System and method for attack and malware prevention

US 9,223,973 B2
Filed: 08/08/2014
Issued: 12/29/2015
Est. Priority Date: 10/21/2008
Status: Active Grant

First Claim

Patent Images

1. In a server connected through a telecommunications network to receive and send data, having a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:

receiving data at the server from a mobile communications device;

applying by the known good component, logic on the data to determine if the data is safe;

when the known good component logic determines that the data is safe, allowing the data to be processed by the mobile communications device;

when the known good component logic does not determine that the data is safe, applying by the known bad component logic on the data to determine if the data is malicious;

when the known bad component logic determines that the data is malicious, rejecting the data from being processed by the mobile communications device;

when the known bad component does not determine that the data is malicious, performing, using the decision component, an analysis on the data to determine if the data is safe or malicious;

when the decision component determines that the data is safe, allowing the data to be processed by the mobile communications device; and

when the decision component determines that the data is malicious, rejecting the data from being processed by the mobile communications device.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for preventing malware attacks on mobile devices is presented. A server receives data from a mobile communications device and applies, by a known good component, logic on the data to determine if the data is safe. When the data is determined as being safe, the data is allowed to be processed by the mobile communications device. When the data is determined as not safe, a known bad component applies logic on the data to determine if the data is malicious. The data is rejected from being processed by the mobile communications device when the data is determined as being malicious. When the data is not malicious, a decision component performs an analysis on the data. If decision component determines the data to be safe, the data is allowed to be processed by the mobile communications device. Otherwise, the data is rejected from being processed.

302 Citations

23 Claims

1. In a server connected through a telecommunications network to receive and send data, having a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:
- receiving data at the server from a mobile communications device;
  
  applying by the known good component, logic on the data to determine if the data is safe;
  
  when the known good component logic determines that the data is safe, allowing the data to be processed by the mobile communications device;
  
  when the known good component logic does not determine that the data is safe, applying by the known bad component logic on the data to determine if the data is malicious;
  
  when the known bad component logic determines that the data is malicious, rejecting the data from being processed by the mobile communications device;
  
  when the known bad component does not determine that the data is malicious, performing, using the decision component, an analysis on the data to determine if the data is safe or malicious;
  
  when the decision component determines that the data is safe, allowing the data to be processed by the mobile communications device; and
  
  when the decision component determines that the data is malicious, rejecting the data from being processed by the mobile communications device.

2. In a server connected through a telecommunications network to receive and send data, having a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, and a known bad component for identifying data that is recognizably malicious, a method comprising:
- receiving data at the server from a mobile communications device;
  
  at the server, upon receipt of a signal from the mobile communications device that an analysis of the data by a mobile communications device security component has not been able to characterize the data as recognizably safe or malicious, applying by the known good component, logic on the data to determine if the data is safe, the logic examining the received data for valid statefulness and structure;
  
  when the known good component logic determines that the data is safe, allowing the data to be processed by the mobile communications device;
  
  when the known good component logic does not determine that the data is safe, applying by the known bad component logic on the data to determine if the data is malicious; and
  
  when the known bad component logic determines that the data is malicious, rejecting the data from being processed by the mobile communications device.
- View Dependent Claims (3)
- - 3. The method of claim 2, wherein the server further includes a decision component for evaluating whether data is safe or malicious, the method further comprising:
    - when the known bad component logic does not determine that the data is malicious, using the decision component, performing an analysis on the data by the decision component to determine if the data is safe or malicious;
      
      when the analysis shows that the data is safe, allowing the data to be processed by the mobile communications device; and
      
      when the analysis shows that the data is malicious, rejecting the data from being processed by the mobile communications device.

4. In a server connected through a telecommunications network to receive data from and send data to a mobile communications device, the server having a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:
- receiving data at the server;
  
  applying by the known good component, logic on the data to determine if the data is safe;
  
  when the known good component logic determines that the data is safe, sending the data to be processed by the mobile communications device;
  
  when the known good component logic does not determine that the data is safe, applying by the known bad component logic on the data to determine if the data is malicious;
  
  when the known bad component logic determines that the data is malicious, rejecting the data from being sent to the mobile communications device for processing;
  
  when the known bad component does not determine that the data is malicious, using the decision component, performing an analysis on the data to determine if the data is safe or malicious;
  
  when the decision component determines that the data is safe, allowing the data to be sent to the mobile communications device for processing; and
  
  when the decision component determines that the data is malicious, rejecting the data from being sent to the mobile communications device for processing.

5. In a server connected through a telecommunications network to receive data from and send data to a mobile communications device, the server having a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:
- receiving data at the server;
  
  sending the data to the mobile communications device;
  
  applying by the known good component, logic on the data to determine if the data is safe;
  
  when the known good component logic determines that the data is safe, sending instructions to the mobile communications device to process the data;
  
  when the known good component logic does not determine that the data is safe, applying by the known bad component logic on the data to determine if the data is malicious;
  
  when the known bad component logic determines that the data is malicious, sending instructions to the mobile communications device to not process the data;
  
  when the known bad component does not determine that the data is malicious, using the decision component, performing an analysis on the data to determine if the data is safe or malicious;
  
  when the decision component determines that the data is safe, sending instructions to the mobile communications device to process the data; and
  
  when the decision component determines that the data is malicious, sending instructions to the mobile communications device to not process the data.

6. In a server connected through a telecommunications network to receive data from and send data to a mobile communications device, the server having a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, and a known bad component for identifying data that is recognizably malicious, a method comprising:
- receiving data at the server;
  
  applying by the known good component, logic on the data to determine if the data is safe;
  
  when the known good component logic determines that the data is safe, sending the data to be processed by the mobile communications device;
  
  when the known good component logic does not determine that the data is safe, rejecting the data from being sent to the mobile communications device for processing, and applying by the known bad component logic on the data to determine if the data is malicious;
  
  when the known bad component logic determines that the data is malicious, rejecting the data from being sent to the mobile communications device for processing; and
  
  when the known bad component does not determine that the data is malicious, allowing the data to be sent to the mobile communications device for processing, wherein the mobile communications device comprises a decision component for analyzing whether the data is safe or malicious and for determining a disposition of the data as a result of the analysis, the mobile communications device processing the data when the decision component determines that the data is safe, and rejecting the data from being processed when the decision component determines that the data is malicious.

7. In a server connected through a telecommunications network to receive data from and send data to a mobile communications device, the server having a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:
- receiving, from the mobile communications device, a request to process data using the decision component, wherein the mobile communications device comprises at least a known good component for identifying data that is recognizably safe, and a known bad component for identifying data that is recognizably malicious, the request being received from the mobile communications device when the known good component of the mobile communications device does not determine that the data is safe, and the known bad component of the mobile communications device does not determine that the data is malicious;
  
  at the server, performing, using the decision component, an analysis on the data to determine if the data is safe or malicious;
  
  when the decision component determines that the data is safe, sending instructions to the mobile communications device to process the data; and
  
  when the decision component determines that the data is malicious, sending instructions to the mobile communications device to not process the data.

8. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:
- receiving, from a server, data and a request to analyze the data using the decision component, wherein the server comprises at least a known good component for identifying data that is recognizably safe, and a known bad component for identifying data that is recognizably malicious, the request being received from the server when the known good component of the server does not determine that the data is safe, and the known bad component of the server does not determine that the data is malicious;
  
  performing, using the decision component, an analysis on the data to determine if the data is safe or malicious; and
  
  when the decision component determines that the data is safe, processing the data.
- View Dependent Claims (9, 10)
- - 9. The method of claim 8, further comprising logging, on the mobile communications device, the determination made by the decision component.
  - 10. The method of claim 8, further comprising transmitting to the server the determination made by the decision component.

11. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, and a known bad component for identifying data that is recognizably malicious, a method comprising:
- providing data on the mobile communications device;
  
  applying a hash function to the data to create a hash identifier for the data;
  
  comparing by the known good component, the data hash identifier against a database of hash identifiers of known good data stored in the mobile communications device memory;
  
  when the comparison by the known good component results in a positive match, allowing the data to be processed by the mobile communications device;
  
  when the comparison by the known good component does not result in a positive match, comparing by the known bad component, the data hash identifier against a database stored in the mobile communications device memory containing hash identifiers of known bad data;
  
  when the comparison by the known bad component results in a positive match, rejecting the data from being processed by the mobile communications device;
  
  when the comparison by the known bad component does not result in a positive match, sending the data to a server for processing, wherein the server comprises a decision component for analyzing whether the data is safe and for determining a disposition of the data as a result of the analysis, the server sending instructions to process the data when the decision component determines that the data is safe; and
  
  when the instructions to process the data is received from the server, processing the data.

12. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, and a known bad component for identifying data that is recognizably malicious, a method comprising:
- providing data on the mobile communications device;
  
  applying by the known good component, logic on the data to determine if the data is safe;
  
  when the known good component logic determines that the data is safe, allowing the data to be processed by the mobile communications device;
  
  when the known good component does not determine that the data is safe, applying by the known bad component, logic on the data to determine if the data is malicious;
  
  when the known bad component logic determines that the data is malicious, rejecting the data from being processed by the mobile communications devicewhen the known bad component does not determine that the data is malicious, sending the data to a server for processing, wherein the server comprises a decision component for analyzing whether the data is safe and for determining a disposition of the data as a result of the analysis, the server sending instructions to process the data when the decision component determines that the data is safe; and
  
  when the instructions to process the data is received from the server, processing the data.

13. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, and a known bad component for identifying data that is recognizably malicious, a method comprising:
- providing data on the mobile communications device;
  
  comparing by the known good component, the data against a database of characteristics for known good data stored in the mobile communications device;
  
  when the comparison by the known good component does not result in a positive match, rejecting the data from being processed by the mobile communications device;
  
  when the comparison by the known good component results in a positive match, comparing by the known bad component, the data against a database stored in the mobile communications device memory containing at least one of the data selected from the group consisting of characteristics for known bad data, known bad data signatures, and known bad data patterns;
  
  when the comparison by the known bad component results in a positive match, rejecting the data from being processed by the mobile communications device;
  
  when the comparison by the known bad component does not result in a positive match, sending the data to a server for processing, wherein the server comprises a decision component for analyzing whether the data is safe and for determining a disposition of the data as a result of the analysis, the server sending instructions to process the data when the decision component determines that the data is safe; and
  
  when the instructions to process the data is received from the server, processing the data.

14. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:
- providing data on the mobile communications device;
  
  applying a hash function to the data to create a hash identifier for the data;
  
  comparing by the known good component, the data hash identifier against a database of hash identifiers of known good data stored in the mobile communications device memory;
  
  when the comparison by the known good component results in a positive match, allowing the data to be processed by the mobile communications device;
  
  when the comparison by the known good component does not result in a positive match, comparing by the known bad component, the data hash identifier against a database stored in the mobile communications device memory containing hash identifiers of known bad data;
  
  when the comparison by the known bad component results in a positive match, rejecting the data from being processed by the mobile communications device;
  
  when the comparison by the known bad component does not result in a positive match, using the decision component, performing an analysis on the data by the decision component to determine whether the data is from a legitimate origin or is a potential social engineering attack;
  
  when the analysis determines that the data is from a legitimate origin, allowing the data to be processed by the mobile communications device; and
  
  when the analysis determines that the data is a potential social engineering attack, rejecting the data from being processed by the mobile communications device.
- View Dependent Claims (15)
- - 15. The method of claim 14, wherein the potential social engineering attach is at least one of a phishing attack, a short message service (SMS) phishing attack, and a Bluetooth device name manipulation attack.

16. In a server connected through a telecommunications network to receive data from and send data to a mobile communications device, the server having a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:
- receiving, by the server, a hash identifier for the data to be analyzed from the mobile communications device;
  
  comparing, by the known good component, the data hash identifier against a database of hash identifiers of known good data stored in memory associated with the server;
  
  when the comparison by the known good component results in a positive match, sending an instruction to the mobile communications device to allow the data to be processed by the mobile communications device;
  
  when the comparison by the known good component does not result in a positive match, comparing by the known bad component the data hash identifier against a database stored in memory associated with the server containing hash identifiers of known bad data;
  
  when the comparison by the known bad component results in a positive match, sending an instruction to the mobile communications to reject the data from being processed by the mobile communications device;
  
  when the comparison by the known bad component does not result in a positive match, receiving the data from the mobile communications device;
  
  using the decision component, performing an analysis on the data by the decision component to determine whether the received data is from a legitimate origin or is a potential social engineering attack;
  
  when the analysis determines that the data is from a legitimate origin, then sending an instruction to the mobile communications device to allow the data to be processed by the mobile communications device; and
  
  when the analysis determines that the data is a potential social engineering attack, then sending an instruction to the mobile communications device to reject the data from being processed by the mobile communications device.
- View Dependent Claims (17)
- - 17. The method of claim 16, wherein the potential social engineering attach is at least one of a phishing attack, a short message service (SMS) phishing attack, and a Bluetooth device name manipulation attack.

18. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:
- providing data on the mobile communications device;
  
  comparing by the known good component, the data against a database of characteristics for known good data stored in the mobile communications device;
  
  when the comparison by the known good component does not result in a positive match, rejecting the data from being processed by the mobile communications device;
  
  when the comparison by the known good component results in a positive match, applying a hash function to the data to create a hash identifier for the data, and comparing by the known bad component, the data hash identifier against a database stored in the mobile communications device memory containing hash identifiers of known bad data;
  
  when the comparison by the known bad component results in a positive match, then rejecting the data from being processed by the mobile communications device;
  
  when the comparison by the known bad component does not result in a positive match, then using the decision component, performing an analysis on the data to determine if the data is safe or malicious;
  
  when the analysis by the decision component shows that the data is safe, allowing the data to be processed by the mobile communications device; and
  
  when the analysis by the decision component shows that the data is malicious, rejecting the data from being processed by the mobile communications device.

19. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:
- providing data on the mobile communications device;
  
  applying a hash function to the data to create a hash identifier for the data;
  
  comparing by the known good component, the data hash identifier against a database of hash identifiers of known good data stored in the mobile communications device memory;
  
  when the comparison by the known good component does not result in a positive match, rejecting the data from being processed by the mobile communications device;
  
  when the comparison by the known good component results in a positive match, comparing by the known bad component, the data against a database stored in the mobile communications device memory containing at least one of the data selected from the group consisting of characteristics for known bad data, known bad data signatures, and known bad data patterns;
  
  when the comparison by the known bad component results in a positive match, then rejecting the data from being processed by the mobile communications device;
  
  when the comparison by the known bad component does not result in a positive match, then using the decision component, performing an analysis on the data to determine if the data is safe or malicious;
  
  when the analysis by the decision component shows that the data is safe, allowing the data to be processed by the mobile communications device; and
  
  when the analysis by the decision component shows that the data is malicious, rejecting the data from being processed by the mobile communications device.

20. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:
- providing data on the mobile communications device;
  
  applying a hash function to the data to create a hash identifier for the data;
  
  comparing by the known good component, the data hash identifier against a database of hash identifiers of known good data stored in the mobile communications device memory;
  
  when the comparison by the known good component does not result in a positive match, rejecting the data from being processed by the mobile communications device;
  
  when the comparison by the known good component results in a positive match, applying by the known bad component, logic on the data to determine if the data is malicious;
  
  when the known bad component logic determines that the data is malicious, rejecting the data from being processed by the mobile communications devicewhen the known bad component does not determine that the data is malicious, using the decision component, performing an analysis on the data to determine if the data is safe or malicious;
  
  when the analysis by the decision component shows that the data is safe, allowing the data to be processed by the mobile communications device; and
  
  when the analysis by the decision component shows that the data is malicious, rejecting the data from being processed by the mobile communications device.

21. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:
- providing data on the mobile communications device;
  
  applying by the known good component, logic on the data to determine if the data is safe;
  
  when the known good component logic determines that the data is safe, allowing the data to be processed by the mobile communications device;
  
  when the known good component does not determine that the data is safe, applying by the known bad component, a hash function to the data to create a hash identifier for the data, and comparing by the known bad component, the data hash identifier against a database stored in the mobile communications device memory containing hash identifiers of known bad data;
  
  when the comparison by the known bad component results in a positive match, then rejecting the data from being processed by the mobile communications device;
  
  when the comparison by the known bad component does not result in a positive match, then using the decision component, performing an analysis on the data to determine if the data is safe or malicious;
  
  when the analysis by the decision component shows that the data is safe, allowing the data to be processed by the mobile communications device; and
  
  when the analysis by the decision component shows that the data is malicious, rejecting the data from being processed by the mobile communications device.

22. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:
- providing data on the mobile communications device;
  
  comparing by the known good component, the data against a database of characteristics for known good data stored in the mobile communications device;
  
  when the comparison by the known good component does not result in a positive match, rejecting the data from being processed by the mobile communications device;
  
  when the comparison by the known good component results in a positive match, applying by the known bad component, logic on the data to determine if the data is malicious;
  
  when the known bad component logic determines that the data is malicious, rejecting the data from being processed by the mobile communications devicewhen the known bad component does not determine that the data is malicious, using the decision component, performing an analysis on the data to determine if the data is safe or malicious;
  
  when the analysis by the decision component shows that the data is safe, allowing the data to be processed by the mobile communications device; and
  
  when the analysis by the decision component shows that the data is malicious, rejecting the data from being processed by the mobile communications device.

23. In a mobile communications device having a network interface for receiving and sending data, a memory and a microprocessor, and further having software components for processing, analyzing and storing data, including at least a known good component for identifying data that is recognizably safe, a known bad component for identifying data that is recognizably malicious, and a decision component for analyzing whether data is safe or malicious and for determining a disposition of the data as a result of the analysis, a method comprising:
- providing data on the mobile communications device;
  
  applying by the known good component, logic on the data to determine if the data is safe;
  
  when the known good component logic determines that the data is safe, allowing the data to be processed by the mobile communications device;
  
  when the known good component does not determine that the data is safe, comparing by the known bad component, the data against a database stored in the mobile communications device memory containing at least one of the data selected from the group consisting of characteristics for known bad data, known bad data signatures, and known bad data patterns;
  
  when the comparison by the known bad component results in a positive match, then rejecting the data from being processed by the mobile communications device;
  
  when the comparison by the known bad component does not result in a positive match, then using the decision component, performing an analysis on the data to determine if the data is safe or malicious;
  
  when the analysis by the decision component shows that the data is safe, allowing the data to be processed by the mobile communications device; and
  
  when the analysis by the decision component shows that the data is malicious, rejecting the data from being processed by the mobile communications device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookout Incorporated
Original Assignee
Lookout Incorporated
Inventors
Mahaffey, Kevin Patrick
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US14/455,787
Publication Number

US 20150106929A1
Time in Patent Office

508 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/562   Static detection

G06F 21/564   by virus signature recognition

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04W 12/08   Access security

System and method for attack and malware prevention

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

302 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for attack and malware prevention

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

302 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links