Creating rules describing malicious files based on file properties
First Claim

1. A method for generating a malicious file detection rule, the method comprising:
- receiving a fingerprint representing features of a file;
- determining a set of nearest neighbor fingerprints to the fingerprint from at least a set of malware fingerprints;
- analyzing the set of nearest neighbor fingerprints to determine a representative fingerprint; and
- creating the malicious file detection rule based, at least in part, on the representative fingerprint, wherein the malicious file detection rule comprises a plurality of conditions, each condition associated with a feature contained in the fingerprint, and wherein each condition includes an operator, the operator to be applied upon evaluation of the rule to the feature and one or more arguments associated with the condition;
- applying the malicious file detection rule to the received fingerprint to determine if the file corresponding to the received fingerprint is a malicious file.
Abstract
Systems and methods automatically determine rules for detecting malware. A fingerprint representing a file is received. A set of nearest neighbor fingerprints to that fingerprint is determined from at least a set of malware fingerprints. The set of malware fingerprints is analyzed to determine a representative fingerprint. A malicious file detection rule is generated based, at least in part, on the representative fingerprint.
33 Claims

1. A method for generating a malicious file detection rule (independent claim, set out in full under First Claim above; dependent claims 2 through 22).
23. A method comprising:
- (a) receiving a fingerprint, wherein said fingerprint comprises a data structure representing a file;
- (b) determining a set of nearest neighbor fingerprints from at least a set of malware fingerprints;
- (c) creating a cluster set of fingerprints;
- (d) analyzing the cluster set of fingerprints to create a cluster representative fingerprint;
- (e) determining an initial description rule based on said analyzing said cluster set of fingerprints, wherein said initial description rule describes said cluster representative fingerprint and the received fingerprint;
- (f) determining a candidate rule from the initial description rule;
- (g) adding the candidate rule to a candidate rule set;
- (h) determining whether a size of the cluster set can be reduced,
- (i) wherein, when it is determined that the size of the cluster set can be reduced, reducing the size of the cluster set to create a new cluster set of fingerprints and repeating steps (d)-(i), and
- (j) wherein, when it is determined that the size of a cluster set cannot be reduced, selecting a final rule from the candidate set;
- (k) applying the final rule to the received fingerprint to determine if the file corresponding to the received fingerprint is a malicious file.

Dependent claims: 24, 25, 26, 27.
28. A non-transitory computer readable medium containing program instructions for performing a method, said method comprising:
- receiving a fingerprint representing features of a file;
- determining a set of nearest neighbor fingerprints to the fingerprint from at least a set of malware fingerprints;
- analyzing the set of nearest neighbor fingerprints to determine a representative fingerprint; and
- creating a malicious file detection rule based, at least in part, on the representative fingerprint, wherein the malicious file detection rule comprises a plurality of conditions, each condition associated with a feature contained in the fingerprint, and wherein each condition includes an operator, the operator to be applied upon evaluation of the rule to the feature and one or more arguments associated with the condition;
- applying the malicious file detection rule to the received fingerprint to determine if the file corresponding to the received fingerprint is a malicious file.
29. A non-transitory computer readable medium containing program instructions for performing a method, said method comprising:
- (a) receiving a fingerprint, wherein said fingerprint comprises a data structure representing a file;
- (b) determining a set of nearest neighbor fingerprints from at least a set of malware fingerprints;
- (c) creating a cluster set of fingerprints;
- (d) analyzing the cluster set of fingerprints to create a cluster representative fingerprint;
- (e) determining an initial description rule based on said analyzing said cluster set of fingerprints, wherein said initial description rule describes said cluster representative fingerprint and the received fingerprint;
- (f) determining a candidate rule from the initial description rule;
- (g) adding the candidate rule to a candidate rule set;
- (h) determining whether a size of the cluster set can be reduced,
- (i) wherein, when it is determined that the size of the cluster set can be reduced, reducing the size of the cluster set to create a new cluster set of fingerprints and repeating steps (d)-(i), and
- (j) wherein, when it is determined that the size of a cluster set cannot be reduced, selecting a final rule from the candidate set;
- (k) applying the final rule to the received fingerprint to determine if the file corresponding to the received fingerprint is a malicious file.

Dependent claims: 30, 31, 32, 33.
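As an added illustration that is not code from the patent, the following Python sketch runs the cluster-shrinking loop of claims 23 and 29 over constructed sample fingerprints, using the rule shape of claim 1 (a list of conditions, each a feature, an operator and its arguments). The Euclidean distance, the median as cluster representative, the range-bounded conditions and the rule used to select the final candidate (widest malware coverage with no benign match) are all assumptions; the claims leave these choices open.

```python
from statistics import median

# Operators a condition may carry; args are the condition's arguments.
OPERATORS = {"between": lambda v, lo, hi: lo <= v <= hi}

# Constructed sample fingerprints (feature -> value); not from the patent.
MALWARE = [
    {"entropy": 7.8, "imports": 3, "packed": 1},
    {"entropy": 7.6, "imports": 4, "packed": 1},
    {"entropy": 7.9, "imports": 2, "packed": 1},
    {"entropy": 5.1, "imports": 40, "packed": 0},
]
BENIGN = [  # e.g. a packed but legitimate installer sits near the cluster
    {"entropy": 7.85, "imports": 2, "packed": 1},
    {"entropy": 6.2, "imports": 25, "packed": 0},
]

def distance(a, b):
    return sum((a[k] - b[k]) ** 2 for k in a) ** 0.5

def nearest_neighbors(fp, pool, k):
    return sorted(pool, key=lambda m: distance(fp, m))[:k]

def representative(cluster):
    # Assumption: the per-feature median represents the cluster.
    return {k: median(m[k] for m in cluster) for k in cluster[0]}

def description_rule(fp, cluster, rep):
    # One condition per feature: (feature, operator, args). The bounds span the
    # cluster members and the received fingerprint, so rep and fp both satisfy it.
    pts = cluster + [fp, rep]
    return [(k, "between", (min(p[k] for p in pts), max(p[k] for p in pts)))
            for k in fp]

def matches(rule, fp):
    return all(OPERATORS[op](fp[k], *args) for k, op, args in rule)

def generate_rule(fp, malware, benign, k=3):
    # Claim 23 loop: shrink the cluster (drop the farthest neighbour) and keep
    # each candidate; the final rule is the candidate covering the most malware
    # while matching no benign fingerprint (selection criterion is an assumption).
    cluster, candidates = nearest_neighbors(fp, malware, k), []
    while True:
        rule = description_rule(fp, cluster, representative(cluster))
        candidates.append(rule)
        if len(cluster) <= 1:
            break
        cluster = cluster[:-1]
    safe = [r for r in candidates if not any(matches(r, b) for b in benign)]
    return max(safe, key=lambda r: sum(matches(r, m) for m in malware), default=None)
```

With the sample data, the widest candidate also matches the packed installer, so the loop's second, narrower candidate is selected: it still covers two of the malware fingerprints and the received one without a benign match.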