Automated malware signature generation

US 20080127336A1
Filed: 09/19/2006
Published: 05/29/2008
Est. Priority Date: 09/19/2006
Status: Active Grant

First Claim

Patent Images

1. A method for automated malware signature generation, comprising:

monitoring incoming unknown files for the presence of malware;

analyzing said incoming unknown files based on both a plurality of classifiers of file behavior and a plurality of classifiers of file content;

classifying an incoming unknown file as having a particular malware classification based on said analyzing of said incoming unknown files;

generating a malware signature for said incoming unknown file based on said particular malware classification; and

providing access to said malware signature.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Automated malware signature generation is disclosed. Automated malware signature generation includes monitoring incoming unknown files for the presence of malware and analyzing the incoming unknown files based on both a plurality of classifiers of file behavior and a plurality of classifiers of file content. An incoming file is classified as having a particular malware classification based on the analyzing of incoming unknown files and a malware signature is generated for the incoming unknown file based on the particular malware classification. Access is provided to the malware signature.

Citations

20 Claims

1. A method for automated malware signature generation, comprising:
- monitoring incoming unknown files for the presence of malware;
  
  analyzing said incoming unknown files based on both a plurality of classifiers of file behavior and a plurality of classifiers of file content;
  
  classifying an incoming unknown file as having a particular malware classification based on said analyzing of said incoming unknown files;
  
  generating a malware signature for said incoming unknown file based on said particular malware classification; and
  
  providing access to said malware signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising validating said malware signature before providing access to said malware signature.
  - 3. The method of claim 2 wherein said validating said malware signature comprises string and function based validation.
  - 4. The method of claim 1 wherein rules are used along with said plurality of behavior classifiers and said plurality of content classifiers to identify an incoming file as having a particular malware classification.
  - 5. The method of claim 1 wherein said classifying said incoming unknown files comprises conducting runtime analysis, heuristic pattern analysis, function similarity analysis and string analysis.
  - 6. The method of claim 1 wherein said generating said malware signature is rule based.
  - 7. The method of claim 1 wherein said malware signature is validated if it contains components that correspond to one or more machine code functions associated with a malware family.
  - 8. The method of claim 1 wherein said signature is validated if it contains at least one string associated with a malware family.

9. A computer useable medium having computer-executable instructions for performing steps, comprising:
- an incoming unknown file monitor for monitoring incoming unknown files for the presence of malware;
  
  an incoming unknown file analyzer for analyzing said incoming unknown files based on both a plurality of measures of file behavior and a plurality of measures of file content;
  
  an incoming unknown file classifier for classifying an incoming unknown file as having a particular malware classification based on said analyzing of said incoming unknown files;
  
  an incoming unknown file generator for generating a malware signature for said incoming unknown file based on said particular malware classification; and
  
  a malware signature access provider providing access to said malware signature.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The medium of claim 9 further comprising validating said malware signature before providing access to said malware signature.
  - 11. The medium of claim 10 wherein said validating said malware signature comprises string and function based validation.
  - 12. The medium of claim 9 wherein rules are used along with said plurality of measures of file behavior and said plurality of measures of file content to identify an incoming file as having a particular malware classification.
  - 13. The medium of claim 9 wherein said classifying said incoming unknown files comprises conducting runtime analysis, heuristic pattern analysis, function similarity analysis and string analysis.
  - 14. The medium of claim 9 wherein said generating said malware signature is rule based.
  - 15. The medium of claim 9 wherein said malware signature is validated if it contains components that correspond to one or more machine code functions associated with a malware family.
  - 16. The medium of claim 9 wherein said signature is validated if it contains at least one string associated with a malware family.

17. An apparatus comprising:
- a computer readable memory unit; and
  
  a processor coupled to said memory unit, said processor for generating a malware signature for an incoming unknown file based on a particular malware classification.
- View Dependent Claims (18, 19, 20)
- - 18. The apparatus of claim 17 further comprising validating said malware signature before providing access to said malware signature.
  - 19. The apparatus of claim 18 wherein said validating said malware signature comprises string and function based validation.
  - 20. The apparatus of claim 17 wherein rules are used along with a plurality of measures of file behavior and a plurality of measures of file content to identify said incoming file as having a particular malware classification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Jia, Hong, Winkler, Patrick, Mody, Jigar, Swiderski, Frank, Sun, Ning, Lee, Tony, Geffner, Jason, Chu, Chengyun

Granted Patent

US 8,201,244 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/564 by virus signature recognition

G06F 21/566 Dynamic detection, i.e. det...

Automated malware signature generation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automated malware signature generation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links