Detecting file encrypting malware

US9292687B2 · US · B2

Patent metadata
Publication number: US-9292687-B2
Application number: US-201414462638-A
Country: US
Kind code: B2
Filing date: Aug 19, 2014
Priority date: Aug 22, 2013
Publication date: Mar 22, 2016
Grant date: Mar 22, 2016

Abstract

A method in a computer for detecting a file encryption attack. The computer detects an attempt to overwrite current file data of a file with new file data. The computer then compares the new file data to the current file data to obtain a measure of the difference between the current and the new file data, and if the difference exceeds a threshold, the computer considers this to identify a file encryption attack.

Claims

The invention claimed is:

1. A method in a computer for detecting a file encryption attack attempting to encrypt file data, the method comprising: detecting, by a computing device, an attempt to overwrite existing file data of a file with new file data; calculating, by the computing device, a difference in entropy between the new file data and the existing file data, wherein the calculating the difference in entropy comprises calculating a measure of how well the existing file and the new file data could be compressed without data loss given a pre-determined compression scheme; using, by the computing device, said difference in entropy to identify a file encryption attack; performing, by the computing device, a response to the identified file encryption attack, wherein the response comprises at least one of: preventing the attempt to overwrite the existing file data; reverting the attempt to overwrite the existing file data; terminating a program, process, service or thread which performed the attempt to overwrite the existing file data; and notifying the user and sending a notification to a remote server of the identified attack.

2. The method according to claim 1, comprising: prompting the user to authorise performing the response.

3. The method according to claim 1, comprising: identifying the attempt to overwrite the existing file data as non-malicious if a program, process, service or thread which performed the attempt to overwrite the existing file data is included on a whitelist.

4. The method according to claim 3, comprising: prompting the user to add a program, process, service or thread which performed the attempt to overwrite the existing file data to the whitelist.

5. The method according to claim 1, comprising: identifying the attempt to overwrite the existing file data as non-malicious if a file type of the file is not a target file type.

6. The method according to claim 1, comprising: incrementing a count of a number of modifications for a program, process, service or thread which performed the attempt to overwrite the existing file data.

7. The method according to claim 6, comprising: determining that the count of the number of modifications for the program, process, service or thread exceeds a threshold value; and performing a response comprising at least one of: terminating the program, process, service or thread; reverting all file operations performed by the program, process, service or thread; preventing the attempt to overwrite the existing file data; notifying the user.

8. The method according to claim 1, wherein said detecting is performed by a software module logically located between applications of the computer and a software kernel of the computer, or within the software kernel.

9. A computer comprising: a file system monitor, configured with one or more processors, for detecting an attempt to overwrite existing file data of a file with new file data; a data comparator, configured with the one or more processors, for calculating a difference in entropy between the new file data and the existing file data, wherein the calculating the difference in entropy comprises calculating a measure of how well the existing file and the new file data could be compressed without data loss given a pre-determined compression scheme; and an attack response processor configured for using said difference in entropy to identify a file encryption attack and for performing a response to the identified file encryption attack, wherein the response comprises at least one of: preventing the attempt to overwrite the existing file data; reverting the attempt to overwrite the existing file data; terminating a program, process, service or thread which performed the attempt to overwrite the existing file data; and notifying the user of the attack.

10. The computer according to claim 9, wherein the attack response processor is configured to prompt the user to authorise performing the response.

11. The computer according to claim 9, comprising a memory for storing a whitelist of programs, processes, services or threads, and a whitelist module for identifying the attempt to overwrite the existing file data as non-malicious if a program, process, service or thread which performed the attempt to overwrite the existing file data is included on the whitelist.

12. The computer according to claim 11, wherein the whitelist module is configured to add the program, process, service or thread which performed the attempt to overwrite the existing file data to the whitelist in response to user input.

13. The computer according to claim 9, comprising a program context module configured to, in response to identifying the file encryption attack, increment a count of a number of modifications for the program, process, service or thread which performed the attempt to overwrite the existing file data.

14. The computer according to claim 13, wherein the program context module is additionally configured to: determine that the count of the number of modifications for the program, process, service, or thread exceeds a threshold value; and the attack response processor is configured to perform a response comprising at least one of: terminating the program, process, service or thread; reverting all file operations performed by the program, process, service or thread; preventing the attempt to overwrite the existing file data; notifying the user.

15. The computer according to claim 9, wherein the file system monitor comprises a software module logically located between applications of the computer and a software kernel of the computer, or within the software kernel.

16. A device comprising a computer program for causing the device to perform a method for detecting a file encryption attack attempting to encrypt file data, the method comprising: detecting an attempt to overwrite existing file data of a file with new file data; calculating a difference in entropy between the new file data and the existing file data, wherein the calculating the difference in entropy comprises calculating a measure of how well the existing file and the new file data could be compressed without data loss given a pre-determined compression scheme; using said difference in entropy to identify a file encryption attack; and performing, by the computing device, a response to the identified file encryption attack, wherein the response comprises at least one of: preventing the attempt to overwrite the existing file data; reverting the attempt to overwrite the existing file data; terminating a program, process, service or thread which performed the attempt to overwrite the existing file data; and notifying the user and sending a notification to a remote server of the identified attack.

Assignees

F Secure Corp

Inventors

Classifications

  • G06F21/554 (Primary): involving event detection and direct action · CPC title
  • by checking file integrity · CPC title
  • Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware · CPC title
  • G06F21/56 (Primary): Computer malware detection or handling, e.g. anti-virus arrangements · CPC title
  • the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title


Frequently asked questions

What does patent US9292687B2 cover?
A method in a computer for detecting a file encryption attack. The computer detects an attempt to overwrite current file data of a file with new file data. The computer then compares the new file data to the current file data to obtain a measure of the difference between the current and the new file data, and if the difference exceeds a threshold, the computer considers this to identify a file …
Who is the assignee on this patent?
F Secure Corp
What technology area does this patent fall under?
Primary CPC classification G06F21/554. Mapped technology areas include Physics.
When was this patent published?
Publication date Mar 22, 2016 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).