Mitigation of malware

US 10,275,594 B2
Filed: 10/11/2016
Issued: 04/30/2019
Est. Priority Date: 06/27/2014
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory, computer-readable medium including one or more instructions that, when executed by at least one processor, cause the at least one processor to perform a method comprising:

determining a first checksum at a first region of a first file;

comparing the first checksum to a root in a checksum tree, the root indicating a checksum at a point of a second file;

determining a second checksum at a second region of the first file offset from the first region of the first file, if the first checksum matches the root;

comparing the second checksum to a fuzzy checksum indicated by a child node of the root in the checksum tree, wherein the fuzzy checksum is of at least a portion of malware offset from the point of the second file; and

assigning a classification to the first file, if the second checksum matches the child node, the classification indicating the malware.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided in example embodiments for mitigating malicious calls. The system can be configured to determine a series of checksums for a file, compare the series of checksums to a checksum tree, where the checksum tree includes a plurality of nodes that each include a fuzzy checksum of known malware, and assign one or more classifications to the file, where each of the one or more classifications is based on each node of the checksum tree that matches a checksum in the series of checksums and includes whether the file includes malware or benign checksums.

33 Citations

22 Claims

1. At least one non-transitory, computer-readable medium including one or more instructions that, when executed by at least one processor, cause the at least one processor to perform a method comprising:
- determining a first checksum at a first region of a first file;
  
  comparing the first checksum to a root in a checksum tree, the root indicating a checksum at a point of a second file;
  
  determining a second checksum at a second region of the first file offset from the first region of the first file, if the first checksum matches the root;
  
  comparing the second checksum to a fuzzy checksum indicated by a child node of the root in the checksum tree, wherein the fuzzy checksum is of at least a portion of malware offset from the point of the second file; and
  
  assigning a classification to the first file, if the second checksum matches the child node, the classification indicating the malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 21, 22)
- - 2. The medium of claim 1, the method further comprising:
    - comparing the second checksum to another fuzzy checksum indicated by another node in the checksum tree, if the second checksum does not match the child node, the another node being a sibling to the child node.
  - 3. The medium of claim 1, wherein the child node indicates a numeric offset of the second region from the first region.
  - 4. The medium of claim 1, wherein the child node indicates a logical position of the second region.
  - 5. The medium of claim 4, wherein the second region is determined at an entry point of the first file, at a resources section of the first file, or a text section of the first file.
  - 6. The medium of claim 1, the method further comprising:
    - assigning a percentage to the classification.
  - 7. The medium of claim 6, the method further comprising:
    - sending a feature vector through a network, based on a comparison of the percentage and a predetermined threshold.
  - 21. The medium of claim 1, the method further comprising:
    - determining if a file location referenced at another root of another checksum tree has been analyzed, if the first checksum does not match the root in the checksum tree.
  - 22. The medium of claim 1, wherein the second file is an executable file, and the point of the second file is an entry point of the executable file.

8. An apparatus, comprising:
- a memory; and
  
  a processor configuredto determine a first checksum at a first region of a first file;
  
  to compare the first checksum to a root in a checksum tree, the root indicating a checksum at a point of a second file;
  
  to determine a second checksum at a second region of the first file offset from the first region of the first file, if the first checksum matches the root;
  
  to compare the second checksum to a fuzzy checksum indicated by a child node of the root in the checksum tree, the fuzzy checksum being of at least a portion of malware offset from the point of the second file; and
  
  to assign a classification to the first file, if the second checksum matches the child node, the classification indicating the malware.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, wherein the processor is further configured to compare the second checksum to another fuzzy checksum indicated by another node in the checksum tree, if the second checksum does not match the child node, the another node being a sibling to the child node.
  - 10. The apparatus of claim 8, wherein the child node indicates a numeric offset of the second region from the first region.
  - 11. The apparatus of claim 8, wherein the child node indicates a logical position of the second region.
  - 12. The apparatus of claim 11, wherein the second region is determined at an entry point of the first file, at a resources section of the first file, or a text section of the first file.
  - 13. The apparatus of claim 8, wherein the processor is further configured to assign a percentage to the classification.
  - 14. The apparatus of claim 13, wherein the processor is further configured to send a feature vector through a network, based on a comparison of the percentage and a predetermined threshold.

15. A method, comprising:
- determining a first checksum at a first region of a first file;
  
  comparing the first checksum to a root in a checksum tree, the root indicating a checksum at a point of a second file;
  
  determining a second checksum at a second region of the first file offset from the first region of the first file, if the first checksum matches the root;
  
  comparing the second checksum to a fuzzy checksum indicated by a child node of the root in the checksum tree, wherein the fuzzy checksum is of at least a portion of malware offset from the point of the second file; and
  
  assigning a classification to the first file, if the second checksum matches the child node, the classification indicating the malware.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, further comprising:
    - comparing the second checksum to another fuzzy checksum indicated by another node in the checksum tree, if the second checksum does not match the child node, the another node being a sibling to the child node.
  - 17. The method of claim 15, wherein the child node indicates a numeric offset of the second region from the first region.
  - 18. The method of claim 15, wherein the child node indicates a logical position of the second region.
  - 19. The method of claim 18, wherein the second region is determined at an entry point of the first file, at a resources section of the first file, or a text section of the first file.
  - 20. The method of claim 15, further comprising:
    - assigning a percentage to the classification; and
      
      sending a feature vector through a network, based on a comparison of the percentage and a predetermined threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Alme, Christoph, Hahn, Slawa, Thoene, Sebastian
Primary Examiner(s)
Tabor, Amare F

Application Number

US15/290,185
Publication Number

US 20170046511A1
Time in Patent Office

931 Days
Field of Search

726 23, 726 22, 726 24, 726 25, 713188-189
US Class Current
CPC Class Codes

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

G06F 2221/033   Test or assess software

G06F 2221/034   Test or assess a computer o...

Mitigation of malware

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Mitigation of malware

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links