Determining malware prevention based on retrospective content scan

US 9,922,191 B1
Filed: 08/08/2017
Issued: 03/20/2018
Est. Priority Date: 01/05/2017
Status: Active Grant

First Claim

Patent Images

1. A method for retrospectively analyzing original input content to detect malicious content in a computer system having a processor, the original input content having been previously processed to create modified input content and prevented from being received by an intended recipient, the method comprising:

accessing, by the processor, the original input content or a characteristic associated with the original input content;

analyzing, by the processor, the original input content or the characteristic associated with the original input content based on a malware detection algorithm to determine whether the original input content includes suspected malicious content, wherein the malware detection algorithm includes at least one update of a signature or behavioral characteristic that was not included in the malware detection algorithm when the modified input content was created; and

when it is determined that the original input content includes suspected malicious content, analyzing, by the processor, the modified input content to determine whether the modified input content includes the suspected malicious content.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed embodiments include a method for retroactively analyzing original input content to detect malicious content in a computer system, in which the original input content has been previously processed to generate modified input content and prevented from being received by an intended recipient. The method includes accessing the original input content or a characteristic associated with the original input content, and analyzing it based on a malware detection algorithm to determine whether the original input content includes suspected malicious content, wherein the malware detection algorithm includes at least one update of a signature or behavioral characteristic that was not included in the malware detection algorithm when the modified input content was generated. When it is determined that the original input content includes suspected malicious content, the method includes analyzing the modified input content to determine whether the modified input content includes the suspected malicious content.

54 Citations

View as Search Results

22 Claims

1. A method for retrospectively analyzing original input content to detect malicious content in a computer system having a processor, the original input content having been previously processed to create modified input content and prevented from being received by an intended recipient, the method comprising:
- accessing, by the processor, the original input content or a characteristic associated with the original input content;
  
  analyzing, by the processor, the original input content or the characteristic associated with the original input content based on a malware detection algorithm to determine whether the original input content includes suspected malicious content, wherein the malware detection algorithm includes at least one update of a signature or behavioral characteristic that was not included in the malware detection algorithm when the modified input content was created; and
  
  when it is determined that the original input content includes suspected malicious content, analyzing, by the processor, the modified input content to determine whether the modified input content includes the suspected malicious content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the malware detection algorithm includes analyzing the original input content based on a set of signatures of a database of known malicious content, wherein the set of signatures includes at least one signature not included in the database when the modified input was created.
  - 3. The method of claim 1, wherein the malware detection algorithm includes analyzing the original input content based on a set of behavioral characteristics of known malicious content included in a database, wherein the set of behavioral characteristics includes at least one behavior characteristic not included in the database when the modified input content was created.
  - 4. The method of claim 3, wherein analyzing the original input content based on a set of behavioral characteristics is performed in a monitored run environment.
  - 5. The method of claim 1, wherein the analyzing the original input content is performed responsive to a trigger.
  - 6. The method of claim 5, wherein the trigger includes an update in the malware detection algorithm.
  - 7. The method of claim 5, wherein the trigger includes at least one signature being added to a database of known malicious content.
  - 8. The method of claim 5, wherein the trigger includes at least one behavioral characteristic being added to a database of behavioral characteristics of known malicious content.
  - 9. The method of claim 1, further comprising generating a notification when it is determined that the original input content includes suspected malicious content.
  - 10. The method of claim 1, further comprising generating a notification when it is determined that the modified input content does not include the suspected malicious content.
  - 11. The method of claim 10, wherein the notification includes a report indicating at least one change in a digital value of the modified input content that caused the determined suspected malicious content to be disarmed.
  - 12. The method of claim 1, wherein the original input content is stored in a storage area of the computer system configured to prevent infection of the computer system by any malicious content included in the original input content.
  - 13. The method of claim 1, wherein the original input content includes a copy or a portion of original input content received by the computer system.
  - 14. The method of claim 13, wherein the characteristic associated with the original input content includes a hash value of the original input content.
  - 15. The method of claim 1, wherein the accessing is performed responsive to receiving a selection of the original input content via an interface.
  - 16. The method of claim 15, wherein the interface is configured to:
    - display a plurality of original input content having been previously processed to generate a plurality of modified input content; and
      
      receive the selection via a user input on the interface.
  - 17. The method of claim 15, wherein the selection of the original input content is received via an application programming interface.
  - 18. The method of claim 1, wherein the original input content includes at least one of a file received by the computer system or a subset of content of the file received by the computer system.

19. A method for retrospectively analyzing original input content to detect malicious content in a computer system having a processor, the original input content having been previously processed to generate modified input content and prevented from being received by an intended recipient, the method comprising:
- accessing, by the processor, the original input content or a characteristic associated with the original input content;
  
  analyzing, by the processor, the original input content or the characteristic associated with the original input content based on a malware detection algorithm to determine whether the original input content includes or is associated with suspected malicious content, wherein the malware detection algorithm includes at least one update of a blacklist item, signature, or behavioral characteristic that was not included in the malware detection algorithm when the modified input content was generated; and
  
  when it is determined that the original input content includes or is associated with suspected malicious content, generating a report indicating that suspected malicious content was modified in the previously processed original input content.
- View Dependent Claims (20, 21, 22)
- - 20. The method of claim 19, wherein the original input content includes web content, and further wherein the modified input content includes a transformed visual representation of the web content.
  - 21. The method of claim 19, wherein the characteristic associated with the original input content includes a URL.
  - 22. The method of claim 21, wherein the malware detection algorithm includes a comparison of the URL with a blacklist of URLs associated with malicious content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Votiro Cybersec Ltd
Original Assignee
Votiro Cybersec Ltd
Inventors
Grafi, Aviv
Primary Examiner(s)
Smithers, Matthew

Application Number

US15/672,037
Time in Patent Office

224 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/316   by observing the pattern of...

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

G06F 21/564   by virus signature recognition

G06F 21/577   Assessing vulnerabilities a...

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/1466   Active attacks involving in...

H04L 63/308   retaining data, e.g. retain...

H04L 9/006   involving public key infras...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3226   using a predetermined code,...

H04L 9/3247   involving digital signatures

Determining malware prevention based on retrospective content scan

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

54 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Determining malware prevention based on retrospective content scan

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links