Automated malware family signature generation
Abstract
The automatic generation of malware family signatures is disclosed. A set of metadata associated with a plurality of samples is received. The samples are clustered. For members of a first cluster, a set of similarities shared among at least a portion of the members of the first cluster is determined. The similarities are evaluated for suitability as a malware family signature. In the event the similarities are determined to be suitable as a malware family signature, a signature is generated.
29 Claims
1. A system, comprising:
- a processor configured to:
  - receive a set of metadata associated with a plurality of samples;
  - cluster the samples;
  - determine, for members of a first cluster, a set of similarities shared among at least a portion of the members of the first cluster; and
  - evaluate the similarities for suitability as a malware family signature, including by generating a query encompassing the similarities and performing the query against a malware repository; and
- a memory coupled to the processor and configured to provide the processor with instructions.

Dependent claims: 2 to 14.
15. A method, comprising:
- receiving a set of metadata associated with a plurality of samples;
- clustering the samples;
- determining, for members of a first cluster, a set of similarities shared among at least a portion of the members of the first cluster; and
- evaluating the similarities for suitability as a malware family signature, including by generating a query encompassing the similarities and performing the query against a malware repository.

Dependent claims: 16 to 28.
29. A computer program product embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- receiving a set of metadata associated with a plurality of samples;
- clustering the samples;
- determining, for members of a first cluster, a set of similarities shared among at least a portion of the members of the first cluster; and
- evaluating the similarities for suitability as a malware family signature, including by generating a query encompassing the similarities and performing the query against a malware repository.
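The independent claims above describe one pipeline: receive per-sample metadata, cluster the samples, take the attributes shared by at least a portion of a cluster, turn them into a query, and run that query against a malware repository to decide whether the shared attributes are usable as a family signature. The following Python is an added example written for this page, not code from the patent or its assignee. It assumes single-linkage clustering on Jaccard similarity of attribute sets, a conjunctive query (every attribute must match), and a suitability rule of "covers most of its own cluster and hits no file the repository already verdicts as benign"; the sample ids, attribute tokens and thresholds are all constructed placeholders.

```python
from itertools import combinations

# Constructed sample metadata (placeholder ids, not from the patent or any real
# corpus). Each attribute is a "type:value" token from static analysis.
SAMPLES = {
    "fam1-a": {"imp:CreateRemoteThread", "imp:WriteProcessMemory", "sec:.upx1",
               "mutex:Global\\ExampleFam1", "str:cmd.exe /c"},
    "fam1-b": {"imp:CreateRemoteThread", "imp:WriteProcessMemory", "sec:.upx1",
               "mutex:Global\\ExampleFam1", "str:/v /c"},
    "fam1-c": {"imp:CreateRemoteThread", "imp:WriteProcessMemory", "sec:.upx1",
               "mutex:Global\\ExampleFam1", "imp:GetProcAddress"},
    "fam1-d": {"imp:CreateRemoteThread", "imp:WriteProcessMemory", "sec:.upx1",
               "str:cmd.exe /c", "imp:GetProcAddress"},
    "gen-a": {"imp:GetProcAddress", "imp:LoadLibraryA", "sec:.text"},
    "gen-b": {"imp:GetProcAddress", "imp:LoadLibraryA", "sec:.text", "sec:.rsrc"},
    "gen-c": {"imp:GetProcAddress", "imp:LoadLibraryA", "sec:.text", "sec:.data"},
}

# Constructed repository of already-verdicted files that candidate queries are
# run against: the clustered samples plus benign files sharing some traits.
REPOSITORY = {sid: ("malicious", attrs) for sid, attrs in SAMPLES.items()}
REPOSITORY.update({
    "benign-injector": ("benign", {"imp:CreateRemoteThread", "imp:WriteProcessMemory",
                                   "sec:.text", "str:attach debugger"}),
    "benign-hello": ("benign", {"imp:GetProcAddress", "imp:LoadLibraryA",
                                "sec:.text", "sec:.rsrc"}),
    "benign-tool": ("benign", {"imp:GetProcAddress", "imp:LoadLibraryA",
                               "sec:.text", "sec:.data"}),
})


def jaccard(a, b):
    return len(a & b) / len(a | b)


def cluster_samples(samples, threshold=0.5):
    """Single-linkage clustering (assumed method): any pair whose attribute sets
    reach the Jaccard threshold is joined, via union-find over all pairs."""
    parent = {sid: sid for sid in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(samples, 2):
        if jaccard(samples[a], samples[b]) >= threshold:
            parent[find(a)] = find(b)

    groups = {}
    for sid in samples:
        groups.setdefault(find(sid), set()).add(sid)
    return sorted((frozenset(g) for g in groups.values()), key=min)


def shared_attributes(members, samples, min_fraction=0.75):
    """Attributes present in at least min_fraction of the cluster's members,
    i.e. shared by 'a portion of the members' rather than necessarily all."""
    counts = {}
    for sid in members:
        for attr in samples[sid]:
            counts[attr] = counts.get(attr, 0) + 1
    needed = min_fraction * len(members)
    return frozenset(a for a, n in counts.items() if n >= needed)


def build_query(attrs):
    """Candidate signature as a conjunctive query (all attributes must match)."""
    return tuple(sorted(attrs))


def run_query(query, repository):
    return {sid for sid, (_, attrs) in repository.items() if set(query) <= attrs}


def evaluate_candidate(members, query, repository, min_coverage=0.75, max_fp=0):
    """Suitability check: the query must cover enough of its own cluster and must
    not hit files the repository already knows to be benign."""
    hits = run_query(query, repository)
    coverage = len(hits & members) / len(members)
    false_positives = sorted(s for s in hits if repository[s][0] == "benign")
    suitable = bool(query) and coverage >= min_coverage and len(false_positives) <= max_fp
    return {"members": members, "query": query, "coverage": coverage,
            "false_positives": false_positives, "suitable": suitable}


def generate_signatures(samples, repository):
    """Full pipeline: cluster, extract shared attributes, query, evaluate."""
    return [evaluate_candidate(m, build_query(shared_attributes(m, samples)), repository)
            for m in cluster_samples(samples)]


if __name__ == "__main__":
    for r in generate_signatures(SAMPLES, REPOSITORY):
        print(sorted(r["members"]), r["query"], "coverage=%.2f" % r["coverage"],
              "fp=%s" % r["false_positives"], "SUITABLE" if r["suitable"] else "REJECTED")
```

On this constructed data the first cluster yields a query that covers three of its four members and hits nothing benign, so it is accepted; the second cluster's shared attributes are real but generic (two common imports and a standard section name), the query matches two benign files in the repository, and the candidate is rejected. That rejection is the point of running the query against the repository before emitting a signature: commonality within a cluster says nothing about how the traits behave against everything else.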