USRE47558E1 - System, method, and computer program product for automatically identifying potentially unwanted data as unwanted - Google Patents

System, method, and computer program product for automatically identifying potentially unwanted data as unwanted Download PDF

Info

Publication number
USRE47558E1
USRE47558E1 US14/527,749 US201414527749A USRE47558E US RE47558 E1 USRE47558 E1 US RE47558E1 US 201414527749 A US201414527749 A US 201414527749A US RE47558 E USRE47558 E US RE47558E
Authority
US
United States
Prior art keywords
data
unwanted
computer
received
source
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US14/527,749
Inventor
Dmitry O. Gryaznov
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
JPMorgan Chase Bank NA
Morgan Stanley Senior Funding Inc
Original Assignee
McAfee LLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by McAfee LLC filed Critical McAfee LLC
Priority to US14/527,749 priority Critical patent/USRE47558E1/en
Assigned to MCAFEE, LLC reassignment MCAFEE, LLC CHANGE OF NAME AND ENTITY CONVERSION Assignors: MCAFEE, INC.
Assigned to JPMORGAN CHASE BANK, N.A. reassignment JPMORGAN CHASE BANK, N.A. SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MCAFEE, LLC
Assigned to MORGAN STANLEY SENIOR FUNDING, INC. reassignment MORGAN STANLEY SENIOR FUNDING, INC. SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MCAFEE, LLC
Application granted granted Critical
Publication of USRE47558E1 publication Critical patent/USRE47558E1/en
Assigned to MORGAN STANLEY SENIOR FUNDING, INC. reassignment MORGAN STANLEY SENIOR FUNDING, INC. CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045056 FRAME 0676. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST. Assignors: MCAFEE, LLC
Assigned to JPMORGAN CHASE BANK, N.A. reassignment JPMORGAN CHASE BANK, N.A. CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045055 FRAME 786. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST. Assignors: MCAFEE, LLC
Assigned to MCAFEE, LLC reassignment MCAFEE, LLC RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL/FRAME 045055/0786 Assignors: JPMORGAN CHASE BANK, N.A., AS COLLATERAL AGENT
Assigned to MCAFEE, LLC reassignment MCAFEE, LLC RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL/FRAME 045056/0676 Assignors: MORGAN STANLEY SENIOR FUNDING, INC., AS COLLATERAL AGENT
Assigned to JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT AND COLLATERAL AGENT reassignment JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT AND COLLATERAL AGENT SECURITY INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MCAFEE, LLC
Assigned to JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT reassignment JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT CORRECTIVE ASSIGNMENT TO CORRECT THE THE PATENT TITLES AND REMOVE DUPLICATES IN THE SCHEDULE PREVIOUSLY RECORDED AT REEL: 059354 FRAME: 0335. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT. Assignors: MCAFEE, LLC
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Definitions

  • the present invention relates to security systems, and more particularly to identifying unwanted data.
  • Security systems have traditionally been concerned with identifying unwanted (e.g., malicious) data and acting in response thereto.
  • data which is undetermined to be malicious may be communicated to a security system, and the data may further be analyzed by the security system for determining whether the data is malicious.
  • traditional techniques for determining whether data is malicious have generally exhibited various limitations.
  • security systems that determine whether data is malicious are oftentimes in communication with multiple other devices, and therefore conventionally receive numerous requests to determine whether data is malicious from such devices.
  • numerous requests are received in this manner, significant delays by the security systems in determining whether the data is malicious and responding to the devices based on the determinations generally exist.
  • the responses generated by the security systems based on such determinations are customarily formed as updates to security systems installed on the devices.
  • a system, method, and computer program product are provided for automatically identifying potentially unwanted data as unwanted.
  • data determined to be potentially unwanted e.g. potentially malicious
  • the data is automatically identified as unwanted (e.g. malicious).
  • the data is stored for use in detecting unwanted data (e.g. malicious data).
  • FIG. 1 illustrates a network architecture, in accordance with one embodiment.
  • FIG. 2 shows a representative hardware environment that may be associated with the servers and/or clients of FIG. 1 , in accordance with one embodiment.
  • FIG. 3 shows a method for automatically identifying potentially unwanted (e.g. potentially malicious) data as unwanted (e.g. malicious), in accordance with one embodiment.
  • FIG. 4 shows a system for automatically identifying potentially unwanted (e.g. potentially malicious) data as unwanted (e.g. malicious), in accordance with another embodiment.
  • FIG. 5 shows a method for storing a hash of data with an indication of whether the data is potentially malicious or potentially clean, in accordance with yet another embodiment.
  • FIG. 6 shows a method for querying a database of hashes for identifying potentially malicious data as malicious, in accordance with still yet another embodiment.
  • FIG. 1 illustrates a network architecture 100 , in accordance with one embodiment.
  • a plurality of networks 102 is provided.
  • the networks 102 may each take any form including, but not limited to a local area network (LAN), a wireless network, a wide area network (WAN) such as the Internet, peer-to-peer network, etc.
  • LAN local area network
  • WAN wide area network
  • peer-to-peer network etc.
  • servers 104 which are capable of communicating over the networks 102 .
  • clients 106 are also coupled to the networks 102 and the servers 104 .
  • Such servers 104 and/or clients 106 may each include a desktop computer, lap-top computer, hand-held computer, mobile phone, personal digital assistant (PDA), peripheral (e.g., printer, etc.), any component of a computer, and/or any other type of logic.
  • PDA personal digital assistant
  • peripheral e.g., printer, etc.
  • any component of a computer and/or any other type of logic.
  • at least one gateway 108 is optionally coupled therebetween.
  • FIG. 2 shows a representative hardware environment that may be associated with the servers 104 and/or clients 106 of FIG. 1 , in accordance with one embodiment.
  • Such figure illustrates a typical hardware configuration of a workstation in accordance with one embodiment having a central processing unit 210 , such as a microprocessor, and a number of other units interconnected via a system bus 212 .
  • a central processing unit 210 such as a microprocessor
  • the workstation shown in FIG. 2 includes a Random Access Memory (RAM) 214 , Read Only Memory (ROM) 216 , an I/O adapter 218 for connecting peripheral devices such as disk storage units 220 to the bus 212 , a user interface adapter 222 for connecting a keyboard 224 , a mouse 226 , a speaker 228 , a microphone 232 , and/or other user interface devices such as a touch screen (not shown) to the bus 212 , communication adapter 234 for connecting the workstation to a communication network 235 (e.g., a data processing network) and a display adapter 236 for connecting the bus 212 to a display device 238 .
  • a communication network 235 e.g., a data processing network
  • display adapter 236 for connecting the bus 212 to a display device 238 .
  • the workstation may have resident thereon any desired operating system. It will be appreciated that an embodiment may also be implemented on platforms and operating systems other than those mentioned.
  • One embodiment may be written using JAVA, C, and/or C++ language, or other programming languages, along with an object oriented programming methodology.
  • Object oriented programming (OOP) has become increasingly used to develop complex applications.
  • FIG. 3 shows a method 300 for automatically identifying potentially unwanted (e.g. potentially malicious) data as unwanted (e.g. malicious), in accordance with one embodiment.
  • the method 300 may be carried out in the context of the architecture and environment of FIGS. 1 and/or 2 . Of course, however, the method 300 may be carried out in any desired environment.
  • data determined to be potentially unwanted is received.
  • the data determined to be potentially unwanted may include any data for which it is unknown whether such data is unwanted (e.g. malicious).
  • the data may be determined to be unwanted by determining that it is unknown whether the data is unwanted. It should be noted that such data may include any code, application, file, electronic message, process, thread, etc. that is potentially unwanted.
  • known wanted data e.g. data predetermined to be wanted, whitelisted data, etc.
  • known unwanted data e.g. data predetermined to be unwanted, blacklisted data, etc.
  • the potentially unwanted data may not necessarily match a hash, signature, etc. of known unwanted data.
  • the potentially unwanted data may not necessarily match a hash, signature, etc. of known wanted data.
  • Such data may be determined to be potentially unwanted based on a scan of the data (e.g., against signatures of known wanted data and/or known unwanted data, etc.), as an option.
  • the data may be determined to be potentially unwanted if it is determined that the data is suspicious based on an analysis thereof.
  • the data may be determined to have one or more characteristics of malware based on the analysis.
  • the data may be determined to be a possible new variant of existing malware.
  • the potentially unwanted data may include data that is determined to potentially include malware, spyware, adware, etc.
  • the data may be determined to be potentially unwanted based on monitoring performed with respect to the data.
  • the monitoring may include identifying the data (e.g. based on operations performed in association with the data, etc.) and performing an analysis of the data, such as the analysis described above for example.
  • the monitoring may be of an electronic messaging application [e.g. electronic mail (email) messaging application], a file transfer protocol (FTP), at least one web site, etc.
  • the data may be determined to be potentially unwanted based on a heuristic analysis. In yet another embodiment, the data may be determined to be potentially unwanted based on a behavioral analysis. In yet another embodiment, the data may be determined to be potentially unwanted based on scanning performed on the data. Of course, however, data may be determined to be potentially unwanted in any desired manner.
  • the data may be determined to be potentially unwanted by a remote source.
  • the data determined to be potentially unwanted may be received from such remote source.
  • such data may be automatically received based on the monitoring described above.
  • the remote device may automatically transmit the data in response to a determination that the data is potentially unwanted (e.g. that it is unknown whether such data is unwanted, etc.).
  • the data determined to be potentially unwanted may be received by a server.
  • the server may be utilized by a security vendor.
  • Such security vendor may optionally provide known wanted data and/or known unwanted data (e.g. via updates, etc.) to a plurality of client devices, such that the client devices may utilize the known wanted data and/or known unwanted data for determining whether data is wanted and/or unwanted, respectively.
  • the server may optionally receive the data determined to be potentially unwanted for analysis purposes, such as for determining whether the data is wanted or unwanted.
  • the server may be utilized to provide an indication of the determination (e.g. via an update, etc.) to a source from which the data was received and/or to any other desired device.
  • the data is automatically identified as unwanted (e.g. malicious).
  • automatically identifying the data as unwanted may include any determination that the data is unwanted which does not necessarily rely on an analysis of the data.
  • the data may be automatically identified as unwanted without necessarily scanning the data, comparing the data to known wanted data and/or known unwanted data, etc.
  • the data may be automatically identified as unwanted based on at least one source from which the data is received.
  • the data may be automatically identified as unwanted based on a type of the source from which the data is received. For example, if the source includes a security vendor, a multi-scanner service, a honeypot, etc., the data may be automatically identified as unwanted.
  • the data may be automatically identified as unwanted if it is determined that other data previously received from the source (e.g. received previous to that received in operation 302 ) includes known unwanted data. For example, if other data previously received from the source was determined to be unwanted, the data received in operation 302 may be automatically identified as unwanted. As another example, if a predefined threshold amount (e.g. percentage, etc.) of data previously received from the source was determined to be unwanted, the data received in operation 302 may be automatically identified as unwanted. In this way, the data may be automatically identified as unwanted if potentially unwanted data received from such source was determined to be unwanted, if a threshold amount of potentially unwanted data received from such source was determined to be unwanted, if all potentially unwanted data received from such source was determined to be unwanted, etc.
  • a threshold amount e.g. percentage, etc.
  • the data may be automatically identified as unwanted if it is determined that the data was received by a predefined threshold number of different sources.
  • a predefined threshold number may be user-configured, in one embodiment. For example, if the data was independently received (e.g. different copies of the data were received) by the predefined threshold number of different sources, the data may be automatically identified as unwanted.
  • the data may be automatically identified as unwanted if it is determined that a weight assigned to the source from which the data was received meets a predefined threshold weight.
  • the predefined threshold weight may be user-configured, in one embodiment. Additionally, the weight assigned to the source may be based on any desired aspect of the source, such as a type of the source, an amount of potentially unwanted data previously received from the source that was determined to be unwanted, etc.
  • the data may be automatically identified as unwanted if it is determined that an aggregate weight calculated from weights of each source from which the data was received meets the predefined threshold weight. Of course, however, the data may be automatically identified as unwanted in any desired manner.
  • the data may be automatically identified as unwanted based on a probability that the data is actually unwanted. For example, if the source of the data includes a predetermined type of source, is associated with previously received data determined to be unwanted, etc., the probability that the data is unwanted may be determined to meet a threshold probability. In this way, prior to determining whether the data is unwanted via an analysis of the data, the data may optionally be automatically identified as unwanted.
  • the data is stored for use in detecting unwanted data.
  • the data may be stored in any desired type of data structure capable of allowing the data to be used in detecting unwanted data.
  • the data may be stored in a database, a list of known unwanted data (e.g. a blacklist), etc.
  • storing the data may include storing a hash of the data.
  • a plurality of different types of hashes of the data may be stored.
  • the hash may be computed utilizing message-digest algorithm 5 (MD5), secure hash algorithm-1 (SHA-1), secure hash algorithm-256 (SHA-256), etc.
  • an indication that the data is unwanted may be stored in association with the data.
  • Such indication may include any type of identifier, for example.
  • an indication that the data is potentially unwanted data automatically determined to be unwanted data may be stored in association with the data.
  • the stored data may be used for detecting unwanted data by being identifiable as known unwanted data.
  • other received data determined to be potentially unwanted may be compared with the stored data for determining whether such other received data is unwanted. For example, if the other received data matches the stored data, the other received data may be determined to be unwanted. As another example, if a hash of the other received data matches a hash of the stored data, the other received data may be determined to be unwanted.
  • the stored data may optionally be used by the device (e.g. server) on which such data is stored for detecting unwanted data.
  • the stored data may be utilized by any other device (e.g. client device, etc.) for detecting unwanted data.
  • a remote client device may detect other potentially unwanted data (e.g. utilizing a security system, etc.), may calculate a hash of such potentially unwanted data, and may remotely query a database storing the stored data. If the query returns the stored data, the other device may determine that the other potentially unwanted data is unwanted.
  • the stored data may be used in detecting unwanted data in any desired manner.
  • data determined to be potentially unwanted may be automatically identified as unwanted, prior to determining whether the data includes unwanted data via an analysis of such data.
  • storing the data automatically determined to be unwanted for use in detecting unwanted data may allow the data to be used in detecting unwanted data upon the storage of the data.
  • any delay in using the data for detecting unwanted data may be prevented, where such delay results from a delay in determining whether the data is actually unwanted (e.g. via an the analysis of such data), from a wait time resultant from a queue of stored data waiting to be processed for determining whether any of such data is actually unwanted, from a delay in providing an update of known unwanted data and/or known wanted data to client devices detecting the potentially unwanted data, from a delay in installing such update by the client devices, etc.
  • a subsequent analysis of the data may be performed for determining whether the data actually includes unwanted data.
  • the subsequent analysis may be performed at any desired time, as the stored data may already be capable of being used to detect unwanted data.
  • the stored data may be identified by identifying data stored with an indication that the data includes potentially unwanted data automatically identified as unwanted.
  • the stored data may be analyzed, in response to identification thereof, and it may be determined whether the data is unwanted based on the analysis. Accordingly, if the data is determined to be unwanted, a list of known unwanted data may be updated. However, if it is determined that the data is wanted, a list of known wanted data may be updated. Such updated list of known unwanted data or known wanted data may further be provided to the source from which the data determined to be potentially unwanted was received (in operation 302 ) and/or to any other desired device for local use in detecting unwanted data.
  • FIG. 4 shows a system 400 for automatically identifying potentially unwanted (e.g. potentially malicious) data as unwanted (e.g. malicious), in accordance with another embodiment.
  • the system 400 may be implemented in the context of the architecture and environment of FIGS. 1-3 .
  • the system 400 may be implemented in any desired environment. It should also be noted that the aforementioned definitions may apply during the present description.
  • a server 404 is in communication with clients 402 A- 402 B.
  • the clients 402 A- 402 B may include any client capable of detecting potentially malicious data 406 A- 406 B that may be in communication with the server 404 .
  • the clients 402 A- 402 B may include one or more of the clients illustrated in FIG. 1 .
  • the server 404 may include any server capable of automatically identifying the potentially malicious data 406 A- 406 B as malicious and storing such data for use in detecting malicious data.
  • the server 404 may include the server illustrated in FIG. 1 .
  • each of the clients 402 A- 402 B includes a security system 408 A- 408 B.
  • the security systems 408 A- 408 B may include any system utilized by the clients 402 A- 402 B to detect malicious data.
  • the security systems 408 A- 408 B may include a firewall, an anti-virus system, an anti-spyware system, etc.
  • the security systems 408 A- 408 B may be constantly running on the clients 402 A- 402 B. In another embodiment, the security systems 408 A- 408 B may periodically run on the clients 402 A- 402 B. Of course, however, the security systems 408 A- 408 B may interact with the clients 402 A- 402 B in any manner.
  • each security system 408 A- 408 B may identify data 406 A- 406 B on an associated client 402 A- 402 B as potentially malicious. While the present embodiment is described below with respect to only one of the clients 402 A- 402 B, it should be noted that the clients 402 A- 402 B may operate in a similar manner. Thus, the present system 400 may be implemented with respect to either or both of the clients 402 A- 402 B.
  • the security system 408 A of the client 402 A may identify the potentially malicious data 406 A by monitoring the client 402 A for malicious data. Further, the security system 408 A may determine that data 406 A on such client 402 A is potentially malicious in response to a determination that the data 406 A does not match known malicious data and does not match known clean (e.g. non-malicious) data. Such known malicious data and known clean data may be stored in a database on the client 402 A, for example.
  • the security system 408 A may send the potentially malicious data 406 A to the server 404 .
  • the potentially malicious data 406 A may be sent to the server 404 for determining whether the potentially malicious data 406 A is actually malicious.
  • the potentially malicious data 406 A may be sent to the server 404 for analyzing the potentially malicious data 406 A determine whether such is malicious.
  • the server 404 Based on receipt of the potentially malicious data 406 A, the server 404 automatically identifies the potentially malicious data 406 A as malicious. For example, the server 404 may identify the potentially malicious data 406 A as malicious without necessarily analyzing the potentially malicious data 406 A. In one exemplary embodiment, the server 404 may identify the potentially malicious data 406 A as malicious based on an identification of the client 402 A from which the potentially malicious data 406 A was received as a previous source of malicious data.
  • the server 404 stores the data automatically identified as malicious (or a hash thereof) in a list of known malicious data 410 located on the server 404 .
  • the data may be stored in the list of known malicious data 410 for use in detecting malicious data.
  • an identifier indicating that the data was potentially malicious data automatically identified as malicious may be stored in association with the data.
  • the list of known malicious data 410 may optionally include data with an identifier indicating that the data was potentially malicious data automatically identified as malicious and data with an identifier indicating that the data is malicious (e.g. as determined based on an analysis of the data, etc.).
  • the server 404 may perform the analysis on the stored data. If the server 404 determines that the stored data is malicious, based on the analysis, the server 404 may create an updated data (DAT) file 414 (or update an existing DAT file) to include such data as known malicious data. As an option, the server 404 may also change the identifier stored with the data in the list of known malicious data 410 to indicate that the data is malicious (e.g. as determined based on an analysis of the data, as determined by other sources that periodically distribute updates to the list of known malicious data 410 , etc.).
  • DAT updated data
  • the server 404 may also change the identifier stored with the data in the list of known malicious data 410 to indicate that the data is malicious (e.g. as determined based on an analysis of the data, as determined by other sources that periodically distribute updates to the list of known malicious data 410 , etc.).
  • the server 404 may create the updated DAT file 414 (or update any existing DAT file) to include such data as known clean (e.g. non-malicious) data.
  • the server 404 may also remove the data from the list of known malicious data 410 and may store such data in a list of known clean data 412 (e.g. a list of data predetermined to be clean, etc.).
  • the list of known clean data 412 may also be populated with data from software vendors (e.g. operating system vendors), data determined to be clean based on an analysis of such data by the server 404 , data determined to be clean based on a manual analysis (e.g. by human researchers) of such data, data from publicly available databases including known clean data (e.g. National Institute of Standards and Technology database, National Software Reference Library database, etc.), etc.
  • the server 404 may transmit the DAT 414 (e.g. as an update, etc.), which includes the data identified as malicious or clean, to the clients 402 A- 402 B.
  • the DAT 414 e.g. as an update, etc.
  • a list of known malicious data or a list of known clean data located on the clients 402 A- 402 B may be updated for use in subsequent detections of malicious data.
  • other data may be identified by a security system 408 A- 408 B of at least one of the clients 402 A- 402 B as potentially malicious. Based on the identification of the other potentially malicious data, the security system 408 A- 408 B may calculate a hash of the other potentially malicious data. In addition, the security system 408 A- 408 B may remotely query the server 404 for the hash [e.g. via a direct connection between the client 402 A-B and the server 404 , via a domain name server (DNS) cloud, etc.].
  • DNS domain name server
  • the server 404 may subsequently receive the query, and may compare the hash received via the query with the list of known malicious data 410 and the list of known clean data 412 . If the server 404 determines that the received hash matches a hash in the list of known malicious data 410 , the server 404 may identify the other potentially malicious data associated with the hash as malicious. If, however, the server 404 determines that the received hash matches a hash in the list of known clean data 412 , the server 404 may identify the other potentially malicious data associated with the hash as clean. Further, a result to the query identifying the other potentially malicious data as malicious or clean may be sent to the client 402 A- 402 B from which the query was received.
  • the server 404 may automatically determine that the other potentially malicious data associated with the hash is malicious, and may store a hash of the potentially malicious data in the list of known malicious data 410 , as described above.
  • FIG. 5 shows a method 500 for storing a hash of data with an indication of whether the data is potentially malicious or potentially clean, in accordance with yet another embodiment.
  • the method 500 may be carried out in the context of the architecture and environment of FIGS. 1-4 .
  • the method 500 may be carried out using the server 404 of FIG. 4 .
  • the method 500 may be carried out in any desired environment. It should also be noted that the aforementioned definitions may apply during the present description.
  • data is received.
  • the data may be received from a client device that determined that the data is potentially malicious.
  • the data may be received by the client device in response to a determination by the client device that it is unknown whether the data is malicious or clean.
  • the data is known to be malicious or clean, as shown in decision 504 . For example, it may be determined whether the data has been predetermined to be malicious or clean. In one embodiment, the data may be compared with a list of known malicious data. For example, if the data matches data included in the list of known malicious data, the data may be determined to be known to be malicious.
  • the data may be compared with a list of known clean data. Thus, if the data matches data included in the list of known clean data, the data may be determined to be known to be clean. If it is determined that the data is known to be malicious or clean, the method 500 terminates. As an option, an indication of whether the data is malicious or clean may be sent to the source from which the data was received (e.g. based on the determination), prior to the method 500 terminating.
  • determining whether the data may be automatically identified as malicious may include determining whether the data may be identified as malicious, at least temporarily, without performing an analysis on such data for determining whether the data is in fact malicious.
  • the data may be automatically identified as malicious based on a source of the data.
  • the data may be automatically identified as malicious based on any desired aspect associated with the data that does not necessarily require an analysis of the data itself (e.g. an analysis of content of the data, etc.).
  • the method 500 terminates.
  • the client device from which the data was received may wait for the analysis to be performed on the data before such client device may receive an indication of whether the data is malicious.
  • the client device may be notified that such analysis is required before any indication will be received by the client device.
  • the data is hashed. Note operation 508 .
  • the hash is stored in a database with an indication that the data is potentially malicious data automatically identified as malicious, as shown in operation 510 .
  • the hash of the data may be stored such that the hash may be used for detecting unwanted data.
  • an indication that the data has been automatically identified as malicious may be sent to the client device from which the data was received.
  • FIG. 6 shows a method 600 for querying a database of hashes for identifying potentially malicious data as malicious, in accordance with still yet another embodiment.
  • the method 600 may be carried out in the context of the architecture and environment of FIGS. 1-5 .
  • the method 600 may be carried out using one of the clients 402 A- 402 B of FIG. 4 .
  • the method 600 may be carried out in any desired environment.
  • the aforementioned definitions may apply during the present description.
  • the data may be determined to be potentially malicious if it is determined that it is unknown whether the data is malicious or clean. For example, if the data does not match known malicious data or known clean data (e.g. stored on the device on which the data is located), the data may be determined to be malicious.
  • the method 600 continues to wait for potentially malicious data to be detected. If, however, it is determined that potentially malicious data is detected, a hash of the potentially malicious data is calculated. Note operation 604 .
  • a server database of hashes of malicious data is queried for the calculated hash, as shown in operation 606 .
  • the query may include a remote query.
  • the server database of hashes of malicious data may include any database storing hashes of known malicious data.
  • the server database of hashes of malicious data may include the list of known malicious data 410 of FIG. 4 .
  • a result of the query indicates that the calculated hash is found in the server database of hashes of malicious data. If, it is determined that the result of the query indicates that the calculated hash is not found in the server database of hashes of malicious data, the potentially malicious data detected in operation 602 is identified as undetermined to be malicious. Note operation 610 .
  • the server storing the server database of hashes of malicious data may also identify the potentially malicious data as undetermined to be malicious if the result of the query indicates that the calculated hash is not found in the server database of hashes of malicious data.
  • the server may optionally automatically identify the potentially malicious data as malicious (e.g. as described above with respect to the method 500 of FIG. 5 ). If it is determined that the result of the query indicates that the calculated hash is found in the server database of hashes of malicious data, the potentially malicious data detected in operation 602 is identified as malicious. Note operation 612 .

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer And Data Communications (AREA)

Abstract

A system, method, and computer program product are provided for automatically identifying potentially unwanted data as unwanted. In use, data determined to be potentially unwanted (e.g. potentially malicious) is received. Additionally, the data is automatically identified as unwanted (e.g. malicious). Furthermore, the data is stored for use in detecting unwanted data (e.g. malicious data).

Description

CROSS-REFERENCE TO RELATED APPLICATION
This application is a reissue application of U.S. Pat. No. 8,301,904, entitled “SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR AUTOMATICALLY IDENTIFYING POTENTIALLY UNWANTED DATA AS UNWANTED,” which issued on Oct. 30, 2012, from U.S. application Ser. No. 12/144,967, filed on Jun. 24, 2008.
FIELD OF THE INVENTION
The present invention relates to security systems, and more particularly to identifying unwanted data.
BACKGROUND
Security systems have traditionally been concerned with identifying unwanted (e.g., malicious) data and acting in response thereto. For example, data which is undetermined to be malicious may be communicated to a security system, and the data may further be analyzed by the security system for determining whether the data is malicious. However, traditional techniques for determining whether data is malicious have generally exhibited various limitations.
For example, security systems that determine whether data is malicious are oftentimes in communication with multiple other devices, and therefore conventionally receive numerous requests to determine whether data is malicious from such devices. When numerous requests are received in this manner, significant delays by the security systems in determining whether the data is malicious and responding to the devices based on the determinations generally exist. Further, the responses generated by the security systems based on such determinations are customarily formed as updates to security systems installed on the devices. However, many times the devices themselves delay installation of the updates when such updates are available from the security systems, thus resulting in a delayed identification by the devices of whether data is in fact malicious.
There is thus a need for overcoming these and/or other issues associated with the prior art.
SUMMARY
A system, method, and computer program product are provided for automatically identifying potentially unwanted data as unwanted. In use, data determined to be potentially unwanted (e.g. potentially malicious) is received. Additionally, the data is automatically identified as unwanted (e.g. malicious). Furthermore, the data is stored for use in detecting unwanted data (e.g. malicious data).
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 illustrates a network architecture, in accordance with one embodiment.
FIG. 2 shows a representative hardware environment that may be associated with the servers and/or clients of FIG. 1, in accordance with one embodiment.
FIG. 3 shows a method for automatically identifying potentially unwanted (e.g. potentially malicious) data as unwanted (e.g. malicious), in accordance with one embodiment.
FIG. 4 shows a system for automatically identifying potentially unwanted (e.g. potentially malicious) data as unwanted (e.g. malicious), in accordance with another embodiment.
FIG. 5 shows a method for storing a hash of data with an indication of whether the data is potentially malicious or potentially clean, in accordance with yet another embodiment.
FIG. 6 shows a method for querying a database of hashes for identifying potentially malicious data as malicious, in accordance with still yet another embodiment.
 DETAILED DESCRIPTION
FIG. 1 illustrates a network architecture 100, in accordance with one embodiment. As shown, a plurality of networks 102 is provided. In the context of the present network architecture 100, the networks 102 may each take any form including, but not limited to a local area network (LAN), a wireless network, a wide area network (WAN) such as the Internet, peer-to-peer network, etc.
Coupled to the networks 102 are servers 104 which are capable of communicating over the networks 102. Also coupled to the networks 102 and the servers 104 is a plurality of clients 106. Such servers 104 and/or clients 106 may each include a desktop computer, lap-top computer, hand-held computer, mobile phone, personal digital assistant (PDA), peripheral (e.g., printer, etc.), any component of a computer, and/or any other type of logic. In order to facilitate communication among the networks 102, at least one gateway 108 is optionally coupled therebetween.
FIG. 2 shows a representative hardware environment that may be associated with the servers 104 and/or clients 106 of FIG. 1, in accordance with one embodiment. Such figure illustrates a typical hardware configuration of a workstation in accordance with one embodiment having a central processing unit 210, such as a microprocessor, and a number of other units interconnected via a system bus 212.
The workstation shown in FIG. 2 includes a Random Access Memory (RAM) 214, Read Only Memory (ROM) 216, an I/O adapter 218 for connecting peripheral devices such as disk storage units 220 to the bus 212, a user interface adapter 222 for connecting a keyboard 224, a mouse 226, a speaker 228, a microphone 232, and/or other user interface devices such as a touch screen (not shown) to the bus 212, communication adapter 234 for connecting the workstation to a communication network 235 (e.g., a data processing network) and a display adapter 236 for connecting the bus 212 to a display device 238.
The workstation may have resident thereon any desired operating system. It will be appreciated that an embodiment may also be implemented on platforms and operating systems other than those mentioned. One embodiment may be written using JAVA, C, and/or C++ language, or other programming languages, along with an object oriented programming methodology. Object oriented programming (OOP) has become increasingly used to develop complex applications.
Of course, the various embodiments set forth herein may be implemented utilizing hardware, software, or any desired combination thereof. For that matter, any type of logic may be utilized which is capable of implementing the various functionality set forth herein.
FIG. 3 shows a method 300 for automatically identifying potentially unwanted (e.g. potentially malicious) data as unwanted (e.g. malicious), in accordance with one embodiment. As an option, the method 300 may be carried out in the context of the architecture and environment of FIGS. 1 and/or 2. Of course, however, the method 300 may be carried out in any desired environment.
As shown in operation 302, data determined to be potentially unwanted (e.g. potentially malicious) is received. In the context of the present description, the data determined to be potentially unwanted may include any data for which it is unknown whether such data is unwanted (e.g. malicious). Thus, in one embodiment, the data may be determined to be unwanted by determining that it is unknown whether the data is unwanted. It should be noted that such data may include any code, application, file, electronic message, process, thread, etc. that is potentially unwanted.
In another embodiment, it may be determined that it is unknown whether the data is unwanted based on an analysis of the data. For example, it may be determined that it is unknown whether the data is unwanted by determining that the data does not match known wanted data (e.g. data predetermined to be wanted, whitelisted data, etc.) and that the data does not match known unwanted data (e.g. data predetermined to be unwanted, blacklisted data, etc.). To this end, the data may be compared to the known wanted data and the known unwanted data for determining whether it is unknown that the data is unwanted.
As another example, the potentially unwanted data may not necessarily match a hash, signature, etc. of known unwanted data. As another example, the potentially unwanted data may not necessarily match a hash, signature, etc. of known wanted data. Such data may be determined to be potentially unwanted based on a scan of the data (e.g., against signatures of known wanted data and/or known unwanted data, etc.), as an option.
In yet another embodiment, the data may be determined to be potentially unwanted if it is determined that the data is suspicious based on an analysis thereof. For example, the data may be determined to have one or more characteristics of malware based on the analysis. In another example, the data may be determined to be a possible new variant of existing malware. To this end, the potentially unwanted data may include data that is determined to potentially include malware, spyware, adware, etc.
Additionally, in one embodiment, the data may be determined to be potentially unwanted based on monitoring performed with respect to the data. For example, the monitoring may include identifying the data (e.g. based on operations performed in association with the data, etc.) and performing an analysis of the data, such as the analysis described above for example. Optionally, the monitoring may be of an electronic messaging application [e.g. electronic mail (email) messaging application], a file transfer protocol (FTP), at least one web site, etc.
In another embodiment, the data may be determined to be potentially unwanted based on a heuristic analysis. In yet another embodiment, the data may be determined to be potentially unwanted based on a behavioral analysis. In yet another embodiment, the data may be determined to be potentially unwanted based on scanning performed on the data. Of course, however, data may be determined to be potentially unwanted in any desired manner.
Further, the data may be determined to be potentially unwanted by a remote source. As another option, the data determined to be potentially unwanted may be received from such remote source. In one embodiment, such data may be automatically received based on the monitoring described above. Just by way of example, the remote device may automatically transmit the data in response to a determination that the data is potentially unwanted (e.g. that it is unknown whether such data is unwanted, etc.).
As an option, the data determined to be potentially unwanted may be received by a server. In one embodiment, the server may be utilized by a security vendor. Such security vendor may optionally provide known wanted data and/or known unwanted data (e.g. via updates, etc.) to a plurality of client devices, such that the client devices may utilize the known wanted data and/or known unwanted data for determining whether data is wanted and/or unwanted, respectively. To this end, the server may optionally receive the data determined to be potentially unwanted for analysis purposes, such as for determining whether the data is wanted or unwanted. Further, based on the determination, the server may be utilized to provide an indication of the determination (e.g. via an update, etc.) to a source from which the data was received and/or to any other desired device.
Moreover, as shown in operation 304, the data is automatically identified as unwanted (e.g. malicious). In one embodiment, automatically identifying the data as unwanted may include any determination that the data is unwanted which does not necessarily rely on an analysis of the data. For example, the data may be automatically identified as unwanted without necessarily scanning the data, comparing the data to known wanted data and/or known unwanted data, etc.
In another embodiment, the data may be automatically identified as unwanted based on at least one source from which the data is received. As an option, the data may be automatically identified as unwanted based on a type of the source from which the data is received. For example, if the source includes a security vendor, a multi-scanner service, a honeypot, etc., the data may be automatically identified as unwanted.
As another option, the data may be automatically identified as unwanted if it is determined that other data previously received from the source (e.g. received previous to that received in operation 302) includes known unwanted data. For example, if other data previously received from the source was determined to be unwanted, the data received in operation 302 may be automatically identified as unwanted. As another example, if a predefined threshold amount (e.g. percentage, etc.) of data previously received from the source was determined to be unwanted, the data received in operation 302 may be automatically identified as unwanted. In this way, the data may be automatically identified as unwanted if potentially unwanted data received from such source was determined to be unwanted, if a threshold amount of potentially unwanted data received from such source was determined to be unwanted, if all potentially unwanted data received from such source was determined to be unwanted, etc.
As yet another option, the data may be automatically identified as unwanted if it is determined that the data was received by a predefined threshold number of different sources. Such predefined threshold number may be user-configured, in one embodiment. For example, if the data was independently received (e.g. different copies of the data were received) by the predefined threshold number of different sources, the data may be automatically identified as unwanted.
As still yet another option, the data may be automatically identified as unwanted if it is determined that a weight assigned to the source from which the data was received meets a predefined threshold weight. The predefined threshold weight may be user-configured, in one embodiment. Additionally, the weight assigned to the source may be based on any desired aspect of the source, such as a type of the source, an amount of potentially unwanted data previously received from the source that was determined to be unwanted, etc. As another option, the data may be automatically identified as unwanted if it is determined that an aggregate weight calculated from weights of each source from which the data was received meets the predefined threshold weight. Of course, however, the data may be automatically identified as unwanted in any desired manner.
In one embodiment, the data may be automatically identified as unwanted based on a probability that the data is actually unwanted. For example, if the source of the data includes a predetermined type of source, is associated with previously received data determined to be unwanted, etc., the probability that the data is unwanted may be determined to meet a threshold probability. In this way, prior to determining whether the data is unwanted via an analysis of the data, the data may optionally be automatically identified as unwanted.
Still yet, as shown in operation 306, the data is stored for use in detecting unwanted data. With respect to the present description, the data may be stored in any desired type of data structure capable of allowing the data to be used in detecting unwanted data. In various embodiments, the data may be stored in a database, a list of known unwanted data (e.g. a blacklist), etc.
As an option, storing the data may include storing a hash of the data. As another option, a plurality of different types of hashes of the data may be stored. The hash may be computed utilizing message-digest algorithm 5 (MD5), secure hash algorithm-1 (SHA-1), secure hash algorithm-256 (SHA-256), etc.
Further, in one embodiment, an indication that the data is unwanted may be stored in association with the data. Such indication may include any type of identifier, for example. In another embodiment, an indication that the data is potentially unwanted data automatically determined to be unwanted data may be stored in association with the data.
Further still, the stored data may be used for detecting unwanted data by being identifiable as known unwanted data. As an option, other received data determined to be potentially unwanted may be compared with the stored data for determining whether such other received data is unwanted. For example, if the other received data matches the stored data, the other received data may be determined to be unwanted. As another example, if a hash of the other received data matches a hash of the stored data, the other received data may be determined to be unwanted. Thus, the stored data may optionally be used by the device (e.g. server) on which such data is stored for detecting unwanted data.
As another option, the stored data may be utilized by any other device (e.g. client device, etc.) for detecting unwanted data. Just by way of example, a remote client device may detect other potentially unwanted data (e.g. utilizing a security system, etc.), may calculate a hash of such potentially unwanted data, and may remotely query a database storing the stored data. If the query returns the stored data, the other device may determine that the other potentially unwanted data is unwanted. Of course, it should be noted that the stored data may be used in detecting unwanted data in any desired manner.
To this end, data determined to be potentially unwanted may be automatically identified as unwanted, prior to determining whether the data includes unwanted data via an analysis of such data. Moreover, storing the data automatically determined to be unwanted for use in detecting unwanted data may allow the data to be used in detecting unwanted data upon the storage of the data. Thus any delay in using the data for detecting unwanted data may be prevented, where such delay results from a delay in determining whether the data is actually unwanted (e.g. via an the analysis of such data), from a wait time resultant from a queue of stored data waiting to be processed for determining whether any of such data is actually unwanted, from a delay in providing an update of known unwanted data and/or known wanted data to client devices detecting the potentially unwanted data, from a delay in installing such update by the client devices, etc.
As an option, once the data is stored for use in detecting unwanted data, a subsequent analysis of the data may be performed for determining whether the data actually includes unwanted data. The subsequent analysis may be performed at any desired time, as the stored data may already be capable of being used to detect unwanted data. Just by way of example, the stored data may be identified by identifying data stored with an indication that the data includes potentially unwanted data automatically identified as unwanted.
In addition, the stored data may be analyzed, in response to identification thereof, and it may be determined whether the data is unwanted based on the analysis. Accordingly, if the data is determined to be unwanted, a list of known unwanted data may be updated. However, if it is determined that the data is wanted, a list of known wanted data may be updated. Such updated list of known unwanted data or known wanted data may further be provided to the source from which the data determined to be potentially unwanted was received (in operation 302) and/or to any other desired device for local use in detecting unwanted data.
More illustrative information will now be set forth regarding various optional architectures and features with which the foregoing technique may or may not be implemented, per the desires of the user. It should be strongly noted that the following information is set forth for illustrative purposes and should not be construed as limiting in any manner. Any of the following features may be optionally incorporated with or without the exclusion of other features described.
FIG. 4 shows a system 400 for automatically identifying potentially unwanted (e.g. potentially malicious) data as unwanted (e.g. malicious), in accordance with another embodiment. As an option, the system 400 may be implemented in the context of the architecture and environment of FIGS. 1-3. Of course, however, the system 400 may be implemented in any desired environment. It should also be noted that the aforementioned definitions may apply during the present description.
As shown, a server 404 is in communication with clients 402A-402B. In one embodiment, the clients 402A-402B may include any client capable of detecting potentially malicious data 406A-406B that may be in communication with the server 404. For example, the clients 402A-402B may include one or more of the clients illustrated in FIG. 1. Additionally, in another embodiment, the server 404 may include any server capable of automatically identifying the potentially malicious data 406A-406B as malicious and storing such data for use in detecting malicious data. For example, the server 404 may include the server illustrated in FIG. 1.
Additionally, each of the clients 402A-402B includes a security system 408A-408B. In the context of the current embodiment, the security systems 408A-408B may include any system utilized by the clients 402A-402B to detect malicious data. For example, the security systems 408A-408B may include a firewall, an anti-virus system, an anti-spyware system, etc.
In one embodiment, the security systems 408A-408B may be constantly running on the clients 402A-402B. In another embodiment, the security systems 408A-408B may periodically run on the clients 402A-402B. Of course, however, the security systems 408A-408B may interact with the clients 402A-402B in any manner.
To this end, each security system 408A-408B may identify data 406A-406B on an associated client 402A-402B as potentially malicious. While the present embodiment is described below with respect to only one of the clients 402A-402B, it should be noted that the clients 402A-402B may operate in a similar manner. Thus, the present system 400 may be implemented with respect to either or both of the clients 402A-402B.
In one embodiment, the security system 408A of the client 402A may identify the potentially malicious data 406A by monitoring the client 402A for malicious data. Further, the security system 408A may determine that data 406A on such client 402A is potentially malicious in response to a determination that the data 406A does not match known malicious data and does not match known clean (e.g. non-malicious) data. Such known malicious data and known clean data may be stored in a database on the client 402A, for example.
In response to the identification of the potentially malicious data 406A, the security system 408A may send the potentially malicious data 406A to the server 404. In one embodiment, the potentially malicious data 406A may be sent to the server 404 for determining whether the potentially malicious data 406A is actually malicious. For example, the potentially malicious data 406A may be sent to the server 404 for analyzing the potentially malicious data 406A determine whether such is malicious.
Based on receipt of the potentially malicious data 406A, the server 404 automatically identifies the potentially malicious data 406A as malicious. For example, the server 404 may identify the potentially malicious data 406A as malicious without necessarily analyzing the potentially malicious data 406A. In one exemplary embodiment, the server 404 may identify the potentially malicious data 406A as malicious based on an identification of the client 402A from which the potentially malicious data 406A was received as a previous source of malicious data.
Further, the server 404 stores the data automatically identified as malicious (or a hash thereof) in a list of known malicious data 410 located on the server 404. In this way, the data may be stored in the list of known malicious data 410 for use in detecting malicious data. As an option, an identifier indicating that the data was potentially malicious data automatically identified as malicious may be stored in association with the data. Thus, the list of known malicious data 410 may optionally include data with an identifier indicating that the data was potentially malicious data automatically identified as malicious and data with an identifier indicating that the data is malicious (e.g. as determined based on an analysis of the data, etc.).
Still yet, once the server 404 is able to analyze the stored data automatically identified as malicious (e.g. in response to resources being available for such analysis, etc.), the server 404 may perform the analysis on the stored data. If the server 404 determines that the stored data is malicious, based on the analysis, the server 404 may create an updated data (DAT) file 414 (or update an existing DAT file) to include such data as known malicious data. As an option, the server 404 may also change the identifier stored with the data in the list of known malicious data 410 to indicate that the data is malicious (e.g. as determined based on an analysis of the data, as determined by other sources that periodically distribute updates to the list of known malicious data 410, etc.).
If, however, the server 404 determines that the stored data is not malicious, based on the analysis, the server 404 may create the updated DAT file 414 (or update any existing DAT file) to include such data as known clean (e.g. non-malicious) data. Optionally, the server 404 may also remove the data from the list of known malicious data 410 and may store such data in a list of known clean data 412 (e.g. a list of data predetermined to be clean, etc.). As another option, the list of known clean data 412 may also be populated with data from software vendors (e.g. operating system vendors), data determined to be clean based on an analysis of such data by the server 404, data determined to be clean based on a manual analysis (e.g. by human researchers) of such data, data from publicly available databases including known clean data (e.g. National Institute of Standards and Technology database, National Software Reference Library database, etc.), etc.
Furthermore, the server 404 may transmit the DAT 414 (e.g. as an update, etc.), which includes the data identified as malicious or clean, to the clients 402A-402B. In this way, a list of known malicious data or a list of known clean data located on the clients 402A-402B (not shown) may be updated for use in subsequent detections of malicious data.
Just by way of example, after storing the data in the list of known malicious data 410, other data may be identified by a security system 408A-408B of at least one of the clients 402A-402B as potentially malicious. Based on the identification of the other potentially malicious data, the security system 408A-408B may calculate a hash of the other potentially malicious data. In addition, the security system 408A-408B may remotely query the server 404 for the hash [e.g. via a direct connection between the client 402A-B and the server 404, via a domain name server (DNS) cloud, etc.]. Of course, while the query is described herein as including the hash of the other potentially malicious data, it should be noted that the query may include the other potentially malicious data itself and/or any other information capable of being used to identify the other potentially malicious data.
The server 404 may subsequently receive the query, and may compare the hash received via the query with the list of known malicious data 410 and the list of known clean data 412. If the server 404 determines that the received hash matches a hash in the list of known malicious data 410, the server 404 may identify the other potentially malicious data associated with the hash as malicious. If, however, the server 404 determines that the received hash matches a hash in the list of known clean data 412, the server 404 may identify the other potentially malicious data associated with the hash as clean. Further, a result to the query identifying the other potentially malicious data as malicious or clean may be sent to the client 402A-402B from which the query was received.
It should be further noted that if the server 404 determines that the received hash does not match hashes include in either of the list of known malicious data 410 or the list of known clean data 412, the server 404 may automatically determine that the other potentially malicious data associated with the hash is malicious, and may store a hash of the potentially malicious data in the list of known malicious data 410, as described above.
FIG. 5 shows a method 500 for storing a hash of data with an indication of whether the data is potentially malicious or potentially clean, in accordance with yet another embodiment. As an option, the method 500 may be carried out in the context of the architecture and environment of FIGS. 1-4. For example, the method 500 may be carried out using the server 404 of FIG. 4. Of course, however, the method 500 may be carried out in any desired environment. It should also be noted that the aforementioned definitions may apply during the present description.
As shown in operation 502, data is received. With respect to the present embodiment, the data may be received from a client device that determined that the data is potentially malicious. For example, the data may be received by the client device in response to a determination by the client device that it is unknown whether the data is malicious or clean.
Additionally, it is determined whether the data is known to be malicious or clean, as shown in decision 504. For example, it may be determined whether the data has been predetermined to be malicious or clean. In one embodiment, the data may be compared with a list of known malicious data. For example, if the data matches data included in the list of known malicious data, the data may be determined to be known to be malicious.
In another embodiment, the data may be compared with a list of known clean data. Thus, if the data matches data included in the list of known clean data, the data may be determined to be known to be clean. If it is determined that the data is known to be malicious or clean, the method 500 terminates. As an option, an indication of whether the data is malicious or clean may be sent to the source from which the data was received (e.g. based on the determination), prior to the method 500 terminating.
If, however, it is determined that the data is not known to be malicious or clean, it is determined whether the data may be automatically identified as malicious. Note decision 506. For example, determining whether the data may be automatically identified as malicious may include determining whether the data may be identified as malicious, at least temporarily, without performing an analysis on such data for determining whether the data is in fact malicious. In one embodiment, the data may be automatically identified as malicious based on a source of the data. Of course, however, the data may be automatically identified as malicious based on any desired aspect associated with the data that does not necessarily require an analysis of the data itself (e.g. an analysis of content of the data, etc.).
If it is determined that the data may not be automatically identified as malicious, the method 500 terminates. As an option, the client device from which the data was received may wait for the analysis to be performed on the data before such client device may receive an indication of whether the data is malicious. As another option, the client device may be notified that such analysis is required before any indication will be received by the client device.
If, however, it is determined that the data may be automatically identified as malicious, the data is hashed. Note operation 508. Furthermore, the hash is stored in a database with an indication that the data is potentially malicious data automatically identified as malicious, as shown in operation 510. To this end, the hash of the data may be stored such that the hash may be used for detecting unwanted data. As an option, an indication that the data has been automatically identified as malicious may be sent to the client device from which the data was received.
FIG. 6 shows a method 600 for querying a database of hashes for identifying potentially malicious data as malicious, in accordance with still yet another embodiment. As an option, the method 600 may be carried out in the context of the architecture and environment of FIGS. 1-5. For example, the method 600 may be carried out using one of the clients 402A-402B of FIG. 4. Of course, however, the method 600 may be carried out in any desired environment. Again, it should be noted that the aforementioned definitions may apply during the present description.
As shown in decision 602, it is determined whether potentially malicious data is detected. The data may be determined to be potentially malicious if it is determined that it is unknown whether the data is malicious or clean. For example, if the data does not match known malicious data or known clean data (e.g. stored on the device on which the data is located), the data may be determined to be malicious.
If it is determined that potentially malicious data is not detected, the method 600 continues to wait for potentially malicious data to be detected. If, however, it is determined that potentially malicious data is detected, a hash of the potentially malicious data is calculated. Note operation 604.
Additionally, a server database of hashes of malicious data is queried for the calculated hash, as shown in operation 606. Thus, the query may include a remote query. In one embodiment, the server database of hashes of malicious data may include any database storing hashes of known malicious data. For example, the server database of hashes of malicious data may include the list of known malicious data 410 of FIG. 4.
Furthermore, as shown indecision 608, it is determined whether a result of the query indicates that the calculated hash is found in the server database of hashes of malicious data. If, it is determined that the result of the query indicates that the calculated hash is not found in the server database of hashes of malicious data, the potentially malicious data detected in operation 602 is identified as undetermined to be malicious. Note operation 610. As an option, the server storing the server database of hashes of malicious data may also identify the potentially malicious data as undetermined to be malicious if the result of the query indicates that the calculated hash is not found in the server database of hashes of malicious data.
Moreover, in response to a determination by the server that the potentially malicious data is undetermined to be malicious, the server may optionally automatically identify the potentially malicious data as malicious (e.g. as described above with respect to the method 500 of FIG. 5). If it is determined that the result of the query indicates that the calculated hash is found in the server database of hashes of malicious data, the potentially malicious data detected in operation 602 is identified as malicious. Note operation 612.
While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. Thus, the breadth and scope of a preferred embodiment should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.

Claims (46)

What is claimed is:
1. A computer program product including computer code embodied on a non-transitory computer readable medium, and, when executed by at least one processor, the computer code causes the at least one processor to perform operations comprising:
computer code for receiving, from at least one source, data by a server, wherein the data is not known to be wanted and wherein the data is not known to be unwanted;
computer code for assigning a weight to each of the at least one source from which the data was received;
computer code for calculating an aggregate weight from the weights assigned to each of the at least one source from which the data was received; and
computer code for automatically identifying by the server that the data is unwanted if based on a determination that the aggregate weight meets a predetermined threshold weight; and
computer code for storing the data by the server for use in detecting unwanted data, wherein storing the data includes storing a hash of the data, in response to the identifying.
2. The computer program product of claim 1, wherein the data is not known to be malicious and wherein the data is not known to be non-malicious.
3. The computer program product of claim 1, wherein the data does not match known wanted data and does not match known unwanted data.
4. The computer program product of claim 1, wherein the data is automatically received based on monitoring of at least one of an electronic messaging application, file transfer protocol (FTP), and a web site.
5. The computer program product of claim 1, wherein the data is automatically identified as unwanted based on the at least one source from which the data is received.
6. The computer program product of claim 5, wherein the at least one source includes a security vendor.
7. The computer program product of claim 5, wherein the at least one source includes a honeypot.
8. The computer program product of claim 5, wherein the data is automatically identified as unwanted if it is determined that other data previously received from the at least one source includes included known unwanted data.
9. The computer program product of claim 5, wherein the data is automatically identified as unwanted if it is determined that the data was received by a predefined threshold number of different sources.
10. The computer program product of claim 5, wherein the data is automatically identified as unwanted if it is determined that a weight assigned to the at least one source meets a predefined threshold weight.
11. The computer program product of claim 1, wherein storing the data includes storing a hash of the data.
12. The computer program product of claim 1, further comprising computer code for wherein the computer code causes the at least one processor to perform further operations comprising
storing an indication with the data that the data includes potentially unwanted data automatically identified as unwanted.
13. The computer program product of claim 12, further comprising computer code for wherein the computer code causes the at least one processor to perform further operations comprising
identifying the data stored with the indication that the data includes potentially unwanted data automatically identified as unwanted,
analyzing the data, and
determining whether the data is unwanted based on the analysis.
14. The computer program product of claim 13, further comprising computer code for wherein the computer code causes the at least one processor to perform further operations comprising
updating one of a list of known unwanted data and a list of known wanted data based on the determination whether the data is unwanted.
15. The computer program product of claim 1, wherein the stored data is utilized for detecting the unwanted data by identifying other received data determined to be potentially unwanted as unwanted if the other received data matches the stored data.
16. A method, comprising:
receiving, from at least one source, data by a computer processor, wherein the data is not known to be wanted and wherein the data is not known to be unwanted;
assigning a weight to each of the at least one source from which the data was received;
calculating an aggregate weight from the weights assigned to each of the at least one source from which the data was received;
identifying automatically that the data is unwanted if based on a determination that the aggregate weight meets a predetermined threshold weight; and
storing the data for use in detecting unwanted data, wherein storing the data includes storing a hash of the data, in response to the identifying.
17. A system, comprising:
a computer processor; and
forlogic that is executable by the computer processor and, when executed, causes the computer processor to perform operations including receiving data from at least one source, wherein the data is not known to be wanted and wherein the data is not known to be unwanted, assigning a weight to each of the at least one source from which the data was received, calculating an aggregate weight from the weights assigned to each of the at least one source from which the data was received, identifying automatically that the data is unwanted ifbased on a determination that the aggregate weight meets a predetermined threshold weight, and storing the data for use in detecting unwanted data, wherein storing the data includes storing a hash of the data, in response to the identifying.
18. The method of claim 16, further comprising:
identifying the data as unwanted by the computer processor by analyzing the data.
19. A method, comprising:
receiving a first data by a client computer;
analyzing the first data by the client computer, and determining that the first data is not known to be wanted and wherein the first data is not known to be unwanted;
sending the first data to a server computer;
receiving, by the server computer, the first data from at least one source including the client computer;
assigning a weight to each of the at least one source from which the first data was received by the server computer;
calculating an aggregate weight from the weights assigned to each of the at least one source from which the first data was received by the server computer;
identifying automatically that the first data is unwanted if based on a determination that the aggregate weight meets a predetermined threshold weight; and
storing the first data by the server computer, wherein storing the data includes storing a hash of the data, in response to the identifying.
20. The method of claim 19, further comprising:
analyzing the stored first data by the server computer responsive to analysis resources being available; and
identifying the stored first data as wanted or unwanted responsive to the act of analyzing the stored first data by the server computer;
updating a datastore responsive to the act of identifying the stored first data as wanted or unwanted; and
distributing the updated datastore to the client computer.
21. The method of claim 19, further comprising:
receiving a second data from the client computer, wherein the second data comprises an identification of the client computer as a previous source of unwanted data.
22. The method of claim 19, further comprising:
using the stored first data automatically identified as unwanted for determining that a third data is unwanted.
23. The computer program product of claim 1, wherein the computer code for automatically identifying by the server that the data as is unwanted without analyzing the data comprises:
computer code for automatically identifying by the server the data as unwanted responsive to without analyzing the data, based on a second data, without analyzing the first data.
24. The method of claim 16, wherein the act of identifying the data automatically as unwanted by the computer processor without analyzing the data comprises:
identifying the data automatically as unwanted by the computer process processor without analyzing the data, responsive to based on a second data.
25. The method of claim 24, wherein the second data comprises a source from which the data is received.
26. The system of claim 17, wherein the data is not known to be malicious and wherein the data is not known to be non-malicious.
27. The computer program product of claim 1, wherein the computer code further causes the at least one processor to perform further operations comprising
determining that other received data is unwanted, if a hash of the other received data matches the hash of the data.
28. The computer program product of claim 1, wherein the computer code further causes the at least one processor to perform further operations comprising
performing an analysis of the data for determining whether the data is actually the unwanted data, once the data is stored.
29. The system of claim 17, wherein the data does not match known wanted data and does not match known unwanted data.
30. The system of claim 17, wherein the data is automatically received based on monitoring of at least one of an electronic messaging application, file transfer protocol (FTP), and a web site.
31. The system of claim 17, wherein the data is automatically identified as unwanted based on the at least one source from which the data is received.
32. The system of claim 31, wherein the at least one source includes a security vendor.
33. The system of claim 31, wherein the at least one source includes a honeypot.
34. The system of claim 31, wherein the data is automatically identified as unwanted if it is determined that other data previously received from the at least one source included known unwanted data.
35. The system of claim 31, wherein the data is automatically identified as unwanted if it is determined that the data was received by a predefined threshold number of different sources.
36. The system of claim 31, wherein the data is automatically identified as unwanted if it is determined that a weight assigned to the at least one source meets a predefined threshold weight.
37. The system of claim 17, wherein the operations further include storing an indication with the data that the data includes potentially unwanted data automatically identified as unwanted.
38. The system of claim 37, wherein the operations further include identifying the data stored with the indication that the data includes potentially unwanted data automatically identified as unwanted, analyzing the data, and determining whether the data is unwanted based on the analysis.
39. The system of claim 38, wherein the operations further include updating one of a list of known unwanted data and a list of known wanted data based on the determination whether the data is unwanted.
40. The system of claim 17, wherein the stored data is further utilized for detecting the unwanted data by identifying other received data determined to be potentially unwanted as unwanted if the other received data matches the stored data.
41. The system of claim 17, wherein the operations further include:
analyzing the stored data responsive to analysis resources being available;
identifying the stored data as wanted or unwanted responsive to the analyzing the stored data;
updating a datastore responsive to the identifying the stored data as wanted or unwanted; and
distributing the updated datastore to a client computer.
42. The system of claim 17, wherein the operations further include receiving a second data from a client computer, and the second data comprises an identification of the client computer as a previous source of unwanted data.
43. The system of claim 17, wherein the operations further include using the stored data automatically identified as unwanted for determining that a third data is unwanted.
44. The system of claim 17, wherein the operations further include:
identifying the data automatically as unwanted without analyzing the data, based on a second data.
45. The system of claim 44, wherein the second data comprises a source from which the data is received.
46. The system of claim 17, wherein the operations further include identifying the data as unwanted by analyzing the data.
US14/527,749 2008-06-24 2014-10-29 System, method, and computer program product for automatically identifying potentially unwanted data as unwanted Active 2030-04-19 USRE47558E1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/527,749 USRE47558E1 (en) 2008-06-24 2014-10-29 System, method, and computer program product for automatically identifying potentially unwanted data as unwanted

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US12/144,967 US8301904B1 (en) 2008-06-24 2008-06-24 System, method, and computer program product for automatically identifying potentially unwanted data as unwanted
US14/527,749 USRE47558E1 (en) 2008-06-24 2014-10-29 System, method, and computer program product for automatically identifying potentially unwanted data as unwanted

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US12/144,967 Reissue US8301904B1 (en) 2008-06-24 2008-06-24 System, method, and computer program product for automatically identifying potentially unwanted data as unwanted

Publications (1)

Publication Number Publication Date
USRE47558E1 true USRE47558E1 (en) 2019-08-06

Family

ID=47045899

Family Applications (2)

Application Number Title Priority Date Filing Date
US12/144,967 Ceased US8301904B1 (en) 2008-06-24 2008-06-24 System, method, and computer program product for automatically identifying potentially unwanted data as unwanted
US14/527,749 Active 2030-04-19 USRE47558E1 (en) 2008-06-24 2014-10-29 System, method, and computer program product for automatically identifying potentially unwanted data as unwanted

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US12/144,967 Ceased US8301904B1 (en) 2008-06-24 2008-06-24 System, method, and computer program product for automatically identifying potentially unwanted data as unwanted

Country Status (1)

Country Link
US (2) US8301904B1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11575689B2 (en) 2008-03-18 2023-02-07 Mcafee, Llc System, method, and computer program product for dynamically configuring a virtual environment for identifying unwanted data

Families Citing this family (152)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB0513375D0 (en) 2005-06-30 2005-08-03 Retento Ltd Computer security
US8515912B2 (en) 2010-07-15 2013-08-20 Palantir Technologies, Inc. Sharing and deconflicting data changes in a multimaster database system
US8688749B1 (en) 2011-03-31 2014-04-01 Palantir Technologies, Inc. Cross-ontology multi-master replication
US8930331B2 (en) 2007-02-21 2015-01-06 Palantir Technologies Providing unique views of data based on changes or rules
US8590039B1 (en) 2007-11-28 2013-11-19 Mcafee, Inc. System, method and computer program product for sending information extracted from a potentially unwanted data sample to generate a signature
US8301904B1 (en) 2008-06-24 2012-10-30 Mcafee, Inc. System, method, and computer program product for automatically identifying potentially unwanted data as unwanted
US8984390B2 (en) 2008-09-15 2015-03-17 Palantir Technologies, Inc. One-click sharing for screenshots and related documents
US8713674B1 (en) * 2010-12-17 2014-04-29 Zscaler, Inc. Systems and methods for excluding undesirable network transactions
US20120260304A1 (en) * 2011-02-15 2012-10-11 Webroot Inc. Methods and apparatus for agent-based malware management
US8799240B2 (en) 2011-06-23 2014-08-05 Palantir Technologies, Inc. System and method for investigating large amounts of data
US9092482B2 (en) 2013-03-14 2015-07-28 Palantir Technologies, Inc. Fair scheduling for mixed-query loads
US9547693B1 (en) 2011-06-23 2017-01-17 Palantir Technologies Inc. Periodic database search manager for multiple data sources
US8732574B2 (en) 2011-08-25 2014-05-20 Palantir Technologies, Inc. System and method for parameterizing documents for automatic workflow generation
US8504542B2 (en) 2011-09-02 2013-08-06 Palantir Technologies, Inc. Multi-row transactions
US8782004B2 (en) 2012-01-23 2014-07-15 Palantir Technologies, Inc. Cross-ACL multi-master replication
US9081975B2 (en) 2012-10-22 2015-07-14 Palantir Technologies, Inc. Sharing information between nexuses that use different classification schemes for information access control
US9348677B2 (en) 2012-10-22 2016-05-24 Palantir Technologies Inc. System and method for batch evaluation programs
US9501761B2 (en) 2012-11-05 2016-11-22 Palantir Technologies, Inc. System and method for sharing investigation results
US9380431B1 (en) 2013-01-31 2016-06-28 Palantir Technologies, Inc. Use of teams in a mobile application
US10037314B2 (en) 2013-03-14 2018-07-31 Palantir Technologies, Inc. Mobile reports
US10275778B1 (en) 2013-03-15 2019-04-30 Palantir Technologies Inc. Systems and user interfaces for dynamic and interactive investigation based on automatic malfeasance clustering of related data in various data structures
US8909656B2 (en) 2013-03-15 2014-12-09 Palantir Technologies Inc. Filter chains with associated multipath views for exploring large data sets
US8917274B2 (en) 2013-03-15 2014-12-23 Palantir Technologies Inc. Event matrix based on integrated data
US8788405B1 (en) 2013-03-15 2014-07-22 Palantir Technologies, Inc. Generating data clusters with customizable analysis strategies
US8868486B2 (en) 2013-03-15 2014-10-21 Palantir Technologies Inc. Time-sensitive cube
US9965937B2 (en) 2013-03-15 2018-05-08 Palantir Technologies Inc. External malware data item clustering and analysis
US8937619B2 (en) 2013-03-15 2015-01-20 Palantir Technologies Inc. Generating an object time series from data objects
US8799799B1 (en) 2013-05-07 2014-08-05 Palantir Technologies Inc. Interactive geospatial map
US8886601B1 (en) 2013-06-20 2014-11-11 Palantir Technologies, Inc. System and method for incrementally replicating investigative analysis data
US9335897B2 (en) 2013-08-08 2016-05-10 Palantir Technologies Inc. Long click display of a context menu
US9223773B2 (en) 2013-08-08 2015-12-29 Palatir Technologies Inc. Template system for custom document generation
US8713467B1 (en) 2013-08-09 2014-04-29 Palantir Technologies, Inc. Context-sensitive views
US9785317B2 (en) 2013-09-24 2017-10-10 Palantir Technologies Inc. Presentation and analysis of user interaction data
US8938686B1 (en) 2013-10-03 2015-01-20 Palantir Technologies Inc. Systems and methods for analyzing performance of an entity
US8812960B1 (en) 2013-10-07 2014-08-19 Palantir Technologies Inc. Cohort-based presentation of user interaction data
US8924872B1 (en) 2013-10-18 2014-12-30 Palantir Technologies Inc. Overview user interface of emergency call data of a law enforcement agency
US9116975B2 (en) 2013-10-18 2015-08-25 Palantir Technologies Inc. Systems and user interfaces for dynamic and interactive simultaneous querying of multiple data stores
US9021384B1 (en) 2013-11-04 2015-04-28 Palantir Technologies Inc. Interactive vehicle information map
US9569070B1 (en) 2013-11-11 2017-02-14 Palantir Technologies, Inc. Assisting in deconflicting concurrency conflicts
US8868537B1 (en) 2013-11-11 2014-10-21 Palantir Technologies, Inc. Simple web search
US9105000B1 (en) 2013-12-10 2015-08-11 Palantir Technologies Inc. Aggregating data from a plurality of data sources
US10579647B1 (en) 2013-12-16 2020-03-03 Palantir Technologies Inc. Methods and systems for analyzing entity performance
US9734217B2 (en) 2013-12-16 2017-08-15 Palantir Technologies Inc. Methods and systems for analyzing entity performance
US9552615B2 (en) 2013-12-20 2017-01-24 Palantir Technologies Inc. Automated database analysis to detect malfeasance
US10356032B2 (en) 2013-12-26 2019-07-16 Palantir Technologies Inc. System and method for detecting confidential information emails
US9338013B2 (en) 2013-12-30 2016-05-10 Palantir Technologies Inc. Verifiable redactable audit log
US9043696B1 (en) 2014-01-03 2015-05-26 Palantir Technologies Inc. Systems and methods for visual definition of data associations
US8832832B1 (en) 2014-01-03 2014-09-09 Palantir Technologies Inc. IP reputation
US9009827B1 (en) 2014-02-20 2015-04-14 Palantir Technologies Inc. Security sharing system
US9483162B2 (en) 2014-02-20 2016-11-01 Palantir Technologies Inc. Relationship visualizations
US9727376B1 (en) 2014-03-04 2017-08-08 Palantir Technologies, Inc. Mobile tasks
US8924429B1 (en) 2014-03-18 2014-12-30 Palantir Technologies Inc. Determining and extracting changed data from a data source
US9857958B2 (en) 2014-04-28 2018-01-02 Palantir Technologies Inc. Systems and user interfaces for dynamic and interactive access of, investigation of, and analysis of data objects stored in one or more databases
US9009171B1 (en) 2014-05-02 2015-04-14 Palantir Technologies Inc. Systems and methods for active column filtering
US9619557B2 (en) 2014-06-30 2017-04-11 Palantir Technologies, Inc. Systems and methods for key phrase characterization of documents
US9535974B1 (en) 2014-06-30 2017-01-03 Palantir Technologies Inc. Systems and methods for identifying key phrase clusters within documents
US9785773B2 (en) 2014-07-03 2017-10-10 Palantir Technologies Inc. Malware data item analysis
US9021260B1 (en) * 2014-07-03 2015-04-28 Palantir Technologies Inc. Malware data item analysis
US9202249B1 (en) 2014-07-03 2015-12-01 Palantir Technologies Inc. Data item clustering and analysis
US9256664B2 (en) 2014-07-03 2016-02-09 Palantir Technologies Inc. System and method for news events detection and visualization
US10572496B1 (en) 2014-07-03 2020-02-25 Palantir Technologies Inc. Distributed workflow system and database with access controls for city resiliency
US9419992B2 (en) 2014-08-13 2016-08-16 Palantir Technologies Inc. Unwanted tunneling alert system
US9454281B2 (en) 2014-09-03 2016-09-27 Palantir Technologies Inc. System for providing dynamic linked panels in user interface
US9501851B2 (en) 2014-10-03 2016-11-22 Palantir Technologies Inc. Time-series analysis system
US9767172B2 (en) 2014-10-03 2017-09-19 Palantir Technologies Inc. Data aggregation and analysis system
US9984133B2 (en) 2014-10-16 2018-05-29 Palantir Technologies Inc. Schematic and database linking system
US9229952B1 (en) 2014-11-05 2016-01-05 Palantir Technologies, Inc. History preserving data pipeline system and method
US9043894B1 (en) 2014-11-06 2015-05-26 Palantir Technologies Inc. Malicious software detection in a computing system
US10552994B2 (en) 2014-12-22 2020-02-04 Palantir Technologies Inc. Systems and interactive user interfaces for dynamic retrieval, analysis, and triage of data items
US9367872B1 (en) 2014-12-22 2016-06-14 Palantir Technologies Inc. Systems and user interfaces for dynamic and interactive investigation of bad actor behavior based on automatic clustering of related data in various data structures
US9348920B1 (en) 2014-12-22 2016-05-24 Palantir Technologies Inc. Concept indexing among database of documents using machine learning techniques
US10362133B1 (en) 2014-12-22 2019-07-23 Palantir Technologies Inc. Communication data processing architecture
US9648036B2 (en) 2014-12-29 2017-05-09 Palantir Technologies Inc. Systems for network risk assessment including processing of user access rights associated with a network of devices
US9335911B1 (en) 2014-12-29 2016-05-10 Palantir Technologies Inc. Interactive user interface for dynamic data analysis exploration and query processing
US9870205B1 (en) 2014-12-29 2018-01-16 Palantir Technologies Inc. Storing logical units of program code generated using a dynamic programming notebook user interface
US9817563B1 (en) 2014-12-29 2017-11-14 Palantir Technologies Inc. System and method of generating data points from one or more data stores of data items for chart creation and manipulation
US9467455B2 (en) 2014-12-29 2016-10-11 Palantir Technologies Inc. Systems for network risk assessment including processing of user access rights associated with a network of devices
US10372879B2 (en) 2014-12-31 2019-08-06 Palantir Technologies Inc. Medical claims lead summary report generation
US10387834B2 (en) 2015-01-21 2019-08-20 Palantir Technologies Inc. Systems and methods for accessing and storing snapshots of a remote application in a document
US9727560B2 (en) 2015-02-25 2017-08-08 Palantir Technologies Inc. Systems and methods for organizing and identifying documents via hierarchies and dimensions of tags
EP3070622A1 (en) 2015-03-16 2016-09-21 Palantir Technologies, Inc. Interactive user interfaces for location-based data analysis
US9886467B2 (en) 2015-03-19 2018-02-06 Plantir Technologies Inc. System and method for comparing and visualizing data entities and data entity series
US10103953B1 (en) 2015-05-12 2018-10-16 Palantir Technologies Inc. Methods and systems for analyzing entity performance
US9407652B1 (en) 2015-06-26 2016-08-02 Palantir Technologies Inc. Network anomaly detection
US9454785B1 (en) 2015-07-30 2016-09-27 Palantir Technologies Inc. Systems and user interfaces for holistic, data-driven investigation of bad actor behavior based on clustering and scoring of related data
US9996595B2 (en) 2015-08-03 2018-06-12 Palantir Technologies, Inc. Providing full data provenance visualization for versioned datasets
US9456000B1 (en) 2015-08-06 2016-09-27 Palantir Technologies Inc. Systems, methods, user interfaces, and computer-readable media for investigating potential malicious communications
US9600146B2 (en) 2015-08-17 2017-03-21 Palantir Technologies Inc. Interactive geospatial map
US10489391B1 (en) 2015-08-17 2019-11-26 Palantir Technologies Inc. Systems and methods for grouping and enriching data items accessed from one or more databases for presentation in a user interface
US9537880B1 (en) 2015-08-19 2017-01-03 Palantir Technologies Inc. Anomalous network monitoring, user behavior detection and database system
US10102369B2 (en) 2015-08-19 2018-10-16 Palantir Technologies Inc. Checkout system executable code monitoring, and user account compromise determination system
US10853378B1 (en) 2015-08-25 2020-12-01 Palantir Technologies Inc. Electronic note management via a connected entity graph
US11150917B2 (en) 2015-08-26 2021-10-19 Palantir Technologies Inc. System for data aggregation and analysis of data from a plurality of data sources
US9485265B1 (en) 2015-08-28 2016-11-01 Palantir Technologies Inc. Malicious activity detection system capable of efficiently processing data accessed from databases and generating alerts for display in interactive user interfaces
US10706434B1 (en) 2015-09-01 2020-07-07 Palantir Technologies Inc. Methods and systems for determining location information
US9576015B1 (en) 2015-09-09 2017-02-21 Palantir Technologies, Inc. Domain-specific language for dataset transformations
US10296617B1 (en) 2015-10-05 2019-05-21 Palantir Technologies Inc. Searches of highly structured data
US10044745B1 (en) 2015-10-12 2018-08-07 Palantir Technologies, Inc. Systems for computer network security risk assessment including user compromise analysis associated with a network of devices
US9542446B1 (en) 2015-12-17 2017-01-10 Palantir Technologies, Inc. Automatic generation of composite datasets based on hierarchical fields
US9888039B2 (en) 2015-12-28 2018-02-06 Palantir Technologies Inc. Network-based permissioning system
US9916465B1 (en) 2015-12-29 2018-03-13 Palantir Technologies Inc. Systems and methods for automatic and customizable data minimization of electronic data stores
US9823818B1 (en) 2015-12-29 2017-11-21 Palantir Technologies Inc. Systems and interactive user interfaces for automatic generation of temporal representation of data objects
US10089289B2 (en) 2015-12-29 2018-10-02 Palantir Technologies Inc. Real-time document annotation
US9612723B1 (en) 2015-12-30 2017-04-04 Palantir Technologies Inc. Composite graphical interface with shareable data-objects
US10621198B1 (en) 2015-12-30 2020-04-14 Palantir Technologies Inc. System and method for secure database replication
US10698938B2 (en) 2016-03-18 2020-06-30 Palantir Technologies Inc. Systems and methods for organizing and identifying documents via hierarchies and dimensions of tags
US10498711B1 (en) 2016-05-20 2019-12-03 Palantir Technologies Inc. Providing a booting key to a remote system
US10084802B1 (en) 2016-06-21 2018-09-25 Palantir Technologies Inc. Supervisory control and data acquisition
US10291637B1 (en) 2016-07-05 2019-05-14 Palantir Technologies Inc. Network anomaly detection and profiling
US10324609B2 (en) 2016-07-21 2019-06-18 Palantir Technologies Inc. System for providing dynamic linked panels in user interface
US10719188B2 (en) 2016-07-21 2020-07-21 Palantir Technologies Inc. Cached database and synchronization system for providing dynamic linked panels in user interface
US10437840B1 (en) 2016-08-19 2019-10-08 Palantir Technologies Inc. Focused probabilistic entity resolution from multiple data sources
US10698927B1 (en) 2016-08-30 2020-06-30 Palantir Technologies Inc. Multiple sensor session and log information compression and correlation system
US10637874B2 (en) * 2016-09-01 2020-04-28 Cylance Inc. Container file analysis using machine learning model
US10503901B2 (en) 2016-09-01 2019-12-10 Cylance Inc. Training a machine learning model for container file analysis
US10318630B1 (en) 2016-11-21 2019-06-11 Palantir Technologies Inc. Analysis of large bodies of textual data
US10620618B2 (en) 2016-12-20 2020-04-14 Palantir Technologies Inc. Systems and methods for determining relationships between defects
US10728262B1 (en) 2016-12-21 2020-07-28 Palantir Technologies Inc. Context-aware network-based malicious activity warning systems
US10262053B2 (en) 2016-12-22 2019-04-16 Palantir Technologies Inc. Systems and methods for data replication synchronization
US10721262B2 (en) 2016-12-28 2020-07-21 Palantir Technologies Inc. Resource-centric network cyber attack warning system
US10754872B2 (en) 2016-12-28 2020-08-25 Palantir Technologies Inc. Automatically executing tasks and configuring access control lists in a data transformation system
US10460602B1 (en) 2016-12-28 2019-10-29 Palantir Technologies Inc. Interactive vehicle information mapping system
US10325224B1 (en) 2017-03-23 2019-06-18 Palantir Technologies Inc. Systems and methods for selecting machine learning training data
US10606866B1 (en) 2017-03-30 2020-03-31 Palantir Technologies Inc. Framework for exposing network activities
US10068002B1 (en) 2017-04-25 2018-09-04 Palantir Technologies Inc. Systems and methods for adaptive data replication
US10235461B2 (en) 2017-05-02 2019-03-19 Palantir Technologies Inc. Automated assistance for generating relevant and valuable search results for an entity of interest
US10482382B2 (en) 2017-05-09 2019-11-19 Palantir Technologies Inc. Systems and methods for reducing manufacturing failure rates
US10430062B2 (en) 2017-05-30 2019-10-01 Palantir Technologies Inc. Systems and methods for geo-fenced dynamic dissemination
US10956406B2 (en) 2017-06-12 2021-03-23 Palantir Technologies Inc. Propagated deletion of database records and derived data
US11030494B1 (en) 2017-06-15 2021-06-08 Palantir Technologies Inc. Systems and methods for managing data spills
US10027551B1 (en) 2017-06-29 2018-07-17 Palantir Technologies, Inc. Access controls through node-based effective policy identifiers
US10403011B1 (en) 2017-07-18 2019-09-03 Palantir Technologies Inc. Passing system with an interactive user interface
US10963465B1 (en) 2017-08-25 2021-03-30 Palantir Technologies Inc. Rapid importation of data including temporally tracked object recognition
US10984427B1 (en) 2017-09-13 2021-04-20 Palantir Technologies Inc. Approaches for analyzing entity relationships
US10079832B1 (en) 2017-10-18 2018-09-18 Palantir Technologies Inc. Controlling user creation of data resources on a data processing platform
GB201716170D0 (en) 2017-10-04 2017-11-15 Palantir Technologies Inc Controlling user creation of data resources on a data processing platform
US10250401B1 (en) 2017-11-29 2019-04-02 Palantir Technologies Inc. Systems and methods for providing category-sensitive chat channels
US11133925B2 (en) 2017-12-07 2021-09-28 Palantir Technologies Inc. Selective access to encrypted logs
US10380196B2 (en) 2017-12-08 2019-08-13 Palantir Technologies Inc. Systems and methods for using linked documents
US10915542B1 (en) 2017-12-19 2021-02-09 Palantir Technologies Inc. Contextual modification of data sharing constraints in a distributed database system that uses a multi-master replication scheme
US10142349B1 (en) 2018-02-22 2018-11-27 Palantir Technologies Inc. Verifying network-based permissioning rights
US11599369B1 (en) 2018-03-08 2023-03-07 Palantir Technologies Inc. Graphical user interface configuration system
US10878051B1 (en) 2018-03-30 2020-12-29 Palantir Technologies Inc. Mapping device identifiers
EP4290400A3 (en) 2018-04-03 2024-03-06 Palantir Technologies Inc. Controlling access to computer resources
US10754822B1 (en) 2018-04-18 2020-08-25 Palantir Technologies Inc. Systems and methods for ontology migration
US10885021B1 (en) 2018-05-02 2021-01-05 Palantir Technologies Inc. Interactive interpreter and graphical user interface
US10949400B2 (en) 2018-05-09 2021-03-16 Palantir Technologies Inc. Systems and methods for tamper-resistant activity logging
US11244063B2 (en) 2018-06-11 2022-02-08 Palantir Technologies Inc. Row-level and column-level policy service
US11119630B1 (en) 2018-06-19 2021-09-14 Palantir Technologies Inc. Artificial intelligence assisted evaluations and user interface for same
US10868887B2 (en) 2019-02-08 2020-12-15 Palantir Technologies Inc. Systems and methods for isolating applications associated with multiple tenants within a computing platform
US11704441B2 (en) 2019-09-03 2023-07-18 Palantir Technologies Inc. Charter-based access controls for managing computer resources
US10761889B1 (en) 2019-09-18 2020-09-01 Palantir Technologies Inc. Systems and methods for autoscaling instance groups of computing platforms

Citations (62)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6697948B1 (en) 1999-05-05 2004-02-24 Michael O. Rabin Methods and apparatus for protecting information
US20040042416A1 (en) 2002-08-27 2004-03-04 Ngo Chuong Ngoc Virtual Local Area Network auto-discovery methods
US20040044912A1 (en) * 2002-08-26 2004-03-04 Iven Connary Determining threat level associated with network activity
US6708212B2 (en) 1998-11-09 2004-03-16 Sri International Network surveillance
US20040054925A1 (en) * 2002-09-13 2004-03-18 Cyber Operations, Llc System and method for detecting and countering a network attack
US20040073810A1 (en) 2002-10-10 2004-04-15 International Business Machines Corporation Antiviral network system
US20040078592A1 (en) * 2002-10-16 2004-04-22 At & T Corp. System and method for deploying honeypot systems in a network
US20040123117A1 (en) 2002-12-18 2004-06-24 Symantec Corporation Validation for behavior-blocking system
US20040203589A1 (en) * 2002-07-11 2004-10-14 Wang Jiwei R. Method and system for controlling messages in a communication network
US20040255163A1 (en) 2002-06-03 2004-12-16 International Business Machines Corporation Preventing attacks in a data processing system
US20050015455A1 (en) 2003-07-18 2005-01-20 Liu Gary G. SPAM processing system and methods including shared information among plural SPAM filters
US20050027818A1 (en) 2003-01-31 2005-02-03 Friedman Gregory Scott Asynchronous real-time retrieval of data
US20050065899A1 (en) 2003-09-18 2005-03-24 Cong Li Data classification using stochastic key feature generation
US20050177868A1 (en) 2003-07-11 2005-08-11 Computer Associates Think, Inc. Method and system for protecting against computer viruses
US20050262567A1 (en) 2004-05-19 2005-11-24 Itshak Carmona Systems and methods for computer security
US20050262576A1 (en) 2004-05-20 2005-11-24 Paul Gassoway Systems and methods for excluding user specified applications
US6981155B1 (en) 1999-07-14 2005-12-27 Symantec Corporation System and method for computer security
US20060036693A1 (en) 2004-08-12 2006-02-16 Microsoft Corporation Spam filtering with probabilistic secure hashes
US20060070130A1 (en) * 2004-09-27 2006-03-30 Microsoft Corporation System and method of identifying the source of an attack on a computer network
US20060137012A1 (en) * 2004-12-16 2006-06-22 Aaron Jeffrey A Methods and systems for deceptively trapping electronic worms
US20060150256A1 (en) 2004-12-03 2006-07-06 Whitecell Software Inc. A Delaware Corporation Secure system for allowing the execution of authorized computer program code
US7095716B1 (en) 2001-03-30 2006-08-22 Juniper Networks, Inc. Internet security device and method
US20060230452A1 (en) 2004-10-29 2006-10-12 Microsoft Corporation Tagging obtained content for white and black listing
US20060242245A1 (en) 2005-04-20 2006-10-26 Verisign, Inc. Sender identification system and method
US20070016953A1 (en) 2005-06-30 2007-01-18 Prevx Limited Methods and apparatus for dealing with malware
US20070028304A1 (en) 2005-07-29 2007-02-01 Bit 9, Inc. Centralized timed analysis in a network security system
US20070073660A1 (en) 2005-05-05 2007-03-29 Daniel Quinlan Method of validating requests for sender reputation information
US20070226804A1 (en) 2006-03-22 2007-09-27 Method and system for preventing an unauthorized message
US20070240217A1 (en) 2006-04-06 2007-10-11 George Tuvell Malware Modeling Detection System And Method for Mobile Platforms
US20070261112A1 (en) 2006-05-08 2007-11-08 Electro Guard Corp. Network Security Device
US20080126779A1 (en) 2006-09-19 2008-05-29 Ned Smith Methods and apparatus to perform secure boot
US20080127336A1 (en) 2006-09-19 2008-05-29 Microsoft Corporation Automated malware signature generation
US20080141373A1 (en) 2006-12-12 2008-06-12 Fortinet, Inc. Detection of undesired computer files in archives
US20080168533A1 (en) 2006-12-21 2008-07-10 Kabushiki Kaisha Toshiba Program verification apparatus and method, and signature system based on program verification
WO2008089626A1 (en) 2007-01-22 2008-07-31 Zte Corporation A method for identifying a malicious call
US7409712B1 (en) * 2003-07-16 2008-08-05 Cisco Technology, Inc. Methods and apparatus for network message traffic redirection
US20080196099A1 (en) 2002-06-10 2008-08-14 Akonix Systems, Inc. Systems and methods for detecting and blocking malicious content in instant messages
US20080313738A1 (en) 2007-06-15 2008-12-18 Broadcom Corporation Multi-Stage Deep Packet Inspection for Lightweight Devices
US20090044024A1 (en) 2007-08-06 2009-02-12 The Regents Of The University Of Michigan Network service for the detection, analysis and quarantine of malicious and unwanted files
US20090064329A1 (en) 2007-06-25 2009-03-05 Google Inc. Zero-hour quarantine of suspect electronic messages
US20090064337A1 (en) 2007-09-05 2009-03-05 Shih-Wei Chien Method and apparatus for preventing web page attacks
US20090083852A1 (en) 2007-09-26 2009-03-26 Microsoft Corporation Whitelist and Blacklist Identification Data
US7512977B2 (en) 2003-06-11 2009-03-31 Symantec Corporation Intrustion protection system utilizing layers
US20090088133A1 (en) 2007-09-28 2009-04-02 Mark Orlassino Method and System for Distributing Data within a Group of Mobile Units
US20090097661A1 (en) 2007-09-14 2009-04-16 Security First Corporation Systems and methods for managing cryptographic keys
US20090254992A1 (en) 2001-07-30 2009-10-08 Schultz Matthew G Systems and methods for detection of new malicious executables
US20100031358A1 (en) 2008-02-04 2010-02-04 Deutsche Telekom Ag System that provides early detection, alert, and response to electronic threats
US7694150B1 (en) 2004-06-22 2010-04-06 Cisco Technology, Inc System and methods for integration of behavioral and signature based security
US7752667B2 (en) * 2004-12-28 2010-07-06 Lenovo (Singapore) Pte Ltd. Rapid virus scan using file signature created during file write
US7802303B1 (en) 2006-06-30 2010-09-21 Trend Micro Incorporated Real-time in-line detection of malicious code in data streams
US20110047618A1 (en) 2006-10-18 2011-02-24 University Of Virginia Patent Foundation Method, System, and Computer Program Product for Malware Detection, Analysis, and Response
US7912872B2 (en) 2000-01-05 2011-03-22 Nugenesis Technologies Corporation Storing and retrieving the visual form of data
US7945787B2 (en) 2007-04-13 2011-05-17 Computer Associates Think, Inc. Method and system for detecting malware using a remote server
US20110138465A1 (en) 2009-12-03 2011-06-09 International Business Machines Corporation Mitigating malicious file propagation with progressive identifiers
US20110162070A1 (en) 2009-12-31 2011-06-30 Mcafee, Inc. Malware detection via reputation system
US20110197177A1 (en) 2010-02-09 2011-08-11 Rajesh Mony Detection of scripting-language-based exploits using parse tree transformation
US20120084859A1 (en) 2010-09-30 2012-04-05 Microsoft Corporation Realtime multiple engine selection and combining
US8301904B1 (en) 2008-06-24 2012-10-30 Mcafee, Inc. System, method, and computer program product for automatically identifying potentially unwanted data as unwanted
US20130276106A1 (en) 2009-03-04 2013-10-17 Christopher Barton System, method, and computer program product for verifying an identification of program information as unwanted
US20130276120A1 (en) 2008-06-02 2013-10-17 Gregory William Dalcher System, method, and computer program product for determining whether a security status of data is known at a server
US8590039B1 (en) 2007-11-28 2013-11-19 Mcafee, Inc. System, method and computer program product for sending information extracted from a potentially unwanted data sample to generate a signature
US9306796B1 (en) 2008-03-18 2016-04-05 Mcafee, Inc. System, method, and computer program product for dynamically configuring a virtual environment for identifying unwanted data

Patent Citations (73)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6708212B2 (en) 1998-11-09 2004-03-16 Sri International Network surveillance
US6697948B1 (en) 1999-05-05 2004-02-24 Michael O. Rabin Methods and apparatus for protecting information
US6981155B1 (en) 1999-07-14 2005-12-27 Symantec Corporation System and method for computer security
US7912872B2 (en) 2000-01-05 2011-03-22 Nugenesis Technologies Corporation Storing and retrieving the visual form of data
US7095716B1 (en) 2001-03-30 2006-08-22 Juniper Networks, Inc. Internet security device and method
US20090254992A1 (en) 2001-07-30 2009-10-08 Schultz Matthew G Systems and methods for detection of new malicious executables
US20040255163A1 (en) 2002-06-03 2004-12-16 International Business Machines Corporation Preventing attacks in a data processing system
US20080196099A1 (en) 2002-06-10 2008-08-14 Akonix Systems, Inc. Systems and methods for detecting and blocking malicious content in instant messages
US20040203589A1 (en) * 2002-07-11 2004-10-14 Wang Jiwei R. Method and system for controlling messages in a communication network
US20040044912A1 (en) * 2002-08-26 2004-03-04 Iven Connary Determining threat level associated with network activity
US20040042416A1 (en) 2002-08-27 2004-03-04 Ngo Chuong Ngoc Virtual Local Area Network auto-discovery methods
US20040054925A1 (en) * 2002-09-13 2004-03-18 Cyber Operations, Llc System and method for detecting and countering a network attack
US20040073810A1 (en) 2002-10-10 2004-04-15 International Business Machines Corporation Antiviral network system
US20080295177A1 (en) 2002-10-10 2008-11-27 International Business Machines Corporation Antiviral network system
US20040078592A1 (en) * 2002-10-16 2004-04-22 At & T Corp. System and method for deploying honeypot systems in a network
US20040123117A1 (en) 2002-12-18 2004-06-24 Symantec Corporation Validation for behavior-blocking system
US20050027818A1 (en) 2003-01-31 2005-02-03 Friedman Gregory Scott Asynchronous real-time retrieval of data
US7512977B2 (en) 2003-06-11 2009-03-31 Symantec Corporation Intrustion protection system utilizing layers
US20050177868A1 (en) 2003-07-11 2005-08-11 Computer Associates Think, Inc. Method and system for protecting against computer viruses
US7409712B1 (en) * 2003-07-16 2008-08-05 Cisco Technology, Inc. Methods and apparatus for network message traffic redirection
US20050015455A1 (en) 2003-07-18 2005-01-20 Liu Gary G. SPAM processing system and methods including shared information among plural SPAM filters
US20050065899A1 (en) 2003-09-18 2005-03-24 Cong Li Data classification using stochastic key feature generation
US7555777B2 (en) 2004-01-13 2009-06-30 International Business Machines Corporation Preventing attacks in a data processing system
US20050262567A1 (en) 2004-05-19 2005-11-24 Itshak Carmona Systems and methods for computer security
US20050262576A1 (en) 2004-05-20 2005-11-24 Paul Gassoway Systems and methods for excluding user specified applications
US7694150B1 (en) 2004-06-22 2010-04-06 Cisco Technology, Inc System and methods for integration of behavioral and signature based security
US20060036693A1 (en) 2004-08-12 2006-02-16 Microsoft Corporation Spam filtering with probabilistic secure hashes
US20060070130A1 (en) * 2004-09-27 2006-03-30 Microsoft Corporation System and method of identifying the source of an attack on a computer network
US20060230452A1 (en) 2004-10-29 2006-10-12 Microsoft Corporation Tagging obtained content for white and black listing
US20060150256A1 (en) 2004-12-03 2006-07-06 Whitecell Software Inc. A Delaware Corporation Secure system for allowing the execution of authorized computer program code
US20060137012A1 (en) * 2004-12-16 2006-06-22 Aaron Jeffrey A Methods and systems for deceptively trapping electronic worms
US7752667B2 (en) * 2004-12-28 2010-07-06 Lenovo (Singapore) Pte Ltd. Rapid virus scan using file signature created during file write
US20060242245A1 (en) 2005-04-20 2006-10-26 Verisign, Inc. Sender identification system and method
US20070079379A1 (en) * 2005-05-05 2007-04-05 Craig Sprosts Identifying threats in electronic messages
US20070073660A1 (en) 2005-05-05 2007-03-29 Daniel Quinlan Method of validating requests for sender reputation information
US20070016953A1 (en) 2005-06-30 2007-01-18 Prevx Limited Methods and apparatus for dealing with malware
US20070028304A1 (en) 2005-07-29 2007-02-01 Bit 9, Inc. Centralized timed analysis in a network security system
US20070226804A1 (en) 2006-03-22 2007-09-27 Method and system for preventing an unauthorized message
US20070240220A1 (en) 2006-04-06 2007-10-11 George Tuvell System and method for managing malware protection on mobile devices
US20070240217A1 (en) 2006-04-06 2007-10-11 George Tuvell Malware Modeling Detection System And Method for Mobile Platforms
US20070261112A1 (en) 2006-05-08 2007-11-08 Electro Guard Corp. Network Security Device
US7802303B1 (en) 2006-06-30 2010-09-21 Trend Micro Incorporated Real-time in-line detection of malicious code in data streams
US20080126779A1 (en) 2006-09-19 2008-05-29 Ned Smith Methods and apparatus to perform secure boot
US20080127336A1 (en) 2006-09-19 2008-05-29 Microsoft Corporation Automated malware signature generation
US20110047618A1 (en) 2006-10-18 2011-02-24 University Of Virginia Patent Foundation Method, System, and Computer Program Product for Malware Detection, Analysis, and Response
US20080141373A1 (en) 2006-12-12 2008-06-12 Fortinet, Inc. Detection of undesired computer files in archives
US20080168533A1 (en) 2006-12-21 2008-07-10 Kabushiki Kaisha Toshiba Program verification apparatus and method, and signature system based on program verification
WO2008089626A1 (en) 2007-01-22 2008-07-31 Zte Corporation A method for identifying a malicious call
US7945787B2 (en) 2007-04-13 2011-05-17 Computer Associates Think, Inc. Method and system for detecting malware using a remote server
US20080313738A1 (en) 2007-06-15 2008-12-18 Broadcom Corporation Multi-Stage Deep Packet Inspection for Lightweight Devices
US20090064329A1 (en) 2007-06-25 2009-03-05 Google Inc. Zero-hour quarantine of suspect electronic messages
US20090044024A1 (en) 2007-08-06 2009-02-12 The Regents Of The University Of Michigan Network service for the detection, analysis and quarantine of malicious and unwanted files
US20090064337A1 (en) 2007-09-05 2009-03-05 Shih-Wei Chien Method and apparatus for preventing web page attacks
US20090097661A1 (en) 2007-09-14 2009-04-16 Security First Corporation Systems and methods for managing cryptographic keys
US20090083852A1 (en) 2007-09-26 2009-03-26 Microsoft Corporation Whitelist and Blacklist Identification Data
US20090088133A1 (en) 2007-09-28 2009-04-02 Mark Orlassino Method and System for Distributing Data within a Group of Mobile Units
US20140053263A1 (en) 2007-11-28 2014-02-20 Igor Muttik System, method and computer program product for sending information extracted from a potentially unwanted data sample to generate a signature
US9106688B2 (en) 2007-11-28 2015-08-11 Mcafee, Inc. System, method and computer program product for sending information extracted from a potentially unwanted data sample to generate a signature
US20160036832A1 (en) 2007-11-28 2016-02-04 Mcafee, Inc. System, method and computer program product for sending information extracted from a potentially unwanted data sample to generate a signature
US8590039B1 (en) 2007-11-28 2013-11-19 Mcafee, Inc. System, method and computer program product for sending information extracted from a potentially unwanted data sample to generate a signature
US20100031358A1 (en) 2008-02-04 2010-02-04 Deutsche Telekom Ag System that provides early detection, alert, and response to electronic threats
US20160261620A1 (en) 2008-03-18 2016-09-08 Mcafee, Inc. System, method, and computer program product for dynamically configuring a virtual environment for identifying unwanted data
US9306796B1 (en) 2008-03-18 2016-04-05 Mcafee, Inc. System, method, and computer program product for dynamically configuring a virtual environment for identifying unwanted data
US20130276120A1 (en) 2008-06-02 2013-10-17 Gregory William Dalcher System, method, and computer program product for determining whether a security status of data is known at a server
US8301904B1 (en) 2008-06-24 2012-10-30 Mcafee, Inc. System, method, and computer program product for automatically identifying potentially unwanted data as unwanted
US8627461B2 (en) 2009-03-04 2014-01-07 Mcafee, Inc. System, method, and computer program product for verifying an identification of program information as unwanted
US20130276106A1 (en) 2009-03-04 2013-10-17 Christopher Barton System, method, and computer program product for verifying an identification of program information as unwanted
US20110138465A1 (en) 2009-12-03 2011-06-09 International Business Machines Corporation Mitigating malicious file propagation with progressive identifiers
WO2011082084A2 (en) 2009-12-31 2011-07-07 Mcafee, Inc. Malware detection via reputation system
US8719939B2 (en) 2009-12-31 2014-05-06 Mcafee, Inc. Malware detection via reputation system
US20110162070A1 (en) 2009-12-31 2011-06-30 Mcafee, Inc. Malware detection via reputation system
US20110197177A1 (en) 2010-02-09 2011-08-11 Rajesh Mony Detection of scripting-language-based exploits using parse tree transformation
US20120084859A1 (en) 2010-09-30 2012-04-05 Microsoft Corporation Realtime multiple engine selection and combining

Non-Patent Citations (63)

* Cited by examiner, † Cited by third party
Title
"Blacklist," Wikipedia, last modified Jun. 5, 2008, http://en.wikipedia.org/Wiki/Blacklist.
"chroot(2)-Linux man page" http://linux.die.net/man/2/chroot. Downloaded on Feb. 27, 2008 from-http://linux.die.net/man/2/chroot-pp. 1-2.
"Linux/Unix Command: chroot", Downloaded on Feb. 27, 2008 from-http://linux.about.com/library/cmd/blcmd12_chroot. htm-pp. 1-3.
"VMWare DiskMount Utility: User's Manual", http://www.vmware.com/pdf/VMwareDiskMount.pdf, 1998-2005, Revision Apr. 8, 2005, VMWare, Inc., 6 pages.
"chroot(2)—Linux man page" http://linux.die.net/man/2/chroot. Downloaded on Feb. 27, 2008 from—http://linux.die.net/man/2/chroot—pp. 1-2.
"Linux/Unix Command: chroot", Downloaded on Feb. 27, 2008 from—http://linux.about.com/library/cmd/blcmd12_chroot. htm—pp. 1-3.
Advisory Action dated 5, 2012 for U.S. Appl. No. 12/398,073 (3 pages), July.
Advisory Action dated Jul. 29, 2011 in U.S. Appl. No. 12/050,432 (4 pages).
An Architecture for Generating Semantics-Aware Signatures; Vinod Yegneswaran, Jonathon T. Giffin, Paul Barford, Somesh Jha; Appeared in Proceedings of Usenix Security Symposium 2005, year 2005, all pages.
Chouchane, Mohamed R., Andrew Walenstein, and Arun Lakhotia. "Statistical signatures for fast filtering of instruction-substituting metamorphic malware." Proceedings of the 2007 ACM workshop on Recurring malcode. ACM, 2007 (7 pages), Retrieved from internet on Mar. 8, 2017 at https://webcache.googleusercontent.com/search?q=cache:RcgpFElyJe0J:https://cs.columbusstate.edu/cae-ia/facultypapers/chouchane/2007-chouchane-walenstein-lakhotia.pdf+&cd=1&hl=en&ct=clnk&gl=us.
Christodorescu, Miha et al. "Testing Malware Detectors", In the Proceedings of the ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA '04), vol. 29, Issue 4, Jul. 11-14, 2004, Boston Massachusetts, 11 pages.
Final Office Action dated Apr. 12, 2012 for U.S. Appl. No. 12/398,073.
Final Office Action dated Jun. 28, 2012 for U.S. Appl. No. 12/131,383 (27 pages).
Final Office Action dated Mar. 7, 2014 for U.S. Appl. No. 12/131,383 (32 pages).
Final Office Action dated Oct. 17, 2011 for U.S. Appl. No. 12/131,383.
Final Office Action from U.S. Appl. No. 12/050,432 dated Jun. 21, 2012 (9 pages).
Final Office Action received for U.S. Appl. No. 12/144,967 dated Aug. 17, 2011, 8 pages.
Final Office Action, dated Dec. 29, 2011 for U.S. Appl. No. 11/946,777.
Hu, Guoning, and Deepak Venugopal. "A malware signature extraction and detection method applied to mobile networks." Performance, Computing, and Communications Conference, 2007. IPCCC 2007. IEEE international. IEEE, 2007.
International Preliminary Report received for PCT Patent Application No. PCT/US2010/061889, dated Jul. 4, 2012, 4 pages.
International Search Report and Written Opinion received for PCT Patent Application No. PCT/US2010/061889, dated Aug. 29, 2011, 6 pages.
Korean Intellectual Property Office Notice of Grounds for Refusal in Korean Patent Application No. 10-2012-7020220, dated Sep. 23, 2013, 15 pages of Office Action including 5 pages of English Translation.
Non Final Office Action dated Sep. 11, 2013 in U.S. Appl. No. 12/131,383 (29 pages).
Non-Final Office Action dated Apr. 22, 2016 for U.S. Appl. No. 14/823,855 (11 pages).
Non-Final Office Action dated Feb. 11, 2015 for U.S. Appl. No. 14/063,813 (18 pages).
Non-Final Office Action dated Feb. 15, 2013 for U.S. Appl. No. 12/398,073 (12 pages).
Non-Final Office Action dated Mar. 12, 2012 for U.S. Appl. No. 12/050,432.
Non-Final Office Action dated Mar. 13, 2012 for U.S. Appl. No. 12/693,765 (13 pages).
Non-Final Office Action dated Mar. 15, 2012 for U.S. Appl. No. 12/144,967 (8 pages).
Non-Final Office Action dated Mar. 6, 2012 for U.S. Appl. No. 12/131,383.
Non-Final Office Action dated Oct. 4, 2011 for U.S. Appl. No. 12/398,073.
Non-Final Office Action in U.S. Appl. No. 12/144,967 dated Mar. 3, 2011 (8 pages).
Non-Final Office Action received for U.S. Appl. No. 11/946,777, dated Feb. 1, 2013, 5 pages.
Non-Final Office Action Summary from U.S. Appl. No. 11/946,777 dated Jan. 5, 2011.
Non-Final Office Action, dated Dec. 29, 2011 for U.S. Appl. No. 11/946,777.
Notice of Allowance dated Apr. 16, 2015 for U.S. Appl. No. 14/063,813 (10 pages).
Notice of Allowance dated Aug. 30, 2013 for U.S. Appl. No. 12/398,073 (10 pages).
Notice of Allowance dated Jun. 24, 2013 for U.S. Appl. No. 12/398,073 (10 pages).
Notice of Allowance dated Nov. 23, 2016 for U.S. Appl. No. 14/823,855 (11 pages).
Notice of Allowance from U.S. Appl. No. 12/050,432 dated Dec. 16, 2015 (5 pages).
Notice of Allowance from U.S. Appl. No. 12/144,967 dated Aug. 17, 2012 (7 pages).
Notice of Allowance received for U.S. Appl. No. 11/946,777, dated Jul. 19, 2013 (12 pages).
Offce Action Summary from U.S. Appl. No. 11/946,777 dated Jun. 13, 2011.
Office Action for Australian Patent Application No. 2010336989, dated Jun. 21, 2013, 3 pages.
Office Action Summary from U.S. Appl. No. 12/050,432 dated May 13, 2011.
Office Action Summary from U.S. Appl. No. 12/050,432 dated Oct. 6, 2010.
Office Action Summary from U.S. Appl. No. 12/111,846 dated Jun. 24, 2011.
Office Action Summary from U.S. Appl. No. 12/131,383 dated Jun. 24, 2011.
Provisional U.S. Appl. No. 61/291,568 which was filed Dec. 31, 2009 (13 pages).
U.S. Appl. No. 11/946,777, which was filed Nov. 28, 2007.
U.S. Appl. No. 12/050,432, which was filed Mar. 18, 2008.
U.S. Appl. No. 12/111,846, which was filed Apr. 29, 2008.
U.S. Appl. No. 12/131,383, which was filed Jun. 2, 2008.
U.S. Appl. No. 12/144,967 which was filed Jun. 24, 2008 (31 pages).
U.S. Appl. No. 12/398,073, filed Mar. 4, 2009 (24 pages).
U.S. Appl. No. 12/398,073, filed Mar. 4, 2009.
U.S. Appl. No. 12/693,765, filed Jan. 26, 2010 (16 pages).
U.S. Appl. No. 14/063,813 which was filed Oct. 25, 2013 (24 pages).
U.S. Appl. No. 14/823,855 which was filed Aug. 11, 2015 (21 pages).
U.S. Appl. No. 15/070,051 which was filed Mar. 15, 2016 (18 pages).
Wolf, Chris, Column: "Virtual Server 2005 R2 SP1 Treasures: VHD Mount", Jun. 2007, Microsoft Certified Professional Magazine Online, Downloaded on Feb. 27, 2008 from-http://mcpmag.com/columns/article.asp?EditorialsID=1793-pp. 1-5.
Wolf, Chris, Column: "Virtual Server 2005 R2 SP1 Treasures: VHD Mount", Jun. 2007, Microsoft Certified Professional Magazine Online, Downloaded on Feb. 27, 2008 from—http://mcpmag.com/columns/article.asp?EditorialsID=1793—pp. 1-5.
Xu, J-Y., et al, "Polymorphic malicious executable scanner by API sequence analysis." Hybrid Intelligent Systems, 2004. HIS'04. Fourth International Conference on IEEE. 2004.

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11575689B2 (en) 2008-03-18 2023-02-07 Mcafee, Llc System, method, and computer program product for dynamically configuring a virtual environment for identifying unwanted data

Also Published As

Publication number Publication date
US8301904B1 (en) 2012-10-30

Similar Documents

Publication Publication Date Title
USRE47558E1 (en) System, method, and computer program product for automatically identifying potentially unwanted data as unwanted
US10122746B1 (en) Correlation and consolidation of analytic data for holistic view of malware attack
US9294505B2 (en) System, method, and computer program product for preventing a modification to a domain name system setting
US8925087B1 (en) Apparatus and methods for in-the-cloud identification of spam and/or malware
US8677493B2 (en) Dynamic cleaning for malware using cloud technology
US9715589B2 (en) Operating system consistency and malware protection
US9614866B2 (en) System, method and computer program product for sending information extracted from a potentially unwanted data sample to generate a signature
US9628513B2 (en) Electronic message manager system, method, and computer program product for scanning an electronic message for unwanted content and associated unwanted sites
US11687651B2 (en) Cloud-based malware detection
US8448232B1 (en) System, method, and computer program product for preventing communication of unwanted network traffic by holding only a last portion of the network traffic
US8627461B2 (en) System, method, and computer program product for verifying an identification of program information as unwanted
US20230185915A1 (en) Detecting microsoft windows installer malware using text classification models
US9092624B2 (en) System, method, and computer program product for conditionally performing a scan on data based on an associated data structure
USRE48043E1 (en) System, method and computer program product for sending unwanted activity information to a central system
US8645949B2 (en) System, method, and computer program product for scanning data utilizing one of a plurality of virtual machines of a device
US8438637B1 (en) System, method, and computer program product for performing an analysis on a plurality of portions of potentially unwanted data each requested from a different device
US8613092B2 (en) System, method and computer program product for updating a security system definition database based on prioritized instances of known unwanted data
US8918864B2 (en) System, method, and computer program product for making a scan decision during communication of data over a network

Legal Events

Date Code Title Description
AS Assignment

Owner name: MCAFEE, LLC, CALIFORNIA

Free format text: CHANGE OF NAME AND ENTITY CONVERSION;ASSIGNOR:MCAFEE, INC.;REEL/FRAME:043665/0918

Effective date: 20161220

AS Assignment

Owner name: JPMORGAN CHASE BANK, N.A., NEW YORK

Free format text: SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:045055/0786

Effective date: 20170929

Owner name: MORGAN STANLEY SENIOR FUNDING, INC., MARYLAND

Free format text: SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:045056/0676

Effective date: 20170929

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8

AS Assignment

Owner name: MORGAN STANLEY SENIOR FUNDING, INC., MARYLAND

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045056 FRAME 0676. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:054206/0593

Effective date: 20170929

Owner name: JPMORGAN CHASE BANK, N.A., NEW YORK

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045055 FRAME 786. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:055854/0047

Effective date: 20170929

AS Assignment

Owner name: MCAFEE, LLC, CALIFORNIA

Free format text: RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL/FRAME 045055/0786;ASSIGNOR:JPMORGAN CHASE BANK, N.A., AS COLLATERAL AGENT;REEL/FRAME:054238/0001

Effective date: 20201026

AS Assignment

Owner name: MCAFEE, LLC, CALIFORNIA

Free format text: RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL/FRAME 045056/0676;ASSIGNOR:MORGAN STANLEY SENIOR FUNDING, INC., AS COLLATERAL AGENT;REEL/FRAME:059354/0213

Effective date: 20220301

AS Assignment

Owner name: JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT AND COLLATERAL AGENT, NEW YORK

Free format text: SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:059354/0335

Effective date: 20220301

AS Assignment

Owner name: JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT, NEW YORK

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE THE PATENT TITLES AND REMOVE DUPLICATES IN THE SCHEDULE PREVIOUSLY RECORDED AT REEL: 059354 FRAME: 0335. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:060792/0307

Effective date: 20220301

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12