Lineage-based reputation system

US 8,510,836 B1
Filed: 07/06/2010
Issued: 08/13/2013
Est. Priority Date: 07/06/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of determining a reputation score for a file, the method comprising:

using a computer to performs steps comprising;

receiving a plurality of lineage reports from a plurality of clients, a lineage report specifying a lineage relationship for a file created at a client, the lineage report identifying a parent file and a child file created by the parent file at the client;

generating a plurality of lineage scores for the file using a plurality of lineage metrics based on the plurality of lineage reports;

aggregating the plurality of lineage scores for the file to produce an aggregated lineage score for the file, the aggregating comprising computing a proportion indicating how often the file is created by malware; and

generating a reputation score for the file based at least in part on the aggregated lineage score, the reputation score indicating a likelihood that the file is malware.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer generates a reputation score for a file based at least in part on the lineage of the file. A security module on a client monitors file creations on the client and identifies a parent file creating a child file. The security module provides a lineage report describing the lineage relationship to a security server. The security server uses lineage reports from the client to generate one or more lineage scores for the files identified by the reports. The security server aggregates the lineage scores for files reported by multiple clients. The aggregated lineage scores are used by the security server to generate reputation scores for files. The reputation score for a file indicates a likelihood that the file is malicious. The security server reports the reputation scores to the clients, and the clients use the reputation scores to determine whether files detected at the clients are malicious.

103 Citations

View as Search Results

19 Claims

1. A computer-implemented method of determining a reputation score for a file, the method comprising:
- using a computer to performs steps comprising;
  
  receiving a plurality of lineage reports from a plurality of clients, a lineage report specifying a lineage relationship for a file created at a client, the lineage report identifying a parent file and a child file created by the parent file at the client;
  
  generating a plurality of lineage scores for the file using a plurality of lineage metrics based on the plurality of lineage reports;
  
  aggregating the plurality of lineage scores for the file to produce an aggregated lineage score for the file, the aggregating comprising computing a proportion indicating how often the file is created by malware; and
  
  generating a reputation score for the file based at least in part on the aggregated lineage score, the reputation score indicating a likelihood that the file is malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 18, 19)
- - 2. The method of claim 1, wherein generating the plurality of lineage scores comprises generating one or more lineage metrics from a set of metrics consisting of:
    - a “
      
      created by known malware”
      
      metric indicating whether the file was created by known malware at the client;
      
      a “
      
      created known malware”
      
      metric indicating whether the file created malware at the client;
      
      a “
      
      created by known introduction vector”
      
      metric indicating whether the file was created at the client by a parent file known to be a malware introduction vector;
      
      a “
      
      created by known legitimate installer”
      
      metric indicating whether the file was created at the client by a parent file known to be used to install legitimate applications;
      
      a “
      
      created known legitimate file”
      
      metric indicating whether the file created a known legitimate file at the client;
      
      a “
      
      sibling of known malware”
      
      metric indicating whether the file was created by a same parent that also created a known malware file; and
      
      a “
      
      sibling of known legitimate file”
      
      metric indicating whether the file was created by a same parent that also created a known legitimate file.
  - 3. The method of claim 2, wherein:
    - the “
      
      created by known malware”
      
      metric indicates a count of a number of times the file was created by known malware at the client;
      
      the “
      
      created known malware”
      
      metric indicates a count of a number of times the file created malware at the client;
      
      the “
      
      created by known introduction vector”
      
      metric indicates a count of a number of times the file was created at the client by a parent file known to be a malware introduction vector;
      
      the “
      
      created by known legitimate installer”
      
      metric indicates a count of a number of times the file was created at the client by a parent file known to be used to install legitimate applications;
      
      the “
      
      created known legitimate file”
      
      metric indicates a count of a number of times the file created a known legitimate file at the client; and
      
      the “
      
      sibling of known malware”
      
      metric indicates a count of a number of times the file was a sibling of known malware; and
      
      the “
      
      sibling of known legitimate file”
      
      metric indicates a count of a number of times the file was a sibling of a known legitimate file.
  - 4. The method of claim 1, wherein computing the proportion indicating how often the file is created by malware comprises:
    - computing a percentage of time that the file is created by malware by calculating a number of times that a file was created by known malware divided by a total number of times the file was created.
  - 5. The method of claim 1, wherein generating the reputation score for the file based at least in part on the aggregated lineage score comprises:
    - identifying other reputation information associated with the file, the other reputation information describing characteristics of the client; and
      
      using a machine learning technique to generate the reputation score for the file based on the aggregated lineage score and the other reputation information.
  - 6. The method of claim 5, wherein using a machine learning technique comprises:
    - training a classifier using lineage information associated with known malicious files to generate the reputation score.
  - 7. The method of claim 1, further comprising:
    - reporting the reputation score associated with the file to the client, wherein the client is adapted to use the reputation score to identify malware at the client.
  - 18. The method of claim 1, wherein a lineage metric on which a lineage score for the file is based comprises a file distance metric describing file creation behavior for multiple generations of files.
  - 19. The method of claim 1, wherein a lineage metric on which a lineage score for the file is based is adjusted by an amount that is a function of a distance of the file to known malware.

8. A non-transitory computer-readable storage medium storing executable computer program instructions for determining a reputation score for a file, comprising computer program instructions for:
- receiving a plurality of lineage reports from a plurality of clients, a lineage report specifying a lineage relationship for a file created at a client, the lineage report identifying a parent file and a child file created by the parent file at the client;
  
  generating a plurality of lineage scores for the file using a plurality of lineage metrics based on the plurality of lineage reports;
  
  aggregating the plurality of lineage scores for the file to produce an aggregated lineage score for the file, the aggregating comprising computing a proportion indicating how often the file is created by malware; and
  
  generating a reputation score for the file based at least in part on the aggregated lineage score, the reputation score indicating a likelihood that the file is malware.
- View Dependent Claims (9, 10, 11, 12, 16)
- - 9. The computer-readable storage medium of claim 8, wherein the computer program instructions for generating the plurality of lineage scores comprise computer program instructions for generating one or more lineage metrics from a set of metrics consisting of:
    - a “
      
      created by known malware”
      
      metric indicating whether the file was created by known malware at the client;
      
      a “
      
      created known malware”
      
      metric indicating whether the file created malware at the client;
      
      a “
      
      created by known introduction vector”
      
      metric indicating whether the file was created at the client by a parent file known to be a malware introduction vector;
      
      a “
      
      created by known legitimate installer”
      
      metric indicating whether the file was created at the client by a parent file known to be used to install legitimate applications; and
      
      a “
      
      created known legitimate file”
      
      metric indicating whether the file created a known legitimate file at the client;
      
      a “
      
      sibling of known malware”
      
      metric indicating whether the file was created by a same parent that also created a known malware file; and
      
      a “
      
      sibling of known legitimate file”
      
      metric indicating whether the file was created by a same parent that also created a known legitimate file.
  - 10. The computer-readable storage medium of claim 9, wherein:
    - the “
      
      created by known malware”
      
      metric indicates a count of a number of times the file was created by known malware at the client;
      
      the “
      
      created known malware”
      
      metric indicates a count of a number of times the file created malware at the client;
      
      the “
      
      created by known introduction vector”
      
      metric indicates a count of a number of times the file was created at the client by a parent file known to be a malware introduction vector;
      
      the “
      
      created by known legitimate installer”
      
      metric indicates a count of a number of times the file was created at the client by a parent file known to be used to install legitimate applications; and
      
      the “
      
      created known legitimate file”
      
      metric indicates a count of a number of times the file created a known legitimate file at the client;
      
      the “
      
      sibling of known malware”
      
      metric indicates a count of a number of times the file was a sibling of known malware; and
      
      the “
      
      sibling of known legitimate file”
      
      metric indicates a count of a number of times the file was a sibling of a known legitimate file.
  - 11. The computer-readable storage medium of claim 8, wherein the computer program instructions for generating the reputation score for the file based at least in part on the aggregated lineage score comprise computer program instructions for:
    - identifying other reputation information associated with the file, the other reputation information describing characteristics of the client; and
      
      using a machine learning technique to generate the reputation score for the file based on the aggregated lineage score and the other reputation information.
  - 12. The computer-readable storage medium of claim 8, further comprising computer program instructions for:
    - reporting the reputation score associated with the file to the client, wherein the client is adapted to use the reputation score to identify malware at the client.
  - 16. The computer-readable storage medium of claim 8, wherein the computer program instructions for computing the proportion indicating how often the file is created by malware comprise computer program instructions for:
    - computing a percentage of time that the file is created by malware by calculating a number of times that a file was created by known malware divided by a total number of times the file was created.

13. A computer system for determining a reputation score for a file, the system comprising:
- a non-transitory computer-readable storage medium storing executable computer program instructions comprising instructions for;
  
  receiving a plurality of lineage reports from a plurality of clients, a lineage report specifying a lineage relationship for a file created at a client, the lineage report identifying a parent file and a child file created by the parent file at the client;
  
  generating a plurality of lineage scores for the file using a plurality of lineage metrics based on the plurality of lineage reports;
  
  aggregating the plurality of lineage scores for the file to produce an aggregated lineage score for the file, the aggregating comprising computing a proportion indicating how often the file is created by malware; and
  
  generating a reputation score for the file based at least in part on the aggregated lineage score, the reputation score indicating a likelihood that the file is malware; and
  
  a computer processor configured to execute the computer program instructions.
- View Dependent Claims (14, 15, 17)
- - 14. The system of claim 13, wherein the computer program instructions for generating the plurality of lineage scores comprises computer program instructions for generating one or more lineage metrics from a set of metrics consisting of:
    - a “
      
      created by known malware”
      
      metric indicating whether the file was created by known malware at the client;
      
      a “
      
      created known malware”
      
      metric indicating whether the file created malware at the client;
      
      a “
      
      created by known introduction vector”
      
      metric indicating whether the file was created at the client by a parent file known to be a malware introduction vector;
      
      a “
      
      created by known legitimate installer”
      
      metric indicating whether the file was created at the client by a parent file known to be used to install legitimate applications; and
      
      a “
      
      created known legitimate file”
      
      metric indicating whether the file created a known legitimate file at the client;
      
      a “
      
      sibling of known malware”
      
      metric indicating whether the file was created by a same parent that also created a known malware file; and
      
      a “
      
      sibling of known legitimate file”
      
      metric indicating whether the file was created by a same parent that also created a known legitimate file.
  - 15. The system of claim 13, wherein the computer program instructions for generating the reputation score for the file based at least in part on the aggregated lineage score comprises computer program instructions for:
    - identifying other reputation information associated with the file, the other reputation information describing characteristics of the client; and
      
      using a machine learning technique to generate the reputation score for the file based on the aggregated lineage score and the other reputation information.
  - 17. The system of claim 13, wherein the computer program instructions for computing the proportion indicating how often the file is created by malware comprise computer program instructions for:
    - computing a percentage of time that the file is created by malware by calculating a number of times that a file was created by known malware divided by a total number of times the file was created.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Nachenberg, Carey S.
Primary Examiner(s)
Nalven, Andrew L.
Assistant Examiner(s)
FIELDS, COURTNEY D

Application Number

US12/831,004
Time in Patent Office

1,134 Days
Field of Search

726/23, 726/22, 726/24, 726/25, 726/27, 709/203, 709/223, 706/12
US Class Current

726/23
CPC Class Codes

G06F 21/565   by checking file integrity

H04L 51/212   using filtering or selectiv...

H04L 63/145   the attack involving the pr...

Lineage-based reputation system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

103 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Lineage-based reputation system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links