System and method for detecting a file embedded in an arbitrary location and determining the reputation of the file

US 8,650,638 B2
Filed: 10/18/2011
Issued: 02/11/2014
Est. Priority Date: 10/18/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a plurality of packets associated with a file at a node, which comprises a sensor that is to interact with a reputation system, wherein the file is an executable file embedded in a second file in a network flow;

identifying a file format identifier associated with a beginning of the file;

parsing the file based on the file format identifier to identify an end of the file, wherein only the file is parsed to identify the end of the file, and wherein portions of the second file that do not include the file are not parsed to identify the end of the file;

calculating a hash value from the beginning of the file to the end of the file;

sending the hash value to the reputation system;

receiving a reputation value associated with the hash value from the reputation system; and

taking a policy action based on the reputation value, wherein the policy action includes quarantining the file.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment that includes identifying a file format identifier associated with a beginning of a file, parsing the file based on the file format identifier until an end of the file is identified, and calculating a hash from the beginning of the file to the end of the file. The method may also include sending the hash to a reputation system and taking a policy action based on the hash'"'"'s reputation received from the reputation system.

15 Citations

View as Search Results

15 Claims

1. A method, comprising:
- receiving a plurality of packets associated with a file at a node, which comprises a sensor that is to interact with a reputation system, wherein the file is an executable file embedded in a second file in a network flow;
  
  identifying a file format identifier associated with a beginning of the file;
  
  parsing the file based on the file format identifier to identify an end of the file, wherein only the file is parsed to identify the end of the file, and wherein portions of the second file that do not include the file are not parsed to identify the end of the file;
  
  calculating a hash value from the beginning of the file to the end of the file;
  
  sending the hash value to the reputation system;
  
  receiving a reputation value associated with the hash value from the reputation system; and
  
  taking a policy action based on the reputation value, wherein the policy action includes quarantining the file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the file is a binary file.
  - 3. The method of claim 1, wherein:
    - the file format identifier is a string comprising “
      
      MZ.”
  - 4. The method of claim 1, wherein:
    - the file format identifier is a string comprising “
      
      PE00.”
  - 5. The method of claim 1, wherein parsing the file comprises parsing a header in the file to determine a size of the file.
  - 6. The method of claim 1, wherein:
    - the file format identifier is a string comprising “
      
      MZ”
      
      ; and
      
      parsing the file comprises parsing a header in the file to determine a size of the file.
  - 7. The method of claim 1, wherein parsing the file comprises parsing a header in the file to detect a certificate associated with the file.
  - 8. The method of claim 1, wherein the hash value is calculated with a hash function selected to minimize a false positive match with malware if the hash value is incorrect.

9. Logic encoded in one or more non-transitory media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
- receiving a plurality of packets associated with a file at a node, which comprises a sensor that is to interact with a reputation system, wherein the file is an executable file embedded in a second file in a network flow;
  
  identifying a file format identifier associated with a beginning of the file;
  
  parsing the file based on the file format identifier to identify an end of the file, wherein only the file is parsed to identify the end of the file, and wherein portions of the second file that do not include the file are not parsed to identify the end of the file;
  
  calculating a hash value from the beginning of the file to the end of the file;
  
  sending the hash value to the reputation system;
  
  receiving a reputation value associated with the hash value; and
  
  taking a policy action based on the reputation value, wherein the policy action includes quarantining the file.
- View Dependent Claims (10, 11, 12)
- - 10. The encoded logic of claim 9, wherein the file is a binary file.
  - 11. The encoded logic of claim 9, wherein:
    - the file format identifier is a string comprising “
      
      MZ.”
  - 12. The encoded logic of claim 9, wherein:
    - the file format identifier is a string comprising “
      
      PE00.”

13. A node, comprising:
- one or more processors;
  
  a memory; and
  
  a sensor that is to interact with a reputation system, wherein the apparatus is configured for;
  
  receiving a plurality of packets associated with a file at the node, wherein the file is an executable file embedded in a second file in a network flow;
  
  identifying a file format identifier associated with a beginning of the file;
  
  parsing the file based on the file format identifier to identify an end of the file, wherein only the file is parsed to identify the end of the file, and wherein portions of the second file that do not include the file are not parsed to identify the end of the file;
  
  calculating a hash value from the beginning of the file to the end of the file;
  
  sending the hash value to the reputation system;
  
  receiving a reputation value associated with the hash value; and
  
  taking a policy action based on the reputation value, wherein the policy action includes quarantining the file.
- View Dependent Claims (14, 15)
- - 14. The node of claim 13, wherein the file is a binary file.
  - 15. The node of claim 13, wherein:
    - the file format identifier is a string comprising “
      
      MZ.”

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Ma, Denys Lok Hang, Mahadik, Vinay, Pathak, Swapnil
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Durham, Imhotep

Application Number

US13/276,197
Publication Number

US 20130097661A1
Time in Patent Office

847 Days
Field of Search

713/187, 713/188, 726/1, 726/22
US Class Current

726/22
CPC Class Codes

G06F 21/56   Computer malware detection ...

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

System and method for detecting a file embedded in an arbitrary location and determining the reputation of the file

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

System and method for detecting a file embedded in an arbitrary location and determining the reputation of the file

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others