Computer imposed countermeasures driven by malware lineage

US 9,892,261 B2
Filed: 04/28/2015
Issued: 02/13/2018
Est. Priority Date: 04/28/2015
Status: Active Grant

First Claim

Patent Images

1. A method of mitigating risk of a cyberattack on an information technology asset, comprising:

determining, by a computer system, a value of a plurality of characteristics of a malware software item, where the characteristics comprise at least two of a file path associated with the malware software item, a file name associated with the malware software item, a name of an author associated with the malware software item, an identity of a compiler used to compile the malware software item, a domain name associated with the malware software item, an internet protocol address associated with the malware software item, an email address associated with the software item, and an identity of a programming language used to create the malware software item;

determining, by the computer system, at least one hash of the malware software item;

comparing the malware software item, by the computer system, to a plurality of malware families, wherein the comparing comprises at least one of comparing each of the characteristics of the malware software item to a corresponding characteristic of each of the malware families and comparing the at least one hash of the malware software item to each corresponding hash associated with each of the malware families;

based on comparing the malware software item to the malware families, associating the malware software item to one of the malware families;

selecting, by the computer system, a countermeasure based on the malware family to which the malware software item is associated; and

causing the countermeasure to execute to mitigate vulnerability of the information technology asset to the malware software item.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system to identify and counter computer malware. The system comprises a processor, a memory, a data store comprising information about known computer malware, wherein the information about known computer malware is partitioned into a plurality of malware families, and comprising a plurality of mappings, wherein each mapping associates one malware family with at least one countermeasure for mitigating a risk to an information technology asset posed by the known computer malware associated with the malware family, and an application stored in the memory. The application analyzes a software artifact, determines characteristics of the software artifact, and determines a plurality of metrics, each metric representing a degree of match between the software artifact and one of the plurality of malware families. Based on the plurality of metrics, the application further determines a malware family that best matches the software artifact.

131 Citations

34 Claims

1. A method of mitigating risk of a cyberattack on an information technology asset, comprising:
- determining, by a computer system, a value of a plurality of characteristics of a malware software item, where the characteristics comprise at least two of a file path associated with the malware software item, a file name associated with the malware software item, a name of an author associated with the malware software item, an identity of a compiler used to compile the malware software item, a domain name associated with the malware software item, an internet protocol address associated with the malware software item, an email address associated with the software item, and an identity of a programming language used to create the malware software item;
  
  determining, by the computer system, at least one hash of the malware software item;
  
  comparing the malware software item, by the computer system, to a plurality of malware families, wherein the comparing comprises at least one of comparing each of the characteristics of the malware software item to a corresponding characteristic of each of the malware families and comparing the at least one hash of the malware software item to each corresponding hash associated with each of the malware families;
  
  based on comparing the malware software item to the malware families, associating the malware software item to one of the malware families;
  
  selecting, by the computer system, a countermeasure based on the malware family to which the malware software item is associated; and
  
  causing the countermeasure to execute to mitigate vulnerability of the information technology asset to the malware software item.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein causing the countermeasure to execute to mitigate vulnerability of the information technology asset comprises moving the malware software item to a quarantine area of memory of the information technology asset.
  - 3. The method of claim 1, wherein causing the countermeasure to execute to mitigate vulnerability of the information technology asset comprises reducing the frequency of execution of the malware software item.
  - 4. The method of claim 1, wherein causing the countermeasure to execute to mitigate vulnerability of the information technology asset comprises blocking receiving data packets received from a source internet protocol address that is identified as a characteristic of the malware family to which the malware software is associated.
  - 5. The method of claim 1, wherein causing the countermeasure to execute to mitigate vulnerability of the information technology asset comprises blocking transmission of data packets to a destination internet protocol address that is identified as a characteristic of the malware family to which the malware software is associated.
  - 6. The method of claim 1, wherein causing the countermeasure to execute to mitigate vulnerability of the information technology asset comprises blocking reception of emails from an email address that is identified as a characteristic of the malware family to which the malware software is associated.
  - 7. The method of claim 1, wherein the information technology asset is one of an application server, a web server, a database, a data store, a domain name system (DNS) server, a router, or a content server.
  - 8. The method of claim 1, wherein the computer system determines a plurality of hashes of the malware item, and wherein each of the plurality of hashes corresponds to separate blocks of the malware software item.
  - 9. The method of claim 1, wherein the comparing comprises comparing each of the characteristics of the malware software item to a corresponding characteristic of each of the malware families and comparing the at least one hash of the malware software item to each corresponding hash associated with each of the malware families.

10. A system to identify and counter computer malware, comprising:
- a processor;
  
  a memory;
  
  a first data store comprising information about known computer malware, wherein the information about each known computer malware is associated with a malware family of a plurality of malware families, and comprising a plurality of mappings, wherein each mapping associates at least one malware family with at least one countermeasure for mitigating a risk to an information technology asset posed by the known computer malware associated with the at least one malware family;
  
  a second data store comprising historical information about at least one of known malware attacks, cybercrimes, espionage, hack attacks, hacktivism; and
  
  an application stored in the memory that, when executed by the processoranalyzes a software artifact identified to be present in an information technology asset,based on the analysis of the software artifact determines a plurality of characteristics of the software artifact,determines a plurality of metrics, each metric representing a degree of match between the software artifact and one of the plurality of malware families based on the characteristics of the software artifact and on the characteristics of each of the plurality of malware families stored in the first data store,based on the plurality of metrics and based on historical information, determines a malware family that best matches the software artifact,responsive to the metric associated with the best match malware family exceeding a pre-defined threshold, determines the software artifact to be computer malware,responsive to determining the software artifact to be computer malware, selects at least one countermeasure based on the malware family that best matches the software artifact, andcauses the at least one countermeasure to be activated on the information technology asset.
- View Dependent Claims (11, 12)
- - 11. The system of claim 10, wherein the characteristics of the software artifact comprise at least one of an internet protocol address associated with the software artifact, a domain name associated with the software artifact, a uniform resource locator associated with the software artifact, malware creation information, data directory name, a registry key, an identity of a communication protocol, a function signature, a header section, a code section, a data segment section, a stack segment section, a heap segment section, a disassembly code for binaries, a language used in plaintext embedded in the software artifact, a content string, a geographic location where the software artifact was found, and information technology asset configurations.
  - 12. The system of claim 10, wherein the countermeasure is one of blocking communication relative to an internet protocol address embedded in the software artifact, blocking communication relative to a domain name embedded in the software artifact, moving the software artifact to a quarantined area of memory of the information technology asset, and blocking communication from an email address embedded in the software artifact.

13. A method of mitigating vulnerability of an information technology asset to a computer malware, comprising:
- determining, by a computer system, a value associated with each of a plurality of characteristics of a software artifact;
  
  comparing, by the computer system, the characteristics of the software artifact to the characteristics of a plurality of families of known computer malware;
  
  associating the software artifact, by the computer system, to one of the plurality of families of known computer malware based on comparing the software artifact to the families of known computer malware;
  
  selecting a countermeasure, by the computer system, from among a plurality of countermeasures based on the family of known computer malware that the software artifact is associated to and based on at least one of the characteristics of the software artifact; and
  
  commanding the selected countermeasure to execute on the information technology asset.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 14. The method of claim 13, wherein comparing the characteristics of the software artifact to the characteristics of the families of known computer malware comprises:
    - determining a plurality of matching scores for each family of known computer malware, wherein each of the plurality of matching scores of a family of known computer malware is a metric representing the similarity between the value of a characteristic of the software artifact and the value of a corresponding characteristic of the family of known computer malware; and
      
      determining a sum of the plurality of matching scores for each family of known computer malware.
  - 15. The method of claim 14, wherein weights are applied to each of the plurality of matching scores for each family to produce a plurality of weighted matching scores for each family, wherein the sum of the plurality of matching scores for each family is a sum of the plurality of weighted matching scores for each family of known computer malware, and wherein the weights represent a relative importance among the different characteristics.
  - 16. The method of claim 15, wherein the weights are different for each of the families of known computer malware.
  - 17. The method of claim 15, wherein the weights are uniform for all of the families of known computer malware.
  - 18. The method of claim 15, wherein the weights are determined by a curve fitting algorithm based on scores of a plurality of malware members of each family of known computer malware.
  - 19. The method of claim 15, further comprising:
    - comparing, by the computer system, a plurality of characteristics of a second software artifact to the characteristics of the plurality of families of known computer malware; and
      
      associating the second software artifact, by the computer system, to the one of the plurality of families of known computer malware based on comparing the second software artifact to the families of known computer malware, wherein the countermeasure is selected based on the family of known computer malware that the second software artifact is associated to and based on at least one of the characteristics of the second software artifact.
  - 20. The method of claim 15, further comprising detecting the software artifact in the information technology asset prior to determining the value of each of the plurality of characteristics of the software artifact.
  - 21. The method of claim 15, further comprising determining, by the computer system, a plurality of metrics, each metric representing a degree of match between the software artifact and one of the plurality of malware families based on the characteristics of the software artifact and on the characteristics of each of the plurality of malware families, wherein the software artifact is associated to the one of the plurality of families of known computer malware based on the plurality of metrics.
  - 22. The method of claim 15, wherein the software artifact is associated to the one of the plurality of families of known computer malware in response to the metric associated with the one of the plurality of families exceeding a predefined matching threshold.
  - 23. The method of claim 15, wherein commanding the selected countermeasure to execute comprises moving the software artifact to a quarantine area of memory of the information technology asset.
  - 24. The method of claim 15, wherein the selected countermeasure comprises blocking receiving data packets received from a source internet protocol address that is identified as a characteristic of the malware family to which the software artifact is associated.
  - 25. The method of claim 15, wherein the selected countermeasure blocking transmission of data packets to a destination internet protocol address that is identified as a characteristic of the malware family to which the software artifact is associated.
  - 26. The method of claim 15, wherein commanding the selected countermeasure to execute comprises blocking communication relative to a domain name embedded in the software artifact.
  - 27. The method of claim 15, wherein commanding the selected countermeasure to execute comprises blocking communication from an email address embedded in the software artifact.
  - 28. The method of claim 15, wherein the commanding causes the selected countermeasure to execute automatically without intervention of an information technology security analyst.
  - 29. The method of claim 15, wherein the commanding comprises commanding a security agent to take manual action.

30. A method of mitigating vulnerability of an information technology asset to a computer malware, comprising:
- comparing, by a computer system, a plurality of characteristics of one or more software artifacts to the characteristics of a plurality of families of known computer malware;
  
  associating the one or more software artifacts, by the computer system, to one of the plurality of families of known computer malware based on comparing the one or more software artifacts to the families of known computer malware;
  
  selecting one or more countermeasures, by the computer system, from among a plurality of countermeasures based on the family of known computer malware that the one or more software artifacts are associated to; and
  
  commanding the selected one or more countermeasures to execute on the information technology asset.
- View Dependent Claims (31, 32, 33, 34)
- - 31. The method of claim 30, wherein the commanding causes the selected countermeasure to execute automatically without intervention of an information technology security analyst.
  - 32. The method of claim 30, further comprising determining, by the computer system, a plurality of metrics, each metric representing a degree of match between the software artifact and one of the plurality of malware families based on the characteristics of the software artifact and on the characteristics of each of the plurality of malware families, wherein the software artifact is associated to the one of the plurality of families of known computer malware based on the plurality of metrics.
  - 33. The method of claim 32, wherein the software artifact is associated to the one of the plurality of families of known computer malware in response to the metric associated with the one of the plurality of families exceeding a predefined matching threshold.
  - 34. The method of claim 30, wherein the selected one or more countermeasures comprises at least one of:
    - moving at least one of the one or more software artifacts to a quarantine area of memory of the information technology asset, blocking receiving data packets received from a source internet protocol address that is identified as a characteristic of the malware family to which the one or more software artifacts are associated, blocking transmission of data packets to a destination internet protocol address that is identified as a characteristic of the malware family to which the one or more software artifacts are associated, blocking communication relative to a domain name embedded in at least one of the one or more software artifacts, and blocking communication from an email address embedded in at least one of the one or more software artifacts.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
FireEye, Inc.
Inventors
Joram, Sharwan Kumar, Jha, Shyam Prakash, Hartley, William Matthew, Sonthalia, Madhav
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
WYSZYNSKI, AUBREY H

Application Number

US14/698,534
Publication Number

US 20160323295A1
Time in Patent Office

1,022 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/145   the attack involving the pr...

Computer imposed countermeasures driven by malware lineage

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

131 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Computer imposed countermeasures driven by malware lineage

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

131 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links