Method and apparatus for detecting malicious software through contextual convictions

US 9,218,461 B2
Filed: 11/30/2011
Issued: 12/22/2015
Est. Priority Date: 12/01/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for making a determination concerning whether a software application is benign or malicious comprising:

extracting metadata about the application;

gathering a first set of contextual information concerning the system to generate a constructed infection history for a client, wherein said first set of contextual information includes recent infection history, applications running on the system, web sites visited, the geographic location of the client, the Internet Protocol (IP) address of the client, and a client identifier;

transmitting the metadata and the first set of contextual information to a server component, wherein the metadata and the first set of contextual information are encoded prior to the transmitting;

making a determination as to whether the application is benign or malicious by;

examining the metadata and determining that the application is suspicious; and

when the application is suspicious and a final determination as to whether the application is benign or malicious cannot be made without analyzing the first set of contextual information, examining the metadata based on the constructed infection history, including analyzing the metadata based on geographic parameters and web site specific parameters determined based on the constructed infection history, to determine whether the application is benign or malicious;

deriving a model based on the determination, the model encoding rules to be utilized in making future determinations when a second set of contextual information is similar to the first set of contextual information;

transmitting a response to the client containing information relating to the determination; and

making a determination as to whether to take any action concerning the application based on the information from the server component.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Novel methods, components, and systems that enhance traditional techniques for detecting malicious software are presented. More specifically, we describe methods, components, and systems that leverage important contextual information from a client system (such as recent history of events on that system) to detect malicious software that might have otherwise gone ignored. The disclosed invention provides a significant improvement with regard to detection capabilities compared to previous approaches.

49 Citations

23 Claims

1. A computer-implemented method for making a determination concerning whether a software application is benign or malicious comprising:
- extracting metadata about the application;
  
  gathering a first set of contextual information concerning the system to generate a constructed infection history for a client, wherein said first set of contextual information includes recent infection history, applications running on the system, web sites visited, the geographic location of the client, the Internet Protocol (IP) address of the client, and a client identifier;
  
  transmitting the metadata and the first set of contextual information to a server component, wherein the metadata and the first set of contextual information are encoded prior to the transmitting;
  
  making a determination as to whether the application is benign or malicious by;
  
  examining the metadata and determining that the application is suspicious; and
  
  when the application is suspicious and a final determination as to whether the application is benign or malicious cannot be made without analyzing the first set of contextual information, examining the metadata based on the constructed infection history, including analyzing the metadata based on geographic parameters and web site specific parameters determined based on the constructed infection history, to determine whether the application is benign or malicious;
  
  deriving a model based on the determination, the model encoding rules to be utilized in making future determinations when a second set of contextual information is similar to the first set of contextual information;
  
  transmitting a response to the client containing information relating to the determination; and
  
  making a determination as to whether to take any action concerning the application based on the information from the server component.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method according to claim 1, wherein said extracted metadata is selected from the group consisting of traditional fingerprints and generic signatures.
  - 3. The method according to claim 1, wherein said server component and said client reside on the same computing device.
  - 4. The method according to claim 1, wherein said server component and said client reside on separate and remote computing devices.
  - 5. The method according to claim 1, wherein said client continuously gathers contextual information, the first set of contextual information being from a first period of time and the second set of contextual information being from a second period of time.

6. Non-transitory computer-readable storage medium containing computer readable instructions operable to make a determination concerning whether a software application is benign or malicious, said instructions comprising instructions operable to:
- extract metadata about the application;
  
  gather a first set of contextual information concerning the system to generate a constructed infection history for a client, wherein said first set of contextual information includes recent infection history, applications running on the system, web sites visited, the geographic location of the client, the Internet Protocol (IP) address of the client, and a client identifier;
  
  transmit the metadata and the first set of contextual information to a server component, wherein the metadata and the a first set of contextual information is encoded prior to the transmitting;
  
  make a determination as to whether the application is benign or malicious by;
  
  examining the metadata and determining that the application is suspicious; and
  
  when the application is suspicious and a final determination as to whether the application is benign or malicious cannot be made without analyzing the first set of contextual information, examining the metadata based on the constructed infection history, including analyzing the metadata based on geographic parameters and web site specific parameters determined based on the constructed infection history, to determine whether the application is benign or malicious;
  
  derive a model based on the determination, the model encoding rules to be utilized in making future determinations when a second set of contextual information is similar to the first set of contextual information;
  
  transmit a response to the client containing information relating to the determination; and
  
  make a determination as to whether to take any action concerning the application based on the information from the server component.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The non-transitory computer-readable storage medium according to claim 6, wherein said extracted metadata is selected from the group consisting of traditional fingerprints and generic signatures.
  - 8. The non-transitory computer-readable storage medium according to claim 6, wherein said server component and said client reside on the same computing device.
  - 9. The non-transitory computer-readable storage medium according to claim 6, wherein said server component and said client reside on separate and remote computing devices.
  - 10. The non-transitory computer-readable storage medium according to claim 6, wherein said client continuously gathers contextual information, the first set of contextual information being from a first period of time and the second set of contextual information being from a second period of time.

11. Non-transitory computer-readable storage medium containing instructions operable to make a determination concerning whether a software application is benign or malicious, said instructions comprising instructions operable to:
- extract metadata about the application;
  
  gather a first set of contextual information concerning the system to generate a constructed infection history for a client, wherein said first set of contextual information includes recent infection history, applications running on the system, web sites visited, the geographic location of the client, the Internet Protocol (IP) address of the client, and a client identifier;
  
  transmit the metadata and the first set of contextual information to a server component, wherein the metadata and the first set of contextual information are encoded prior to the transmitting;
  
  receive a response from the server component relating to a determination as to whether the application is benign or malicious based on the metadata and the first set of contextual information, wherein said determination as to whether the application is benign or malicious is made by;
  
  examining the metadata and determining that the application is suspicious;
  
  when the application is suspicious and a final determination as to whether the application is benign or malicious cannot be made without analyzing the first set of contextual information, examining the metadata based on the constructed infection history, including analyzing the metadata based on geographic parameters and web site specific parameters determined based on the constructed infection history, to determine whether the application is benign or malicious; and
  
  derive a model based on the determination, the model encoding rules to be utilized in making future determinations when a second set of contextual information is similar to the first set of contextual information; and
  
  take an action with respect to the application based on the information received from the server component.
- View Dependent Claims (12, 13, 14, 23)
- - 12. The non-transitory computer-readable storage medium according to claim 11, wherein said server component and said client reside on the same computing device.
  - 13. The non-transitory computer-readable storage medium according to claim 11, wherein said server component and said client reside on separate and remote computing devices.
  - 14. The non-transitory computer-readable storage medium according to claim 11, wherein said client continuously gathers contextual information, the first set of contextual information being from a first period of time and the second set of contextual information being from a second period of time.
  - 23. The non-transitory computer-readable storage medium according to claim 11, wherein said extracted metadata is selected from the group consisting of traditional fingerprints and generic signatures.

15. Non-transitory computer-readable storage medium containing instructions operable to make a determination concerning whether a software application is benign or malicious, said instructions comprising instructions operable to:
- receive metadata about the application and a first set of contextual information concerning the system to generate a constructed infection history for a client, wherein the metadata and the first set of contextual information are encoded prior to being received, and wherein said first set of contextual information includes recent infection history, applications running on the system, web sites visited, the geographic location of the client, the Internet Protocol (IP) address of the client, and a client identifier;
  
  make a determination as to whether the application is benign or malicious by;
  
  examining the metadata and determining that the application is suspicious; and
  
  when the application is suspicious and a final determination as to whether the application is benign or malicious cannot be made without analyzing the first set of contextual information, examining the metadata based on the constructed infection history, including analyzing the metadata based on geographic parameters and web site specific parameters determined based on the constructed infection history, to determine whether the application is benign or malicious;
  
  derive a model based on the determination, the model encoding rules to be utilized in making future determinations when a second set of contextual information is similar to the first set of contextual information; and
  
  transmit a response to the client containing information relating to the determination.
- View Dependent Claims (16, 17)
- - 16. The non-transitory computer-readable storage medium according to claim 15, wherein said metadata is selected from the group consisting of traditional fingerprints and generic signatures.
  - 17. The non-transitory computer-readable storage medium according to claim 15, wherein said client continuously gathers contextual information, the first set of contextual information being from a first period of time and the second set of contextual information being from a second period of time.

18. A computer system configured to determine whether a software application is benign or malicious, comprising:
- a first non-transitory computer-readable storage medium containing instructions operable to;
  
  extract metadata about the application;
  
  gather a first set of contextual information concerning the system to generated a constructed infection history for a client, wherein said first set of contextual information includes recent infection history, applications running on the system, web sites visited, the geographic location of the client, the Internet Protocol (IP) address of the client, and a client identifier; and
  
  transmit the metadata and the first set of contextual information to a server component, wherein the metadata and the first set of contextual information are encoded prior to being transmitted; and
  
  a second non-transitory computer-readable storage medium containing instructions operable to;
  
  make a determination as to whether the application is benign or malicious by;
  
  examining the metadata and determining that the application is suspicious; and
  
  when the application is suspicious and a final determination as to whether the application is benign or malicious cannot be made without analyzing the first set of contextual information, examining the metadata based on the constructed infection history, including analyzing the metadata based on geographic parameters and web site specific parameters determined based on the constructed infection history, to determine whether the application is benign or malicious;
  
  derive a model based on the determination, the model encoding rules to be utilized in making future determinations when a second set of contextual information is similar to the first set of contextual information; and
  
  transmit a response to the client containing information relating to the determination.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The computer system according to claim 18, wherein said extracted metadata is selected from the group consisting of traditional fingerprints and generic signatures.
  - 20. The computer system according to claim 18, wherein said server component and said client reside on the same computing device.
  - 21. The computer system according to claim 18, wherein said server component and said client reside on separate and remote computing devices.
  - 22. The computer system according to claim 18, wherein said client continuously gathers contextual information, the first set of contextual information being from a first period of time and the second set of contextual information being from a second period of time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sourcefire Incorporated (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Friedrichs, Oliver, Huger, Alfred, O'Donnell, Adam
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
CHIANG, JASON

Application Number

US13/308,528
Publication Number

US 20130139261A1
Time in Patent Office

1,483 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

H04L 63/14   for detecting or protecting...

Method and apparatus for detecting malicious software through contextual convictions

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for detecting malicious software through contextual convictions

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links