Malware detection using file heritage data

US 8,413,235 B1
Filed: 09/10/2010
Issued: 04/02/2013
Est. Priority Date: 09/10/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of using heritage data to detect malicious software (malware), the method comprising:

receiving heritage data reports from a plurality of clients, the heritage data reports containing heritage data describing parent files detected at the clients and child files created by the parent files at the clients;

aggregating the heritage data in the heritage data reports from the plurality of clients;

analyzing the aggregated heritage data to categorize a parent file described by the heritage data as an expected executable file creator or an executable file creator of interest based on a typical behavior of the parent file as described by the aggregated heritage data, wherein the parent file is categorized as an executable file creator of interest responsive to a determination that it is anomalous for the parent file to create an executable child file; and

reporting the categorization of the parent file to the plurality of clients;

wherein the clients are adapted to use the categorization of the parent file to detect malware at the clients.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security module on a client monitors file creations at the client and reports heritage data describing the monitored file creations to a security server. A file categorization module at the security server receives file heritage data reports from a plurality of clients. The heritage data reports identify parent files that created executable child files at the clients. The file categorization module filters the heritage data to identify and prioritize parent files that are not categorized. The file categorization module analyzes the uncategorized files in priority order to categorize the files as “expected executable file creators” or “executable file creators of interest.” The file categorization module reports the file categorization data to the security modules of the clients. The security modules use the file categorization data to identify malware at the clients.

109 Citations

19 Claims

1. A computer-implemented method of using heritage data to detect malicious software (malware), the method comprising:
- receiving heritage data reports from a plurality of clients, the heritage data reports containing heritage data describing parent files detected at the clients and child files created by the parent files at the clients;
  
  aggregating the heritage data in the heritage data reports from the plurality of clients;
  
  analyzing the aggregated heritage data to categorize a parent file described by the heritage data as an expected executable file creator or an executable file creator of interest based on a typical behavior of the parent file as described by the aggregated heritage data, wherein the parent file is categorized as an executable file creator of interest responsive to a determination that it is anomalous for the parent file to create an executable child file; and
  
  reporting the categorization of the parent file to the plurality of clients;
  
  wherein the clients are adapted to use the categorization of the parent file to detect malware at the clients.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - filtering the heritage data to identify parent files described by the heritage data and not previously categorized as expected executable file creators or executable file creators of interest.
  - 3. The method of claim 1, further comprising:
    - filtering the heritage data to prioritize the parent files described by the heritage data into a priority order, wherein the analyzing analyzes the parent files in the priority order.
  - 4. The method of claim 3, wherein the filtering prioritizes the parent files based on one or more of:
    - a number of clients on which the parent files were detected;
      
      a frequency at which the parent files create executable files at the clients, and whether the child files created at the clients by the parent files are known malware.
  - 5. The method of claim 1, wherein theanalysis categorizes the parent file based at least in part on whether the aggregated heritage data indicate that the parent file creates malicious executable child files at the clients.
  - 6. The method of claim 1, wherein reporting the categorization of the parent file to the plurality of clients comprises:
    - providing the clients with a behavioral policy signature, wherein a client is adapted to use the behavioral policy signature to detect if the parent file attempts to create an executable child file at the client.
  - 7. The method of claim 3, further comprising:
    - responsive to detecting a large number of executable files created by a parent file not previously categorized as an expected executable file creator or an executable file creator of interest, elevating priority of the parent file.

8. A non-transitory computer-readable storage medium storing executable computer program instructions for using heritage data to detect malicious software (malware), the computer program instructions comprising instructions for:
- receiving heritage data reports from a plurality of clients, the heritage data reports containing heritage data describing parent files detected at the clients and child files created by the parent files at the clients;
  
  aggregating the heritage data in the heritage data reports from the plurality of clients;
  
  analyzing the aggregated heritage data to categorize a parent file described by the heritage data as an expected executable file creator or an executable file creator of interest based on a typical behavior of the parent file as described by the aggregated heritage data, wherein the parent file is categorized as an executable file creator of interest responsive to a determination that it is anomalous for the parent file to create an executable child file; and
  
  reporting the categorization of the parent file to the plurality of clients;
  
  wherein the clients are adapted to use the categorization of the parent file to detect malware at the clients.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer-readable storage medium of claim 8, further comprising computer program instructions for:
    - filtering the heritage data to identify parent files described by the heritage data and not previously categorized as expected executable file creators or executable file creators of interest.
  - 10. The computer-readable storage medium of claim 8, further comprising computer program instructions for:
    - filtering the heritage data to prioritize the parent files described by the heritage data into a priority order, wherein the analyzing analyzes the parent files in the priority order.
  - 11. The computer-readable storage medium of claim 10, wherein the computer program instructions for filtering comprise instructions for prioritizing the parent files based on one or more of:
    - a number of clients on which the parent files were detected;
      
      a frequency at which the parent files create executable files at the clients, and whether the child files created at the clients by the parent files are known malware.
  - 12. The computer-readable storage medium of claim 8, wherein theanalysis categorizes the parent file based at least in part on whether the aggregated heritage data indicate that the parent file creates malicious executable child files at the clients.
  - 13. The computer-readable storage medium of claim 8, wherein the computer program instructions for reporting the categorization of the parent file to the plurality of clients comprise instructions for:
    - providing the clients with a behavioral policy signature, wherein a client is adapted to use the behavioral policy signature to detect if the parent file attempts to create an executable child file at the client.

14. A system of using heritage data to detect malicious software (malware) comprising:
- a non-transitory computer-readable storage medium storing executable computer program modules comprising;
  
  a server interaction module for receiving heritage data reports from a plurality of clients, the heritage data reports containing heritage data describing parent files detected at the clients and child files created by the parent files at the clients;
  
  a data analysis module for aggregating the heritage data in the heritage data reports from the plurality of clients and analyzing the aggregated heritage data to categorize a parent file described by the heritage data as an expected executable file creator or an executable file creator of interest based on a typical behavior of the parent file as described by the aggregated heritage data, wherein the parent file is categorized as an executable file creator of interest responsive to a determination that it is anomalous for the parent file to create an executable child file;
  
  the server interaction module for reporting the categorization of the parent file to the plurality of clients;
  
  wherein the clients are adapted to use the categorization of the parent file to detect malware at the clients; and
  
  a processor for executing the computer program modules.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The system of claim 14, wherein the computer-readable storage medium further comprises a filtering module for:
    - filtering the heritage data to identify parent files described by the data and not previously categorized as expected executable file creators or executable file creators of interest.
  - 16. The system of claim 15, wherein the filtering module is further for:
    - filtering the heritage data to prioritize the parent files described by the heritage data into a priority order, wherein the analyzing analyzes the parent files in the priority order.
  - 17. The system of claim 16, wherein the filtering prioritizes the parent files based on one or more of:
    - a number of clients on which the parent files were detected;
      
      a frequency at which the parent files create executable files at the clients, and whether the child files created at the clients by the parent files are known malware.
  - 18. The system of claim 14, wherein the data analysis modulecategorizes the parent file based at least in part on whether the aggregated heritage data indicate that the parent file creates malicious executable child files at the clients.
  - 19. The system of claim 14, wherein reporting the categorization of the parent file to the plurality of clients comprises:
    - providing the clients with a behavioral policy signature, wherein a client is adapted to use the behavioral policy signature to detect if the parent file attempts to create an executable child file at the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Peterson, Christopher James, Chen, Joseph Huaning
Primary Examiner(s)
Reza, Mohammad W

Application Number

US12/879,831
Time in Patent Office

935 Days
Field of Search

726/22, 726/24, 726/25, 713/188
US Class Current

726/22
CPC Class Codes

G06F 21/552 involving long-term monitor...

Malware detection using file heritage data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

109 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Malware detection using file heritage data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others