Method for malware detection using deep inspection and data discovery agents
US-9367687-B1 · Jun 14, 2016 · US
US9785773B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9785773-B2 |
| Application number | US-201514668833-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 25, 2015 |
| Priority date | Jul 3, 2014 |
| Publication date | Oct 10, 2017 |
| Grant date | Oct 10, 2017 |
Official abstract text for this publication.
Embodiments of the present disclosure relate to a data analysis system that may automatically analyze a suspected malware file, or group of files. Automatic analysis of the suspected malware file(s) may include one or more automatic analysis techniques. Automatic analysis may include production and gathering of various items of information related to the suspected malware file(s) including, for example, calculated hashes, file properties, academic analysis information, file execution information, third-party analysis information, and/or the like. The analysis information may be automatically associated with the suspected malware file(s), and a user interface may be generated in which the various analysis information items are presented to a human analyst such that the analyst may quickly and efficiently evaluate the suspected malware file(s). For example, the analyst may quickly determine one or more characteristics of the suspected malware file(s), whether or not the file(s) are malware, and/or a threat level of the file(s).
Opening claim text (preview).
What is claimed is:

1. A computer system comprising: one or more computer readable storage devices configured to store: a plurality of computer executable instructions; and a plurality of data items each associated with at least one respective submission event, each submission event indicating at least one of: a date the associated data item was submitted, or an identifier of a person who submitted the associated data item, wherein: the plurality of data items include at least a first data item representing a suspected malware file, the first data item is associated with a first submission event, and the first data item is further associated with a plurality of analysis information items from an analysis of the first data item, wherein the plurality of analysis information items includes at least one of: a payload associated with the first data item, academic analysis information associated with the first data item, file execution information associated with the first data item, third-party analysis information associated with the first data item, a hash of the first data item, a size of the first data item, or a file property associated with the first data item; and one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the plurality of computer executable instructions in order to cause the one or more hardware computer processors to: receive, via an upload or transmission to the computer system, a second data item, the second data item representing a suspected malware file; perform an analysis of the second data item to determine one or more characteristics associated with the second data item; compare at least a first characteristic associated with the second data item with a corresponding first characteristic associated with the first data item; determine, based at least in part on comparing the first characteristic and the corresponding first characteristic, that the second data item and the first data item match; in response to determining that the second data item and the first data item match: associate a second submission event with the first data item, the second submission event being different from the first submission event; and generate a displayable notification that the second data item was previously received, wherein the displayable notification includes an indication of the first submission event associated with the first data item representing a suspected malware file; and generate a user interface including one or more user selectable portions presenting at least: one or more of the analysis information items associated with the first data item, and information regarding the first submission event associated with the first data item.

2. The computer system of claim 1, wherein the indication of the first submission event includes a date that the first data item was previously submitted.

3. The computer system of claim 1, wherein the indication of the first submission event includes at least both of: a date the first data item was submitted; and an identifier of the person who submitted the first data item.

4. The computer system of claim 1, wherein the one or more hardware computer processors are further configured to execute the plurality of computer executable instructions in order to cause the one or more hardware computer processors to: in response to receiving the second data item, generate the second submission event associated with the receipt of the second data item.

5. The computer system of claim 4, wherein the user interface further includes a selectable element, and wherein the one or more hardware computer processors are further configured to execute the plurality of computer executable instructions in order to cause the one or more hardware computer processors to: in response to a selection of the selectable element, generate a graphical visualization including at least: a first graphical representation of the first data item, a second graphical representation of the first submission event, and a third graphical representation of the second submission event.

6. The computer system of claim 5, wherein the graphical visualization further includes: a fourth graphical representation of at least one of the analysis information items.

7. The computer system of claim 6, wherein the graphical visualization further includes: a fifth graphical representation of relationships among the first, second, third, and fourth graphical representations.

8. The computer system of claim 7, wherein the first, second, third, and fourth graphical representations comprise graphical nodes, and the fifth graphical representation comprises graphical edges.

9. The computer system of claim 1, wherein the one or more hardware computer processors are further configured to execute the plurality of computer executable instructions in order to cause the one or more hardware computer processors to: initiate an internal analysis of the first data item including at least calculation of a hash of the data item; initiate an external analysis of the first data item by one or more third party analysis systems; and associate results of the internal and external analyses with the first data item, the results of the internal and external analyses comprising the analysis information items.

10. The computer system of claim 9, wherein the internal analysis includes analysis performed by the one or more hardware computer processors, and wherein the internal analysis further includes at least one of calculation of an MD5 hash of the first data item, calculation of a SHA-1 hash of the first data item, calculation of a SHA-256 hash of the first data item, calculation of an SSDeep hash of the first data item, or calculation of a size of the first data item.

11. The computer system of claim 9, wherein the external analysis includes analysis performed by at least a second computer system, and wherein the external analysis includes execution of the first data item in a sandboxed environment and analysis of the first data item by a third-party malware analysis service.

12. The computer system of claim 11, wherein any payload provided by the first data item after execution of the first data item in the sandboxed environment is associated with the first data item.

13. The computer system of claim 1, wherein the one or more hardware computer processors are further configured to execute the plurality of computer executable instructions in order to cause the one or more hardware computer processors to: in response to receiving the second data item, generate the second submission event associated with the second data item.

14. The computer system of claim 13, wherein the one or more hardware computer processors are further configured to execute the plurality of computer executable instructions in order to cause the one or more hardware computer processors to: receive a third data item, the third data item representing another suspected malware file; generate a third submission event associated with the receipt of the third data item; compare the third data item with at least one of the first data item or the second data item; determine that the third data item and at least one of the first data item or the second data item match; associate the third submission event with the first data item; and provide a notification that the third data item was previously received.

15. The computer system of claim 1, wherein comparing the second data item with the first data item comprises: calcul
to a system of files or objects, e.g. local or distributed file system or database · CPC title
to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself · CPC title
Multiple levels of security · CPC title
Computer malware detection or handling, e.g. anti-virus arrangements · CPC title
Test or assess a computer or a system · CPC title