System and method for generating a malware identifier

US 10,467,411 B1
Filed: 08/28/2017
Issued: 11/05/2019
Est. Priority Date: 12/26/2013
Status: Active Grant

First Claim

Patent Images

1. A method for generating an identifier for use in malware detection, comprising:

obtaining a first plurality of indicators of compromise that correspond to a plurality of anomalous behaviors;

performing a filtering operation on the first plurality of indicators of compromise by at least removing one or more indicators of compromise from the first plurality of indicators of compromise to create a second plurality of indicators of compromise, wherein the removing of the one or more indicators of compromises comprises (i) maintaining a count value for each of the first plurality of indicators, (ii) removing at least a first indicator of compromise of the one or more indicators of compromise when a count value of the first indicator of compromise exceeds a first threshold that corresponds to a high occurrence rate in one or more known malware families, of a plurality of known malware and (iii) removing at least a second indicator of compromise of the one or more indicators of compromise when a count value of the second indicator of compromise is less than a second threshold that corresponds to a low occurrence rate in the plurality of known malware families; and

creating the identifier represented by the second plurality of indicators of compromise.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the disclosure is directed to a method for generating an identifier for use in malware detection. Herein, a first plurality of indicators of compromise are obtained. These indicators of compromise correspond to a plurality of anomalous behaviors. Thereafter, a filtering operation is performed on the first plurality of indicators of compromise by removing one or more indicators of compromise from the first plurality of indicators of compromise to create a second plurality of indicators of compromise. The identifier represented by the second plurality of indicators of compromise is created.

Citations

34 Claims

1. A method for generating an identifier for use in malware detection, comprising:
- obtaining a first plurality of indicators of compromise that correspond to a plurality of anomalous behaviors;
  
  performing a filtering operation on the first plurality of indicators of compromise by at least removing one or more indicators of compromise from the first plurality of indicators of compromise to create a second plurality of indicators of compromise, wherein the removing of the one or more indicators of compromises comprises (i) maintaining a count value for each of the first plurality of indicators, (ii) removing at least a first indicator of compromise of the one or more indicators of compromise when a count value of the first indicator of compromise exceeds a first threshold that corresponds to a high occurrence rate in one or more known malware families, of a plurality of known malware and (iii) removing at least a second indicator of compromise of the one or more indicators of compromise when a count value of the second indicator of compromise is less than a second threshold that corresponds to a low occurrence rate in the plurality of known malware families; and
  
  creating the identifier represented by the second plurality of indicators of compromise.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the obtaining of the first plurality of indicators of compromise comprises executing an object within a virtual environment and detecting the plurality of anomalous behaviors corresponding to the first plurality of indicators of compromise.
  - 3. The method of claim 1, wherein the creating of the identifier comprisesdetermining whether the second plurality of indicators of compromise statistically matches indicators of compromise associated with any of a plurality of known malware family identifiers;
    - andupdating a database including the plurality of known malware family identifies with the identifier upon determining that the second plurality of indicators of compromise statistically matches indicators of compromise associated with a first known malware family identifier of the plurality of known malware family identifiers.
  - 4. The method of claim 1, wherein the second plurality of indicators statistically matches the indicators of compromise associated with the first known malware family identifier when a certain level of correlation between the second plurality of indicators and the indicators of compromise associated with the first known malware family identifier is reached.
  - 5. The method of claim 4, wherein the level of correlation is reached when the second plurality of indicators matches at least ninety percent of the indicators of compromise associated with the first known malware family identifier.
  - 6. The method of claim 1, wherein the first threshold corresponds to the high occurrence rate in a first known malware family of the one or more known malware families and the second threshold corresponds to the low occurrence rate in the plurality of known malware families excluding the first known malware family.
  - 7. The method of claim 1, wherein the creating of the identifier comprisesdetermining whether the second plurality of indicators of compromise statistically matches indicators of compromise associated with any of a plurality of known malware family identifiers;
    - andreporting results of an analysis of an object for malware by including a first known malware family identifier upon determining that the second plurality of indicators of compromise statistically matches the indicators of compromise associated with the first known malware family identifier of the plurality of known malware family identifiers.
  - 8. The method of claim 7, wherein the indicators of compromise associated with the first known malware family identifier of the plurality of known malware family identifiers includes indicators of compromise associated with an Advanced Persistent Threat (APT) family identifier being an identifier of a malware that targets an entity and may be configured to exfiltrate information that is accessible by the entity.
  - 9. The method of claim 7, wherein the indicators of compromise associated with the first known malware family identifier of the plurality of known malware family identifiers includes indicators of compromise associated with a non-APT family identifier.
  - 10. The method of claim 7, where the reporting of the results of the analysis of the object for malware further comprises reporting that the object includes unknown APT malware upon determining that the second plurality of indicators of compromise fails to statistically match the indicators of compromise associated with any of the plurality of known malware family identifiers.

11. A method for generating an identifier for use in malware detection, comprising:
- monitoring behaviors of at least an object executing within a virtual environment to obtain a first plurality of indicators of compromise that correspond to a plurality of anomalous behaviors;
  
  performing a filtering operation on the first plurality of indicators of compromise by at least removing one or more indicators of compromise from the first plurality of indicators of compromise to create a second plurality of indicators of compromise, wherein the removing of the one or more indicators of compromises comprises (i) removing at least a first indicator of compromise of the one or more indicators of compromise when a number of occurrences of the first indicator of compromise in a plurality of known malware families exceeds a first threshold, and (ii) removing at least a second indicator of compromise of the one or more indicators of compromise when a number of occurrences of the second indicator of compromise in the plurality of known malware families falls below a second threshold being less than the first threshold; and
  
  creating the identifier represented by the second plurality of indicators of compromise.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein the obtaining of the first plurality of indicators of compromise comprises executing the object within the virtual environment and detecting the plurality of anomalous behaviors during monitoring of the behaviors of at least the object.
  - 13. The method of claim 11, wherein the performing of the filtering operation comprisesmaintaining a count value for each type of indicator of compromise of the first plurality of indicators of compromise;
    - andremoving at least the first indicator of compromise of the one or more indicators of compromise when a count value of the first indicator of compromise exceeds the first threshold.
  - 14. The method of claim 13, wherein the removing of the one or more indicators of compromise further comprises removing at least the second indicator of compromise of the one or more indicators of compromise when a count value of the second indicator of compromise is less than the second threshold.
  - 15. The method of claim 14, wherein the first threshold corresponds to a high occurrence rate in the plurality of known malware families greater than a first prescribed number.
  - 16. The method of claim 15, wherein the second threshold corresponds to a low occurrence rate in the plurality of known malware families less than a second prescribed number that is less than the first prescribed number.
  - 17. The method of claim 12, wherein the creating of the identifier comprisesdetermining whether the second plurality of indicators of compromise statistically matches indicators of compromise associated with any of the plurality of known malware family identifiers;
    - andreporting results of an analysis of an object for malware by including a first known malware family identifier upon determining that the second plurality of indicators of compromise statistically matches the indicators of compromise associated with the first known malware family identifier of the plurality of known malware family identifiers.
  - 18. The method of claim 17, wherein the indicators of compromise associated with the first known malware family identifier of the plurality of known malware family identifiers includes indicators of compromise associated with an Advanced Persistent Threat (APT) family identifier.
  - 19. The method of claim 17, wherein the indicators of compromise associated with the first known malware family identifier of the plurality of known malware family identifiers includes indicators of compromise associated with a non-APT family identifier.
  - 20. The method of claim 17, where the reporting of the results of the analysis of the object for malware further comprises reporting that the object includes unknown APT malware upon determining that the second plurality of indicators of compromise fails to statistically match the indicators of compromise associated with any of the plurality of known malware family identifiers.

21. An electronic device, comprising:
- a processor; and
  
  a memory communicatively coupled to the processor, the memory comprises a classifier to (i) perform a filtering operation on a first plurality of indicators of compromise by at least removing one or more indicators of compromise from the first plurality of indicators of compromise to create a second plurality of indicators of compromise, and (ii) create an identifier represented by the second plurality of indicators of compromise, wherein the removing of the one or more indicators of compromises comprises (i) removing at least a first indicator of compromise of the one or more indicators of compromise when a number of occurrences of the first indicator of compromise in a plurality of known malware families exceeds a first threshold, and (ii) removing at least a second indicator of compromise of the one or more indicators of compromise when a number of occurrences of the second indicator of compromise in the plurality of known malware families falls below a second threshold being less than the first threshold.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The electronic device of claim 21, wherein the memory further comprises one or more virtual machines that execute an object to be analyzed for malware and detect a plurality of anomalous behaviors corresponding to the first plurality of indicators of compromise.
  - 23. The electronic device of claim 21, wherein the classifier configured to perform the filtering operation comprisesa counter to maintain a count value for each type of indicator of compromise of the first plurality of indicators of compromise;
    - anda family identifier generator logic to remove at least the first indicator of compromise of the one or more indicators of compromise when a count value of the first indicator of compromise exceeds the first threshold.
  - 24. The electronic device of claim 23, wherein the family identifier generator logic removes the one or more indicators of compromise by at least removing at least the second indicator of compromise of the one or more indicators of compromise when a count value of the second indicator of compromise is less than a second threshold.
  - 25. The electronic device of claim 24, wherein the first threshold corresponds to a high occurrence rate in the plurality of known malware families.
  - 26. The electronic device of claim 25, wherein the second threshold corresponds to a low occurrence rate in the plurality of known malware families.
  - 27. The electronic device of claim 22, wherein the classifier comprises (i) a run-time classifier that, upon execution by the processor, determines whether the second plurality of indicators of compromise statistically matches indicators of compromise associated with any of a plurality of known malware family identifiers, and (ii) reporting logic that, upon execution by the processor, reports results of an analysis of an object for malware by including a first known malware family identifier upon the run-time classifier determining that the second plurality of indicators of compromise statistically matches the indicators of compromise associated with the first known malware family identifier of the plurality of known malware family identifiers.
  - 28. The electronic device of claim 27, wherein the indicators of compromise associated with the first known malware family identifier of the plurality of known malware family identifiers includes indicators of compromise associated with an Advanced Persistent Threat (APT) family identifier.
  - 29. The electronic device of claim 27, wherein the indicators of compromise associated with the first known malware family identifier of the plurality of known malware family identifiers includes indicators of compromise associated with a non-APT family identifier.
  - 30. The electronic device of claim 27, where the reporting logic reports the results of the analysis of the object for malware by at least reporting that the object includes unknown APT malware upon determining by the classifier that the second plurality of indicators of compromise fails to statistically match the indicators of compromise associated with any of the plurality of known malware family identifiers.

31. A method for generating an identifier for use in malware detection, comprising:
- obtaining a first plurality of indicators of compromise that correspond to a plurality of behaviors;
  
  performing a filtering operation on the first plurality of indicators of compromise by removing one or more indicators of compromise from the first plurality of indicators of compromise to create a second plurality of indicators of compromise including at least a first indicator of compromise of the one or more indicators of compromise when a count value of the first indicator of compromise exceeds a first threshold; and
  
  creating the identifier represented by the second plurality of indicators of compromise by at least determining whether the second plurality of indicators of compromise statistically matches indicators of compromise associated with any of a plurality of known malware family identifiers, wherein a first known malware family identifier of the plurality of known malware family identifiers includes indicators of compromise associated with an Advanced Persistent Threat (APT) family identifier being an identifier of a malware that targets an entity and is configured to surveil, extract or manipulate data to which the entity would have access.
- View Dependent Claims (32, 33, 34)
- - 32. The method of claim 31, wherein the performing of the filtering operation comprisesmaintaining a count value for each type of indicator of compromise of the first plurality of indicators of compromise;
    - andremoving at least a first indicator of compromise of the one or more indicators of compromise when a count value of the first indicator of compromise exceeds the first threshold.
  - 33. The method of claim 32, wherein the removing of the one or more indicators of compromise further comprises removing at least a second indicator of compromise of the one or more indicators of compromise when a count value of the second indicator of compromise is less than a second threshold.
  - 34. The method of claim 33, wherein the first threshold corresponds to a high occurrence rate in the first known malware family identifier and the second threshold corresponds to a low occurrence rate in a plurality of known malware families excluding the first known malware family identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Pidathala, Vinay K., Bu, Zheng, Aziz, Ashar
Primary Examiner(s)
Eskandarnia, Arvin

Application Number

US15/688,727
Time in Patent Office

799 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/566 Dynamic detection, i.e. det...

System and method for generating a malware identifier

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for generating a malware identifier

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links