprising:
    - periodically analyzing additional download behavior of a previously categorized user with an assigned risk category over an additional predefined time period in order to categorize the download behavior as high-risk or low-risk;
      
      adjusting the assigned risk category of the previously categorized user in response to determining that the download behavior of the previously categorized has changed with respect to the high-risk pattern of download behavior.
  - 9. The computer-implemented method of claim 1, further comprising:
    - identifying a new set of users that are at high risk for malicious downloads;
      
      updating the high-risk pattern of download behavior in response to at least one change in download behavior between the set of high-risk users and the new set of high-risk users.

10. A system for determining malicious-download risk based on user behavior, the system comprising:
- an identification module, stored in memory, that identifies a set of users that are at high risk for malicious downloads and a set of users that are at low risk for malicious downloads;
  
  a determination module, stored in memory, that determines a high-risk pattern of download behavior that is shared by the set of high-risk users and that is not shared by the set of low-risk users;
  
  an analysis module, stored in memory, that analyzes download behavior of an uncategorized user over a predefined time period in order to categorize the download behavior as high-risk or low-risk;
  
  a categorization module, stored in memory, that categorizes the uncategorized user as a high-risk user in response to determining that the download behavior of the uncategorized user falls within a predefined similarity threshold of the high-risk pattern of download behavior, wherein the high-risk pattern of download behavior comprises downloading at least one file that is found on fewer than a predefined percentage of computing devices used by others;
  
  a security module that increases a security posture of the high-risk user in order to reduce the risk of the high-risk user becoming infected with malware, wherein increasing the security posture comprises increasing a restriction of at least one of firewall settings or spam filter settings associated with the computing device; and
  
  at least one physical processor configured to execute the identification module, the determination module, the analysis module, and the categorization module.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The system of claim 10, wherein the security module collects additional data about the high-risk user in order to at least one of:
    - improve the accuracy of the high-risk pattern of download behavior at predicting malware infections;
      
      improve the accuracy of additional malware-infection-prediction systems.
  - 12. The system of claim 10, wherein the security module increases the security posture of an organization that includes the high-risk user in order to reduce the risk of computing devices used by the organization becoming infected with malware.
  - 13. The system of claim 10, wherein the identification module identifies the set of high-risk users and the set of low-risk users by:
    - monitoring download behavior of a set of unclassified users over a predefined download monitoring time period;
      
      classifying users whose computing devices became infected with malware during the predefined download monitoring time period as the set of high-risk users;
      
      classifying users whose computing devices did not become infected with malware during the predefined download monitoring time period as the set of low-risk users.
  - 14. The system of claim 10, wherein the high-risk pattern of download behavior further comprises at least one of:
    - a total number of files on a computing device used by the high-risk user to download files;
      
      a reputation score that applies to at least one file on a computing device used by the high-risk user to download files and that is below a predefined reputation score threshold;
      
      a timestamp of a download of at least one file on a computing device used by the high-risk user to download files;
      
      a category of at least one file on a computing device used by the high-risk user to download files.
  - 15. The system of claim 10, wherein the high-risk pattern of download behavior further comprises at least one of:
    - a total number of distinct file names on a computing device used by the high-risk user to download files;
      
      a reputation score that applies to at least one distinct file name on a computing device used by the high-risk user to download files and that is below a predefined reputation score threshold;
      
      at least one distinct file name that is on a computing device used by the high-risk user to download files and that is below a predefined frequency threshold on computing devices used by other users;
      
      a timestamp of a download of at least one distinct file name on a computing device used by the high-risk user to download files.
  - 16. The system of claim 10, wherein the high-risk pattern of download behavior further comprises at least one of:
    - a total number of distinct file paths on a computing device used by the high-risk user to download files;
      
      a reputation score that applies to at least one distinct file path on a computing device used by the high-risk user to download files and that is below a predefined reputation score threshold;
      
      at least one distinct file path that is on a computing device used by the high-risk user to download files and that is below a predefined frequency threshold on computing devices used by other users;
      
      a timestamp of a creation of at least one distinct file path on a computing device used by the high-risk user to download files.
  - 17. The system of claim 10, wherein:
    - the analysis module periodically analyzes additional download behavior of a previously categorized user with an assigned risk category over an additional predefined time period in order to categorize the download behavior as high-risk or low-risk;
      
      the categorization module adjusts the assigned risk category of the previously categorized user in response to determining that the download behavior of the previously categorized has changed with respect to the high-risk pattern of download behavior.

18. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify a set of users that are at high risk for malicious downloads and a set of users that are at low risk for malicious downloads;
  
  determine a high-risk pattern of download behavior that is shared by the set of high-risk users and that is not shared by the set of low-risk users;
  
  analyze download behavior of an uncategorized user over a predefined time period in order to categorize the download behavior as high-risk or low-risk;
  
  categorize the uncategorized user as a high-risk user in response to determining that the download behavior of the uncategorized user falls within a predefined similarity threshold of the high-risk pattern of download behavior, wherein the high-risk pattern of download behavior comprises downloading at least one file that is found on fewer than a predefined percentage of computing devices used by others; and
  
  increase a security posture of the high-risk user in order to reduce the risk of the high-risk user becoming infected with malware, wherein increasing the security posture comprises increasing a restriction of at least one of firewall settings or spam filter settings associated with the computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Yumer, Leylya
Primary Examiner(s)
Gergiso, Techane
Assistant Examiner(s)
TRAN, TRI MINH

Application Number

US14/739,385
Publication Number

US 20160366167A1
Time in Patent Office

876 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Systems and methods for determining malicious-download risk based on user behavior

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for determining malicious-download risk based on user behavior

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links