Methods and apparatus for dealing with malware

US9413721B2 · US · B2

Patent metadata
Publication number: US-9413721-B2
Application number: US-201213372375-A
Country: US
Kind code: B2
Filing date: Feb 13, 2012
Priority date: Feb 15, 2011
Publication date: Aug 9, 2016
Grant date: Aug 9, 2016

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Methods for classifying computer objects as malware and the associated apparatus are disclosed. An exemplary method includes, at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored or processed wherein the base computer comprises plural threat servers arranged to receive the data from the plural remote computers and apply rules or heuristics against the data in real time to determine whether or not the object is malware and to communicate the determination to the remote computers. The base computer includes at least one central server in communication with the threat servers and arranged to receive the data about objects from the threat servers to maintain a master database of data received about objects from all threat servers.

First claim

Opening claim text (preview).

What is claimed is:

1. A method of classifying a computer object as malware, the method comprising: receiving, at a first threat server, details of a first computer object from a first remote computer, wherein the details of the first computer object include data uniquely identifying the first computer object; determining, by the first threat server, whether the first computer object has been previously seen by comparing the data uniquely identifying the first computer object to a plurality of data uniquely identifying plural computer objects in a first database associated with the first threat server; receiving additional information about the first computer object from the first remote computer when the first computer object has not been previously seen; storing the details of the first computer object and the received additional information about the first computer object in a second database associated with the first threat server when the first computer object has not been previously seen; providing contents of the second database to at least one database associated with a central server, wherein the contents comprise a signature of the first computer object, behavior information about the first computer object, and information about the first remote computer; increasing a count associated with a number of times that the first computer object has been seen, and providing the increased count associated with the number of times that the first computer object has been seen to the central server; and receiving, at a second threat server, at least a portion of the contents of the at least one database associated with the central server, wherein the at least a portion of the contents of the at least one database associated with the central server include a subset of the details of the first computer object stored in the second database.

2. The method according to claim 1, further comprising storing at intervals, the contents of the second database in storage together with a timestamp and clearing the second database.

3. The method according to claim 2, further comprising creating a backup central server by receiving at a second central server, all of the time-stamped blocks of data from the second database and incorporating all of the time-stamped blocks of data into at least one database associated with the second central server.

4. The method according to claim 2, further comprising: taking the central server off-line for a period of time such that the central server does not receive data from the first and second threat servers during that period of time; after the period of time has elapsed, updating at least one database associated with the central server with time-stamped blocks of data from the storage that have a timestamp later than the time when the central server went off-line; and bringing the central server back on line.

5. The method according to claim 2, comprising: rolling back at least one database associated with the central server to a point of time in the past; updating the at least one database associated with the central server with time-stamped blocks of data from storage that have a timestamp later than the past point of time; and bringing the central server back on line.

6. The method according to claim 2, wherein the central server comprises: a) an object database storing object signatures and metadata about objects; b) a behavior database storing object behavior information; and c) a computer-object database storing information about what objects are present on what remote computers.

7. The method according to claim 6, wherein the threat and central servers are implemented using cloud computing.

8. The method according to claim 1, further comprising: receiving, at the second threat server, details of a second computer object from a second remote computer, wherein the details of the second computer object include data uniquely identifying the second computer object; determining, by the second threat server, whether the second computer object has been previously seen by comparing the data uniquely identifying the second computer object to a plurality of data uniquely identifying plural computer objects in a third database associated with the second threat server; determining that the second computer object has been seen before; increasing a count associated with a number of times that the second computer object has been seen and providing the increased count associated with the number of times that the second computer object has been seen to the at least one central server; and receiving, at the first threat server, a count associated with the number of times that the second computer object has been seen.

9. A system for classifying a computer object as malware, the system comprising: a first threat server arranged to receive details of a computer object from a first remote computer, wherein the details of the first computer object include data uniquely identifying the first computer object, wherein the first threat server is further arranged to receive the details of the computer object from the first remote computer and determine whether the first computer object has been previously seen by comparing the data uniquely identifying the first computer object to a plurality of data uniquely identifying plural computer objects in a first database associated with the first threat server, wherein the first threat server is further arranged to receive additional information about the first computer object from the first remote computer when the first computer object has not been previously seen, store the details of the first computer object and the received additional information about the first computer object in a second database associated with the first threat server when the first computer object has not been previously seen, provide contents of the second database to at least one database associated with a central server wherein the contents comprise a signature of the first computer object, behavior information about the first computer object, and information about the first remote computer, and increase a count associated with a number of times that the first computer object has been seen; the central server arranged to receive the increased count associated with the number of times that the first computer object has been seen; and a second threat server arranged to receive at least a portion of the contents of the at least one database associated with the central server, wherein the at least a portion of the contents of the at least one database associated with the central server include a subset of the details of the first computer object stored in the second database.

10. The system according to claim 9, wherein the first and second threat servers are arranged to store, at intervals, the contents of the second database in storage together with a timestamp and clear the database.

11. The system according to claim 10, further comprising: a backup central server having a database, the database of the backup central server being populated by receiving at the backup central server all of the time-stamped blocks of data from the storage and incorporating them into the database of the backup central server.

12. The system according to claim 10, wherein, in the event that the central server is taken off-line for a period of time such that it does not receive updates of data from the first and second threat servers during that period of time, the central server is arranged to, after the period of time has elapsed, update at least one database with time-stamped blocks of data from the storage that have a timestamp later tha
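The architecture claimed above (claims 1, 2, 4 to 6 and 8), as an added Python illustration that is not part of the patent or of any Webroot product: threat servers deduplicate reports by signature, request the additional details only for never-seen objects, keep per-server counts, flush time-stamped blocks to storage, and a central server rebuilds its object, behaviour and computer-object databases by replaying only blocks stamped later than a chosen point in time. Server names, record fields and the sample behaviour record are constructed assumptions.

```python
from collections import defaultdict

class ThreatServer:
    def __init__(self, name):
        # 'seen' is the first database (identifiers only); 'pending' is the second database
        self.name, self.seen, self.pending = name, set(), []
        self.counts = defaultdict(int)  # times this server has seen each object

    def receive(self, signature, remote_id, fetch_details):
        """Handle one report; fetch_details (the 'additional information') runs only for unseen objects."""
        self.counts[signature] += 1
        if signature not in self.seen:
            self.seen.add(signature)
            self.pending.append({"signature": signature, "remote": remote_id, "behaviour": fetch_details()})
        return self.counts[signature]

    def flush(self, storage, ts):
        """Write pending details and current counts as a time-stamped block, then clear (claims 2, 10)."""
        storage.append({"ts": ts, "server": self.name, "records": self.pending, "counts": dict(self.counts)})
        self.pending = []

class CentralServer:
    def __init__(self):
        # the three central databases of claim 6: objects, behaviour, object presence per remote computer
        self.objects, self.behaviour = {}, {}
        self.presence = defaultdict(set)                     # signature -> remote computers
        self.counts = defaultdict(lambda: defaultdict(int))  # signature -> threat server -> count

    def ingest(self, block):
        for r in block["records"]:
            self.objects.setdefault(r["signature"], {"first_seen_by": block["server"], "ts": block["ts"]})
            self.behaviour.setdefault(r["signature"], r["behaviour"])
            self.presence[r["signature"]].add(r["remote"])
        for sig, n in block["counts"].items():
            self.counts[sig][block["server"]] = n

    def recover(self, storage, since):
        """Replay only blocks stamped later than `since`, e.g. after an outage or roll-back (claims 4, 5)."""
        for block in sorted(storage, key=lambda b: b["ts"]):
            if block["ts"] > since:
                self.ingest(block)

def demo(since=0):
    """Constructed scenario: one object reported from three PCs through two threat servers."""
    storage, ts_a, ts_b = [], ThreatServer("ts-A"), ThreatServer("ts-B")
    details = lambda: {"writes": ["%APPDATA%\\dropper.exe"]}  # constructed behaviour record
    for pc in ("pc-1", "pc-2"):
        ts_a.receive("sha256:aaa", pc, details)  # second report is a repeat: no details fetched
    ts_b.receive("sha256:aaa", "pc-3", details)
    ts_a.flush(storage, 1); ts_b.flush(storage, 2)
    central = CentralServer()
    central.recover(storage, since)  # since=0 builds from scratch; since=1 replays only ts-B's block
    return central
```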

Assignees

Inventors

Classifications

  • Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title

  • the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title

  • G06F21/56 (Primary)

    Computer malware detection or handling, e.g. anti-virus arrangements · CPC title

  • for detecting or protecting against malicious traffic · CPC title

  • Rule management · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9413721B2 cover?
Methods for classifying computer objects as malware and the associated apparatus are disclosed. An exemplary method includes, at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored or processed wherein the base computer comprises plural threat servers arranged to receive the data from the plural remote co…
Who is the assignee on this patent?
Morris Melvyn, Jaroch Joseph, Webroot Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/56. Mapped technology areas include Physics.
When was this patent published?
Publication date Aug 9, 2016 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).