Malware detection using file heritage data
Abstract
A security module on a client monitors file creations at the client and reports heritage data describing the monitored file creations to a security server. A file categorization module at the security server receives file heritage data reports from a plurality of clients. The heritage data reports identify parent files that created executable child files at the clients. The file categorization module filters the heritage data to identify and prioritize parent files that are not categorized. The file categorization module analyzes the uncategorized files in priority order to categorize the files as “expected executable file creators” or “executable file creators of interest.” The file categorization module reports the file categorization data to the security modules of the clients. The security modules use the file categorization data to identify malware at the clients.
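The server-side aggregation and categorization, and the client-side use of the result, as an added worked example in Python; this is not code from the patent or from any assignee, and the patent does not say how "anomalous" is decided. The heritage reports below are constructed, and the executable extension list, the two-client corroboration minimum and the 50% ratio cut-off are assumptions chosen to illustrate the rule in claim 1: a parent whose executable children are its normal output is an "expected executable file creator"; a parent that usually creates non-executables but has produced an executable child somewhere is an "executable file creator of interest"; a parent that never created an executable is left uncategorized, and the pending parents are analyzed most-prevalent first, as the abstract describes.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumption: which child-file extensions count as "executable".
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".com"}

# Assumed thresholds; the patent gives no numeric cut-offs.
EXPECTED_CREATOR_MIN_RATIO = 0.5  # executables are the parent's normal output
MIN_CLIENTS_FOR_DECISION = 2      # require corroboration from more than one client

EXPECTED = "expected executable file creator"
OF_INTEREST = "executable file creator of interest"

# Constructed heritage data reports: (client_id, parent_file, child_file).
SAMPLE_REPORTS = [
    ("client-A", "setup_installer.exe", "app.exe"),
    ("client-A", "setup_installer.exe", "app.dll"),
    ("client-B", "setup_installer.exe", "app.exe"),
    ("client-B", "setup_installer.exe", "readme.txt"),
    ("client-C", "setup_installer.exe", "app.exe"),
    ("client-A", "winword.exe", "report.docx"),
    ("client-B", "winword.exe", "budget.docx"),
    ("client-C", "winword.exe", "notes.docx"),
    ("client-D", "winword.exe", "~tmp.tmp"),
    ("client-D", "winword.exe", "dropper.exe"),  # a word processor writing an .exe
    ("client-E", "notepad.exe", "todo.txt"),
]


def is_executable(path: str) -> bool:
    name = path.lower()
    return any(name.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


@dataclass
class ParentStats:
    clients: set = field(default_factory=set)       # clients that reported this parent
    child_count: int = 0                            # all child files it created
    exec_child_count: int = 0                       # executable child files it created
    exec_clients: set = field(default_factory=set)  # clients where it created an executable


def aggregate(reports):
    """Server side: merge per-client heritage reports into per-parent statistics."""
    stats = defaultdict(ParentStats)
    for client, parent, child in reports:
        s = stats[parent]
        s.clients.add(client)
        s.child_count += 1
        if is_executable(child):
            s.exec_child_count += 1
            s.exec_clients.add(client)
    return stats


def prioritize(stats, already_categorized):
    """Filter to parents that created an executable child and are not yet
    categorized; return them most prevalent (seen on the most clients) first."""
    pending = [p for p, s in stats.items()
               if s.exec_child_count > 0 and p not in already_categorized]
    return sorted(pending, key=lambda p: len(stats[p].clients), reverse=True)


def categorize(stats, already_categorized=None):
    """Assign EXPECTED or OF_INTEREST to each pending parent with enough corroboration."""
    categories = dict(already_categorized or {})
    for parent in prioritize(stats, categories):
        s = stats[parent]
        if len(s.clients) < MIN_CLIENTS_FOR_DECISION:
            continue  # seen on too few clients to call typical behaviour
        exec_ratio = s.exec_child_count / s.child_count      # share of children that are executable
        client_ratio = len(s.exec_clients) / len(s.clients)  # share of clients seeing that
        if exec_ratio >= EXPECTED_CREATOR_MIN_RATIO and client_ratio >= EXPECTED_CREATOR_MIN_RATIO:
            categories[parent] = EXPECTED
        else:
            categories[parent] = OF_INTEREST  # creating an executable is anomalous for it
    return categories


def detect(categories, parent, child):
    """Client side: flag an executable child created by a parent for which the
    server says that is anomalous. Returns an alert string or None."""
    if is_executable(child) and categories.get(parent) == OF_INTEREST:
        return f"suspicious: {parent} created executable {child}"
    return None


if __name__ == "__main__":
    cats = categorize(aggregate(SAMPLE_REPORTS))
    for parent, category in cats.items():
        print(f"{parent}: {category}")
    print(detect(cats, "winword.exe", "payload.exe"))
```

With the constructed reports, setup_installer.exe is categorized as expected (four of five children executable, on every client that saw it), winword.exe as of interest (one executable child out of five, on one client of four), and notepad.exe stays uncategorized because it never created an executable. A client holding that table then alerts on winword.exe writing an .exe but not on the installer doing so. The corroboration minimum matters in practice: a parent seen on a single client has no "typical behavior" to compare against, so the example leaves it pending rather than guessing.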
Claims (19)

1. A computer-implemented method of using heritage data to detect malicious software (malware), the method comprising:
receiving heritage data reports from a plurality of clients, the heritage data reports containing heritage data describing parent files detected at the clients and child files created by the parent files at the clients;
aggregating the heritage data in the heritage data reports from the plurality of clients;
analyzing the aggregated heritage data to categorize a parent file described by the heritage data as an expected executable file creator or an executable file creator of interest based on a typical behavior of the parent file as described by the aggregated heritage data, wherein the parent file is categorized as an executable file creator of interest responsive to a determination that it is anomalous for the parent file to create an executable child file; and
reporting the categorization of the parent file to the plurality of clients;
wherein the clients are adapted to use the categorization of the parent file to detect malware at the clients.
Dependent claims: 2, 3, 4, 5, 6, 7 (text not reproduced on this page).

8. A non-transitory computer-readable storage medium storing executable computer program instructions for using heritage data to detect malicious software (malware), the computer program instructions comprising instructions for:
receiving heritage data reports from a plurality of clients, the heritage data reports containing heritage data describing parent files detected at the clients and child files created by the parent files at the clients;
aggregating the heritage data in the heritage data reports from the plurality of clients;
analyzing the aggregated heritage data to categorize a parent file described by the heritage data as an expected executable file creator or an executable file creator of interest based on a typical behavior of the parent file as described by the aggregated heritage data, wherein the parent file is categorized as an executable file creator of interest responsive to a determination that it is anomalous for the parent file to create an executable child file; and
reporting the categorization of the parent file to the plurality of clients;
wherein the clients are adapted to use the categorization of the parent file to detect malware at the clients.
Dependent claims: 9, 10, 11, 12, 13 (text not reproduced on this page).

14. A system of using heritage data to detect malicious software (malware) comprising:
a non-transitory computer-readable storage medium storing executable computer program modules comprising:
a server interaction module for receiving heritage data reports from a plurality of clients, the heritage data reports containing heritage data describing parent files detected at the clients and child files created by the parent files at the clients;
a data analysis module for aggregating the heritage data in the heritage data reports from the plurality of clients and analyzing the aggregated heritage data to categorize a parent file described by the heritage data as an expected executable file creator or an executable file creator of interest based on a typical behavior of the parent file as described by the aggregated heritage data, wherein the parent file is categorized as an executable file creator of interest responsive to a determination that it is anomalous for the parent file to create an executable child file;
the server interaction module for reporting the categorization of the parent file to the plurality of clients;
wherein the clients are adapted to use the categorization of the parent file to detect malware at the clients; and
a processor for executing the computer program modules.
Dependent claims: 15, 16, 17, 18, 19 (text not reproduced on this page).
Specification