Cooperative identification of malicious remote objects

US 8,429,180 B1
Filed: 03/31/2008
Issued: 04/23/2013
Est. Priority Date: 03/31/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of cooperative identification of potentially malicious remote objects, comprising:

in response to detection of client device access to an instance of a remote object;

identifying a location associated with the instance of the remote object;

creating a unique content identification value for content associated with the instance of the remote object;

identifying content identification values associated with previous object instances of the remote object associated with the location;

comparing the created unique content identification value for the instance of the remote object to the identified content identification values to determine whether the created content identification value for the instance of the remote object does not match at least one of the identified content identification values associated with the previous object instances of the remote object;

in response to determining that the created unique content identification value for the instance of the remote object does not match at least one of the identified content identification values associated with the previous object instances of the remote object, analyzing the identified content identification values seeking to identify a legitimate reason why the created unique content identification value does not match at least one of the identified content identification values associated with the previous object instances of the remote object, the legitimate reason indicating that the instance of the remote object is not malicious due to the location returning unique content to each of a plurality of different geographical regions; and

in response to identifying no legitimate reason why the created unique identification value does not match at least one of the identified content identification values associated with the previous object instance of the remote object, labeling the instance of the remote object as potentially malicious.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer, computer program product, and method identify potentially malicious remote objects using client cooperation. A remote object access module detects client device access of a remote object instance, and an object analysis system identifies an associated location, creates a content identification value for the instance, compares it to stored content identification values for previous instances, and if anomalous, analyzes the stored content identification values to determine whether malicious. The remote object access module monitors actual traffic received by the client, and stores the information across multiple clients for comparison, allowing more accurate detection of malicious remote objects than traditional web crawling.

35 Citations

View as Search Results

20 Claims

1. A computer-implemented method of cooperative identification of potentially malicious remote objects, comprising:
- in response to detection of client device access to an instance of a remote object;
  
  identifying a location associated with the instance of the remote object;
  
  creating a unique content identification value for content associated with the instance of the remote object;
  
  identifying content identification values associated with previous object instances of the remote object associated with the location;
  
  comparing the created unique content identification value for the instance of the remote object to the identified content identification values to determine whether the created content identification value for the instance of the remote object does not match at least one of the identified content identification values associated with the previous object instances of the remote object;
  
  in response to determining that the created unique content identification value for the instance of the remote object does not match at least one of the identified content identification values associated with the previous object instances of the remote object, analyzing the identified content identification values seeking to identify a legitimate reason why the created unique content identification value does not match at least one of the identified content identification values associated with the previous object instances of the remote object, the legitimate reason indicating that the instance of the remote object is not malicious due to the location returning unique content to each of a plurality of different geographical regions; and
  
  in response to identifying no legitimate reason why the created unique identification value does not match at least one of the identified content identification values associated with the previous object instance of the remote object, labeling the instance of the remote object as potentially malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein analyzing the identified content identification values comprises analyzing timestamps for the identified content identification values and the created unique content identification value to identify whether the created unique content identification value was created after a date in which a content update was performed.
  - 3. The method of claim 1, wherein the created unique content identification value and the identified content identification values comprise hash values.
  - 4. The method of claim 1, wherein the remote object comprises data providing downloadable content.
  - 5. The method of claim 4, wherein the remote object comprises one or more of:
    - a web page, a downloadable file, a script written in an interpreted language, an executable program, an image, music, or multimedia content.
  - 6. The method of claim 1, further comprising:
    - transmitting an indication that the instance of the remote object is potentially malicious to other client devices attempting to access the instance of the remote object.
  - 7. The method of claim 1, wherein the legitimate reason is further selected from a group consisting of:
    - the location returns unique content to each user and the location has performed a content update.
  - 8. The method of claim 1, wherein analyzing the identified content identification values comprises:
    - identifying geographical locations of clients corresponding to the content identification values associated with the previous object instances of the remote object;
      
      comparing the geographical locations of the clients to determine geographical trends indicative that the location returns unique content to geographical regions associated with the geographical locations of the clients.

9. A non-transitory computer-readable storage medium having computer program instructions embodied therein for cooperative identification of potentially malicious remote objects, the instructions when executed performs steps comprising:
- detecting client device access to an instance of a remote object;
  
  identifying a location associated with the instance of the remote object;
  
  creating a unique content identification value for content associated with the instance of the remote object;
  
  identifying content identification values associated with previous object instances of the remote object associated with the location;
  
  comparing the created unique content identification value for the instance of the remote object to the identified content identification values to determine whether the created content identification value for the instance of the remote object does not match at least one of the identified content identification values associated with the previous object instances of the remote object;
  
  in response to determining that the created unique content identification value for the instance of the remote object does not match at least one of the identified content identification values associated with the previous object instances of the remote object, analyzing the identified content identification values seeking to identify a legitimate reason why the created unique content identification value does not match at least one of the identified content identification values associated with the previous object instances of the remote object, the legitimate reason indicating that the instance of the remote object is not malicious due to the location returning unique content to each of a plurality of different geographical regions; and
  
  in response to identifying no legitimate reason why the created unique identification value does not match at least one of the identified content identification values associated with the previous object instance of the remote object, labeling the instance of the remote object as potentially malicious.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-readable storage medium of claim 9, wherein analyzing the identified content identification values comprises analyzing timestamps for the identified content identification values and the created unique content identification value to identify whether the created unique content identification value was created after a date in which a content update was performed.
  - 11. The computer-readable storage medium of claim 9, wherein the created unique content identification value and the identified content identification values comprise hash values.
  - 12. The non-transitory computer-readable storage medium of claim 9, wherein the legitimate reason is further selected from a group consisting of:
    - the location returns unique content to each user and the location has performed a content update.
  - 13. The non-transitory computer-readable storage medium of claim 9, wherein the remote object comprises data providing downloadable content.
  - 14. The non-transitory computer-readable storage medium of claim 13, wherein the remote object comprises one or more of:
    - a web page, a downloadable file, a script written in an interpreted language, an executable program, an image, music, or multimedia content.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein the objection characterization module is further for:
    - transmitting an indication that the instance of the remote object is potentially malicious to other client devices attempting to access the instance of the remote object.
  - 16. The non-transitory computer-readable storage medium of claim 9, wherein analyzing the identified content identification values comprises:
    - identifying geographical locations of clients corresponding to the content identification values associated with the previous object instances of the remote object;
      
      comparing the geographical locations of the clients to determine geographical trends indicative that the location returns unique content to geographical regions associated with the geographical locations of the clients.

17. A computer system configured for cooperative identification of potentially malicious remote objects, the system comprising:
- a computer processor;
  
  a computer-readable storage medium storing executable code, the code when executed by the computer processor perform steps comprising;
  
  identifying a location associated with an instance of a remote object;
  
  creating a unique content identification value for content associated with the instance of the remote object;
  
  identifying content identification values associated with previous object instances of the remote object associated with the location;
  
  comparing the created unique content identification value for the instance of the remote object to the identified content identification values to determine whether the created content identification value for the instance of the remote object does not match at least one of the identified content identification values associated with the previous object instances of the remote object;
  
  in response to determining that the created unique content identification value for the instance of the remote object does not match at least one of the identified content identification values associated with the previous object instances of the remote object, analyzing the identified content identification values seeking to identify a legitimate reason why the created unique content identification value does not match at least one of the identified content identification values associated with the previous object instances of the remote object, the legitimate reason indicating that the instance of the remote object is not malicious due to the location returning unique content to each of a plurality of different geographical regions; and
  
  in response to identifying no legitimate reason why the created unique identification value does not match at least one of the identified content identification values associated with the previous object instance of the remote object, labeling the instance of the remote object as potentially malicious.
- View Dependent Claims (18, 19, 20)
- - 18. The computer system of claim 17, wherein analyzing the identified content identification values comprises analyzing timestamps for the identified content identification values and the created unique content identification value to identify whether the created unique content identification value was created after a date in which a content update was performed.
  - 19. The computer system of claim 17, wherein the created unique content identification value and the identified content identification values comprise hash values.
  - 20. The computer system of claim 17, wherein analyzing the identified content identification values comprises:
    - identifying geographical locations of clients corresponding to the content identification values associated with the previous object instances of the remote object;
      
      comparing the geographical locations of the clients to determine geographical trends indicative that the location returns unique content to geographical regions associated with the geographical locations of the clients.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sobel, William E., McCorkendale, Bruce
Primary Examiner(s)
Chbouki, Tarek

Application Number

US12/058,941
Time in Patent Office

1,849 Days
Field of Search

707/952
US Class Current

707/758
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

H04L 63/101   Access control lists [ACL]

H04L 63/1425   Traffic logging, e.g. anoma...

Cooperative identification of malicious remote objects

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cooperative identification of malicious remote objects

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links