Data loss prevention in the event of malware detection
US-9064130-B1 · Jun 23, 2015 · US
US9317686B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9317686-B1 |
| Application number | US-201313943534-A |
| Country | US |
| Kind code | B1 |
| Filing date | Jul 16, 2013 |
| Priority date | Jul 16, 2013 |
| Publication date | Apr 19, 2016 |
| Grant date | Apr 19, 2016 |
Abstract
Operating system events are monitored and a file change request of a process is detected. If the process is suspicious, then the file to be changed is backed up and then the process is allowed to change the file as requested. If it is later determined that the process is ransomware, the process is blocked and further file backups are halted. The original file is recovered and the encrypted file is discarded. If it is later determined that the process is not malicious, then further file backups are halted. Any backup files are discarded. Ransomware may be detected by comparing a file extension of the process with file extensions of any files requested to be changed, by comparing file extensions of any files requested to be changed, or by an analysis of behavior of the process itself.
Claims (preview)
We claim:

1. A method of backing up a computer file, said method comprising: continuously monitoring system events within an operating system of a computer; detecting that a process executing on said computer is requesting that said computer file in persistent storage of said computer be changed; determining that said process is suspected of being malicious before said computer file is changed; backing up said computer file to a storage location different from a current location of said computer file in said persistent storage, said backing up occurring before said computer file is changed and only occurring when said process is suspected of being malicious; and allowing said suspicious process to change said computer file as requested; determining that said suspicious process is not malicious by comparing a file extension of said computer file with said suspicious process; and halting any further file backups for computer files associated with said suspicious process.
2. The method as recited in claim 1 wherein said suspicious process is ransomware, and wherein said suspicious process is allowed to encrypt said computer file.
3. The method as recited in claim 1 wherein said suspicious process executes in user mode of said computer.
4. The method as recited in claim 1 further comprising: allowing said suspicious process to encrypt said computer file; determining that said suspicious process is ransomware; and terminating execution of said suspicious process once said determination of ransomware is made.
5. The method as recited in claim 1 further comprising: recovering said backed up computer file from said storage location; and rendering inaccessible said changed computer file.
6. The method as recited in claim 1 wherein said detecting includes intercepting an operating system call to change said computer file, said method further comprising: returning control to said operating system call after said backing up in order to permit said allowing to occur.
7. The method as recited in claim 1 further comprising: determining that said process is suspected of being malicious in real time after said detecting.
8. The method as recited in claim 1 further comprising: determining that said suspicious process is not malicious by comparing resident folders of other computer files that said suspicious process is requesting be changed.
9. The method as recited in claim 8 wherein each of said comparing steps produces a weighted value, said method further comprising: determining that a score of said weighted values is not over a threshold.
10. A method of backing up a computer file, said method comprising: continuously monitoring system events within an operating system of a computer; detecting that a process executing on said computer is requesting that said computer file in persistent storage of said computer be changed; determining that said process is suspected of being malicious before said computer file is changed; backing up said computer file to a storage location different from a current location of said computer file in said persistent storage, said backing up occurring before said computer file is changed and only occurring when said process is suspected of being malicious; allowing said suspicious process to change said computer file as requested; determining that said suspicious process is not malicious by comparing a file extension of said computer file with said suspicious process; and halting any further file backups for computer files associated with said suspicious process.
11. The method as recited in claim 10 wherein said suspicious process executes in user mode of said computer.
12. The method as recited in claim 10 further comprising: determining that said suspicious process is not malicious using a local white list on said computer.
13. The method as recited in claim 10 further comprising: determining that said suspicious process is not malicious using a remote cloud service.
14. The method as recited in claim 10 wherein said detecting includes intercepting an operating system call to change said computer file, said method further comprising: returning control to said operating system call after said backing up in order to permit said allowing to occur.
15. The method as recited in claim 10 further comprising: determining that said process is suspected of being malicious in real time after said detecting.
16. The method as recited in claim 10 further comprising: determining that said suspicious process is not malicious by comparing resident folders of other computer files that said suspicious process is requesting be changed.
17. The method as recited in claim 16 wherein each of said comparing steps produces a weighted value, said method further comprising: determining that a score of said weighted values is not over a threshold.
18. A method of backing up a computer file, said method comprising: detecting that a process executing on said computer is requesting that said computer file in persistent storage of said computer be changed; determining that said process is suspected of being malicious before said computer file is changed; backing up said computer file to a storage location different from a current location of said computer file in said persistent storage, said backing up occurring before said computer file is changed and only occurring when said process is suspected of being malicious; allowing said suspicious process to encrypt said computer file as requested; determining that said suspicious process is not malicious by comparing a file extension of said computer file with said suspicious process; and halting any further file backups for computer files associated with said suspicious process.
19. The method as recited in claim 18 further comprising: determining that suspicious process is ransomware by comparing a file extension of said suspicious process with a file extension of said computer file.
20. The method as recited in claim 18 wherein said suspicious process executes in user mode of said computer.
21. The method as recited in claim 18 further comprising: determining that suspicious process is ransomware by comparing a file extension of said computer file with a file extension of a second computer file that said suspicious process is requesting be changed.
22. The method as recited in claim 18 further comprising: recovering said backed up computer file from said storage location; and rendering inaccessible said changed computer file.
23. The method as recited in claim 18 wherein said detecting includes intercepting an operating system call to change said computer file, said method further comprising: returning control to said operating system call after said backing up in order to permit said allowing to occur.
24. The method as recited in claim 18 further comprising: determining that said process is suspected of being malicious in real time after said detecting.
25. The method as recited in claim 18 further comprising: determining that said suspicious process is not malicious by comparing resident folders of other computer files that said suspicious process is requesting be changed.
26. The method as recited in claim 25 wherein each of said comparing steps produces a weighted value, said method further comprising: determining that a score of said weighted values is n
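The backup-before-change flow of the abstract and the weighted comparisons of claims 8, 9, 12, 19 and 21, as an added simulation that is not code from the patent or its assignee. An in-memory dict stands in for persistent storage; the weights, the threshold and the white-list contents are assumed values, since the patent gives none.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed values: the patent describes weights, a threshold and a local white list
# but gives no numbers, so these are constructed for the example.
WEIGHTS = {"proc_ext": 2, "ext_spread": 2, "folder_spread": 1}
THRESHOLD = 3
WHITELIST = {"explorer.exe"}

def ext(path):
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""

def folder(path):
    return path.rsplit("/", 1)[0]

def score(proc_name, paths):
    """Weighted sum of the three comparisons in the claims; over THRESHOLD means ransomware."""
    exts = {ext(p) for p in paths}
    s = WEIGHTS["proc_ext"] if ext(proc_name) not in exts else 0        # process ext vs file exts
    s += WEIGHTS["ext_spread"] if len(exts) > 1 else 0                  # file exts vs each other
    s += WEIGHTS["folder_spread"] if len({folder(p) for p in paths}) > 1 else 0  # resident folders
    return s

@dataclass
class Monitor:
    fs: dict                                                  # path -> bytes (persistent storage)
    requests: dict = field(default_factory=lambda: defaultdict(list))  # pid -> paths it asked to change
    backups: dict = field(default_factory=dict)               # (pid, path) -> original bytes
    halted: set = field(default_factory=set)                  # pids judged benign: no more backups
    blocked: set = field(default_factory=set)                 # pids judged ransomware: terminated

    def on_change(self, pid, proc_name, path, data):
        """Intercepted change request: back up first if suspicious, then let the write through."""
        if pid in self.blocked:
            return False
        self.requests[pid].append(path)
        if pid not in self.halted and proc_name not in WHITELIST:
            self.backups.setdefault((pid, path), self.fs[path])   # copy taken before the change
        self.fs[path] = data
        return True

    def verdict(self, pid, proc_name):
        """Later decision: ransomware -> block and restore originals; benign -> halt and discard backups."""
        ransomware = score(proc_name, self.requests[pid]) > THRESHOLD
        for key in [k for k in self.backups if k[0] == pid]:
            original = self.backups.pop(key)
            if ransomware:
                self.fs[key[1]] = original            # recover original, drop the encrypted copy
        (self.blocked if ransomware else self.halted).add(pid)
        return "ransomware" if ransomware else "benign"

def demo():
    """Constructed scenario: one process encrypting across folders, one ordinary editor."""
    m = Monitor({"/docs/a.docx": b"A", "/photos/b.jpg": b"B", "/docs/c.docx": b"C"})
    m.on_change(1, "locker.exe", "/docs/a.docx", b"ENC1")
    m.on_change(1, "locker.exe", "/photos/b.jpg", b"ENC2")
    m.on_change(2, "editor.exe", "/docs/c.docx", b"edited")
    return m
```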
CPC classification titles:
- Backup scheduling policy
- Computer malware detection or handling, e.g. anti-virus arrangements
- Management of the data involved in backup or backup restore
- Eliminating virus, restoring damaged files
- Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities