Systems and methods for preventing targeted malware attacks

US 10,104,097 B1
Filed: 12/12/2014
Issued: 10/16/2018
Est. Priority Date: 12/12/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for preventing targeted malware attacks, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying entities that were targets of previous targeted malware attacks, the previous targeted malware attacks comprising customized attacks designed for and directed to the entities based on characteristics of the entities;

identifying, by selecting one or more of the characteristics of the entities that were the targets of the previous targeted malware attacks, a candidate risk factor for targeted malware attacks that indicates a characteristic potentially associated with being a target of a targeted malware attack;

calculating a degree of association between the candidate risk factor and the previous targeted malware attacks by comparing rates of targeted malware attacks between a group that possesses the candidate risk factor and a group that does not possess the candidate risk factor;

identifying a candidate target of a targeted malware attack by identifying an entity that possesses the candidate risk factor;

calculating, based at least in part on the degree of association between the candidate risk factor and the previous targeted malware attacks, a probability that the targeted malware attack will be directed to the candidate target;

adjusting a security policy assigned to the candidate target of the targeted malware attack based on the calculated probability; and

protecting a computing system used by the candidate target from targeted malware attacks by enforcing the adjusted security policy on the computing system.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for preventing targeted malware attacks may include (1) identifying at least one candidate risk factor for targets of previous targeted malware attacks that were directed to the targets based on characteristics of the targets, (2) calculating a degree of association between the candidate risk factor and the previous targeted malware attacks by comparing rates of targeted malware attacks between a group that possesses the risk factor and a group that does not possess the risk factor, (3) identifying a candidate target of a targeted malware attack that possesses the candidate risk factor, and (4) adjusting a security policy assigned to the candidate target of the targeted malware attack based on the calculated degree of association between the candidate risk factor and the previous targeted malware attacks. Various other methods, systems, and computer-readable media are also disclosed.

14 Citations

View as Search Results

20 Claims

1. A computer-implemented method for preventing targeted malware attacks, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying entities that were targets of previous targeted malware attacks, the previous targeted malware attacks comprising customized attacks designed for and directed to the entities based on characteristics of the entities;
  
  identifying, by selecting one or more of the characteristics of the entities that were the targets of the previous targeted malware attacks, a candidate risk factor for targeted malware attacks that indicates a characteristic potentially associated with being a target of a targeted malware attack;
  
  calculating a degree of association between the candidate risk factor and the previous targeted malware attacks by comparing rates of targeted malware attacks between a group that possesses the candidate risk factor and a group that does not possess the candidate risk factor;
  
  identifying a candidate target of a targeted malware attack by identifying an entity that possesses the candidate risk factor;
  
  calculating, based at least in part on the degree of association between the candidate risk factor and the previous targeted malware attacks, a probability that the targeted malware attack will be directed to the candidate target;
  
  adjusting a security policy assigned to the candidate target of the targeted malware attack based on the calculated probability; and
  
  protecting a computing system used by the candidate target from targeted malware attacks by enforcing the adjusted security policy on the computing system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein:
    - the targets of the previous targeted malware attacks comprise organizations; and
      
      the candidate risk factor for the organizations comprises at least one of;
      
      a sector of the organizations; and
      
      a size of the organizations.
  - 3. The method of claim 1, wherein:
    - the targets of the previous targeted malware attacks comprise individuals; and
      
      the candidate risk factor for the individuals comprises at least one of;
      
      a job level of the individuals;
      
      a job type of the individuals;
      
      a geographic location of the individuals; and
      
      a number of interpersonal connections made by the individuals via a social networking site.
  - 4. The method of claim 1, wherein comparing the rates of targeted malware attacks between the group that possesses the candidate risk factor and the group that does not possess the candidate risk factor comprises identifying:
    - a ratio of individuals within the group that possesses the candidate risk factor who were not targets of the previous targeted malware attacks; and
      
      a ratio of individuals within the group that does not possess the candidate risk factor who were targets of the previous targeted malware attacks.
  - 5. The method of claim 1, wherein:
    - the candidate target comprises an individual within an organization; and
      
      adjusting the security policy comprises adjusting the security policy based further on a combination of a calculated degree of association for a candidate risk factor of the individual and a calculated degree of association for a candidate risk factor of the organization.
  - 6. The method of claim 1, wherein adjusting the security policy assigned to the candidate target is performed in response to determining that the calculated probability exceeds a predetermined threshold.
  - 7. The method of claim 1, wherein adjusting the security policy assigned to the candidate target comprises at least one of:
    - tightening existing restrictions imposed by the security policy;
      
      adding new restrictions to the security policy;
      
      relaxing existing restrictions imposed by the security policy; and
      
      removing restrictions from the security policy.
  - 8. The method of claim 1, further comprising detecting, based on the adjusted security policy, that an attacker directed the targeted malware attack to the candidate target.

9. A system for preventing targeted malware attacks, the system comprising:
- a risk factor module, stored in memory, that;
  
  identifies entities that were targets of previous targeted malware attacks, the previous targeted malware attacks comprising customized attacks designed for and directed to the entities based on characteristics of the entities; and
  
  identifies, by selecting one or more of the characteristics of the entities that were the targets of the previous targeted malware attacks, a candidate risk factor for targeted malware attacks that indicates a characteristic potentially associated with being a target of a targeted malware attack;
  
  a calculation module, stored in memory, that calculates a degree of association between the candidate risk factor and the previous targeted malware attacks by comparing rates of targeted malware attacks between a group that possesses the candidate risk factor and a group that does not possess the candidate risk factor;
  
  a target module, stored in memory, that identifies a candidate target of a targeted malware attack by identifying an entity that possesses the candidate risk factor;
  
  an adjustment module, stored in memory, that;
  
  calculates, based at least in part on the degree of association between the candidate risk factor and the previous targeted malware attacks, a probability that the targeted malware attack will be directed to the candidate target;
  
  adjusts a security policy assigned to the candidate target of the targeted malware attack based on the calculated probability; and
  
  protects a computing system used by the candidate target from targeted malware attacks by enforcing the adjusted security policy on the computing system; and
  
  at least one processor that executes the risk factor module, the calculation module, the target module, and the adjustment module.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein:
    - the targets of the previous targeted malware attacks comprise organizations; and
      
      the candidate risk factor for the organizations comprises at least one of;
      
      a sector of the organizations; and
      
      a size of the organizations.
  - 11. The system of claim 9, wherein:
    - the targets of the previous targeted malware attacks comprise individuals; and
      
      the candidate risk factor for the individuals comprises at least one of;
      
      a job level of the individuals;
      
      a job type of the individuals;
      
      a geographic location of the individuals; and
      
      a number of interpersonal connections made by the individuals via a social networking site.
  - 12. The system of claim 9, wherein the calculation module compares the rates of targeted malware attacks between the group that possesses the candidate risk factor and the group that does not possess the candidate risk factor by identifying:
    - a ratio of individuals within the group that possesses the candidate risk factor who were not targets of the previous targeted malware attacks; and
      
      a ratio of individuals within the group that does not possess the candidate risk factor who were targets of the previous targeted malware attacks.
  - 13. The system of claim 9, wherein:
    - the candidate target comprises an individual within an organization; and
      
      the adjustment module adjusts the security policy based further on a combination of a calculated degree of association for a candidate risk factor of the individual and a calculated degree of association for a candidate risk factor of the organization.
  - 14. The system of claim 9, wherein the adjustment module adjusts the security policy assigned to the candidate target in response to determining that the calculated probability exceeds a predetermined threshold.
  - 15. The system of claim 9, wherein the adjustment module adjusts the security policy assigned to the candidate target by at least one of:
    - tightening existing restrictions imposed by the security policy;
      
      adding new restrictions to the security policy;
      
      relaxing existing restrictions imposed by the security policy; and
      
      removing restrictions from the security policy.
  - 16. The system of claim 9, wherein the target module further detects, based on the adjusted security policy, that an attacker directed the targeted malware attack to the candidate target.

17. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify entities that were targets of previous targeted malware attacks, the previous targeted malware attacks comprising customized attacks designed for and directed to the entities based on characteristics of the entities;
  
  identify, by selecting one or more of the characteristics of the entities that were the targets of the previous targeted malware attacks, a candidate risk factor for targeted malware attacks that indicates a characteristic potentially associated with being a target of a targeted malware attack;
  
  calculate a degree of association between the candidate risk factor and the previous targeted malware attacks by comparing rates of targeted malware attacks between a group that possesses the candidate risk factor and a group that does not possess the candidate risk factor;
  
  identify a candidate target of a targeted malware attack by identifying an entity that possesses the candidate risk factor;
  
  calculate, based at least in part on the degree of association between the candidate risk factor and the previous targeted malware attacks, a probability that the targeted malware attack will be directed to the candidate target;
  
  dynamically adjust a security policy assigned to the candidate target of the targeted malware attack based on the calculated probability; and
  
  protect a computing system used by the candidate target from targeted malware attacks by enforcing the adjusted security policy on the computing system.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable medium of claim 17, wherein:
    - the targets of the previous targeted malware attacks comprise organizations; and
      
      the candidate risk factor for the organizations comprises at least one of;
      
      a sector of the organizations; and
      
      a size of the organizations.
  - 19. The non-transitory computer-readable medium of claim 17, wherein:
    - the targets of the previous targeted malware attacks comprise individuals; and
      
      the candidate risk factor for the individuals comprises at least one of;
      
      a job level of the individuals;
      
      a job type of the individuals;
      
      a geographic location of the individuals; and
      
      a number of interpersonal connections made by the individuals via a social networking site.
  - 20. The non-transitory computer-readable medium of claim 17, wherein the one or more computer-executable instructions cause the computing device to compare the rates of targeted malware attacks between the group that possesses the candidate risk factor and the group that does not possess the candidate risk factor by identifying:
    - a ratio of individuals within the group that possesses the candidate risk factor who were not targets of the previous targeted malware attacks; and
      
      a ratio of individuals within the group that does not possess the candidate risk factor who were targets of the previous targeted malware attacks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Yumer, Leylya, Thonnard, Olivier, Kashyap, Anand
Primary Examiner(s)
Patel, Ashok
Assistant Examiner(s)
Jones, William B

Application Number

US14/569,302
Time in Patent Office

1,404 Days
Field of Search

726 3, 726 4, 726 12, 726 23
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Systems and methods for preventing targeted malware attacks

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for preventing targeted malware attacks

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others