Systems and methods for curating file clusters for security analyses

US 9,842,219 B1
Filed: 06/09/2015
Issued: 12/12/2017
Est. Priority Date: 06/09/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for curating file clusters for security analyses, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying a suspicious file that exists on at least one computing system within a computing community;

clustering a set of files that includes the suspicious file into a file cluster based at least in part on at least one characteristic shared by the set of files, wherein clustering the set of files comprises;

measuring a degree of similarity among the set of files;

determining that the degree of similarity among the set of files is above a similarity threshold; and

clustering the set of files into the file cluster due at least in part to the degree of similarity among the files being above the similarity threshold;

prioritizing at least one file included in the file cluster based at least in part on a contextual value of the file relative to the file cluster by ranking the file higher than at least one other file included in the file cluster due at least in part to the contextual value of the file;

providing, for presentation to a security analyst, a graphical representation of the file cluster that;

highlights the prioritized file relative to the file cluster; and

is organized as an ordered list that corresponds to the ranking;

receiving feedback from the security analyst in connection with the graphical representation of the file cluster provided for presentation to the security analyst; and

performing at least one security action on the suspicious file based at least in part on feedback received from the security analyst in connection with the graphical representation of the file cluster provided for presentation to the security analyst.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for curating file clusters for security analyzes may include (1) identifying a suspicious file that exists on at least one computing system within a computing community, (2) clustering a set of files that includes the suspicious file into a file cluster based at least in part on at least one characteristic shared by the set of files, (3) prioritizing at least one file included in the file cluster based at least in part on a contextual value of the file relative to the file cluster, (4) providing, for presentation to a security analyst, a graphical representation of the file cluster that highlights the prioritized file relative to the file cluster, and then (5) performing at least one security action on the suspicious file based at least in part on feedback received from the security analyst. Various other methods, systems, and computer-readable media are also disclosed.

Citations

12 Claims

1. A computer-implemented method for curating file clusters for security analyses, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying a suspicious file that exists on at least one computing system within a computing community;
  
  clustering a set of files that includes the suspicious file into a file cluster based at least in part on at least one characteristic shared by the set of files, wherein clustering the set of files comprises;
  
  measuring a degree of similarity among the set of files;
  
  determining that the degree of similarity among the set of files is above a similarity threshold; and
  
  clustering the set of files into the file cluster due at least in part to the degree of similarity among the files being above the similarity threshold;
  
  prioritizing at least one file included in the file cluster based at least in part on a contextual value of the file relative to the file cluster by ranking the file higher than at least one other file included in the file cluster due at least in part to the contextual value of the file;
  
  providing, for presentation to a security analyst, a graphical representation of the file cluster that;
  
  highlights the prioritized file relative to the file cluster; and
  
  is organized as an ordered list that corresponds to the ranking;
  
  receiving feedback from the security analyst in connection with the graphical representation of the file cluster provided for presentation to the security analyst; and
  
  performing at least one security action on the suspicious file based at least in part on feedback received from the security analyst in connection with the graphical representation of the file cluster provided for presentation to the security analyst.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein identifying the suspicious file comprises:
    - detecting at least one security event in connection with the suspicious file; and
      
      determining that the file is suspicious based at least in part on the detected security event.
  - 3. The method of claim 1, wherein measuring the degree of similarity among the set of files comprises calculating the degree of similarity among the set of files based at least in part on at least one of:
    - whether the set of files co-exist with one another on a certain amount of computing systems within the computing community;
      
      whether the set of files are typically created or modified within a certain amount of time of one another on computing systems within the computing community;
      
      whether the set of files have filenames whose similarity exceeds a certain threshold;
      
      whether the set of files are signed by a common entity;
      
      whether the set of files exhibit common behavioral patterns; and
      
      whether the set of files have at least one library linkage dependency in common.
  - 4. The method of claim 1, wherein providing the graphical representation of the file cluster for presentation to the security analyst comprises organizing the graphical representation of the file cluster as an ordered list that corresponds to the ranking.
  - 5. The method of claim 1, wherein providing the graphical representation of the file cluster for presentation to the security analyst comprises:
    - formulating a summary of the file cluster that highlights at least one of;
      
      a file included in the file cluster that has a contextually meaningful file type;
      
      a file included in the file cluster whose reputation is highest relative to the file cluster;
      
      a file included in the file cluster whose reputation is lowest relative to the file cluster; and
      
      a file included in the file cluster whose filename is most descriptive; and
      
      generating a graphical representation of the file cluster that portrays the summary of the file cluster.
  - 6. The method of claim 5, wherein the summary of the file cluster comprises at least one of:
    - a histogram that illustrates reputations of the set of files clustered into the file cluster;
      
      a histogram that illustrates hygiene levels of computing systems that include the set of files within the computing community;
      
      a count of certain file types included in the file cluster; and
      
      a histogram that illustrates a number of times that the suspicious file has been downloaded from at least one online source.
  - 7. The method of claim 1, wherein providing the graphical representation of the file cluster for presentation to the security analyst comprises formatting the graphical representation of the file cluster as a collapsible/expandable list.
  - 8. The method of claim 1, wherein clustering the set of files into the file cluster comprises:
    - determining that the set of files represent portions of a single software package; and
      
      clustering the set of files into the file cluster due at least in part to the set of files representing portions of the single software package.
  - 9. The method of claim 1, wherein the security action comprises at least one of:
    - classifying the suspicious file or the file cluster as malicious;
      
      classifying the suspicious file or the file cluster as non-malicious;
      
      directing the computing system within the computing community to quarantine the suspicious file or the file cluster;
      
      directing at least one additional computing system within the computing community to quarantine the suspicious file or the file cluster; and
      
      preventing at least one other computing system within the computing community from accessing the suspicious file or the file cluster.

10. A system for curating file clusters for security analyses, the system comprising:
- a clustering module, stored in memory, that;
  
  identifies a suspicious file that exists on at least one computing system within a computing community; and
  
  clusters a set of files that includes the suspicious file into a file cluster based at least in part on at least one characteristic shared by the set of files, wherein the clustering module clusters the set of files by;
  
  measuring a degree of similarity among the set of files;
  
  determining that the degree of similarity among the set of files is above a similarity threshold; and
  
  determining that the degree of similarity among the set of files is above a similarity threshold; and
  
  clustering the set of files into the file cluster due at least in part to the degree of similarity among the files being above the similarity threshold;
  
  a prioritization module, stored in memory, that prioritizes at least one file included in the file cluster based at least in part on a contextual value of the file relative to the file cluster by ranking the file higher than at least one other file included in the file cluster due at least in part to the contextual value of the file;
  
  a presentation module, stored in memory, that provides, for presentation to a security analyst, a graphical representation of the file cluster that;
  
  highlights the prioritized file relative to the file cluster; and
  
  is organized as an ordered list that corresponds to the ranking;
  
  a security module, stored in memory, that;
  
  receives feedback from the security analyst in connection with the graphical representation of the file cluster provided for presentation to the security analyst; and
  
  performs at least one security action on the suspicious file based at least in part on feedback received from the security analyst in connection with the graphical representation of the file cluster provided for presentation to the security analyst; and
  
  at least one physical processor configured to execute the clustering module, the prioritization module, the presentation module, and the security module.
- View Dependent Claims (11)
- - 11. The system of claim 10, wherein the clustering module identifies the suspicious file by:
    - detecting at least one security event in connection with the suspicious file; and
      
      determining that the file is suspicious based at least in part on the detected security event.

12. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify a suspicious file that exists on at least one computing system within a computing community;
  
  cluster a set of files that includes the suspicious file into a file cluster based at least in part on at least one characteristic shared by the set of files, wherein clustering the set of files comprises;
  
  measuring a degree of similarity among the set of files;
  
  determining that the degree of similarity among the set of files is above a similarity threshold; and
  
  clustering the set of files into the file cluster due at least in part to the degree of similarity among the files being above the similarity threshold;
  
  prioritize at least one file included in the file cluster based at least in part on a contextual value of the file relative to the file cluster by ranking the file higher than at least one other file included in the file cluster due at least in part to the contextual value of the file;
  
  provide, for presentation to a security analyst, a graphical representation of the file cluster that;
  
  highlights the prioritized file relative to the file cluster; and
  
  is organized as an ordered list that corresponds to the ranking;
  
  receive feedback from the security analyst in connection with the graphical representation of the file cluster provided for presentation to the security analyst; and
  
  perform at least one security action on the suspicious file based at least in part on feedback received from the security analyst in connection with the graphical representation of the file cluster provided for presentation to the security analyst.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Gates, Christopher, Roundy, Kevin, Viljoen, Petrus Johannes
Primary Examiner(s)
Ho, Dao

Application Number

US14/733,983
Time in Patent Office

917 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552 involving long-term monitor...

G06F 21/562 Static detection

Systems and methods for curating file clusters for security analyses

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for curating file clusters for security analyses

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links