[US Patent]
Methods and apparatus for dealing with malware
IPC classification information
Country / Type
United States (US) Patent
Registered
International Patent Classification (IPC 7th edition)
H04L-029/06
G06F-021/56
Application number
US-0372375 (2012-02-13)
Registration number
US-9413721 (2016-08-09)
Inventor / Address
Morris, Melvyn
Jaroch, Joseph
Applicant / Address
WEBROOT INC.
Agent / Address
Merchant & Gould P.C.
Citation information
Cited by: 2
Cited patents: 36
Abstract
Methods for classifying computer objects as malware and the associated apparatus are disclosed. An exemplary method includes, at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored or processed wherein the base computer comprises plural threat servers arranged to receive the data from the plural remote computers and apply rules or heuristics against the data in real time to determine whether or not the object is malware and to communicate the determination to the remote computers. The base computer includes at least one central server in communication with the threat servers and arranged to receive the data about objects from the threat servers to maintain a master database of data received about objects from all threat servers.
Representative claims
1. A method of classifying a computer object as malware, the method comprising: receiving, at a first threat server, details of a first computer object from a first remote computer, wherein the details of the first computer object include data uniquely identifying the first computer object; determining, by the first threat server, whether the first computer object has been previously seen by comparing the data uniquely identifying the first computer object to a plurality of data uniquely identifying plural computer objects in a first database associated with the first threat server; receiving additional information about the first computer object from the first remote computer when the first computer object has not been previously seen; storing the details of the first computer object and the received additional information about the first computer object in a second database associated with the first threat server when the first computer object has not been previously seen; providing contents of the second database to at least one database associated with a central server, wherein the contents comprise a signature of the first computer object, behavior information about the first computer object, and information about the first remote computer; increasing a count associated with a number of times that the first computer object has been seen, and providing the increased count associated with the number of times that the first computer object has been seen to the central server; and receiving, at a second threat server, at least a portion of the contents of the at least one database associated with the central server, wherein the at least a portion of the contents of the at least one database associated with the central server include a subset of the details of the first computer object stored in the second database.

2. The method according to claim 1, further comprising storing at intervals, the contents of the second database in storage together with a timestamp and clearing the second database.

3. The method according to claim 2, further comprising creating a backup central server by receiving at a second central server, all of the time-stamped blocks of data from the second database and incorporating all of the time-stamped blocks of data into at least one database associated with the second central server.

4. The method according to claim 2, further comprising: taking the central server off-line for a period of time such that the central server does not receive data from the first and second threat servers during that period of time; after the period of time has elapsed, updating at least one database associated with the central server with time-stamped blocks of data from the storage that have a timestamp later than the time when the central server went off-line; and bringing the central server back on line.

5. The method according to claim 2, comprising: rolling back at least one database associated with the central server to a point of time in the past; updating the at least one database associated with the central server with time-stamped blocks of data from storage that have a timestamp later than the past point of time; and bringing the central server back on line.

6. The method according to claim 2, wherein the central server comprises: a) an object database storing object signatures and metadata about objects; b) a behavior database storing object behavior information; and c) a computer-object database storing information about what objects are present on what remote computers.

7. The method according to claim 6, wherein the threat and central servers are implemented using cloud computing.

8. The method according to claim 1, further comprising: receiving, at the second threat server, details of a second computer object from a second remote computer, wherein the details of the second computer object include data uniquely identifying the second computer object; determining, by the second threat server, whether the second computer object has been previously seen by comparing the data uniquely identifying the second computer object to a plurality of data uniquely identifying plural computer objects in a third database associated with the second threat server; determining that the second computer object has been seen before; increasing a count associated with a number of times that the second computer object has been seen and providing the increased count associated with the number of times that the second computer object has been seen to the at least one central server; and receiving, at the first threat server, a count associated with the number of times that the second computer object has been seen.

9. A system for classifying a computer object as malware, the system comprising: a first threat server arranged to receive details of a computer object from a first remote computer, wherein the details of the first computer object include data uniquely identifying the first computer object, wherein the first threat server is further arranged to receive the details of the computer object from the first remote computer and determine whether the first computer object has been previously seen by comparing the data uniquely identifying the first computer object to a plurality of data uniquely identifying plural computer objects in a first database associated with the first threat server, wherein the first threat server is further arranged to receive additional information about the first computer object from the first remote computer when the first computer object has not been previously seen, store the details of the first computer object and the received additional information about the first computer object in a second database associated with the first threat server when the first computer object has not been previously seen, provide contents of the second database to at least one database associated with a central server wherein the contents comprise a signature of the first computer object, behavior information about the first computer object, and information about the first remote computer, and increase a count associated with a number of times that the first computer object has been seen; the central server arranged to receive the increased count associated with the number of times that the first computer object has been seen; and a second threat server arranged to receive at least a portion of the contents of the at least one database associated with the central server, wherein the at least a portion of the contents of the at least one database associated with the central server include a subset of the details of the first computer object stored in the second database.

10. The system according to claim 9, wherein the first and second threat servers are arranged to store, at intervals, the contents of the second database in storage together with a timestamp and clear the database.

11. The system according to claim 10, further comprising: a backup central server having a database, the database of the backup central server being populated by receiving at the backup central server all of the time-stamped blocks of data from the storage and incorporating them into the database of the backup central server.

12. The system according to claim 10, wherein, in the event that the central server is taken off-line for a period of time such that it does not receive updates of data from the first and second threat servers during that period of time, the central server is arranged to, after the period of time has elapsed, update at least one database with time-stamped blocks of data from the storage that have a timestamp later than the time when the central server went off-line.

13. The system according to claim 10, wherein, in the event that at least one database of a central server is rolled back to a point of time in the past, the central server is arranged to update the at least one database with time-stamped blocks of data from storage that have a timestamp later than the point of time in the past.

14. The system according to claim 9, wherein the central server comprises: a) an object database storing object signatures and metadata about objects; b) a behavior database storing object behavior information; and c) a computer-object database storing information about what objects are present on what remote computers.

15. The system according to claim 14, wherein the first and second threat servers and the central server are implemented using cloud computing.
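The following simulation is an added illustration of the flow in claims 1, 2 and 4 (first-seen check against a per-threat-server database, fetching extra information only for new objects, a second database shipped to the central server and archived as timestamped blocks, and replay of those blocks after a central-server outage). It is not Webroot's code and is not taken from the patent; class and method names (`ThreatServer`, `CentralServer`, `receive`, `flush`, `restore`), the use of SHA-256 as the "data uniquely identifying" an object, the carrying of the seen-count inside each archived record, and all sample objects and behaviour notes are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Record:
    """One entry in a threat server's second database (claim 1). Carrying the
    count in the record is a simplification so that replay restores it too."""
    signature: str
    behavior: str
    remote: str
    count: int


class CentralServer:
    """Master database split as in claim 6: objects, behaviour, objects per computer."""

    def __init__(self):
        self.objects = {}        # signature -> highest count reported so far
        self.behavior = {}       # signature -> behaviour information
        self.computers = {}      # remote computer -> set of signatures seen there
        self.online = True
        self.offline_since = None

    def ingest(self, block):
        """Absorb a block of records; silently dropped while off-line (claim 4 premise)."""
        if not self.online:
            return False
        for r in block:
            self.objects[r.signature] = max(self.objects.get(r.signature, 0), r.count)
            self.behavior[r.signature] = r.behavior
            self.computers.setdefault(r.remote, set()).add(r.signature)
        return True

    def update_count(self, signature, count):
        if not self.online:
            return False
        self.objects[signature] = max(self.objects.get(signature, 0), count)
        return True

    def go_offline(self, now):
        self.online = False
        self.offline_since = now

    def restore(self, storage):
        """Claim 4: come back on line and replay blocks stamped after the outage began."""
        self.online = True
        replayed = 0
        for ts, block in storage:
            if ts > self.offline_since:
                self.ingest(block)
                replayed += 1
        return replayed

    def subset_for(self, signature):
        """The subset of details a second threat server receives (claim 1, last step)."""
        if signature not in self.objects:
            return None
        return {"count": self.objects[signature], "behavior": self.behavior[signature]}


class ThreatServer:
    def __init__(self, name, central, storage):
        self.name = name
        self.central = central
        self.storage = storage   # shared list of (timestamp, block) pairs, claim 2
        self.known = {}          # first database: signature -> times seen
        self.staging = []        # second database: records not yet shipped

    def receive(self, remote, content, more_info):
        """Handle one object report; more_info() is called only for never-seen objects."""
        sig = hashlib.sha256(content).hexdigest()   # assumed unique identifier
        first_time = sig not in self.known
        self.known[sig] = self.known.get(sig, 0) + 1
        if first_time:
            self.staging.append(Record(sig, more_info(sig), remote, 1))
        self.central.update_count(sig, self.known[sig])
        return sig, first_time, self.known[sig]

    def flush(self, now):
        """Claim 2: ship the second database, archive it with a timestamp, then clear it."""
        block = list(self.staging)
        self.central.ingest(block)
        self.storage.append((now, block))
        self.staging.clear()
        return len(block)

    def pull(self, signature):
        return self.central.subset_for(signature)


def demo():
    storage, central = [], CentralServer()
    ts1 = ThreatServer("threat-1", central, storage)
    ts2 = ThreatServer("threat-2", central, storage)
    sample = b"constructed sample object"               # constructed, not a real binary
    fetches = []

    def more_info(sig):                                  # stands in for the remote's reply
        fetches.append(sig)
        return "writes to startup folder"                # constructed behaviour note

    sig, new, _ = ts1.receive("pc-A", sample, more_info)
    ts1.receive("pc-B", sample, more_info)               # seen before: no extra fetch
    ts1.flush(now=1)
    central.go_offline(now=2)
    ts1.receive("pc-C", b"constructed second object", lambda s: "opens raw socket")
    ts1.flush(now=3)                                     # shipped while central is off-line
    replayed = central.restore(storage)                  # claim 4 recovery replays t=3 only
    return {
        "first_seen": new, "count_after_two": ts1.known[sig], "extra_fetches": len(fetches),
        "replayed_blocks": replayed, "central_objects": len(central.objects),
        "ts2_view": ts2.pull(sig),
    }


if __name__ == "__main__":
    print(demo())
```

The replay in `restore` is what makes the periodic clearing in claim 2 safe: the threat server's second database is emptied after each flush, so the timestamped archive is the only copy of data the central server missed while off-line, and a backup central server (claim 3) would be built by feeding it every archived block rather than only those after a cut-off.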
Waissbein, Ariel; Futoransky, Ariel; Tiscornia, Diego Bartolome; Gutesman, Ezequiel David, Establishing and enforcing security and privacy policies in web-based applications.
McGrattan, Emma K.; Ball, Stephen; Moucaddem, Sami R.; Rivet, Jean-Francois; Kuo, Chin L.; Yang, Frank H., Method and apparatus for data backup using data blocks.
Houston, Gregory Neil; Kobsa, Christian D.; Embar, Sridhar; Di Iorio, Matthew Thaddeus; Williams, Bryan Douglas; Nikitaides, Michael George, System and method for managing security events on a network.
Mahaffey, Kevin Patrick; Burgess, James David; Golombek, David; Wyatt, Timothy Micheal; Lineberry, Anthony McKay; Barton, Kyle; Evans, Daniel Lee; Richardson, David Luke; Salomon, Ariel, System and method for server-coupled malware prevention.