Methods and apparatus for dealing with malware
US-9413721-B2 · Aug 9, 2016 · US
US2016004864A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016004864-A1 |
| Application number | US-201514668833-A |
| Country | US |
| Kind code | A1 |
| Filing date | Mar 25, 2015 |
| Priority date | Jul 3, 2014 |
| Publication date | Jan 7, 2016 |
| Grant date | — |
Official abstract text for this publication.
Embodiments of the present disclosure relate to a data analysis system that may automatically analyze a suspected malware file, or group of files. Automatic analysis of the suspected malware file(s) may include one or more automatic analysis techniques. Automatic analysis may include production and gathering of various items of information related to the suspected malware file(s) including, for example, calculated hashes, file properties, academic analysis information, file execution information, third-party analysis information, and/or the like. The analysis information may be automatically associated with the suspected malware file(s), and a user interface may be generated in which the various analysis information items are presented to a human analyst such that the analyst may quickly and efficiently evaluate the suspected malware file(s). For example, the analyst may quickly determine one or more characteristics of the suspected malware file(s), whether or not the file(s) is malware, and/or a threat level of the file(s).
Opening claim text (preview).
What is claimed is:
1. A computer system comprising: one or more computer readable storage devices configured to store: a plurality of computer executable instructions; and a plurality of data items each associated with at least one submission event, each submission event indicating at least one of: a date the associated data item was submitted, or an identifier of a person who submitted the associated data item, wherein: the plurality of data items include at least a first data item, the first data item is associated with a first submission event, and the first data item is further associated with a plurality of analysis information items from an analysis of the first data item; and one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the plurality of computer executable instructions in order to cause the computer system to: receive a second data item, the second data item representing a suspected malware file; compare the second data item with the first data item; determine that the second data item and the first data item match; and provide a notification that the second data item was previously received.
2. The computer system of claim 1, wherein the notification includes an indication of the first submission event.
3. The computer system of claim 2, wherein the indication of the first submission event includes the date that the first data item was previously submitted.
4. The computer system of claim 3, wherein the indication of the first submission event further includes the identifier of the person who submitted the first data item.
5. The computer system of claim 1, wherein the one or more hardware computer processors are further configured to execute the plurality of computer executable instructions in order to cause the computer system to: generate a user interface including one or more user selectable portions presenting various of the analysis information items associated with the first data item.
6. The computer system of claim 5, wherein the one or more hardware computer processors are further configured to execute the plurality of computer executable instructions in order to cause the computer system to: in response to receiving the second data item, generate a second submission event associated with the receipt of the second data item.
7. The computer system of claim 6, wherein the one or more hardware computer processors are further configured to execute the plurality of computer executable instructions in order to cause the computer system to: in response to determining that the second data item and the first data item match, associate the second submission event with the first data item.
8. The computer system of claim 7, wherein the user interface further includes a selectable element, the selectable element configured to cause the computer system to generate a graphical visualization including at least: a first graphical representation of the first data item, a second graphical representation of the first submission event, and a third graphical representation of the second submission event.
9. The computer system of claim 8, wherein the graphical visualization further includes: a fourth graphical representation of at least one of the analysis information items.
10. The computer system of claim 9, wherein the graphical visualization further includes: a fifth graphical representation of relationships among the first, second, third, and fourth graphical representations.
11. The computer system of claim 10, wherein the first, second, third, and fourth graphical representations comprise graphical nodes, and the fifth graphical representation comprises graphical edges.
12. The computer system of claim 1, wherein the one or more hardware computer processors are further configured to execute the plurality of computer executable instructions in order to cause the computer system to: initiate an internal analysis of the first data item including at least calculation of a hash of the data item; initiate an external analysis of the first data item by one or more third party analysis systems; and associate results of the internal and external analyses with the first data item, the results of the internal and external analyses comprising the analysis information items.
13. The computer system of claim 12, wherein the internal analysis includes analysis performed by the one or more hardware computer processors, and wherein the internal analysis further includes at least one of calculation of an MD5 hash of the first data item, calculation of a SHA-1 hash of the first data item, calculation of a SHA-256 hash of the first data item, calculation of an SSDeep hash of the first data item, or calculation of a size of the first data item.
14. The computer system of claim 12, wherein the external analysis includes analysis performed by at least a second computer system, and wherein the external analysis includes execution of the first data item in a sandboxed environment and analysis of the first data item by a third-party malware analysis service.
15. The computer system of claim 14, wherein any payload provided by the first data item after execution of the first data item in the sandboxed environment is associated with the first data item.
16. The computer system of claim 1, wherein the one or more hardware computer processors are further configured to execute the plurality of computer executable instructions in order to cause the computer system to: in response to receiving the second data item, generate a second submission event associated with the receipt of the second data item; and in response to determining that the second data item and the first data item match, associate the second submission event with the first data item.
17. The computer system of claim 16, wherein the one or more hardware computer processors are further configured to execute the plurality of computer executable instructions in order to cause the computer system to: receive a third data item, the third data item representing another suspected malware file; generate a third submission event associated with the receipt of the third data item; compare the third data item with at least one of the first data item or the second data item; determine that the third data item and at least one of the first data item or the second data item match; associate the third submission event with the first data item; and provide a notification that the third data item was previously received.
18. The computer system of claim 1, wherein comparing the second data item with the first data item comprises: calculating a hash of the second data item and comparing the calculated hash to a previously calculated hash of the first data item.
19. The computer system of claim 1, wherein the one or more hardware computer processors are further configured to execute the plurality of computer executable instructions in order to cause the computer system to: share the first data item and associated analysis information items with a second computer system via a third computer system.
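The submission-matching flow of claims 1, 13, 16 and 18 (hash the incoming file, compare with stored hashes, attach the new submission event to the existing item, notify with the first submission's date and submitter), as an added illustration that is not the patent's own code. The in-memory registry, the ISO date strings and the sample bytes are assumptions; the SSDeep fuzzy hash of claim 13 is omitted because it needs a third-party library.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SubmissionEvent:
    """Claim 1: who submitted the data item and when (ISO date string, assumed)."""
    submitted_on: str
    submitted_by: str


@dataclass
class DataItem:
    """A suspected malware file, its analysis information items and its submission history."""
    analysis: Dict[str, object]
    events: List[SubmissionEvent] = field(default_factory=list)


def internal_analysis(content: bytes) -> Dict[str, object]:
    """Claim 13 internal analysis: MD5, SHA-1, SHA-256 and size (SSDeep left out)."""
    return {
        "md5": hashlib.md5(content).hexdigest(),
        "sha1": hashlib.sha1(content).hexdigest(),
        "sha256": hashlib.sha256(content).hexdigest(),
        "size": len(content),
    }


class SampleRegistry:
    """Hypothetical in-memory stand-in for the patent's storage devices, keyed by SHA-256."""

    def __init__(self) -> None:
        self._by_sha256: Dict[str, DataItem] = {}

    def submit(self, content: bytes, submitted_by: str,
               submitted_on: str) -> Tuple[DataItem, Optional[str]]:
        """Claim 18: hash the new submission and compare against stored hashes.
        On a match, attach the new event to the stored item (claim 16) and return a
        notification naming the first submission's date and submitter (claims 2-4)."""
        analysis = internal_analysis(content)
        event = SubmissionEvent(submitted_on, submitted_by)
        existing = self._by_sha256.get(analysis["sha256"])
        if existing is not None:
            existing.events.append(event)
            first = existing.events[0]
            notice = (f"previously received on {first.submitted_on} by "
                      f"{first.submitted_by}; {len(existing.events)} submissions total")
            return existing, notice
        item = DataItem(analysis=analysis, events=[event])
        self._by_sha256[analysis["sha256"]] = item
        return item, None
```

A third resubmission (claim 17) follows the same path: it matches the stored item, its event is appended, and the notice still reports the first submission.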
Computer malware detection or handling, e.g. anti-virus arrangements · CPC title
Test or assess a computer or a system · CPC title
Multiple levels of security · CPC title
to a system of files or objects, e.g. local or distributed file system or database · CPC title
to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself · CPC title