Method for malware detection using deep inspection and data discovery agents

US 9,367,687 B1
Filed: 12/22/2011
Issued: 06/14/2016
Est. Priority Date: 12/22/2011
Status: Active Grant

First Claim

Patent Images

1. A method of detecting malware, the method comprising:

from a database of historic network traffic, identifying a suspect file that traveled through a network as being suspected malware;

deriving a distinctive signature based on contents of the suspect file; and

scanning a computerized device of the network for the distinctive signature to detect whether the suspect file is present on the computerized device, wherein scanning the computerized device of the network for the distinctive signature to detect whether the suspect file is present on the computerized device includes scanning the computerized device of the network for the distinctive signature to detect whether the suspect file is stored within persistent storage of the computerized device;

wherein identifying the suspect file includes;

performing file extraction on the database, the database storing packets captured from the network, to extract from the captured packets a set of executable files traversing the network;

performing file analysis on the set of executable files, assigning a suspicion score to each of the executable files based on a set of heuristic functions associated with malware; and

placing executable files whose suspicion score exceeds a predetermined threshold score in a staging directory by, on a scheduled periodic basis, for each executable file of the set of executable files;

comparing the suspicion score associated with that executable file to the predetermined threshold score; and

if and only if the suspicion score associated with that executable file exceeds the predetermined threshold score, copying that executable file to the staging directory.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of detecting malware is provided. The method includes (a) from a database of historic network traffic, identifying a suspect file that traveled through a network as being suspected malware, (b) deriving a distinctive signature based on contents of the suspect file, and (c) scanning a computerized device of the network for the distinctive signature to detect whether the suspect file is present on the computerized device. Embodiments directed to analogous computer program products and apparatuses are also provided.

37 Citations

View as Search Results

18 Claims

1. A method of detecting malware, the method comprising:
- from a database of historic network traffic, identifying a suspect file that traveled through a network as being suspected malware;
  
  deriving a distinctive signature based on contents of the suspect file; and
  
  scanning a computerized device of the network for the distinctive signature to detect whether the suspect file is present on the computerized device, wherein scanning the computerized device of the network for the distinctive signature to detect whether the suspect file is present on the computerized device includes scanning the computerized device of the network for the distinctive signature to detect whether the suspect file is stored within persistent storage of the computerized device;
  
  wherein identifying the suspect file includes;
  
  performing file extraction on the database, the database storing packets captured from the network, to extract from the captured packets a set of executable files traversing the network;
  
  performing file analysis on the set of executable files, assigning a suspicion score to each of the executable files based on a set of heuristic functions associated with malware; and
  
  placing executable files whose suspicion score exceeds a predetermined threshold score in a staging directory by, on a scheduled periodic basis, for each executable file of the set of executable files;
  
  comparing the suspicion score associated with that executable file to the predetermined threshold score; and
  
  if and only if the suspicion score associated with that executable file exceeds the predetermined threshold score, copying that executable file to the staging directory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 wherein deriving the distinctive signature based on the contents of the suspect file includes:
    - applying a fingerprinting hash function to each of the executable files in the staging directory to generate a set of fingerprints, the fingerprinting hash function satisfying a condition of virtual uniqueness given an expected number of executable files.
  - 3. The method of claim 2 wherein:
    - the fingerprinting hash function, when applied to two different files having similar contents, yields similar fingerprints; and
      
      scanning for the distinctive signature to detect whether the suspect file is present on the computerized device includes;
      
      applying the fingerprinting hash function to files present on the computerized device to yield a test fingerprint for each file; and
      
      generating an affirmative result if and only if a file present on the computerized device has a test fingerprint that is similar to a fingerprint of the set of fingerprints, the similarity indicating a difference between the file and an executable file of the set of executable files of less than a threshold degree.
  - 4. The method of claim 2 wherein the method further includes establishing a scan policy for the suspect file, wherein establishing the scan policy for the suspect file includes:
    - setting the threshold degree based on the suspicion score of the suspect file, such that a higher suspicion score yields a higher threshold degree, and a lower suspicion score yields a lower threshold degree.
  - 5. The method of claim 3 wherein the method further includes:
    - if the suspect file is present on the computerized device, then increasing the suspicion score for that suspect file by an amount in relation to the similarity.
  - 6. The method of claim 2 wherein:
    - the fingerprinting hash function, when applied to two files having the same contents, yields the same fingerprint; and
      
      scanning for the distinctive signature to detect whether the suspect file is present on the computerized device includes;
      
      applying the fingerprinting hash function to files present on the computerized device to yield a test fingerprint for each file; and
      
      generating an affirmative result if and only if a file present on the computerized device has a test fingerprint that matches a fingerprint of the set of fingerprints.
  - 7. The method of claim 2 wherein applying the fingerprinting hash function to each of the executable files in the staging directory is performed on a periodic schedule.
  - 8. The method of claim 1 wherein:
    - performing the file analysis is performed by a first application running on a first machine; and
      
      applying the fingerprinting hash function to each of the executable files is performed by a second application running on a second machine, the first and second applications being different and the first and second machines being different.
  - 9. The method of claim 8 wherein:
    - the computerized device is the second machine; and
      
      scanning the computerized device of the network for the distinctive signature to detect whether the suspect file is present on the computerized device includes the second application causing the second machine to locally search for the suspect file.
  - 10. The method of claim 8 wherein:
    - the computerized device is a third machine different from the first machine and the second machine; and
      
      scanning the computerized device of the network for the distinctive signature to detect whether the suspect file is present on the computerized device includes;
      
      the second application causing the second machine to send the set of fingerprints to a third application running on the third machine, the third application being different from the first and second applications;
      
      the third application causing the third machine to locally search for the suspect file running; and
      
      the third application causing the third machine to send search results back to the second application on the second machine.
  - 11. The method of claim 1 wherein scanning the computerized device of the network for the distinctive signature to detect whether the suspect file is present on the computerized device includes searching data storage of the computerized device for the suspect file at scheduled periodic intervals.
  - 12. The method of claim 11 wherein searching data storage of the computerized device for the suspect file at scheduled periodic intervals includes setting a period length of the periodic intervals based on the suspicion score of the suspect file, such that a higher suspicion score yields a shorter period length, and a lower suspicion score yields a longer period length.
  - 13. The method of claim 11 wherein searching data storage of the computerized device for the suspect file at scheduled periodic intervals further includes searching all files loaded into system memory of the computerized device as they are loaded into system memory during normal operation of the computerized device.
  - 14. The method of claim 1 wherein searching data storage of the computerized device for the suspect file at scheduled periodic intervals includes searching all files loaded into system memory of the computerized device as they are loaded into system memory during normal operation of the computerized device.
  - 15. The method of claim 1 wherein the method further includes performing a remedial action in response to detecting presence of the suspect file on the computerized device, the remedial action including an action drawn from the set of:
    - deleting the suspect file from the computerized device;
      
      moving the suspect file to a flagged file storage area;
      
      quarantining the suspect file found on the computerized device; and
      
      alerting a system administrator that the suspect file has been found on the computerized device.
  - 16. The method of claim 1 wherein assigning the suspicion score to each of the executable files based on the set of heuristic functions associated with malware includes, on a network server, for each executable file:
    - executing that executable file within a protected sandbox operating on the network server, the protected sandbox mimicking an environment of a typical computerized device, to detect behavior within the protected sandbox associated with malware; and
      
      assigning the suspicion score to that executable files based on;
      
      whether a network context of that executable file is associated with a network context associated with malware; and
      
      whether behavior associated with malware is detected within the protected sandbox while executing that executable file.

17. A system of detecting malware, comprising:
- a communications interface constructed and arranged to communicate with a computerized device;
  
  a database constructed and arranged to store historic network traffic;
  
  control circuitry coupled to the communications interface and the database, the control circuitry being constructed and arranged to;
  
  from the database of historic network traffic, identify a suspect file that traveled through a network as being suspected malware,derive a distinctive signature based on contents of the suspect file; and
  
  communicate with the computerized device, via the communications interface, to scan the computerized device for the distinctive signature to detect whether the suspect file is present on the computerized device, wherein scanning the computerized device for the distinctive signature to detect whether the suspect file is present on the computerized device includes scanning the computerized device for the distinctive signature to detect whether the suspect file is stored within persistent storage of the computerized device;
  
  wherein identifying the suspect file includes;
  
  performing file extraction on the database, the database storing packets captured from the network, to extract from the captured packets a set of executable files traversing the network;
  
  performing file analysis on the set of executable files, assigning a suspicion score to each of the executable files based on a set of heuristic functions associated with malware; and
  
  placing executable files whose suspicion score exceeds a predetermined threshold score in a staging directory by, on a scheduled periodic basis, for each executable file of the set of executable files;
  
  comparing the suspicion score associated with that executable file to the predetermined threshold score; and
  
  if and only if the suspicion score associated with that executable file exceeds the predetermined threshold score, copying that executable file to the staging directory.

18. A computer program product comprising a non-transitory computer-readable storage medium storing instructions, which, when executed by a computer, cause the computer to:
- from a database of historic network traffic, identify a suspect file that traveled through a network as being suspected malware;
  
  derive a distinctive signature based on contents of the suspect file; and
  
  communicate with a computerized device to scan the computerized device for the distinctive signature to detect whether the suspect file is present on the computerized device, wherein scanning the computerized device for the distinctive signature to detect whether the suspect file is present on the computerized device includes scanning the computerized device for the distinctive signature to detect whether the suspect file is stored within persistent storage of the computerized device;
  
  wherein identifying the suspect file includes;
  
  performing file extraction on the database, the database storing packets captured from the network, to extract from the captured packets a set of executable files traversing the network;
  
  performing file analysis on the set of executable files, assigning a suspicion score to each of the executable files based on a set of heuristic functions associated with malware; and
  
  placing executable files whose suspicion score exceeds a predetermined threshold score in a staging directory by, on a scheduled periodic basis, for each executable file of the set of executable files;
  
  comparing the suspicion score associated with that executable file to the predetermined threshold score; and
  
  if and only if the suspicion score associated with that executable file exceeds the predetermined threshold score, copying that executable file to the staging directory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Warshenbrot, Or Tzvi
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
Vu, Phy Anh

Application Number

US13/335,252
Time in Patent Office

1,636 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/00   Network architectures or ne...

H04L 63/1416   Event detection, e.g. attac...

Method for malware detection using deep inspection and data discovery agents

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method for malware detection using deep inspection and data discovery agents

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links