System and method using function length statistics to determine file similarity
US-2018096145-A1 · Apr 5, 2018 · US
US2025068731A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2025068731-A1 |
| Application number | US-202418944668-A |
| Country | US |
| Kind code | A1 |
| Filing date | Nov 12, 2024 |
| Priority date | Jun 29, 2017 |
| Publication date | Feb 27, 2025 |
| Grant date | — |
Official abstract text for this publication.
Examples of the present disclosure describe systems and methods for providing advanced file modification heuristics. In aspects, software content is selected for monitoring. The monitoring comprises determining when the software content performs file accesses that are followed by read and/or write operations. The read/write operations are analyzed in real-time to determine whether the software content is modifying file content. If the monitoring indicates the software content is modifying accessed files, mathematical calculations are applied to the read-write operations to determine the nature of the modifications. Based on the determined nature of the file modifications, the actions of the software content may be categorized and halted prior to completion; thereby, mitigating malicious cyberattacks and/or unauthorized accesses.
Opening claim text (preview).
What is claimed is:
1. A system comprising: a processor; and a non-transitory computer readable media storing instructions that are executable by the processor for: obtaining monitoring results of monitoring selected software content, the monitoring results indicating that the selected software content performs accesses of data content, including input/output (I/O) operations on the data content; analyzing the I/O operations to determine whether the I/O operations are modifying the data content, wherein the analyzing of the actions of the I/O operations does not perform evaluations on the data content on which the I/O operations are performed; responsive to a determination that the actions of the I/O operations are modifying the data content, categorizing the actions of the I/O operations; and responsive to the determined categorization, determining a response to the actions of the I/O operations.
2. The system of claim 1, wherein the I/O operations are analyzed using a file modification heuristic.
3. The system of claim 2, wherein the file modification heuristic includes one or more of an I/O block analysis, a cumulative read/write analysis, an I/O offset comparison, or an I/O sequence analysis.
4. The system of claim 1, wherein categorizing the action of the I/O operations comprises determining a nature of the modification of the data content.
5. The system of claim 4, wherein determining the nature of the modification comprises applying Shannon Entropy to the I/O operations, applying Pearson's chi-squared test to the I/O operations or applying a Monte Carlo method to the I/O operations.
6. The system of claim 1, wherein determining a response comprises comparing the categorization to a list of known malicious or non-malicious software content, or evaluating the categorization using a set of rules or a model.
7. The system of claim 6, wherein the response comprises pausing or terminating the I/O operations, restricting access by the software content to at least a portion of the data content, or suppressing functionality available to the software content.
8. A method, comprising: obtaining monitoring results of monitoring selected software content, the monitoring results indicating that the selected software content performs accesses of data content, including input/output (I/O) operations on the data content; analyzing the I/O operations to determine whether the I/O operations are modifying the data content, wherein the analyzing of the actions of the I/O operations does not perform evaluations on the data content on which the I/O operations are performed; responsive to a determination that the actions of the I/O operations are modifying the data content, categorizing the actions of the I/O operations; and responsive to the determined categorization, determining a response to the actions of the I/O operations.
9. The method of claim 8, wherein the I/O operations are analyzed using a file modification heuristic.
10. The method of claim 9, wherein the file modification heuristic includes one or more of an I/O block analysis, a cumulative read/write analysis, an I/O offset comparison, or an I/O sequence analysis.
11. The method of claim 8, wherein categorizing the action of the I/O operations comprises determining a nature of the modification of the data content.
12. The method of claim 11, wherein determining the nature of the modification comprises applying Shannon Entropy to the I/O operations, applying Pearson's chi-squared test to the I/O operations or applying a Monte Carlo method to the I/O operations.
13. The method of claim 8, wherein determining a response comprises comparing the categorization to a list of known malicious or non-malicious software content, or evaluating the categorization using a set of rules or a model.
14. The method of claim 13, wherein the response comprises pausing or terminating the I/O operations, restricting access by the software content to at least a portion of the data content, or suppressing functionality available to the software content.
15. A non-transitory computer readable medium, comprising instructions for: obtaining monitoring results of monitoring selected software content, the monitoring results indicating that the selected software content performs accesses of data content, including input/output (I/O) operations on the data content; analyzing the I/O operations to determine whether the I/O operations are modifying the data content, wherein the analyzing of the actions of the I/O operations does not perform evaluations on the data content on which the I/O operations are performed; responsive to a determination that the actions of the I/O operations are modifying the data content, categorizing the actions of the I/O operations; and responsive to the determined categorization, determining a response to the actions of the I/O operations.
16. The method of claim 15, wherein the I/O operations are analyzed using a file modification heuristic.
17. The method of claim 16, wherein the file modification heuristic includes one or more of an I/O block analysis, a cumulative read/write analysis, an I/O offset comparison, or an I/O sequence analysis.
18. The method of claim 15, wherein categorizing the action of the I/O operations comprises determining a nature of the modification of the data content.
19. The method of claim 18, wherein determining the nature of the modification comprises applying Shannon Entropy to the I/O operations, applying Pearson's chi-squared test to the I/O operations or applying a Monte Carlo method to the I/O operations.
20. The method of claim 15, wherein determining a response comprises comparing the categorization to a list of known malicious or non-malicious software content, or evaluating the categorization using a set of rules or a model.
21. The method of claim 20, wherein the response comprises pausing or terminating the I/O operations, restricting access by the software content to at least a portion of the data content, or suppressing functionality available to the software content.
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title
Test or assess a computer or a system · CPC title
to a system of files or objects, e.g. local or distributed file system or database · CPC title
involving long-term monitoring or reporting · CPC title
involving event detection and direct action · CPC title