System and method using function length statistics to determine file similarity
US-2018096145-A1 · Apr 5, 2018 · US
US12174952B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12174952-B2 |
| Application number | US-202318170421-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 16, 2023 |
| Priority date | Jun 29, 2017 |
| Publication date | Dec 24, 2024 |
| Grant date | Dec 24, 2024 |
Official abstract text for this publication.
Examples of the present disclosure describe systems and methods for providing advanced file modification heuristics. In aspects, software content is selected for monitoring. The monitoring comprises determining when the software content performs file accesses that are followed by read and/or write operations. The read/write operations are analyzed in real-time to determine whether the software content is modifying file content. If the monitoring indicates the software content is modifying accessed files, mathematical calculations are applied to the read-write operations to determine the nature of the modifications. Based on the determined nature of the file modifications, the actions of the software content may be categorized and halted prior to completion; thereby, mitigating malicious cyberattacks and/or unauthorized accesses.
Claims.
What is claimed is:

1. A system comprising: a processor; and a non-transitory computer readable media storing instructions that are executable by the processor for: obtaining monitoring results of monitoring of selected software content, the monitoring results indicating that the selected software content performs accesses of data content followed by input/output (I/O) operations on the data content; analyzing, in real time, actions of the I/O operations to determine whether the actions of the I/O operations are modifying the data content, wherein the analyzing of the actions excludes any evaluation of the data content on which the I/O operations are performed; responsive to determining that the actions of the I/O operations are modifying the data content, determining a categorization of the actions of the I/O operations; and responsive to determining the categorization, determining in real time whether to halt the actions of the I/O operations prior to completion.
2. The system of claim 1, wherein the instructions are executable by the processor for: selecting the selected software content for monitoring.
3. The system of claim 1, wherein the monitoring of the selected software content includes monitoring an event file.
4. The system of claim 1, wherein the accesses of data content comprise an access of a file, wherein the I/O operations on the data content comprise I/O operations on the accessed file.
5. The system of claim 1, wherein determining the categorization of the actions of the I/O operations comprises determining whether the actions of the I/O operations comprise data compression or data encryption.
6. The system of claim 1, wherein the instructions are executable by the processor for: restoring a previous version of the data content.
7. The system of claim 1, wherein determining the categorization of the actions of the I/O operations comprises evaluating randomness in accessed data content.
8. A method, comprising: obtaining monitoring results of monitoring of selected software content, the monitoring results indicating that the selected software content performs accesses of data content followed by input/output (I/O) operations on the data content; analyzing, in real time, actions of the I/O operations to determine whether the actions of the I/O operations are modifying the data content, wherein the analyzing of the actions excludes any evaluation of the data content on which the I/O operations are performed; responsive to determining that the actions of the I/O operations are modifying the data content, determining a categorization of the actions of the I/O operations; and responsive to determining the categorization, determining in real time whether to halt the actions of the I/O operations prior to completion.
9. The method of claim 8, further comprising: selecting the selected software content for monitoring.
10. The method of claim 8, wherein the monitoring of the selected software content includes monitoring an event file.
11. The method of claim 8, wherein the accesses of data content comprise an access of a file, wherein the I/O operations on the data content comprise I/O operations on the accessed file.
12. The method of claim 8, wherein determining the categorization of the actions of the I/O operations comprises determining whether the actions of the I/O operations comprise data compression or data encryption.
13. The method of claim 8, further comprising: restoring a previous version of the data content.
14. The method of claim 8, wherein determining the categorization of the actions of the I/O operations comprises evaluating randomness in accessed data content.
15. A non-transitory computer readable medium, comprising instructions for: obtaining monitoring results of monitoring of selected software content, the monitoring results indicating that the selected software content performs accesses of data content followed by input/output (I/O) operations on the data content; analyzing, in real time, actions of the I/O operations to determine whether the actions of the I/O operations are modifying the data content, wherein the analyzing of the actions excludes any evaluation of the data content on which the I/O operations are performed; responsive to determining that the actions of the I/O operations are modifying the data content, determining a categorization of the actions of the I/O operations; and responsive to determining the categorization, determining in real time whether to halt the actions of the I/O operations prior to completion.
16. The non-transitory computer readable medium of claim 15, wherein the instructions are for: selecting the selected software content for monitoring.
17. The non-transitory computer readable medium of claim 15, wherein the monitoring of the selected software content includes monitoring an event file.
18. The non-transitory computer readable medium of claim 15, wherein the accesses of data content comprise an access of a file, wherein the I/O operations on the data content comprise I/O operations on the accessed file.
19. The non-transitory computer readable medium of claim 15, wherein determining the categorization of the actions of the I/O operations comprises determining whether the actions of the I/O operations comprise data compression or data encryption.
20. The non-transitory computer readable medium of claim 15, wherein the instructions are for: restoring a previous version of the data content.
21. The non-transitory computer readable medium of claim 15, wherein determining the categorization of the actions of the I/O operations comprises evaluating randomness in accessed data content.
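An added illustration of the monitoring flow the abstract and claims describe; this is not code from the patent or its assignee. The "modifying" decision in claim 1 is made from the action pattern alone (a process reads a file, then writes it) without looking at the bytes, and the categorization of claims 5 and 7 then measures randomness (Shannon entropy) of the written bytes to flag compression or encryption, with a halt decision once a process shows a streak of such writes. The thresholds, the event record layout, the streak length and the sample event stream are all assumptions.

```python
import hashlib
import math
from collections import Counter, namedtuple

HIGH_ENTROPY_BITS = 7.0  # assumed threshold (bits/byte) for random-looking output
HALT_AFTER_HITS = 3      # assumed: consecutive high-entropy overwrites before halting
IoEvent = namedtuple("IoEvent", "process path op data")  # op: "read" | "write"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the byte-frequency distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def categorize(event: IoEvent) -> str:
    """Claims 5/7: random-looking written bytes => compression or encryption."""
    high = shannon_entropy(event.data) >= HIGH_ENTROPY_BITS
    return "encrypt_or_compress" if high else "plaintext"

def monitor(events):
    """Claim 1 flow: a write counts as 'modifying' when the same process read the
    file earlier (action pattern only, no content inspection); a streak of writes
    categorized encrypt/compress yields a halt. Returns {process: event index}."""
    seen_reads, streak, halted = set(), {}, {}
    for idx, ev in enumerate(events):
        if ev.op == "read":
            seen_reads.add((ev.process, ev.path))
            continue
        modifying = (ev.process, ev.path) in seen_reads
        if modifying and categorize(ev) == "encrypt_or_compress":
            streak[ev.process] = streak.get(ev.process, 0) + 1
            if streak[ev.process] >= HALT_AFTER_HITS:
                halted.setdefault(ev.process, idx)  # first halt decision is kept
        else:
            streak[ev.process] = 0
    return halted

def pseudo_random(n: int, seed: bytes) -> bytes:
    # deterministic random-looking bytes standing in for ciphertext (constructed)
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

PLAINTEXT = (b"Quarterly report: revenue up 4%, costs flat. " * 100)[:4096]
# Constructed stream: "editor" rewrites a.txt as text; "susp" reads three files and overwrites them.
SAMPLE_EVENTS = [IoEvent("editor", "/docs/a.txt", "read", PLAINTEXT),
                 IoEvent("editor", "/docs/a.txt", "write", PLAINTEXT)]
for p in ("/docs/0.txt", "/docs/1.txt", "/docs/2.txt"):
    SAMPLE_EVENTS += [IoEvent("susp", p, "read", PLAINTEXT),
                      IoEvent("susp", p, "write", pseudo_random(4096, p.encode()))]
```

Legitimately written archives or already-encrypted files score just as high, which is why the claims name compression and encryption together and why the halt here waits for a streak rather than acting on a single write.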
CPC classification titles:

- Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- Test or assess a computer or a system
- to a system of files or objects, e.g. local or distributed file system or database
- involving long-term monitoring or reporting
- involving event detection and direct action