System and method for generating a malware identifier
First Claim
1. A method for generating an identifier for use in malware detection, comprising:
obtaining a first plurality of indicators of compromise that correspond to a plurality of anomalous behaviors;
performing a filtering operation on the first plurality of indicators of compromise by at least removing one or more indicators of compromise from the first plurality of indicators of compromise to create a second plurality of indicators of compromise, wherein the removing of the one or more indicators of compromise comprises (i) maintaining a count value for each of the first plurality of indicators, (ii) removing at least a first indicator of compromise of the one or more indicators of compromise when a count value of the first indicator of compromise exceeds a first threshold that corresponds to a high occurrence rate in one or more known malware families of a plurality of known malware families, and (iii) removing at least a second indicator of compromise of the one or more indicators of compromise when a count value of the second indicator of compromise is less than a second threshold that corresponds to a low occurrence rate in the plurality of known malware families; and
creating the identifier represented by the second plurality of indicators of compromise.
Abstract
One embodiment of the disclosure is directed to a method for generating an identifier for use in malware detection. Herein, a first plurality of indicators of compromise are obtained. These indicators of compromise correspond to a plurality of anomalous behaviors. Thereafter, a filtering operation is performed on the first plurality of indicators of compromise by removing one or more indicators of compromise from the first plurality of indicators of compromise to create a second plurality of indicators of compromise. The identifier represented by the second plurality of indicators of compromise is created.
34 Claims
11. A method for generating an identifier for use in malware detection, comprising:
monitoring behaviors of at least an object executing within a virtual environment to obtain a first plurality of indicators of compromise that correspond to a plurality of anomalous behaviors;
performing a filtering operation on the first plurality of indicators of compromise by at least removing one or more indicators of compromise from the first plurality of indicators of compromise to create a second plurality of indicators of compromise, wherein the removing of the one or more indicators of compromise comprises (i) removing at least a first indicator of compromise of the one or more indicators of compromise when a number of occurrences of the first indicator of compromise in a plurality of known malware families exceeds a first threshold, and (ii) removing at least a second indicator of compromise of the one or more indicators of compromise when a number of occurrences of the second indicator of compromise in the plurality of known malware families falls below a second threshold being less than the first threshold; and
creating the identifier represented by the second plurality of indicators of compromise.
Dependent claims 12 to 20.
21. An electronic device, comprising:
a processor; and
a memory communicatively coupled to the processor, the memory comprises a classifier to (i) perform a filtering operation on a first plurality of indicators of compromise by at least removing one or more indicators of compromise from the first plurality of indicators of compromise to create a second plurality of indicators of compromise, and (ii) create an identifier represented by the second plurality of indicators of compromise, wherein the removing of the one or more indicators of compromise comprises (i) removing at least a first indicator of compromise of the one or more indicators of compromise when a number of occurrences of the first indicator of compromise in a plurality of known malware families exceeds a first threshold, and (ii) removing at least a second indicator of compromise of the one or more indicators of compromise when a number of occurrences of the second indicator of compromise in the plurality of known malware families falls below a second threshold being less than the first threshold.
Dependent claims 22 to 30.
31. A method for generating an identifier for use in malware detection, comprising:
obtaining a first plurality of indicators of compromise that correspond to a plurality of behaviors;
performing a filtering operation on the first plurality of indicators of compromise by removing one or more indicators of compromise from the first plurality of indicators of compromise to create a second plurality of indicators of compromise including at least a first indicator of compromise of the one or more indicators of compromise when a count value of the first indicator of compromise exceeds a first threshold; and
creating the identifier represented by the second plurality of indicators of compromise by at least determining whether the second plurality of indicators of compromise statistically matches indicators of compromise associated with any of a plurality of known malware family identifiers, wherein a first known malware family identifier of the plurality of known malware family identifiers includes indicators of compromise associated with an Advanced Persistent Threat (APT) family identifier being an identifier of a malware that targets an entity and is configured to surveil, extract or manipulate data to which the entity would have access.
Dependent claims 32 to 34.
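Worked example, added here and not part of the patent or of any assignee's code: a small Python implementation of the count-based filtering in claims 1 and 11 (drop indicators that occur in too many or too few known families) followed by the family matching of claim 31. The family corpus, indicator names, thresholds and the Jaccard score used as the "statistical match" are all constructed assumptions; the patent does not specify them.

```python
from collections import Counter

# Constructed sample corpus (hypothetical indicator names, not from the patent):
# known malware family -> set of behavioural IoCs seen in that family's samples.
KNOWN_FAMILIES = {
    "FamilyA": {"writes_temp_exe", "modifies_run_key", "beacons_http", "disables_defender"},
    "FamilyB": {"writes_temp_exe", "modifies_run_key", "beacons_http", "injects_explorer"},
    "FamilyC": {"writes_temp_exe", "modifies_run_key", "injects_explorer", "keylogs"},
    "FamilyD": {"writes_temp_exe", "beacons_http", "encrypts_user_files"},
    "FamilyE": {"writes_temp_exe", "modifies_run_key", "beacons_http",
                "disables_defender", "keylogs"},
}
HIGH_THRESHOLD = 3  # seen in more families than this: too generic, dropped
LOW_THRESHOLD = 2   # seen in fewer families than this: too rare or noisy, dropped

def family_counts(families):
    """Claim 1 step (i): count value per IoC = number of known families showing it."""
    counts = Counter()
    for iocs in families.values():
        counts.update(iocs)
    return counts

def filter_iocs(observed, counts, high=HIGH_THRESHOLD, low=LOW_THRESHOLD):
    """Claim 1 steps (ii)/(iii), claim 11: keep IoCs whose count is in [low, high].
    Unseen IoCs have count 0, fall below `low`, and are dropped as noise."""
    assert low < high, "claim 11: second threshold must be below the first"
    return frozenset(ioc for ioc in observed if low <= counts[ioc] <= high)

def jaccard(a, b):
    """Assumed similarity measure (not specified by the patent); empty sets match nothing."""
    return len(a & b) / len(a | b) if a and b else 0.0

def best_family_match(identifier, families, counts, min_score=0.6):
    """Claim 31 style matching: score the identifier against each family's own
    filtered identifier; return (family, score) for the best match at or above
    min_score, or None when nothing is close enough."""
    best = None
    for name, iocs in families.items():
        score = jaccard(identifier, filter_iocs(iocs, counts))
        if score >= min_score and (best is None or score > best[1]):
            best = (name, score)
    return best

if __name__ == "__main__":
    counts = family_counts(KNOWN_FAMILIES)
    observed = {"writes_temp_exe", "modifies_run_key", "beacons_http",  # constructed sandbox run
                "disables_defender", "keylogs", "spawns_calc"}
    ident = filter_iocs(observed, counts)
    print(sorted(ident), best_family_match(ident, KNOWN_FAMILIES, counts))
```

With these thresholds the generic indicators shared by four or five families and the never-seen `spawns_calc` are both discarded, leaving a two-indicator identifier that matches FamilyE; a sample whose indicators are all filtered out yields no match rather than a spurious one.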