Method for malware detection using deep inspection and data discovery agents
First Claim
1. A method of detecting malware, the method comprising:
from a database of historic network traffic, identifying a suspect file that traveled through a network as being suspected malware;
deriving a distinctive signature based on contents of the suspect file; and
scanning a computerized device of the network for the distinctive signature to detect whether the suspect file is present on the computerized device, wherein scanning the computerized device of the network for the distinctive signature to detect whether the suspect file is present on the computerized device includes scanning the computerized device of the network for the distinctive signature to detect whether the suspect file is stored within persistent storage of the computerized device;
wherein identifying the suspect file includes:
performing file extraction on the database, the database storing packets captured from the network, to extract from the captured packets a set of executable files traversing the network;
performing file analysis on the set of executable files, assigning a suspicion score to each of the executable files based on a set of heuristic functions associated with malware; and
placing executable files whose suspicion score exceeds a predetermined threshold score in a staging directory by, on a scheduled periodic basis, for each executable file of the set of executable files:
comparing the suspicion score associated with that executable file to the predetermined threshold score; and
if and only if the suspicion score associated with that executable file exceeds the predetermined threshold score, copying that executable file to the staging directory.
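The procedure claimed above (file extraction from a store of captured packets, heuristic scoring, threshold-gated staging, signature derivation, then a scan of endpoint persistent storage) as an added Python example. This is illustrative code written for this page, not the patent's or its assignee's implementation. The packet records, file contents, heuristic functions, their weights and the threshold of 3 are constructed assumptions; a production system would take the packets from a real capture store and the heuristics from a tuned ruleset.

```python
"""Added example of the claimed network-to-endpoint hunting pipeline (not the patent's code)."""
import hashlib
import math
import os
import random
import tempfile
from collections import Counter

# Constructed stand-in for the "database of historic network traffic": one record per
# reassembled flow payload. Addresses, names and contents are made up for this example.
_rng = random.Random(1)
_PACKED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))  # fake high-entropy packed section
_DOS_STUB = b"This program cannot be run in DOS mode"
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dst": "198.51.100.7", "name": "index.html",
     "payload": b"<html><body>hello</body></html>"},
    {"src": "10.0.0.5", "dst": "198.51.100.9", "name": "notepad.exe",
     "payload": b"MZ" + b"\x00" * 62 + _DOS_STUB + b"\x00" * 2000 + b"Hello, World!\x00"},
    {"src": "10.0.0.8", "dst": "203.0.113.4", "name": "update.exe",
     "payload": b"MZ" + b"\x00" * 62
                + b"VirtualAlloc\x00WriteProcessMemory\x00CreateRemoteThread\x00" + _PACKED_BLOB},
]
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")  # PE and ELF headers
INJECTION_APIS = (b"VirtualAlloc", b"WriteProcessMemory", b"CreateRemoteThread",
                  b"NtUnmapViewOfSection", b"ptrace")
THRESHOLD = 3  # assumed "predetermined threshold score"

def extract_executables(packets):
    """File extraction: keep only payloads whose leading bytes mark an executable."""
    return [(p["name"], p["payload"]) for p in packets if p["payload"].startswith(EXECUTABLE_MAGIC)]

def shannon_entropy(data):
    """Bits per byte: close to 8.0 for packed/encrypted data, far lower for ordinary code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# Heuristic functions "associated with malware"; each returns a partial score (weights assumed).
def h_high_entropy(data):
    return 2 if shannon_entropy(data) > 7.2 else 0

def h_injection_apis(data):
    return 3 if sum(api in data for api in INJECTION_APIS) >= 2 else 0

def h_missing_dos_stub(data):
    return 1 if data.startswith(b"MZ") and _DOS_STUB not in data else 0

HEURISTICS = (h_high_entropy, h_injection_apis, h_missing_dos_stub)

def suspicion_score(data):
    return sum(h(data) for h in HEURISTICS)

def derive_signature(data):
    """Distinctive signature: SHA-256 over the full file contents."""
    return hashlib.sha256(data).hexdigest()

def stage_suspects(executables, staging_dir, threshold=THRESHOLD):
    """One run of the scheduled staging job: copy a file iff its score strictly exceeds threshold."""
    os.makedirs(staging_dir, exist_ok=True)
    staged = []
    for name, data in executables:
        score = suspicion_score(data)
        if score > threshold:
            sig = derive_signature(data)
            dest = os.path.join(staging_dir, f"{sig[:16]}_{name}")
            with open(dest, "wb") as fh:
                fh.write(data)
            staged.append((dest, score, sig))
    return staged

def scan_persistent_storage(root, signatures):
    """Hash every regular file under root; report paths whose hash matches a signature."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            if h.hexdigest() in signatures:
                hits.append(path)
    return sorted(hits)

def hunt(packets, staging_dir, endpoint_root, threshold=THRESHOLD):
    """Full pipeline: traffic database -> staged suspects -> signatures -> endpoint hits."""
    staged = stage_suspects(extract_executables(packets), staging_dir, threshold)
    signatures = {sig for _path, _score, sig in staged}
    return {"staged": staged, "signatures": signatures,
            "hits": scan_persistent_storage(endpoint_root, signatures)}

def demo():
    """Plant a renamed copy of update.exe on a fake endpoint and hunt for it."""
    with tempfile.TemporaryDirectory() as tmp:
        endpoint = os.path.join(tmp, "endpoint")
        downloads = os.path.join(endpoint, "Users", "alice", "Downloads")
        os.makedirs(downloads)
        with open(os.path.join(downloads, "renamed.bin"), "wb") as fh:
            fh.write(SAMPLE_PACKETS[2]["payload"])  # same bytes, different name
        with open(os.path.join(downloads, "notes.txt"), "wb") as fh:
            fh.write(b"benign file")
        return hunt(SAMPLE_PACKETS, os.path.join(tmp, "staging"), endpoint)

if __name__ == "__main__":
    result = demo()
    print("staged:", result["staged"])
    print("hits:", result["hits"])
```

Two caveats a practitioner would attach to this design. An exact-hash signature matches only byte-identical copies, so a sample that is re-packed or patched by a single byte escapes the scan; in practice the content signature would be paired with fuzzy hashes or byte-pattern rules derived from the staged file. And because the claim scans persistent storage, a payload that runs only in memory or is deleted after execution is not found this way; the network record still shows it crossed the wire, which is the value of keeping the historic traffic database in the first place.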
Abstract
A method of detecting malware is provided. The method includes (a) from a database of historic network traffic, identifying a suspect file that traveled through a network as being suspected malware, (b) deriving a distinctive signature based on contents of the suspect file, and (c) scanning a computerized device of the network for the distinctive signature to detect whether the suspect file is present on the computerized device. Embodiments directed to analogous computer program products and apparatuses are also provided.
37 Citations
18 Claims
1. A method of detecting malware (independent claim; full text given under First Claim above). Dependent claims 2 through 16 depend on claim 1.
17. A system of detecting malware, comprising:
a communications interface constructed and arranged to communicate with a computerized device;
a database constructed and arranged to store historic network traffic;
control circuitry coupled to the communications interface and the database, the control circuitry being constructed and arranged to:
from the database of historic network traffic, identify a suspect file that traveled through a network as being suspected malware;
derive a distinctive signature based on contents of the suspect file; and
communicate with the computerized device, via the communications interface, to scan the computerized device for the distinctive signature to detect whether the suspect file is present on the computerized device, wherein scanning the computerized device for the distinctive signature to detect whether the suspect file is present on the computerized device includes scanning the computerized device for the distinctive signature to detect whether the suspect file is stored within persistent storage of the computerized device;
wherein identifying the suspect file includes:
performing file extraction on the database, the database storing packets captured from the network, to extract from the captured packets a set of executable files traversing the network;
performing file analysis on the set of executable files, assigning a suspicion score to each of the executable files based on a set of heuristic functions associated with malware; and
placing executable files whose suspicion score exceeds a predetermined threshold score in a staging directory by, on a scheduled periodic basis, for each executable file of the set of executable files:
comparing the suspicion score associated with that executable file to the predetermined threshold score; and
if and only if the suspicion score associated with that executable file exceeds the predetermined threshold score, copying that executable file to the staging directory.

18. A computer program product comprising a non-transitory computer-readable storage medium storing instructions, which, when executed by a computer, cause the computer to:
from a database of historic network traffic, identify a suspect file that traveled through a network as being suspected malware;
derive a distinctive signature based on contents of the suspect file; and
communicate with a computerized device to scan the computerized device for the distinctive signature to detect whether the suspect file is present on the computerized device, wherein scanning the computerized device for the distinctive signature to detect whether the suspect file is present on the computerized device includes scanning the computerized device for the distinctive signature to detect whether the suspect file is stored within persistent storage of the computerized device;
wherein identifying the suspect file includes:
performing file extraction on the database, the database storing packets captured from the network, to extract from the captured packets a set of executable files traversing the network;
performing file analysis on the set of executable files, assigning a suspicion score to each of the executable files based on a set of heuristic functions associated with malware; and
placing executable files whose suspicion score exceeds a predetermined threshold score in a staging directory by, on a scheduled periodic basis, for each executable file of the set of executable files:
comparing the suspicion score associated with that executable file to the predetermined threshold score; and
if and only if the suspicion score associated with that executable file exceeds the predetermined threshold score, copying that executable file to the staging directory.
Specification