
Method and System for Automatically Identifying Authorized and Unauthorized Versions of an Application using Crowd Sourcing

IP.com Disclosure Number: IPCOM000240807D
Publication Date: 2015-Mar-04
Document File: 5 page(s) / 105K

Publishing Venue

The IP.com Prior Art Database

Abstract

A method and system is disclosed for automatically determining authorized application versions and identifying unauthorized versions and malware-infected versions using crowd sourced popularity measures and analytics within an environment.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 26% of the total text.


Malware can disguise itself as a legitimate common application on a computer and can evade normal detection mechanisms such as antivirus. Detection can be evaded when there is a targeted or zero-day attack and a malware signature does not exist for the threat. Currently, malware solutions may not protect devices completely.

Anti-malware solutions watch for misuse of system resources by applications indicating an anomaly and shut down the applications.

Disclosed is a method and system for automatically determining authorized and unauthorized versions of an application using crowd sourced popularity measures and analytics within an environment. The method and system also determines malware infected versions of the application using the crowd sourced popularity measures and analytics. Additionally, the method and system automatically identifies applications that are at low risk of being malicious without requiring external intel and without the delays that can occur when a threat has newly emerged. The external intel can be a new malware signature update; when a threat has newly emerged, the signature still has to be developed. New variants of an application can be identified by crowd sourcing information about the popularity of the application in a population. Based on business rules, the new variants can indicate a malware infiltration. The new variants can also indicate that a new version of the application is currently being deployed, potentially without notice of an enterprise Information Technology (IT) organization. The method and system leverages crowd sourcing information to develop a popularity template. Thereafter, the popularity template is used to identify anomalies and find items for investigation.

By observing the environment, authorized (named) applications, versions within an application, and hash (patch) levels within a version are deduced based on popularity.

Alerts to a system administrator are created when a member of the environment is not using an authorized application, version or hash (patch) level. Hash is used as a proxy indicator for a patch level and/or inappropriate software modification by malware or a hacker.
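The popularity template and the alerting step described above, as an added example that is not code from the disclosure. It covers the version and hash levels for one application; the 10% share threshold, the report tuple layout and the sample inventory are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Assumed business rule (not from the disclosure): a version, or a hash within
# a version, counts as authorized when at least this share of devices use it.
MIN_SHARE = 0.10

def build_template(reports, min_share=MIN_SHARE):
    """Deduce authorized versions and hash levels per application from popularity."""
    by_app = defaultdict(set)
    for device, app, version, digest in set(reports):  # drop duplicate reports
        by_app[app].add((device, version, digest))
    template = {}
    for app, rows in by_app.items():
        versions = Counter(v for _, v, _ in rows)
        total = sum(versions.values())
        template[app] = {}
        for version, count in versions.items():
            if count / total < min_share:
                continue  # unpopular version: left out of the template
            hashes = Counter(h for _, v, h in rows if v == version)
            template[app][version] = {
                h for h, n in hashes.items() if n / count >= min_share
            }
    return template

def find_anomalies(reports, template):
    """Return one alert per device whose version or hash is not in the template."""
    alerts = []
    for device, app, version, digest in sorted(set(reports)):
        allowed = template.get(app, {})
        if version not in allowed:
            alerts.append((device, app, "unauthorized version", version))
        elif digest not in allowed[version]:
            alerts.append((device, app, "unauthorized hash", digest))
    return alerts

# Constructed inventory: (device, application, version, file hash placeholder).
SAMPLE = ([(f"d{i:02d}", "editor", "2.1", "a1") for i in range(12)]
          + [(f"d{i:02d}", "editor", "2.0", "b7") for i in range(12, 17)]
          + [("d17", "editor", "2.1", "ff"),   # popular version, rare hash
             ("d18", "editor", "1.4", "c3"),   # rare version
             ("d19", "editor", "2.0", "b7")])

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE, build_template(SAMPLE)):
        print(alert)
```

Each alert is an item for investigation: as the text notes, a rare variant can be a malware infiltration or a new version that is being deployed.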

Fig. 1 illustrates a system for automatically identifying authorized and unauthorized versions of an application using crowd sourced popularity.


Figure 1

As illustrated in Fig. 1, the system uses the endpoints of the population as the crowd source and analyzes, in a central database, the degree of popularity of the application's versions and of the variants within a version. Based on the analysis, a system administrator is informed if any anomaly is identified.

Fig. 2 visually represents a graph constructed from crowd sourced information for a given application.


Figure 2

In Fig. 2, a small number of devices that have older versions of the application are illustrated as region "A",...