System and method to mitigate malware

US 10,127,380 B2
Filed: 06/02/2017
Issued: 11/13/2018
Est. Priority Date: 02/26/2015
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory computer readable medium comprising one or more instructions that when executed by a processor, cause the computer readable medium to:

receive script data;

determine a checksum tree for the script data;

associate each checksum of the checksum tree with a Bayesian score;

compare each checksum of the checksum tree to one or more subtree checksums, wherein each of the one or more subtree checksums is a malware checksum or a benign checksum;

assign one or more probability classifications to the script data, wherein the assigned probability classification includes the associated Bayesian score for each checksum; and

store the assigned probability classifications in memory.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Particular embodiments described herein provide for an electronic device that can be configured to receive script data, determine a checksum tree for the script data, compare each checksum of the checksum tree to one or more subtree checksums, and assign one or more classifications to the script data. In one example, the checksum tree is an abstract syntax tree.

17 Citations

25 Claims

1. At least one non-transitory computer readable medium comprising one or more instructions that when executed by a processor, cause the computer readable medium to:
- receive script data;
  
  determine a checksum tree for the script data;
  
  associate each checksum of the checksum tree with a Bayesian score;
  
  compare each checksum of the checksum tree to one or more subtree checksums, wherein each of the one or more subtree checksums is a malware checksum or a benign checksum;
  
  assign one or more probability classifications to the script data, wherein the assigned probability classification includes the associated Bayesian score for each checksum; and
  
  store the assigned probability classifications in memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The at least one non-transitory computer readable medium of claim 1, wherein the checksum tree is calculated on an abstract syntax tree.
  - 3. The at least one non-transitory computer readable medium of claim 1, wherein each checksum in the subtree checksums is a prevalent malware or benign checksum.
  - 4. The at least one non-transitory computer readable medium of claim 1, wherein the probability classification is based on a subtree of the checksum tree that matches a checksum in the subtree checksums.
  - 5. The at least one non-transitory computer readable medium of claim 1, further comprising one or more instructions that when executed by the at least one processor, further cause the processor to:
    - determine based on comparing each checksum of the checksum tree to one or more subtree checksums that each checksum of the checksum tree does not match one or more subtree checksums;
      
      determine whether the subtree has a sibling; and
      
      compare, based on determining that the subtree has a sibling, each checksum of the checksum tree to one or more sibling subtree checksums.
  - 6. The at least one machine readable medium of claim 1, wherein the assigned probability classification further includes a likely malware family name.
  - 7. The at least one machine readable medium of claim 1, wherein the assigned probability classification further includes a list of malware family relationships and a relationship likelihood.

8. An apparatus comprising:
- memory; and
  
  a hardware processor configured to;
  
  receive script data;
  
  determine a checksum tree for the script data;
  
  associate each checksum of the checksum tree with a Bayesian score;
  
  compare each checksum of the checksum tree to one or more subtree checksums, wherein each of the one or more subtree checksums is a malware checksum or a benign checksum;
  
  assign one or more probability classifications to the script data, wherein the assigned probability classification includes the associated Bayesian score for each checksum; and
  
  store the assigned probability classifications in memory.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, wherein the checksum tree is calculated on an abstract syntax tree.
  - 10. The apparatus of claim 8, wherein each checksum in the subtree checksums is a prevalent malware or benign checksum.
  - 11. The apparatus of claim 8, wherein the probability classification is based on a subtree of the checksum tree that matches a checksum in the subtree checksums.
  - 12. The apparatus of claim 8, wherein the hardware processor is further configured to:
    - determine based on comparing each checksum of the checksum tree to one or more subtree checksums that each checksum of the checksum tree does not match one or more subtree checksums;
      
      determine whether the subtree has a sibling; and
      
      compare, based on determining that the subtree has a sibling, each checksum of the checksum tree to one or more sibling subtree checksums.
  - 13. The apparatus of claim 8, wherein the assigned probability classification further includes a likely malware family name.
  - 14. The apparatus of claim 8, wherein the assigned probability classification further includes a list of malware family relationships and a relationship likelihood.

15. A method comprising:
- receiving script data;
  
  determining a checksum tree for the script data;
  
  associating each checksum of the checksum tree with a Bayesian score;
  
  comparing each checksum of the checksum tree to one or more subtree checksums, wherein each of the one or more subtree checksums is a malware checksum or a benign checksum;
  
  assigning one or more probability classifications to the script data, wherein the assigned probability classification includes the associated Bayesian score for each checksum; and
  
  storing the assigned probability classifications in memory.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The method of claim 15, wherein the checksum tree is calculated on an abstract syntax tree.
  - 17. The method of claim 15, wherein each checksum in the subtree checksums is a prevalent malware or benign checksum.
  - 18. The method of claim 15, wherein the probability classification is based on a subtree of the checksum tree that matches a checksum in the subtree checksums.
  - 19. The method of claim 15, further comprising:
    - determining based on comparing each checksum of the checksum tree to one or more subtree checksums that each checksum of the checksum tree does not match one or more subtree checksums;
      
      determining whether the subtree has a sibling; and
      
      comparing, based on determining that the subtree has a sibling, each checksum of the checksum tree to one or more sibling subtree checksums.
  - 20. The method of claim 15, wherein the assigned probability classification further includes a likely malware family name.
  - 21. The method of claim 15, wherein the assigned probability classification further includes a list of malware family relationships and a relationship likelihood.

22. A system for mitigating malware, the system comprising:
- a memory element;
  
  communication circuitry;
  
  a hardware processor configured to;
  
  receive script data;
  
  determine a checksum tree for the script data;
  
  associate each checksum of the checksum tree with a Bayesian score;
  
  compare each checksum of the checksum tree to one or more subtree checksums, wherein each of the one or more subtree checksums is a malware checksum or a benign checksum;
  
  assign one or more probability classifications to the script data, wherein the assigned probability classification includes the associated Bayesian score for each checksum; and
  
  store the assigned probability classifications in memory.
- View Dependent Claims (23, 24, 25)
- - 23. The system of claim 22, wherein the system is further configured to:
    - determine based on comparing each checksum of the checksum tree to one or more subtree checksums that each checksum of the checksum tree does not match one or more subtree checksums;
      
      determine whether the subtree has a sibling; and
      
      compare, based on determining that the subtree has a sibling, each checksum of the checksum tree to one or more sibling subtree checksums.
  - 24. The system of claim 22, wherein the assigned probability classification further includes a likely malware family name.
  - 25. The system of claim 22, wherein the assigned probability classification further includes a list of malware family relationships and a relationship likelihood.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Alme, Christoph, Hahn, Slawa, Finke, Stefan
Primary Examiner(s)
Brown, Anthony

Application Number

US15/612,506
Publication Number

US 20170270298A1
Time in Patent Office

529 Days
Field of Search

726 22- 25
US Class Current
CPC Class Codes

G06F 16/2246   Trees, e.g. B+trees

G06F 21/552   involving long-term monitor...

G06F 21/563   by source code analysis

System and method to mitigate malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

System and method to mitigate malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links