US2018046801A1PendingUtilityA1

Malware data item analysis

51
Assignee: PALANTIR TECHNOLOGIES INCPriority: Jul 3, 2014Filed: Oct 6, 2017Published: Feb 15, 2018
Est. expiryJul 3, 2034(~8 yrs left)· nominal 20-yr term from priority
G06F 21/6209G06F 21/56H04L 63/105G06F 2221/034G06F 21/6218
51
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Embodiments of the present disclosure relate to a data analysis system that may automatically analyze a suspected malware file, or group of files. Automatic analysis of the suspected malware file(s) may include one or more automatic analysis techniques. Automatic analysis of may include production and gathering of various items of information related to the suspected malware file(s) including, for example, calculated hashes, file properties, academic analysis information, file execution information, third-party analysis information, and/or the like. The analysis information may be automatically associated with the suspected malware file(s), and a user interface may be generated in which the various analysis information items are presented to a human analyst such that the analyst may quickly and efficiently evaluate the suspected malware file(s). For example, the analyst may quickly determine one or more characteristics of the suspected malware file(s), whether or not the file(s) is malware, and/or a threat level of the file(s).

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A computer network comprising:
 a database configured to store file data items; and   one or more hardware computer processors configured to execute computer executable instructions in order to:
 receive a first data item including a suspected malware file; 
 store, in the database, the first data item in association with at least one of:
 a date of submission of the first data item, or 
 an identifier of the person who submitted the first data item; 
 
 initiate an internal analysis of the first data item to generate an internal analysis information item; 
 transmit the first data item to an external analysis provider outside of the computer system for external analysis; 
 receive, from the external analysis provider, an external analysis information item; and 
 generate a graphical user interface presenting analysis information items associated with the first data item, the graphical user interface including at least:
 a first node representing the first data item, and 
 a second node representing the internal analysis information item. 
 
   
     
     
         2 . The computer system of  claim 1 , wherein the graphical user interface further includes a third node representing the external analysis information item, wherein the first, second, and third nodes are linked by edges in a graph or web. 
     
     
         3 . The computer system of  claim 1 , wherein the one or more hardware computer processors are further configured to execute computer executable instructions in order to:
 search the database for previously submitted data items matching the first data item; and   generate a displayable notification indicating that the first data item was previously submitted.   
     
     
         4 . The computer system of  claim 3 , wherein the displayable notification indicates the date that the first data item was previously submitted. 
     
     
         5 . The computer system of  claim 3 , wherein the displayable notification indicates an identifier of the person who submitted the first data item. 
     
     
         6 . The computer system of  claim 1 , wherein nodes in the graphical user interface are user selectable icons. 
     
     
         7 . The computer system of  claim 1 , wherein the one or more hardware computer processors are further configured to execute computer executable instructions in order to:
 receive a submission of a second data item representing a suspected malware file; and   generate a fourth node in the graphical user interface, the fourth node indicating the submission of the second data item.   
     
     
         8 . The computer system of  claim 7 , wherein the one or more hardware computer processors are further configured to execute computer executable instructions in order to:
 compare an analysis information item of the second data item to at least one of the internal analysis information item or the external analysis information item;   determine that the second data item and the first data item match; and   in response to determining that the second data item and the first data item match, associate a second submission event with the first data item.   
     
     
         9 . The computer system of  claim 8 , wherein comparing the analysis information item of the second data item to at least one of the internal analysis information item or the external analysis information item includes:
 calculating a hash of the second data item; and   comparing the calculated hash to a previously calculated hash of the first data item.   
     
     
         10 . The computer system of  claim 7 , the graphical user interface including at least:
 the first node representing the first data item,   the second node representing the internal analysis information item,   a third node representing the submission of the first data item, and   a fourth node representing a submission of the second data item.   
     
     
         11 . The computer system of  claim 10 , the graphical user interface further including at least:
 a fifth node representing the external analysis information item.   
     
     
         12 . The computer system of  claim 11 , wherein the graphical visualization further includes edges linking the first node to the second, third, fourth, and fifth nodes. 
     
     
         13 . The computer system of  claim 7 , wherein the one or more hardware computer processors are further configured to execute computer executable instructions in order to:
 receive a submission of a third data item, the third data item representing another suspected malware file;   compare the third data item with at least one of the first data item or the second data item;   determine that at the third data item and at least one of the first data item or the second data item match;   generate a fifth node in the graphical user interface, the fifth node indicating the submission of the third data item and linked to at least one of the first or third node; and   provide a notification that the third data item was previously received.   
     
     
         14 . The computer system of  claim 1 , wherein the internal analysis includes at least calculation of a hash of the data item. 
     
     
         15 . The computer system of  claim 14 , wherein the hash is at least one of an MD5 hash of the first data item, a SHA-1 hash of the first data item, a SHA-256 hash of the first data item, an SSDeep hash of the first data item, or a size of the first data item. 
     
     
         16 . The computer system of  claim 15 , the external analysis includes analysis performed by at least a second computer system, and wherein the external analysis includes execution of the first data item in a sandboxed environment and analysis of the first data item by a third-party malware analysis service. 
     
     
         17 . The computer system of  claim 16 , wherein any payload provided by the first data item after execution of the first data item in the sandboxed environment is indicated as a node in the graphical user interface. 
     
     
         18 . The computer system of  claim 1 , wherein the one or more hardware computer processors are further configured to execute computer executable instructions in order to:
 share the first data item and associated analysis information items with a second computer system via a third computer system.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.