Providing a network-accessible malware analysis

US 9,003,532 B2
Filed: 09/15/2011
Issued: 04/07/2015
Est. Priority Date: 09/15/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

providing, at a malware analysis system, a web services interface implemented by a malware analysis module running as a web service, the web services interface being arranged to enable a user at a first computer system to access the malware analysis system through a web services module and to request malware analysis of a file by the malware analysis system;

determining a file type of the first file including analyzing portions of file content of the first file and analyzing characters in a header file associated with the first file to determine the type of file even if a file extension of the first file has been falsified;

comparing the determined file type of the first file to a plurality of file types in a first policy file to determine whether the first file is to be analyzed by the malware analysis system;

receiving, from a first computer system via the web services interface, a first malware analysis request, the first malware analysis request comprising a first file to be analyzed for malware by the malware analysis system, a type of malware analysis to be performed on the first file, and an indication of the manner in which the first file was added to the first computer system;

initiating a malware analysis, by the malware analysis module running as a web service on the malware analysis system, of the first file for malware, the malware analysis including the type specified in the analysis request and the malware analysis based on the manner in which the first file was added to the first computer system; and

communicating, to the first computer system via the web services interface implemented by the malware analysis module running as a web service on the malware analysis system, a response for the first file determined by the malware analysis system, the response comprising an indication of whether the first file comprises malware.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In certain embodiments, a computer-implemented method comprises receiving, via a computer network and from a first computer system, a first malware analysis request. The first malware analysis request comprises a file to be analyzed for malware by a malware analysis system. The method includes initiating a malware analysis by the malware analysis system of the first file for malware. The method includes communicating to the first computer system a response for the first file determined by the malware analysis system to the first computer system. The response comprises an indication of whether the first file comprises malware.

21 Citations

View as Search Results

10 Claims

1. A computer-implemented method, comprising:
- providing, at a malware analysis system, a web services interface implemented by a malware analysis module running as a web service, the web services interface being arranged to enable a user at a first computer system to access the malware analysis system through a web services module and to request malware analysis of a file by the malware analysis system;
  
  determining a file type of the first file including analyzing portions of file content of the first file and analyzing characters in a header file associated with the first file to determine the type of file even if a file extension of the first file has been falsified;
  
  comparing the determined file type of the first file to a plurality of file types in a first policy file to determine whether the first file is to be analyzed by the malware analysis system;
  
  receiving, from a first computer system via the web services interface, a first malware analysis request, the first malware analysis request comprising a first file to be analyzed for malware by the malware analysis system, a type of malware analysis to be performed on the first file, and an indication of the manner in which the first file was added to the first computer system;
  
  initiating a malware analysis, by the malware analysis module running as a web service on the malware analysis system, of the first file for malware, the malware analysis including the type specified in the analysis request and the malware analysis based on the manner in which the first file was added to the first computer system; and
  
  communicating, to the first computer system via the web services interface implemented by the malware analysis module running as a web service on the malware analysis system, a response for the first file determined by the malware analysis system, the response comprising an indication of whether the first file comprises malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, further comprising:
    - receiving, at the web services interface and prior to receiving the first malware analysis request comprising the first file, a preliminary malware analysis request, the preliminary malware analysis request comprising file identification information for the first file;
      
      determining, based on the received file identification information, that one or more of the following is true;
      
      a malware analysis of the first file has not already been performed by the malware analysis system; and
      
      a malware analysis of the first file currently is not being performed by the malware analysis system; and
      
      sending, by the web services interface, a notification notifying the first computer system to send the first file to the malware analysis system.
  - 3. The computer-implemented method of claim 2, wherein the first malware analysis request is communicated by the first computer system to the web services interface, in response to the notification for the first computer system to send the first file to the malware analysis system.
  - 4. The computer-implemented method of claim 2, wherein the file identification information for the first file comprises a hash value representing a hash of the first file.
  - 5. The computer-implemented method of claim 1, further comprising:
    - receiving, at the web services interface, a second malware analysis request from the first computer system, the second malware analysis request comprising second file identification information for a second file;
      
      determining, by the web services interface, that one or more of the following is true based on the file identification for the second file;
      
      a malware analysis of the second file has already been performed by the malware analysis system; and
      
      a malware analysis of the second file currently is being performed by the malware analysis system; and
      
      notifying the first computer system by the web services interface not to send the second file for malware analysis to the malware analysis system.
  - 6. The computer-implemented method of claim 1, further comprising receiving at the web services interface the results from the malware analysis system including information accessible by a human analyst using an analysis console and an advanced malware analysis workflow to be followed by a human analyst when the first file is determined to be suspected malware.
  - 7. The computer-implemented method of claim 1, further comprising:
    - receiving from the first computer system at the web services interface, a callback request comprising an address and port number of the first computer system to use for communicating with the first computer system; and
      
      communicating, to the first computer system by the web services interface, the response for the first file comprising the indication of whether the first file comprises malware using the address for communicating with the first computer system via the web services interface.
  - 8. The computer-implemented method of claim 1, further comprising:
    - receiving, from the first computer system at the web services interface and subsequent to receiving the first malware analysis request comprising the first file, a second malware analysis request, the second malware analysis request being a status request and comprising file identification information for the first file; and
      
      determining, by the web services interface in response to the second malware analysis request, whether the first file has been analyzed by the malware analysis system;
      
      the communicating to the first computer system of the response for the first file being in response to a determination by the web services interface that the first file has been analyzed by the malware analysis system.
  - 9. The computer-implemented method of claim 1, wherein the providing, by the web services interface, the first malware analysis request and the first file to the malware analysis system for initiating a malware analysis by the malware analysis system further comprises communicating the first file by the web services interface to the malware analysis system for the malware analysis to be performed by the malware analysis system on the first file.
  - 10. The computer-implemented method of claim 1, further comprising authenticating the first computer system by the web services interface prior to receiving the first malware analysis request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint Federal Holdings LLC (Forcepoint LLC)
Original Assignee
Raytheon Company (Rtx Corporation)
Inventors
McDougal, Monty D., Ford, Bradley T., Sterns, William E.
Primary Examiner(s)
WILLIAMS, JEFFERY L

Application Number

US13/233,804
Publication Number

US 20130074185A1
Time in Patent Office

1,300 Days
Field of Search

None
US Class Current

726/24
CPC Class Codes

G06F 21/561 Virus type analysis

Providing a network-accessible malware analysis

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Providing a network-accessible malware analysis

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links