IPC classification information
Country / Type | United States (US) Patent, Registered
International Patent Classification (IPC 7th edition) |
Application number | US-0944121 (2010-11-11)
Registration number | US-8413244 (2013-04-02)
Inventor / Address |
Applicant / Address |
Agent / Address |
Citation information | Cited by: 25; Cited patents: 7
Abstract
Techniques for classifying unknown files taking into account temporal proximity between unknown files and files with known classifications are disclosed. In response to a classification request for a target file, client systems hosting (or hosted) instances of the target file are identified. For each system, files created around the time the target file was created on the system are identified. Within the identified files, files with known classifications are identified, and a score is determined for each such file to measure temporal proximity between the creation of the file and the creation of the target file. Local temporal proximity scores aggregate the scores for the client system. Global temporal proximity scores measure an aspect of the local temporal proximity scores for all identified client systems. The global temporal proximity scores are fed into a classifier to determine a classification, which is returned in response to the classification request.
Representative claims
1. A computer-implemented method for classifying computer files, comprising: identifying a plurality of client systems hosting a local instance of a target file; for one or more of the identified plurality of client systems, identifying a plurality of files hosted on the client system, one or more of the plurality of files associated with a timestamp within a time range around a timestamp associated with the local instance of the target file hosted on the client system, identifying known malicious files in the plurality of files hosted on the client system, for one or more of the identified known malicious files, determining a score measuring a temporal proximity between the timestamp of the malicious file and the timestamp of the local instance of the target file, and determining a local malicious temporal proximity score measuring an aggregation of the scores of the identified known malicious files; determining a global malicious temporal proximity score measuring an aspect of the local malicious temporal proximity scores of the identified plurality of client systems; and determining a classification of the target file based at least in part on the global malicious temporal proximity score.
2. The method of claim 1, wherein identifying the plurality of client systems hosting the file further comprises identifying one or more client systems that hosted the file.
3. The method of claim 1, wherein the aspect of the local malicious temporal proximity scores measured by the global malicious temporal proximity score comprises at least one of the following: an average, a mean, a median, a maximum, and a minimum.
4. The method of claim 1, wherein the timestamp of the target file comprises a creation timestamp of the target file.
5. The method of claim 1, wherein the classification comprises malicious and legitimate, wherein a file classified as malicious is known to contain malware and a file classified as legitimate is known to not contain malware.
6. The method of claim 1, wherein the classification comprises a spectrum of classifications ranging from malicious to legitimate, wherein a file classified as malicious is known to contain malware and a file classified as legitimate is known to not contain malware.
7. A computer-implemented method for classifying computer files, comprising: identifying a plurality of client systems hosting a local instance of a target file; for one or more of the identified plurality of client systems, identifying a plurality of files hosted on the client system, one or more of the plurality of files associated with a timestamp within a time range around a timestamp associated with the local instance of the target file hosted on the client system, identifying known legitimate files in the plurality of files hosted on the client system, for one or more of the identified known legitimate files, determining a score measuring a temporal proximity between the timestamp of the legitimate file and the timestamp of the local instance of the target file, and determining a local legitimate temporal proximity score measuring an aggregation of the scores of the identified known legitimate files; determining a global legitimate temporal proximity score measuring an aspect of the local legitimate temporal proximity scores of the identified plurality of client systems; and determining a classification of the target file based at least in part on the global legitimate temporal proximity score.
8. The method of claim 7, wherein identifying the plurality of client systems hosting the file further comprises identifying one or more client systems that hosted the file.
9. The method of claim 7, wherein the aspect of the local legitimate temporal proximity scores measured by the global legitimate temporal proximity score comprises at least one of the following: an average, a mean, a median, a maximum, and a minimum.
10. The method of claim 7, wherein the timestamp of the target file comprises a creation timestamp of the target file.
11. The method of claim 7, wherein the classification comprises malicious and legitimate, wherein a file classified as malicious is known to contain malware and a file classified as legitimate is known to not contain malware.
12. The method of claim 7, wherein the classification comprises a spectrum of classifications ranging from malicious to legitimate, wherein a file classified as malicious is known to contain malware and a file classified as legitimate is known to not contain malware.
13. A computer system for classifying computer files, comprising: a computer-readable storage medium comprising executable computer program code for: identifying a plurality of client systems hosting a local instance of a target file; for one or more of the identified plurality of client systems, identifying a plurality of files hosted on the client system, one or more of the plurality of files associated with a timestamp within a time range around a timestamp associated with the local instance of the target file hosted on the client system, identifying known malicious files in the plurality of files hosted on the client system, for one or more of the identified known malicious files, determining a score measuring a temporal proximity between the timestamp of the malicious file and the timestamp of the local instance of the target file, and determining a local malicious temporal proximity score measuring an aggregation of the scores of the identified known malicious files; determining a global malicious temporal proximity score measuring an aspect of the local malicious temporal proximity scores of the identified plurality of client systems; and determining a classification of the target file based at least in part on the global malicious temporal proximity score.
14. The computer system of claim 13, wherein identifying the plurality of client systems hosting the file further comprises identifying one or more client systems that hosted the file.
15. The computer system of claim 13, wherein the aspect of the local malicious temporal proximity scores measured by the global malicious temporal proximity score comprises at least one of the following: an average, a mean, a median, a maximum, and a minimum.
16. The computer system of claim 13, wherein the timestamp of the target file comprises a creation timestamp of the target file.
17. The computer system of claim 13, wherein the classification comprises malicious and legitimate, wherein a file classified as malicious is known to contain malware and a file classified as legitimate is known to not contain malware.
18. The computer system of claim 13, wherein the classification comprises a spectrum of classifications ranging from malicious to legitimate, wherein a file classified as malicious is known to contain malware and a file classified as legitimate is known to not contain malware.
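The abstract and claims 1 and 7 describe a three-stage pipeline: a per-file proximity score, a per-client (local) aggregation, and a cross-client (global) aggregation that feeds a classifier. The following Python is an added illustration of that pipeline written for this page; it is not code from the patent or its assignee. Everything in it is assumed: files are identified by a `sha256` string, client telemetry is a dict of `FileEvent` lists, the window is 10 minutes with a linear score that falls from 1.0 at the target's timestamp to 0.0 at the window edge, local aggregation is a sum, and the final "classifier" is a simple margin rule standing in for a trained model. It covers both the malicious-neighbour (claim 1) and legitimate-neighbour (claim 7) variants and lets the global aggregate be swapped (mean, max, min, median) as claim 3 allows.

```python
"""Temporal-proximity file classification (added example, not the patent's code).

Assumptions (constructed for this example): files are identified by a 'sha256'
string, telemetry is {client_id: [FileEvent, ...]}, the proximity window is
10 minutes, local aggregation is a sum, and the classifier is a margin rule.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FileEvent:
    sha256: str        # file identity shared across clients (constructed labels below)
    created: datetime  # creation timestamp of this instance on this client
    label: str         # "malicious", "legitimate" or "unknown"


WINDOW = timedelta(minutes=10)  # assumed time range around the target's timestamp


def proximity_score(file_ts: datetime, target_ts: datetime,
                    window: timedelta = WINDOW) -> float:
    """Score in [0, 1]: 1.0 if created at the same instant as the target,
    falling linearly to 0.0 at the edge of the window (0.0 outside it)."""
    delta = abs(file_ts - target_ts)
    if delta >= window:
        return 0.0
    return 1.0 - delta / window


def local_scores(client_files: List[FileEvent], target_hash: str,
                 window: timedelta = WINDOW) -> Optional[Tuple[float, float]]:
    """Per-client step: sum the proximity scores of known malicious and known
    legitimate files created near the target's local instance.
    Returns (malicious, legitimate), or None if this client never hosted the target."""
    instances = [f for f in client_files if f.sha256 == target_hash]
    if not instances:
        return None
    target_ts = min(f.created for f in instances)  # earliest local creation time
    malicious = legitimate = 0.0
    for f in client_files:
        if f.sha256 == target_hash or f.label == "unknown":
            continue  # the target itself and unlabelled files contribute nothing
        score = proximity_score(f.created, target_ts, window)
        if f.label == "malicious":
            malicious += score
        elif f.label == "legitimate":
            legitimate += score
    return malicious, legitimate


def global_scores(telemetry: Dict[str, List[FileEvent]], target_hash: str,
                  aggregate: Callable[[List[float]], float] = mean
                  ) -> Optional[Tuple[float, float]]:
    """Cross-client step: apply one aggregate (mean/max/min/median) over the
    local scores of every client that hosts the target."""
    per_client = []
    for files in telemetry.values():
        scores = local_scores(files, target_hash)
        if scores is not None:
            per_client.append(scores)
    if not per_client:
        return None  # no client hosts the target: nothing to score
    return (aggregate([m for m, _ in per_client]),
            aggregate([l for _, l in per_client]))


def classify(telemetry: Dict[str, List[FileEvent]], target_hash: str,
             margin: float = 0.5, aggregate: Callable[[List[float]], float] = mean) -> str:
    """Stand-in for the trained classifier: compare the two global scores.
    The 0.5 margin is an assumed threshold, not a value from the patent."""
    scores = global_scores(telemetry, target_hash, aggregate)
    if scores is None:
        return "unknown"
    g_mal, g_leg = scores
    if g_mal - g_leg >= margin:
        return "malicious"
    if g_leg - g_mal >= margin:
        return "legitimate"
    return "unknown"


def ts(hour: int, minute: int) -> datetime:
    """Constructed timestamps on a single day."""
    return datetime(2024, 1, 15, hour, minute)


# Constructed telemetry: "target" and "tool" are the unknown files under test.
TELEMETRY = {
    "client-A": [FileEvent("target", ts(10, 0), "unknown"),
                 FileEvent("mal-1", ts(10, 2), "malicious"),     # score 0.8 for "target"
                 FileEvent("leg-1", ts(10, 30), "legitimate"),   # outside window: 0.0
                 FileEvent("tool", ts(12, 0), "unknown"),
                 FileEvent("leg-3", ts(12, 1), "legitimate")],   # score 0.9 for "tool"
    "client-B": [FileEvent("target", ts(11, 0), "unknown"),
                 FileEvent("mal-1", ts(11, 1), "malicious"),     # score 0.9 for "target"
                 FileEvent("mal-2", ts(11, 5), "malicious"),     # score 0.5 for "target"
                 FileEvent("tool", ts(13, 0), "unknown"),
                 FileEvent("leg-1", ts(13, 4), "legitimate")],   # score 0.6 for "tool"
    "client-C": [FileEvent("leg-2", ts(9, 0), "legitimate")],    # hosts neither file
}

if __name__ == "__main__":
    # local: A=(0.8, 0.0), B=(1.4, 0.0); mean -> (1.1, 0.0); max -> (1.4, 0.0)
    print(global_scores(TELEMETRY, "target"), classify(TELEMETRY, "target"))
    print(global_scores(TELEMETRY, "tool"), classify(TELEMETRY, "tool"))
```

Two points worth noticing when reading it against the claims: a client that never hosted the target is excluded before the global aggregate, so it cannot dilute the score, and a file at or beyond the window edge contributes exactly zero rather than a small value. In a real deployment the hard-coded window, the linear shape and the margin rule would all be replaced by values learned from labelled telemetry, which is what the patent's classifier stage implies.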