Mitigation of malware

US 10,482,247 B2
Filed: 03/28/2019
Issued: 11/19/2019
Est. Priority Date: 06/27/2014
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory, computer-readable medium including one or more instructions that, when executed by at least one processor, cause the at least one processor to perform a method comprising:

determining a first checksum at a first region or area of a first file;

comparing the first checksum to a root in a checksum tree, the root indicating a checksum at a point of a second file or a fuzzy checksum at the point of the second file;

determining a second checksum at a second region or area of the first file offset from the first region or area of the first file, if the first checksum matches the root;

comparing the second checksum to a descendant node of the root in the checksum tree, the descendant node indicating a checksum or fuzzy checksum, wherein the checksum or fuzzy checksum indicated by the descendant node is offset from the point of the second file;

assigning a classification to the first file, if the second checksum matches the descendant node, wherein the classification indicates malware or a benign file; and

assigning a percentage to the classification.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided in example embodiments for mitigating malicious calls. The system can be configured to determine a series of checksums for a file, compare the series of checksums to a checksum tree, where the checksum tree includes a plurality of nodes that each include a fuzzy checksum of known malware, and assign one or more classifications to the file, where each of the one or more classifications is based on each node of the checksum tree that matches a checksum in the series of checksums and includes whether the file includes malware or benign checksums.

Citations

14 Claims

1. At least one non-transitory, computer-readable medium including one or more instructions that, when executed by at least one processor, cause the at least one processor to perform a method comprising:
- determining a first checksum at a first region or area of a first file;
  
  comparing the first checksum to a root in a checksum tree, the root indicating a checksum at a point of a second file or a fuzzy checksum at the point of the second file;
  
  determining a second checksum at a second region or area of the first file offset from the first region or area of the first file, if the first checksum matches the root;
  
  comparing the second checksum to a descendant node of the root in the checksum tree, the descendant node indicating a checksum or fuzzy checksum, wherein the checksum or fuzzy checksum indicated by the descendant node is offset from the point of the second file;
  
  assigning a classification to the first file, if the second checksum matches the descendant node, wherein the classification indicates malware or a benign file; and
  
  assigning a percentage to the classification.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The medium of claim 1, the method further comprising:
    - creating and sending a feature vector to classify the first file.
  - 3. The medium of claim 1, the method further comprising:
    - receiving file data related to new malware or a new benign file; and
      
      creating and sending the checksum tree to analyze the first file.
  - 4. The medium of claim 1, the method further comprising:
    - comparing the second checksum to a sibling to the descendant node in the checksum tree, if the second checksum does not match the descendant node, the sibling to the descendant node indicating a checksum or fuzzy checksum.
  - 5. The medium of claim 1, wherein the second region or area is determined at an entry point of the first file, at a resources section of the first file, or a text section of the first file.

6. An apparatus, comprising:
- a memory; and
  
  a processor configuredto determine a first checksum at a first region or area of a first file;
  
  to compare the first checksum to a root in a checksum tree, the root indicating a checksum at a point of a second file or a fuzzy checksum at the point of the second file;
  
  to determine a second checksum at a second region or area of the first file offset from the first region or area of the first file, if the first checksum matches the root;
  
  to compare the second checksum to a descendant node of the root in the checksum tree, the descendant node indicating a checksum or fuzzy checksum, wherein the checksum or fuzzy checksum indicated by the descendant node is offset from the point of the second file;
  
  to assign a classification to the first file, if the second checksum matches the descendant node, wherein the classification indicates malware or a benign file; and
  
  to assign a percentage to the classification.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The apparatus of claim 6, wherein the processor is configured to create and send a feature vector to classify the first file.
  - 8. The apparatus of claim 6, wherein the processor is configured to receive file data related to new malware or a new benign file, and to create and send the checksum tree to analyze the first file.
  - 9. The apparatus of claim 6, wherein the processor is configured to compare the second checksum to a sibling to the descendant node in the checksum tree, if the second checksum does not match the descendant node, the sibling to the descendant node indicating a checksum or fuzzy checksum.
  - 10. The apparatus of claim 6, wherein the second region or area is determined at an entry point of the first file, at a resources section of the first file, or a text section of the first file.

11. A method, comprising:
- determining a first checksum at a first region or area of a first file;
  
  comparing the first checksum to a root in a checksum tree, the root indicating a checksum at a point of a second file or a fuzzy checksum at the point of the second file;
  
  determining a second checksum at a second region or area of the first file offset from the first region or area of the first file, if the first checksum matches the root;
  
  comparing the second checksum to a descendant node of the root in the checksum tree, the descendant node indicating a checksum or fuzzy checksum, wherein the checksum or fuzzy checksum indicated by the descendant node is offset from the point of the second file;
  
  assigning a classification to the first file, if the second checksum matches the descendant node, wherein the classification indicates malware or a benign file; and
  
  assigning a percentage to the classification.
- View Dependent Claims (12, 13, 14)
- - 12. The method of claim 11, further comprising:
    - creating and sending a feature vector to classify the first file.
  - 13. The method of claim 11, further comprising:
    - receiving file data related to new malware or a new benign file; and
      
      creating and sending the checksum tree to analyze the first file.
  - 14. The method of claim 11, further comprising:
    - comparing the second checksum to a sibling to the descendant node in the checksum tree, if the second checksum does not match the descendant node, the sibling to the descendant node indicating a checksum or fuzzy checksum.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Alme, Christoph, Hahn, Slawa, Thoene, Sebastian
Primary Examiner(s)
Tabor, Amare F

Application Number

US16/367,607
Publication Number

US 20190228152A1
Time in Patent Office

236 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

G06F 2221/033   Test or assess software

G06F 2221/034   Test or assess a computer o...

Mitigation of malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Mitigation of malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links