Risk scoring system for the prevention of malware

US 8,037,536 B2
Filed: 11/14/2007
Issued: 10/11/2011
Est. Priority Date: 11/14/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

analyzing a file, by a computing device having a processor, to determine a presence or absence of each of a plurality of predefined properties in the file;

calculating a score, by the computing device, based on the presence or absence of the plurality of properties in the file, the score being reflective of a risk that the file is malicious, wherein calculating the score comprises;

generating a risk score for each property determined to be present in the file, the risk score reflecting a probability of the respective property existing in a malicious file,generating a weight score for each property, the weight score reflecting a probability of occurrence of the respective property in a non-malicious file, wherein the weight score is inversely related to the probability of occurrence of the respective property in a non-malicious file, andcalculating the score based on an aggregate of the risk scores and the weight scores; and

further processing the file based on the score, using the computing device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method suitable for detecting malicious files includes several steps. A file that is received into a computer system is analyzed to determine a presence or absence of each of a plurality of predefined properties in the file. A score is calculated based on the presence or absence of the plurality of properties in the file. This score is reflective of the risk that the file is malicious. Once the score is calculated, the file can be further processed based on the score.

33 Citations

View as Search Results

13 Claims

1. A method comprising:
- analyzing a file, by a computing device having a processor, to determine a presence or absence of each of a plurality of predefined properties in the file;
  
  calculating a score, by the computing device, based on the presence or absence of the plurality of properties in the file, the score being reflective of a risk that the file is malicious, wherein calculating the score comprises;
  
  generating a risk score for each property determined to be present in the file, the risk score reflecting a probability of the respective property existing in a malicious file,generating a weight score for each property, the weight score reflecting a probability of occurrence of the respective property in a non-malicious file, wherein the weight score is inversely related to the probability of occurrence of the respective property in a non-malicious file, andcalculating the score based on an aggregate of the risk scores and the weight scores; and
  
  further processing the file based on the score, using the computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the plurality of properties comprises properties selected from the group consisting of:
    - whether a section name of the file is flagged, whether a section of the file is non-standard, whether an entry point of the file is in a code section of the file, whether an import function count of the file is low, whether an import function table for the file contains a zero ordinal value, whether a thread local storage section of the file has a defined function, and whether the file has a library export count of zero.
  - 3. The method of claim 1, wherein the analyzing, calculating, and processing are performed before loading the file into memory.
  - 4. The method of claim 1, wherein further processing the file based on the score comprises generating a notification if the score exceeds a threshold.
  - 5. The method of claim 1, wherein a first of the plurality of properties is a property of a section characteristic of the file and a second of the plurality of properties is a library property of the file.
  - 6. The method of claim 1, wherein calculating the score uses the algorithm:
  - 7. The method of claim 1, wherein the file is a portable executable file.

8. A non-transitory computer-readable medium containing computer-executable code comprising instructions configured to cause one or more processors to perform:
- analyzing a file to determine a presence or absence of each of a plurality of predefined properties in the file; and
  
  calculating a score based on the presence or absence of the plurality of properties in the file, the score being reflective of a risk that the file is malicious, wherein calculating the score comprises;
  
  generating a risk score for each property determined to be present in the file, the risk score being reflective of a probability of the respective property existing in a malicious file,generating a weight score for each property, the weight score reflecting a probability of occurrence of the respective property in a non-malicious file, wherein the weight score is inversely related to the probability of occurrence of the respective property in a non-malicious file, andcalculating the score based on an aggregate of the risk scores and the weight scores.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer-readable medium of claim 8, wherein the plurality of properties comprises properties selected from the group consisting of:
    - whether a section name of the file is flagged, whether a section characteristic of the file is non-standard, whether an entry point of the file is in a code section of the file, whether an import function count of the file is low, whether an import function table for the file contains a zero ordinal value, whether a thread local storage section of the file has a defined function, and whether the file has a library export count of zero.
  - 10. The computer-readable medium of claim 8, further comprising generating a notification if the score exceeds a threshold.
  - 11. The computer-readable medium of claim 8, wherein a first of the plurality of properties is a property of a section characteristic of the file and a second of the plurality of properties is a library property of the file.
  - 12. The computer-readable medium of claim 8, wherein calculating the score uses the algorithm:
  - 13. The computer-readable medium of claim 8, wherein the file is a portable executable file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Treadwell, William Scott, Zhou, Mian
Primary Examiner(s)
Flynn; Nathan
Assistant Examiner(s)
KOSOWSKI, CAROLYN M

Application Number

US11/940,062
Publication Number

US 20090126012A1
Time in Patent Office

1,427 Days
Field of Search

726/25
US Class Current

726/25
CPC Class Codes

G06F 21/51 at application loading time...

G06F 21/56 Computer malware detection ...

Risk scoring system for the prevention of malware

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

33 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Risk scoring system for the prevention of malware

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links