News Column


July 3, 2014



Researchers Submit Patent Application, "Method and Apparatus for Retroactively Detecting Malicious Or Otherwise Undesirable Software as Well as Clean Software through Intelligent Rescanning", for Appr

By a News Reporter-Staff News Editor at Computer Weekly News -- From Washington, D.C., VerticalNews journalists report that a patent application by the inventors FRIEDRICHS, Oliver (Woodside, CA); HUGER, Alfred (Calgary, CA); RAMZAN, Zulfikar (San Mateo, CA), filed on July 15, 2013, was made available online on June 19, 2014.

No assignee for this patent application has been made.

News editors obtained the following quote from the background information supplied by the inventors: "It is known in the art that each day, many tens of thousands of new malicious or otherwise undesirable software programs are discovered. These programs can compromise the security of general computing devices. Possible security violations include, but are not limited to, the theft of data from the system, the usurping of the system for other nefarious purpose (like sending spam email), and, in general, the remote control of the system for other malicious actions.

"One popular technique in the art for detecting malicious software comprises the following steps:
a. Establishing through some independent means that the application is malicious (e.g., by manually analyzing it). This step is typically carried out by a vendor of anti-malware technology.
b. Constructing a signature for this piece of software. A signature comprises a set of characteristics that can be used to identify that piece of software (and pieces of software that are related to it). One example of a signature is a cryptographic hash or fingerprint. A hash is a mathematical transformation that takes the underlying binary contents of a software application and produces a relatively short string, with the idea being that two different applications will, with overwhelmingly high probability, have distinct fingerprint values. Common functions for performing this fingerprinting or hashing step include SHA-256, SHA-1, MD5, and others. A signature can also include a set of strings that are contained in the file in question.
c. Publishing this signature so that it is accessible to end-users operating a general purpose computing device.
d. Having the device cross reference the files it contains against the published signatures to determine if there is a match.
e. Applying a set of steps or a given policy if the fingerprints match (e.g., blocking the installation of the application, removing it from the system if it is already installed, etc.).
f. The above technique is geared towards situations when the signature was known ahead of time (i.e., before an actual piece of malicious or unwanted software arrived on an actual end-user system). In some cases, a piece of malware may have already infiltrated a system, and only subsequent to its infiltration will there be new evidence to suggest that the file was malicious.

"Aside from that, an anti-malware vendor might initially deem a software application to be malicious, but later garner new intelligence to determine that the application was, in fact, clean (i.e., this determination was made in error and the particular application is actually benign). Even if a vendor has such new intelligence, it would need to cross reference that intelligence against all the files that it knows about to identify the files on which an error was made. Then there is no easy way for the vendor to retroactively undo its mistakes on end user systems without forcing users to scan their entire system for threats or clean files each time new intelligence on threats or clean files is discovered. Such an approach is prohibitively expensive, especially considering the large number of files on a given end-user system as well as the rate at which new intelligence can be gathered.

"There is, accordingly, a need in the art to develop methods, components, and systems for intelligently rescanning the files a vendor knows about to identify if any of them are potentially malware (or can be determined to be conclusively clean). The naive approach is to cross reference every file against every known signature. This approach is, however, expensive to carry out since a vendor might have a copious number of files and large amount of file data. Instead, one improved approach would be to identify a subset of files that were initially marked as non-malicious, but now appear to have a higher propensity of being malicious, thereby making them good candidates for re-examining. Along these lines, analogous methods can be applied to files that were initially deemed malicious, but now appear to have a higher propensity of actually being benign."

As a supplement to the background information on this patent application, VerticalNews correspondents also obtained the inventors' summary information for this patent application: "In summarizing the invention, a system-level view is given, and then the components comprising that system as well as the methods to be executed on those components are described. It is to be understood that, in addition to the overall system, the invention being disclosed also comprises the individual underlying components used in the system as well as individual methods that would be executed on those components.

"According to one aspect of the present invention, a system is provided that can be used to intelligently identify files that are likely to be malicious and hence are better candidates for rescanning. Using analogous approaches, such a system could be used to identify files that are likely to be non-malicious (even though they had previously been marked as malicious) and hence are good candidates for rescanning. The system comprises a client and server component, which communicate. The client provides the server with information about files that are on it as well as what it knows about these files. The server tracks this information and periodically rescans a subset of these files against any new intelligence it gathers. If a discrepancy is found (i.e., a file that had been called malicious, but that is actually benign or a file that was previously called benign, but that is now believed to be malicious), the server informs the client, which in turn takes an appropriate action based on this information. For example, removing files that are now believed to be malicious and restoring files that were previously thought to be malicious, but are now believed to be benign. The server updates its database of known threats to incorporate this new information.

"According to another aspect of this invention, a metadata extraction component is provided. Metadata can be extracted on a client system, a server system, or some combination of both. On a client system, the metadata extraction component can identify files of interest on the system (e.g., newly downloaded files) and extract relevant metadata from these files for the purposes of helping to determine their disposition and also subsequently rescan these files. The metadata can range from a few select features of the file all the way to the binary contents of the file itself. The metadata can also include contextual information from the system. The metadata, including possibly the whole file, is passed to a server-side component.

"According to another aspect of the present invention, a server-side logging component receives data from a meta-data extraction component and logs this information together with any additional transactional information such as a timestamp (computed by the server) for when this data was received. This server-side logging component should also receive a client identifier to help identify which system transmitted the meta data. In addition to logging the data, this component may attempt to make a direct determination about whether the file's disposition is believed to be good/benign or bad/malicious based on the current state of intelligence gathered about that file. Note that this component will effectively have a record of what software applications reside on what end user systems and more specifically, it will have relevant signature information about these applications.

"According to another aspect of the present invention, a server-side intelligent filtering module is provided. This module examines data from the log collection component and identifies a subset of files that are good candidates for re-examining.

"According to another aspect of the present invention, a server-side rescanning module is provided that re-examines files and file metadata from the intelligent filtering module, and updates an intelligence database accordingly. This module can also be used to identify endpoints on which a discrepancy exists and inform those endpoints about this discrepancy.

"According to another aspect of the present invention, a method is provided for extracting meta data from a file and storing it in a way that allows for intelligent rescanning of the file. This method can be executed on a client (in which case the corresponding meta-data can be transmitted to a server), or can be executed on a server (in which case the file would be transmitted from a client to a server first), or some combination thereof (e.g., some pieces of meta-data can be collected on the client, and other pieces of metadata can be extracted on a server). The method is carried out by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both. It is to be understood, however, that the choice of where and how the method is performed is not to be limited by the present description, and it should be apparent to a person of ordinary skill in the art that many such choices exist.

"According to another aspect of the present invention, a method is provided for logging file meta data on a server and storing it in a way that facilitates intelligent rescanning. In one embodiment of the present invention, this method will be performed on the server by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both. It is to be understood, however, that the choice of where and how the method is performed is not to be limited by the present description, and it should be apparent to a person of ordinary skill in the art that many such choices exist.

"According to another aspect of the present invention, a method is provided for filtering a file collection to identify which files are good candidates for rescanning. In one embodiment of the present invention, this method will be performed on the server by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both. It is to be understood, however, that the choice of where and how the method is performed is not to be limited by the present description, and it should be apparent to a person of ordinary skill in the art that many such choices exist.

"According to another aspect of the present invention, a method is provided for rescanning a file and file meta-data repository for the purpose of identifying new pieces of malware as well as new clean files (along with the users who have those files). In one embodiment of the present invention, this method will be performed on the server by processing logic that may comprise hardware (e.g., circuitry, dedicated logic, etc.), software (such as is run on a general purpose computer system or a dedicated machine), or a combination of both. It is to be understood, however, that the choice of where and how the method is performed is not to be limited by the present description, and it should be apparent to a person of ordinary skill in the art that many such choices exist.

DESCRIPTION OF THE DRAWINGS

"The present invention will be understood more fully from the detailed description given below and from the accompanying drawings of various embodiments of the invention, which, however, should not be taken to limit the invention to the specific embodiments, but are for explanation and understanding only.

"The subsequent description of the preferred embodiments of the present invention refers to the attached drawings, wherein:

"FIG. 1 is a flowchart of a meta-data extraction method in accordance with an embodiment of the present invention.

"FIG. 2 shows a log collection method in accordance with an embodiment of the present invention.

"FIG. 3 is a flowchart of an intelligent filtering method in accordance with an embodiment of the present invention.

"FIG. 4 is a flowchart of an intelligent rescanning method in accordance with an embodiment of the present invention.

"FIG. 5 is a client component in accordance with an embodiment of the present invention.

"FIG. 6 is a server component in accordance with an embodiment of the present invention.

"FIG. 7 is a system comprising client and server components in accordance with an embodiment of the present invention.

"FIG. 8 is an exemplary computer system.

"FIG. 9 is a flowchart of an information filtering system for acting upon files in accordance with an embodiment of the present invention."
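As an added illustration, not part of the patent text or the article, the following Python model traces the client/server flow the background and summary describe: the server logs each endpoint's file fingerprint (a SHA-256, as in step b above) with a server-computed timestamp and the verdict it held at that moment, then filters for entries whose signature has gained newer intelligence than the verdict they were logged with, and rescans only those, reporting discrepancies in both directions (benign-to-malicious and malicious-to-benign). The class and method names, the logical-clock timestamps and the "newer intelligence than the logged verdict" filtering criterion are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass


def fingerprint(contents: bytes) -> str:
    """Signature of the kind the background text names: a SHA-256 hash of the file."""
    return hashlib.sha256(contents).hexdigest()


@dataclass
class LogEntry:
    client_id: str      # identifies which endpoint reported the file
    sha256: str         # file signature extracted on the client
    received_at: int    # server-computed timestamp (a logical clock in this example)
    disposition: str    # verdict returned when logged: "benign", "malicious" or "unknown"


class RescanServer:
    def __init__(self, intelligence: dict):
        self.intelligence = dict(intelligence)  # sha256 -> current verdict
        self.verdict_changed_at = {}            # sha256 -> time the verdict last changed
        self.log = []                           # server-side log of client reports

    def receive(self, client_id: str, sha256: str, now: int) -> str:
        """Server-side logging component: record the report and give a direct verdict."""
        verdict = self.intelligence.get(sha256, "unknown")
        self.log.append(LogEntry(client_id, sha256, now, verdict))
        return verdict

    def add_intelligence(self, sha256: str, verdict: str, now: int) -> None:
        """New intelligence arrives (e.g. an analyst confirms or overturns a verdict)."""
        if self.intelligence.get(sha256) != verdict:
            self.intelligence[sha256] = verdict
            self.verdict_changed_at[sha256] = now

    def filter_candidates(self) -> list:
        """Intelligent filtering (assumed criterion): only log entries whose signature has
        intelligence newer than their logged verdict, instead of rescanning every file."""
        return [e for e in self.log
                if self.verdict_changed_at.get(e.sha256, -1) > e.received_at]

    def rescan(self) -> list:
        """Rescanning module: re-check the candidates and report each discrepancy as
        (client_id, sha256, old verdict, new verdict) so the endpoint can act on it."""
        notices = []
        for entry in self.filter_candidates():
            current = self.intelligence[entry.sha256]
            if current != entry.disposition:
                notices.append((entry.client_id, entry.sha256, entry.disposition, current))
                entry.disposition = current  # endpoint has now been informed; avoid repeats
        return notices
```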

For additional information on this patent application, see: FRIEDRICHS, Oliver; HUGER, Alfred; RAMZAN, Zulfikar. Method and Apparatus for Retroactively Detecting Malicious Or Otherwise Undesirable Software as Well as Clean Software through Intelligent Rescanning. Filed July 15, 2013 and posted June 19, 2014. Patent URL: http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.html&r=48&p=1&f=G&l=50&d=PG01&S1=20140612.PD.&OS=PD/20140612&RS=PD/20140612

Keywords for this news article include: Patents, Software.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC





Source: Computer Weekly News

