Computer imposed countermeasures driven by malware lineage
First Claim
1. A method of mitigating risk of a cyberattack on an information technology asset, comprising:
determining, by a computer system, a value of a plurality of characteristics of a malware software item, where the characteristics comprise at least two of a file path associated with the malware software item, a file name associated with the malware software item, a name of an author associated with the malware software item, an identity of a compiler used to compile the malware software item, a domain name associated with the malware software item, an internet protocol address associated with the malware software item, an email address associated with the software item, and an identity of a programming language used to create the malware software item;
determining, by the computer system, at least one hash of the malware software item;
comparing the malware software item, by the computer system, to a plurality of malware families, wherein the comparing comprises at least one of comparing each of the characteristics of the malware software item to a corresponding characteristic of each of the malware families and comparing the at least one hash of the malware software item to each corresponding hash associated with each of the malware families;
based on comparing the malware software item to the malware families, associating the malware software item to one of the malware families;
selecting, by the computer system, a countermeasure based on the malware family to which the malware software item is associated; and
causing the countermeasure to execute to mitigate vulnerability of the information technology asset to the malware software item.
5 Assignments
0 Petitions
Abstract
A system to identify and counter computer malware. The system comprises a processor, a memory, a data store comprising information about known computer malware, wherein the information about known computer malware is partitioned into a plurality of malware families, and comprising a plurality of mappings, wherein each mapping associates one malware family with at least one countermeasure for mitigating a risk to an information technology asset posed by the known computer malware associated with the malware family, and an application stored in the memory. The application analyzes a software artifact, determines characteristics of the software artifact, and determines a plurality of metrics, each metric representing a degree of match between the software artifact and one of the plurality of malware families. Based on the plurality of metrics, the application further determines a malware family that best matches the software artifact.
131 Citations
34 Claims
1. A method of mitigating risk of a cyberattack on an information technology asset (independent claim; full text as given above under First Claim).
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A system to identify and counter computer malware, comprising:
a processor;
a memory;
a first data store comprising information about known computer malware, wherein the information about each known computer malware is associated with a malware family of a plurality of malware families, and comprising a plurality of mappings, wherein each mapping associates at least one malware family with at least one countermeasure for mitigating a risk to an information technology asset posed by the known computer malware associated with the at least one malware family;
a second data store comprising historical information about at least one of known malware attacks, cybercrimes, espionage, hack attacks, hacktivism; and
an application stored in the memory that, when executed by the processor, analyzes a software artifact identified to be present in an information technology asset, based on the analysis of the software artifact determines a plurality of characteristics of the software artifact, determines a plurality of metrics, each metric representing a degree of match between the software artifact and one of the plurality of malware families based on the characteristics of the software artifact and on the characteristics of each of the plurality of malware families stored in the first data store, based on the plurality of metrics and based on the historical information determines a malware family that best matches the software artifact, responsive to the metric associated with the best-match malware family exceeding a pre-defined threshold determines the software artifact to be computer malware, responsive to determining the software artifact to be computer malware selects at least one countermeasure based on the malware family that best matches the software artifact, and causes the at least one countermeasure to be activated on the information technology asset.
Dependent claims: 11, 12.
13. A method of mitigating vulnerability of an information technology asset to a computer malware, comprising:
determining, by a computer system, a value associated with each of a plurality of characteristics of a software artifact;
comparing, by the computer system, the characteristics of the software artifact to the characteristics of a plurality of families of known computer malware;
associating the software artifact, by the computer system, to one of the plurality of families of known computer malware based on comparing the software artifact to the families of known computer malware;
selecting a countermeasure, by the computer system, from among a plurality of countermeasures based on the family of known computer malware that the software artifact is associated to and based on at least one of the characteristics of the software artifact; and
commanding the selected countermeasure to execute on the information technology asset.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29.
30. A method of mitigating vulnerability of an information technology asset to a computer malware, comprising:
comparing, by a computer system, a plurality of characteristics of one or more software artifacts to the characteristics of a plurality of families of known computer malware;
associating the one or more software artifacts, by the computer system, to one of the plurality of families of known computer malware based on comparing the one or more software artifacts to the families of known computer malware;
selecting one or more countermeasures, by the computer system, from among a plurality of countermeasures based on the family of known computer malware that the one or more software artifacts are associated to; and
commanding the selected one or more countermeasures to execute on the information technology asset.
Dependent claims: 31, 32, 33, 34.
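The pipeline that claims 1, 10 and 13 describe (extract characteristics and a hash, score the artifact against each malware family, accept the best family only above a threshold, then run the countermeasures mapped to that family, parameterised by the artifact's own characteristics) is shown below as an added worked example. This is Python written for this page, not the patentee's implementation, and everything in it is constructed: the family records, the hashes, the per-characteristic weights, the threshold, the countermeasure mapping and the three artifacts. Two choices that the claims leave open are made explicitly here: an exact hash hit is treated as decisive, and a family is scored only over the characteristics it actually records, so sparse family data is not penalised. Claim 10's second data store of historical information is omitted. The benign artifact illustrates why weighting matters: compiler and language alone match a family but should not cross the threshold.

```python
"""Malware-family matching and countermeasure selection.

Added illustration of the claimed method; not the patent holder's code.
All family records, hashes, weights, thresholds and artifacts below are
constructed for this example and are not real malware indicators.
"""
import hashlib


def h(data: bytes) -> str:
    """SHA-256 hex digest; stands in for the claim's 'at least one hash'."""
    return hashlib.sha256(data).hexdigest()


# First data store (claim 10): per-family characteristic values and hashes.
# Keys are the characteristics enumerated in claim 1.  Constructed data.
FAMILIES = {
    "family_a": {
        "file_path": {r"c:\users\public\svc.exe"},
        "file_name": {"svc.exe", "svchosts.exe"},
        "compiler": {"MSVC"},
        "language": {"C++"},
        "domain": {"update-check.example"},
        "ip": {"192.0.2.10"},
        "hashes": {h(b"sample-a1")},
    },
    "family_b": {
        "file_name": {"invoice.docm"},
        "author": {"admin"},
        "language": {"VBA"},
        "email": {"billing@example.net"},
        "hashes": {h(b"sample-b1")},
    },
}

# Design choice of this example (not in the claims): network and path
# indicators are strong evidence, toolchain indicators are weak.
WEIGHTS = {"file_path": 3, "file_name": 2, "author": 2, "compiler": 1,
           "language": 1, "domain": 3, "ip": 3, "email": 3}

THRESHOLD = 0.5  # the claim's 'pre-defined threshold'; assumed value

# Mapping of family -> countermeasures (claim 10).  The second element
# names an artifact characteristic the countermeasure is instantiated
# with (claim 13), or None for a parameter-free action.
COUNTERMEASURES = {
    "family_a": [("block_domain", "domain"), ("block_ip", "ip"),
                 ("quarantine", "file_path")],
    "family_b": [("disable_macros", None), ("block_sender", "email")],
}


def family_metrics(artifact: dict) -> dict:
    """Degree of match in [0, 1] between the artifact and every family.

    An exact hash hit scores 1.0.  Otherwise the score is the weighted
    fraction of the artifact's characteristics whose value (compared
    case-insensitively) appears in the family's record, computed only
    over characteristics the family records at all.
    """
    metrics = {}
    for name, fam in FAMILIES.items():
        if artifact.get("hash") in fam.get("hashes", ()):
            metrics[name] = 1.0
            continue
        keys = [k for k in artifact if k != "hash" and k in fam]
        total = sum(WEIGHTS[k] for k in keys)
        if total == 0:
            metrics[name] = 0.0
            continue
        hits = sum(WEIGHTS[k] for k in keys
                   if artifact[k].lower() in {v.lower() for v in fam[k]})
        metrics[name] = hits / total
    return metrics


def classify(artifact: dict) -> tuple:
    """(best family, its metric), or (None, metric) if under THRESHOLD."""
    metrics = family_metrics(artifact)
    best, score = max(metrics.items(), key=lambda kv: kv[1])
    return (best, score) if score > THRESHOLD else (None, score)


def select_countermeasures(artifact: dict) -> list:
    """Countermeasures for the artifact's family, filled in with the
    artifact's own characteristic values where the mapping asks for one.
    Actions needing a characteristic the artifact lacks are skipped."""
    family, _ = classify(artifact)
    if family is None:
        return []
    actions = []
    for action, param in COUNTERMEASURES[family]:
        if param is None:
            actions.append((action, None))
        elif param in artifact:
            actions.append((action, artifact[param]))
    return actions


# Constructed artifacts: a variant of family_a with a new hash and a new
# C2 address, a benign binary sharing only toolchain traits, and a
# sample whose hash is already on record for family_b.
SUSPECT = {"file_path": r"C:\Users\Public\svc.exe", "file_name": "svchosts.exe",
           "compiler": "MSVC", "language": "C++", "domain": "update-check.example",
           "ip": "198.51.100.7", "hash": h(b"unseen-variant")}
BENIGN = {"file_name": "notepad.exe", "compiler": "MSVC", "language": "C++",
          "hash": h(b"notepad")}
KNOWN_B = {"email": "billing@example.net", "hash": h(b"sample-b1")}

if __name__ == "__main__":
    for label, art in (("suspect", SUSPECT), ("benign", BENIGN), ("known_b", KNOWN_B)):
        print(label, family_metrics(art), classify(art), select_countermeasures(art))
```

The suspect variant scores 10/13 against family_a despite an unseen hash and an unseen IP, and the countermeasures it triggers block the domain and IP it actually used rather than the family's historical ones. The benign binary scores exactly 0.5 on compiler and language alone and is rejected by the strict threshold; lowering the weights of those two characteristics, or raising the threshold, is the knob a practitioner would tune against false positives.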
Specification