Creating rules describing malicious files based on file properties

US 10,255,436 B2
Filed: 09/23/2016
Issued: 04/09/2019
Est. Priority Date: 09/25/2015
Status: Active Grant

First Claim

Patent Images

1. A method for generating a malicious file detection rule, the method comprising:

receiving a fingerprint representing features of a file;

determining a set of nearest neighbor fingerprints to the fingerprint from at least a set of malware fingerprints;

analyzing the set of nearest neighbor fingerprints to determine a representative fingerprint; and

creating the malicious file detection rule based, at least in part, on the representative fingerprint, wherein the malicious file detection rule comprises a plurality of conditions, each condition associated with a feature contained in the fingerprint, and wherein each condition includes an operator, the operator to be applied upon evaluation of the rule to the feature and one or more arguments associated with the condition;

applying the malicious file detection rule to the received fingerprint to determine if the file corresponding to the received fingerprint is a malicious file.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods automatically determine rules for detecting malware. A fingerprint representing a file is received. A set of nearest neighbor fingerprints from at least a set of malware fingerprints that are nearest neighbors are determined. The set of malware fingerprints are analyzed to determine a representative fingerprint. A malicious file detection rule is generated based, at least in part, on the representative fingerprint.

Citations

33 Claims

1. A method for generating a malicious file detection rule, the method comprising:
- receiving a fingerprint representing features of a file;
  
  determining a set of nearest neighbor fingerprints to the fingerprint from at least a set of malware fingerprints;
  
  analyzing the set of nearest neighbor fingerprints to determine a representative fingerprint; and
  
  creating the malicious file detection rule based, at least in part, on the representative fingerprint, wherein the malicious file detection rule comprises a plurality of conditions, each condition associated with a feature contained in the fingerprint, and wherein each condition includes an operator, the operator to be applied upon evaluation of the rule to the feature and one or more arguments associated with the condition;
  
  applying the malicious file detection rule to the received fingerprint to determine if the file corresponding to the received fingerprint is a malicious file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1, wherein said determining a set of nearest neighbor fingerprints from at least a set of malware fingerprints comprises using a distance function.
  - 3. The method of claim 2 further comprising providing a plurality of datasets, wherein a first dataset comprises a dataset indicative of files that are known to be free of malware, a second dataset comprises said malware fingerprints, and a third dataset comprises a dataset indicative of files for which it is unknown whether the files indicated in the third dataset contain malware.
  - 4. The method of claim 3, wherein said determining a set of nearest neighbor fingerprints comprises querying said first, said second, and said third dataset.
  - 5. The method of claim 4, wherein said determining a set of nearest neighbor fingerprints comprising querying said first, said second, and said third dataset comprises choosing a plurality of nearest neighbors to said fingerprint from each of said first dataset, said second dataset, and said third dataset.
  - 6. The method of claim 5, further comprising establishing a distance threshold and wherein said determining a set of nearest neighbor fingerprints comprises choosing a plurality of nearest neighbors to said fingerprint that are within a distance corresponding to said distance threshold.
  - 7. The method of claim 5, further comprising establishing at least a first distance threshold for said first dataset and a second distance threshold for said second dataset.
  - 8. The method of claim 7, wherein the first distance threshold for the first dataset indicative of files that are known to be free of malware is higher than the distance threshold for the second dataset indicative of files that are known to contain malware.
  - 9. The method of claim 4, said method further comprising forming a cluster set of fingerprints using the nearest neighbors from the second dataset indicative of files known to contain malware and the third dataset indicative of files for which it is unknown whether the files in the third dataset contain malware.
  - 10. The method of claim 9, said method further comprising analyzing the cluster set of fingerprints to determine a cluster representative fingerprint by analyzing features of fingerprints in the cluster set.
  - 11. The method of claim 10, wherein each said fingerprint in said cluster set of fingerprints comprises features, wherein said analyzing the cluster set of fingerprints comprises analyzing said features of said fingerprints in the cluster set, said method further comprising enabling use of a blacklist of blacklisted features for determining a distance between files but not using said blacklisted features on the blacklist in the malicious file detection rule.
  - 12. The method of claim 11, said method further comprising:
    - analyzing each of a plurality of features other than those on said blacklist to determine an indication of at least one of the following three scenarios for each analyzed feature;
      
      (i) the feature has a value that is identical to values in each fingerprint in the cluster set,(ii) the feature has a value that differs from values in other fingerprints in the cluster set, but the feature itself is of an integral type, and(iii) the feature has a value that differs from values in other fingerprints in the cluster set, but the feature itself is not of an integral type.
  - 13. The method of claim 12, said method further comprising:
    - when it is determined as a result of said analyzing a feature of said plurality of features other than those on the blacklist that scenario (i) is present, using the value of the feature in the cluster representative fingerprint;
      
      when it is determined as a result of said analyzing a feature of said plurality of features other than those on the blacklist that scenario (ii) is present, a range of the values is used in the cluster representative fingerprint unless the feature has a bitfield semantic in which case the feature is ignored; and
      
      when it is determined as a result of said analyzing a feature of said plurality of features other than those on the blacklist that scenario (iii) is present, no value is selected for the cluster representative fingerprint and the feature is ignored.
  - 14. The method of claim 10, said method further comprising determining an initial description rule based on said analyzing the cluster set of fingerprints, wherein said initial description rule describes a cluster representative fingerprint and the received fingerprint.
  - 15. The method of claim 14, said method further comprising transforming the initial description rule into a well formed rule, wherein said well formed rule comprises a rule that does not match any fingerprints in the first dataset indicative of files that are known to be free of malware and matches at least two distinct fingerprints in the second dataset indicative of files that are known to contain malware.
  - 16. The method of claim 14, said method further comprising using two parameters R_minand R_maxwhich set, respectively, a minimum number of conditions and a maximum number of conditions that a final candidate rule may have and processing the following steps:
    - a) when any fingerprints from the first dataset indicative of files that are known to not have malware match the initial description rule, no candidate rule is generated;
      
      (b) when a fingerprint has a number of conditions (N) in the range from <
      
      R_min;
      
      R_max>
      
      ,i) randomly selecting N conditions from the initial description rule and forming a new candidate rule using only those selected conditions; and
      
      ii) calculating H_clnas the number of fingerprints the new candidate rule matches with fingerprints in the first dataset, calculating H_malunkas the number of fingerprints the new candidate rule matches on fingerprints in the combination of the second and third datasets, and discarding any candidate new rule that has H_cln>
      
      0; and
      
      (c) from all new rules remaining from step (b), selecting as a final rule the candidate rule with the highest value of H_malunk.
  - 17. The method of claim 16 wherein, when following step (c) there is more than one candidate rule remaining, said method further comprising processing a step (d) comprising selecting as a final rule from the candidate rules remaining following step (c) a rule having the least number of conditions.
  - 18. The method of claim 17 wherein, when following step (d) there is more than one candidate rule remaining, said method further comprising processing a step (e) comprising selecting as a final rule from the candidate rules remaining following step (d) the last candidate rule generated.
  - 19. The method of claim 14, said method further comprising determining a candidate rule from the initial description rule and adding the candidate rule to a candidate rule set.
  - 20. The method of claim 19, said method further comprising:
    - determining if a size of the cluster set can be reduced,wherein, when it is determined that the size of the cluster set can be reduced, performing iterations on the cluster set until a cluster size of one is reached, andwherein, when it is determined that the size of the cluster set cannot be reduced, then selecting a final rule from the candidate rule set.
  - 21. The method of claim 20, said method further comprising selecting as the final rule the rule with the highest H_malunk.
  - 22. The method of claim 21, said method further comprising enabling the final rule to be distributed to computing devices.

23. A method comprising:
- (a) receiving a fingerprint, wherein said fingerprint comprises a data structure representing a file;
  
  (b) determining a set of nearest neighbor fingerprints from at least a set of malware fingerprints;
  
  (c) creating a cluster set of fingerprints;
  
  (d) analyzing the cluster set of fingerprints to create a cluster representative fingerprint;
  
  (e) determining an initial description rule based on said analyzing said cluster set of fingerprints, wherein said initial description rule describes said cluster representative fingerprint and the received fingerprint;
  
  (f) determining a candidate rule from the initial description rule;
  
  (g) adding the candidate rule to a candidate rule set;
  
  (h) determining whether a size of the cluster set can be reduced,(i) wherein, when it is determined that the size of the cluster set can be reduced, reducing the size of the cluster set to create a new cluster set of fingerprints and repeating steps (d)-(i), and(j) wherein, when it is determined that the size of a cluster set cannot be reduced, selecting a final rule from the candidate set;
  
  (k) applying the final rule to the received fingerprint to determine if the file corresponding to the received fingerprint is a malicious file.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The method of claim 23, wherein said step of selecting a final rule from the candidate rule set comprises selecting a rule from the candidate rules in the candidate rule set that has the highest H_malunk.
  - 25. The method of claim 24, wherein said candidate rules in the candidate rule set have at least one condition, wherein said step of selecting a final rule from the candidate rule set further comprises selecting a rule having the least number of conditions.
  - 26. The method of claim 25, wherein said step of selecting a final rule from the candidate rule set further comprises selecting a last candidate rule generated in the candidate rule set.
  - 27. The method of claim 23, said method further comprising applying the final rule to the received fingerprint to determine if the file corresponding to the received fingerprint is a malicious file.

28. A non-transitory computer readable medium containing program instructions for performing a method, said method comprising:
- receiving a fingerprint representing features of a file;
  
  determining a set of nearest neighbor fingerprints to the fingerprint from at least a set of malware fingerprints;
  
  analyzing the set of nearest neighbor fingerprints to determine a representative fingerprint; and
  
  creating a malicious file detection rule based, at least in part, on the representative fingerprint, wherein the malicious file detection rule comprises a plurality of conditions, each condition associated with a feature contained in the fingerprint, and wherein each condition includes an operator, the operator to be applied upon evaluation of the rule to the feature and one or more arguments associated with the condition;
  
  applying the malicious file detection rule to the received fingerprint to determine if the file corresponding to the received fingerprint is a malicious file.

29. A non-transitory computer readable medium containing program instructions for performing a method, said method comprising:
- (a) receiving a fingerprint, wherein said fingerprint comprises a data structure representing a file;
  
  (b) determining a set of nearest neighbor fingerprints from at least a set of malware fingerprints;
  
  (c) creating a cluster set of fingerprints;
  
  (d) analyzing the cluster set of fingerprints to create a cluster representative fingerprint;
  
  (e) determining an initial description rule based on said analyzing said cluster set of fingerprints, wherein said initial description rule describes said cluster representative fingerprint and the received fingerprint;
  
  (f) determining a candidate rule from the initial description rule;
  
  (g) adding the candidate rule to a candidate rule set;
  
  (h) determining whether a size of the cluster set can be reduced,(i) wherein, when it is determined that the size of the cluster set can be reduced, reducing the size of the cluster set to create a new cluster set of fingerprints and repeating steps (d)-(i), and(j) wherein, when it is determined that the size of a cluster set cannot be reduced, selecting a final rule from the candidate set;
  
  (k) applying the final rule to the received fingerprint to determine if the file corresponding to the received fingerprint is a malicious file.
- View Dependent Claims (30, 31, 32, 33)
- - 30. The non-transitory computer readable medium of claim 29 further containing program instructions for performing the method comprising wherein said step of selecting a final rule from the candidate rule set comprises selecting a rule from the candidate rules in the candidate rule set that has the highest H_malunk.
  - 31. The non-transitory computer readable medium of claim 30 further containing program instructions for performing the method comprising wherein said candidate rules in the candidate rule set have at least one condition, wherein said step of selecting a final rule from the candidate rule set further comprises selecting a rule having the least number of conditions.
  - 32. The non-transitory computer readable medium of claim 31 further containing program instructions for performing the method comprising wherein said step of selecting a final rule from the candidate rule set further comprises selecting a last candidate rule generated in the candidate rule set.
  - 33. The non-transitory computer readable medium of claim 29 further containing program instructions for performing the method comprising applying the final rule to the received fingerprint to determine if the file corresponding to the received fingerprint is a malicious file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avast Software SRO (Gen Digital Inc.)
Original Assignee
Avast Software SRO (Gen Digital Inc.)
Inventors
Kova{hacek over (c)}, Peter
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Zhu, Zhimei

Application Number

US15/275,179
Publication Number

US 20170091451A1
Time in Patent Office

928 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/562   Static detection

G06F 21/564   by virus signature recognition

G06F 2221/034   Test or assess a computer o...

H04L 63/145   the attack involving the pr...

Creating rules describing malicious files based on file properties

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Creating rules describing malicious files based on file properties

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links