Malware detection using file names

US 8,621,233 B1
Filed: 01/13/2010
Issued: 12/31/2013
Est. Priority Date: 01/13/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of determining whether a computer file contains malicious software, comprising:

identifying a computer file stored on a plurality of different endpoints, the computer file having a plurality of different names on the endpoints;

analyzing the plurality of different names for the computer file to generate a score, the score indicating a confidence that the computer file contains malicious software, wherein the analysis comprises;

determining an amount of dissimilarity among the plurality of different names for the computer file by comparing pairs of different names for the computer file to determine dissimilarity of character strings forming the names in the pairs;

generating the score responsive to the amount of dissimilarity among the plurality of different names for the computer file, wherein a greater amount of dissimilarity correlates with a greater confidence that the computer file contains malicious software; and

weighting the score for age and/or prevalence of the computer file, wherein the age weight for the score is inversely proportional to a length of time that the computer file has been stored on an endpoint and the prevalence weight for the score is inversely proportional to a prevalence of the computer file among the plurality of different endpoints; and

determining whether the computer file contains malicious software responsive at least in part to the score.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Descriptions of files detected at endpoints are submitted to a security server. The descriptions describe the names of the files and unique identifiers of the files. The security server uses the unique identifiers to identify files having different names at different endpoints. For a given file having multiple names, the names are processed to account for name differences unlikely to have been caused by malware. The processed names for the file are analyzed to determine the amount of dissimilarity among the names. This analysis is used to generate a score indicating a confidence that the computer file contains malicious software, where a greater amount of dissimilarity among the names generally indicates a greater confidence that the computer file contains malicious software. The score is weighted based on file name frequency, the age of the file, and the prevalence of the file. The weighted score is used to determine whether the computer file contains malicious software.

40 Citations

View as Search Results

17 Claims

1. A computer-implemented method of determining whether a computer file contains malicious software, comprising:
- identifying a computer file stored on a plurality of different endpoints, the computer file having a plurality of different names on the endpoints;
  
  analyzing the plurality of different names for the computer file to generate a score, the score indicating a confidence that the computer file contains malicious software, wherein the analysis comprises;
  
  determining an amount of dissimilarity among the plurality of different names for the computer file by comparing pairs of different names for the computer file to determine dissimilarity of character strings forming the names in the pairs;
  
  generating the score responsive to the amount of dissimilarity among the plurality of different names for the computer file, wherein a greater amount of dissimilarity correlates with a greater confidence that the computer file contains malicious software; and
  
  weighting the score for age and/or prevalence of the computer file, wherein the age weight for the score is inversely proportional to a length of time that the computer file has been stored on an endpoint and the prevalence weight for the score is inversely proportional to a prevalence of the computer file among the plurality of different endpoints; and
  
  determining whether the computer file contains malicious software responsive at least in part to the score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - receiving, from the plurality of different endpoints via a computer network, descriptions of computer files stored at the endpoints, the descriptions describing names, paths, and unique identifiers of the computer files; and
      
      identifying the computer file having the plurality of different names using the unique identifiers received from the plurality of different endpoints;
      
      wherein the analyzing comprises analyzing the names and paths for the computer file to generate the score.
  - 3. The method of claim 1, further comprising:
    - receiving, from the plurality of different endpoints via a computer network, descriptions of computer files stored at the endpoints, the descriptions describing names and unique identifiers of the computer files;
      
      identifying the computer file having the plurality of different names using the unique identifiers received from the plurality of different endpoints; and
      
      processing the plurality of different names to account for name differences unlikely to have been caused by malicious software by canonicalizing the plurality of different names into a standard representation;
      
      wherein the analyzing analyzes the processed names.
  - 4. The method of claim 1, wherein analyzing the plurality of different names for the computer file comprises:
    - for a pair of different names of the plurality of different names for the computer file;
      
      applying a string similarity metric to the pair of different names, the metric producing a similarity score indicating a measure of dissimilarity between the pair of different names;
      
      determining file system paths of endpoints on which instances of the file having a name from the pair of different names reside;
      
      setting a threshold for the similarity score responsive to the file system paths; and
      
      quantizing the similarity score for the metric to indicate either similarity or dissimilarity responsive to the threshold.
  - 5. The method of claim 4, further comprising:
    - determining whether an instance of the file having a name from the pair of different names has a file system path to a directory in which file names are expected to vary across endpoints; and
      
      setting the threshold to require a greater measure of dissimilarity to quantize the similarity score to indicate dissimilarity if the instance of the file having a name from the pair of different names has a file system path to a directory in which file names are expected to vary across endpoints than if the instance of the file having a name from the pair of different names has a file system path to a directory in which file names are not expected to vary across endpoints.
  - 6. The method of claim 1, wherein analyzing the plurality of different names for the computer file comprises:
    - for a pair of different names of the plurality of different names for the computer file;
      
      applying a string similarity metric to the pair of different names, the metric producing a similarity score indicating a measure of dissimilarity between the pair of different names; and
      
      weighting the similarity score responsive to a frequency distribution of instances of the computer file having a name of the pair of different names among the plurality of endpoints, wherein the similarity score receives a higher weight if a frequency distribution evidences a uniform random distribution of file names among the endpoints than if the frequency distribution evidences a different distribution.
  - 7. The method of claim 1, wherein the analysis further comprises:
    - applying a plurality of metrics to a compared pair of different names of the plurality of different names to generate a plurality of metric scores;
      
      quantizing each of the plurality of metric scores to a binary value indicating similarity or dissimilarity to produce a plurality of quantized scores; and
      
      combining the plurality of quantized scores to produce a similarity score for the compared pair of different names, wherein the score indicating the confidence that the computer file contains malicious software is generated responsive to the similarity score.
  - 8. The method of claim 1, wherein the analysis further comprises:
    - generating a similarity score responsive to a comparison of a pair of different names of the plurality of different names;
      
      weighting the similarity score based on a frequency distribution of the names in the pair to produce a weighted similarity score;
      
      combining the weighted similarity score with other weighted similarity scores to produce a normalized score; and
      
      producing the score indicating the confidence that the computer file contains malicious software using the normalized score.
  - 9. The method of claim 8,wherein the normalized score is weighted to account for the age and/or prevalence of the file.

10. A computer system for determining whether a computer file contains malicious software, comprising:
- a non-transitory computer-readable storage medium storing executable computer program instructions comprising instructions for;
  
  identifying a computer file stored on a plurality of different endpoints, the computer file having a plurality of different names on the endpoints;
  
  analyzing the plurality of different names for the computer file to generate a score, the score indicating a confidence that the computer file contains malicious software, wherein the analysis comprises;
  
  determining an amount of dissimilarity among the plurality of different names for the computer file by comparing pairs of different names for the computer file to determine dissimilarity of character strings forming the names in the pairs;
  
  generating the score responsive to the amount of dissimilarity among the plurality of different names for the computer file, wherein a greater amount of dissimilarity correlates with a greater confidence that the computer file contains malicious software; and
  
  weighting the score for age and/or prevalence of the computer file, wherein the age weight for the score is inversely proportional to a length of time that the computer file has been stored on an endpoint and the prevalence weight for the score is inversely proportional to a prevalence of the computer file among the plurality of different endpoints; and
  
  determining whether the computer file contains malicious software responsive at least in part to the score; and
  
  a processor for executing the computer program instructions.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The computer system of claim 10, further comprising instructions for:
    - receiving, from the plurality of different endpoints via a computer network, descriptions of computer files stored at the endpoints, the descriptions describing names, paths, and unique identifiers of the computer files; and
      
      identifying the computer file having the plurality of different names using the unique identifiers received from the plurality of different endpoints;
      
      wherein the analyzing comprises analyzing the names and paths for the computer file to generate the score.
  - 12. The computer system of claim 10, further comprising instructions for:
    - receiving, from the plurality of different endpoints via a computer network, descriptions of computer files stored at the endpoints, the descriptions describing names and unique identifiers of the computer files;
      
      identifying the computer file having the plurality of different names using the unique identifiers received from the plurality of different endpoints; and
      
      processing the plurality of different names to account for name differences unlikely to have been caused by malicious software by canonicalizing the plurality of different names into a standard representation;
      
      wherein the analyzing analyzes the processed names.
  - 13. The computer system of claim 10, wherein analyzing the plurality of different names for the computer file comprises:
    - for a pair of different names of the plurality of different names for the computer file;
      
      applying a string similarity metric to the pair of different names, the metric producing a similarity score indicating a measure of dissimilarity between the pair of different names;
      
      determining file system paths of endpoints on which instances of the file having a name from the pair of different names reside;
      
      setting a threshold for the similarity score responsive to the file system paths; and
      
      quantizing the similarity score for the metric to indicate either similarity or dissimilarity responsive to the threshold.
  - 14. The computer system of claim 13, further comprising instructions for:
    - determining whether an instance of the file having a name from the pair of different names has a file system path to a directory in which file names are expected to vary across endpoints; and
      
      setting the threshold to require a greater measure of dissimilarity to quantize the similarity score to indicate dissimilarity if the instance of the file having a name from the pair of different names has a file system path to a directory in which file names are expected to vary across endpoints than if the instance of the file having a name from the pair of different names has a file system path to a directory in which file names are not expected to vary across endpoints.
  - 15. The computer system of claim 10, wherein analyzing the plurality of different names for the computer file comprises:
    - for a pair of different names of the plurality of different names for the computer file;
      
      applying a string similarity metric to the pair of different names, the metric producing a similarity score indicating a measure of dissimilarity between the pair of different names; and
      
      weighting the similarity score responsive to a frequency distribution of instances of the computer file having a name of the pair of different names among the plurality of endpoints, wherein the similarity score receives a higher weight if a frequency distribution evidences a uniform random distribution of file names among the endpoints than if the frequency distribution evidences a different distribution.

16. A non-transitory computer-readable storage medium storing executable computer program instructions for determining whether a computer file contains malicious code, the instructions comprising instructions for:
- submitting file descriptions describing attributes of computer files detected on an endpoint to a security server, the attributes comprising unique identifiers of the computer files and names of the computer files;
  
  receiving, from the security server, an indication of whether a computer file contains malicious software, the indication determined responsive to an analysis of unique identifiers and names of computer files described by file descriptions submitted by a plurality of different endpoints, wherein the analysis comprises;
  
  determining an amount of dissimilarity among a plurality of different names for the computer file by comparing pairs of different names for the computer file to determine dissimilarity of character strings forming the names in the pairs;
  
  generating a score responsive to the amount of dissimilarity among the plurality of different names for the computer file, wherein a greater amount of dissimilarity correlates with a greater confidence that the computer file contains malicious software; and
  
  weighting the score for age and/or prevalence of the computer file, wherein the age weight for the score is inversely proportional to a length of time that the computer file has been on an endpoint of the plurality of different endpoints and the prevalence weight for the score is inversely proportional to a prevalence of the computer file among the plurality of different endpoints, and the indication is determined responsive to the weighted score; and
  
  responsive to the received indication indicating that the computer file contains malicious software, remediating the malicious software.
- View Dependent Claims (17)
- - 17. The computer-readable storage medium of claim 16, wherein the analysis further comprises:
    - for a pair of different names of the plurality of different names for the computer file;
      
      applying a string similarity metric to the pair of different names, the metric producing a similarity score indicating a measure of dissimilarity between the pair of different names; and
      
      quantizing the similarity score for the metric to indicate either similarity or dissimilarity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Kennedy, Mark Kevin, Ramzan, Zulfikar, Manadhata, Pratyusa K.
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
CALLAHAN, PAUL E

Application Number

US12/687,071
Time in Patent Office

1,448 Days
Field of Search

726/22, 726/24, 726/25, 709/224, 713/188
US Class Current

713/188
CPC Class Codes

G06F 21/56 Computer malware detection ...

Malware detection using file names

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Malware detection using file names

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links