IPC classification information
Country / Type | United States (US) Patent, Granted
International Patent Classification (IPC 7th ed.) |
Application number | US-0332975 (2011-12-21)
Registration number | US-8214904 (2012-07-03)
Inventors / Address | Doukhvalov, Andrey P.; Tikhomirov, Anton V.
Applicant / Address |
Agent / Address |
Citation information | Times cited: 4; Cited patents: 31
Abstract
Disclosed are systems, methods and computer program products for detecting unknown security threats. In one example, a system receives from an antivirus application deployed on a user's computer information about an unknown security event associated with software executing on the computer, together with the user's verdict indicating that the software is harmful or clean. The system identifies the user of the computer and the role of that user; the role indicates the user's level of expertise in the field of computer security. If the user has a high level of expertise in computer security, the system accepts the user's verdict. If the user has a low level of expertise, the system analyzes the information about the security event to verify that the user's verdict is correct. If the user's verdict was accepted or verified to be correct, the system updates an antivirus database associated with the antivirus application.
Representative claims
1. A computer-implemented method for detecting unknown security threats, the method comprising: receiving from an antivirus application deployed on a user's computer information about an unknown security event associated with a software object executing on said computer, and a user's verdict indicating that the software object is harmful or harmless to the security of said computer; identifying the user of said computer and a role of said user, wherein the user's role indicates user's level of expertise in the field of computer security; if the role of said user indicates that the user has a high level of expertise in the field of computer security, accepting the user's verdict that the software object is harmful or harmless; if the role of said user indicates that the user has a low level of expertise in the field of computer security, analyzing the information about the security event received from the antivirus application to verify that the user's verdict is correct; and if the user's verdict was accepted or verified to be correct, updating an antivirus database, which is associated with the antivirus application and contains information about known harmful and harmless software objects, with said information about the security event and indication that associated software object is harmful or harmless.

2. The method of claim 1 further comprising: if the user's verdict was verified to be correct, increasing the user's level of expertise; if the user's level of expertise reached a predefined threshold, increasing user's role.

3. The method of claim 1, wherein the user's level of expertise in the field of computer security is based on one or more of: a total number of computer threats detected by said user; a number of unique computer threats detected by said user; a level of user proficiency with the antivirus software; a frequency of infections of the computer of said user; and information about programs installed on the user's computer and the user's usage of said programs.

4. The method of claim 1 further comprising: detecting an anomaly in the information received from the antivirus application by comparing the received information with a historical record of threats detected by the user; decreasing the user's role based on detection of one or more anomalies.

5. The method of claim 1, wherein different roles have different associated weight coefficients, and wherein the user's verdict is given a higher or lower weight during verification of said user's verdict according to the weight coefficient associated with the role of said user.

6. The method of claim 1, wherein, if the information about the security event received from the antivirus application is not sufficient to verify that the user's verdict is correct or not, the processor is further configured to collect additional information about the security event and the associated software from the computer, wherein the additional information includes one or more of: information about the security event generated by one or more different security modules of the antivirus application, each module performing a different antivirus analysis; information about computer's software and hardware state at the time of occurrence of the security event; and the date, time and repeat frequency of the security event.

7. The method of claim 1, wherein the software object includes one of an executable file, a data file and a link.

8. A computer-based system for detecting unknown security threats, the system comprising: a processor configured to: receive from an antivirus application deployed on a user's computer information about an unknown security event associated with a software object executing on said computer, and a user's verdict indicating that the software object is harmful or harmless to the security of the computer; identify the user of said computer and a role of said user, wherein the user's role indicates user's level of expertise in the field of computer security; if the role of said user indicates that the user has a high level of expertise in the field of computer security, accept the user's verdict that the software object is harmful or harmless; if the role of said user indicates that the user has a low level of expertise in the field of computer security, analyze the information about the security event received from the antivirus application to verify that the user's verdict is correct; and if the user's verdict was accepted or verified to be correct, update an antivirus database, which is associated with the antivirus application and contains information about known harmful and harmless software object, with said information about the security event and indication that associated software object is harmful or harmless.

9. The system of claim 8, wherein the processor is further configured to: if the user's verdict was verified to be correct, increase the user's level of expertise; if the user's level of expertise reached a predefined threshold, increase user's role.

10. The system of claim 8, wherein the user's level of expertise in the field of computer security is based on one or more of: a total number of computer threats detected by said user; a number of unique computer threats detected by said user; a level of user proficiency with the antivirus software; a frequency of infections of the computer of said user; and information about programs installed on the user's computer and the user's usage of said programs.

11. The system of claim 8, wherein the processor is further configured to: detect an anomaly in the information received from the antivirus application by comparing the received information with a historical record of threats detected by the user; decreasing the user's role based on detection of one or more anomalies.

12. The system of claim 8, wherein different roles have different associated weight coefficients, and wherein the user's verdict is given a higher or lower weight during verification of said user's verdict according to the weight coefficient associated with the role of said user.

13. The system of claim 8, wherein, if the information about the security event received from the antivirus application is not sufficient to verify that the user's verdict is correct or not, collecting additional information about the security event and the associated software from the computer, wherein the additional information includes one or more of: information about the security event generated by one or more different security modules of the antivirus application, each module performing a different antivirus analysis; information about computer's software and hardware state at the time of occurrence of the security event; and the date, time and repeat frequency of the security event.

14. The system of claim 8, wherein the software object includes one of an executable file, a data file and a link.

15. A computer program product embedded in a non-transitory computer-readable storage medium, the computer-readable storage medium comprising computer-executable instructions for detecting unknown security threats, the medium comprises instructions for: receiving from an antivirus application deployed on a user's computer information about an unknown security event associated with a software object executing on said computer, and a user's verdict indicating that the software object is harmful or harmless to the security of the computer; identifying the user of said computer and a role of said user, wherein the user's role indicates user's level of expertise in the field of computer security; if the role of said user indicates that the user has a high level of expertise in the field of computer security, accepting the user's verdict that the software object is harmful or harmless; if the role of said user indicates that the user has a low level of expertise in the field of computer security, analyzing the information about the security event received from the antivirus application to verify that the user's verdict is correct; and if the user's verdict was accepted or verified to be correct, updating an antivirus database, which is associated with the antivirus application and contains information about known harmful and harmless software object, with said information about the security event and indication that associated software object is harmful or harmless.

16. The product of claim 15 further comprises instructions for: if the user's verdict was verified to be correct, increasing the user's level of expertise; if the user's level of expertise reached a predefined threshold, increasing user's role.

17. The product of claim 15, wherein the user's level of expertise in the field of computer security is based on one or more of: a total number of computer threats detected by said user; a number of unique computer threats detected by said user; a level of user proficiency with the antivirus software; a frequency of infections of the computer of said user; and information about programs installed on the user's computer and the user's usage of said programs.

18. The product of claim 15 further comprises instructions for: detecting an anomaly in the information received from the antivirus application by comparing the received information with a historical record of threats detected by the user; decreasing the user's role based on detection of one or more anomalies.

19. The product of claim 15, wherein different roles have different associated weight coefficients, and wherein the user's verdict is given a higher or lower weight during verification of said user's verdict according to the weight coefficient associated with the role of said user.

20. The product of claim 15, wherein, if the information about the security event received from the antivirus application is not sufficient to verify that the user's verdict is correct or not, collecting additional information about the security event and the associated software from the computer, wherein the additional information includes one or more of: information about the security event generated by one or more different security modules of the antivirus application, each module performing a different antivirus analysis; information about computer's software and hardware state at the time of occurrence of the security event; and the date, time and repeat frequency of the security event.
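The claims above describe a single decision procedure: accept a verdict outright from a high-expertise role, verify a low-expertise verdict against server-side analysis with a role-dependent weight (claim 5), signal when the event data is insufficient (claims 6, 13, 20), demote a role on an anomaly against the user's own history (claims 4, 11, 18), and promote a role once enough verdicts have been verified (claims 2, 9, 16). The Python below is an added illustration of that procedure written for this page; it is not code from the patent or its assignee. The role names, weight coefficients, promotion thresholds, the "fraction of suspicious behaviour flags" analysis and the "contradicts an earlier confirmed verdict on the same object" anomaly rule are all constructed assumptions, since the claims specify none of them.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Role ladder with weight coefficients (claim 5) and promotion thresholds (claim 2).
# All values are constructed for illustration; the patent gives no numbers.
ROLE_ORDER = ["novice", "advanced", "expert"]
ROLE_WEIGHT = {"novice": 0.3, "advanced": 0.7, "expert": 1.0}
PROMOTION_THRESHOLD = {"advanced": 5, "expert": 20}   # verified verdicts needed to reach the role
HIGH_EXPERTISE_ROLES = {"expert"}                       # verdicts from these roles are accepted as-is

# Behaviour flags the (assumed) server-side analysis treats as suspicious.
SUSPICIOUS = {"writes_autorun", "injects_process", "disables_av", "connects_to_unknown_host"}


@dataclass
class SecurityEvent:
    object_hash: str        # identifies the software object (executable, data file or link)
    behaviours: List[str]   # behaviour flags reported by the antivirus application
    user_verdict: str       # "harmful" or "harmless"


@dataclass
class UserProfile:
    user_id: str
    role: str = "novice"
    expertise: int = 0
    # Historical record of verdicts already confirmed for this user: object_hash -> verdict
    verdict_history: Dict[str, str] = field(default_factory=dict)


@dataclass
class AntivirusDatabase:
    known: Dict[str, str] = field(default_factory=dict)   # object_hash -> "harmful" / "harmless"


def analysis_score(event: SecurityEvent) -> Optional[float]:
    """Constructed analysis for low-expertise verdicts: fraction of reported behaviours that
    are suspicious, or None when no behaviour data was supplied (insufficient information)."""
    if not event.behaviours:
        return None
    return sum(b in SUSPICIOUS for b in event.behaviours) / len(event.behaviours)


def is_anomalous(user: UserProfile, event: SecurityEvent) -> bool:
    """Constructed anomaly rule: a verdict contradicting one this user already had confirmed
    for the same object is treated as an anomaly against the user's historical record."""
    earlier = user.verdict_history.get(event.object_hash)
    return earlier is not None and earlier != event.user_verdict


def change_role(user: UserProfile, step: int) -> None:
    """Move the user one role up (+1) or down (-1), clamped to the ends of the ladder."""
    idx = ROLE_ORDER.index(user.role) + step
    user.role = ROLE_ORDER[max(0, min(idx, len(ROLE_ORDER) - 1))]


def process_verdict(user: UserProfile, event: SecurityEvent, db: AntivirusDatabase) -> str:
    """Returns "accepted", "verified", "rejected", "anomaly" or "insufficient_information".
    Only accepted or verified verdicts update the antivirus database and the user's history."""
    if is_anomalous(user, event):
        change_role(user, -1)                     # demote on anomaly, do not record the verdict
        return "anomaly"

    user_says_harmful = event.user_verdict == "harmful"
    if user.role in HIGH_EXPERTISE_ROLES:
        outcome = "accepted"                      # high expertise: verdict taken without analysis
    else:
        score = analysis_score(event)
        if score is None:
            return "insufficient_information"     # caller would collect more event details
        w = ROLE_WEIGHT[user.role]
        # Weighted verification: the user's vote counts w, the analysis counts (1 - w).
        combined = w * (1.0 if user_says_harmful else 0.0) + (1.0 - w) * score
        if (combined >= 0.5) != user_says_harmful:
            return "rejected"
        outcome = "verified"
        user.expertise += 1                       # verified verdicts raise expertise
        next_idx = ROLE_ORDER.index(user.role) + 1
        if next_idx < len(ROLE_ORDER) and user.expertise >= PROMOTION_THRESHOLD[ROLE_ORDER[next_idx]]:
            change_role(user, +1)

    db.known[event.object_hash] = event.user_verdict
    user.verdict_history[event.object_hash] = event.user_verdict
    return outcome


if __name__ == "__main__":
    db = AntivirusDatabase()
    novice = UserProfile("alice")
    # Constructed event: three suspicious behaviour flags, user says harmful.
    ev = SecurityEvent("h1", ["writes_autorun", "injects_process", "disables_av"], "harmful")
    print(process_verdict(novice, ev, db), db.known, novice)
```

The weight coefficient is what makes the same borderline event come out differently for different roles: with one suspicious flag out of four (analysis score 0.25) a novice's "harmful" verdict scores 0.475 and is rejected, while an advanced user's scores 0.775 and is verified. An expert's verdict bypasses the analysis entirely, which also matches the formula at w = 1.0.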