System and method for determining data entropy to identify malware

US 20080184367A1
Filed: 01/25/2007
Published: 07/31/2008
Est. Priority Date: 01/25/2007
Status: Active Grant

First Claim

Patent Images

1. A malware detection method in a data processing system for determining suspicious data based on data entropy, the method comprising the steps of:

acquiring a block of data;

calculating an entropy value for the block of data;

comparing the entropy value to a threshold value; and

recording the block of data as suspicious when the entropy value exceeds the threshold value.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for performing malware detection for determining suspicious data based on data entropy are provided. The method includes acquiring a block of data, calculating an entropy value for the block of data, comparing the entropy value to a threshold value, and recording the block of data as suspicious when the entropy value exceeds the threshold value. An administrator may then investigate suspicious data.

Citations

20 Claims

1. A malware detection method in a data processing system for determining suspicious data based on data entropy, the method comprising the steps of:
- acquiring a block of data;
  
  calculating an entropy value for the block of data;
  
  comparing the entropy value to a threshold value; and
  
  recording the block of data as suspicious when the entropy value exceeds the threshold value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising reporting suspicious data to an administrator.
  - 3. The method of claim 1, wherein calculating an entropy value includes calculating Shannon Entropy for the block of data.
  - 4. The method of claim 1, wherein calculating an entropy value includes:
    - calculating a global entropy value for the block of data; and
      
      calculating a sample entropy value for the block of data.
  - 5. The method of claim 4, wherein calculating a sample entropy value includes:
    - dividing the block of data into samples;
      
      iteratively calculating an individual sample entropy value for each sample to create a plurality of individual sample entropy values; and
      
      performing a statistical method on the plurality of individual sample entropy values to calculate the sample entropy value.
  - 6. The method of claim 5, wherein performing a statistical method includes:
    - calculating the mean and standard deviation of the plurality of individual sample entropy values; and
      
      adding one standard deviation to the mean.
  - 7. The method of claim 4, wherein comparing the entropy value to a threshold value includes comparing both the global entropy value and the sample entropy value to the threshold.
  - 8. The method of claim 7, wherein recording the block of data as suspicious when the entropy value exceeds the threshold value includes recording the block of data as suspicious when at least on of the global entropy value and the sample entropy value exceeds the threshold.
  - 9. The method of claim 1, further comprising examining metadata for the block of data for suspicious features.
  - 10. The method of claim 1, wherein the threshold is 0.9.

11. A computer-readable medium having computer-executable instructions for performing a method of malware detection for determining suspicious data based on data entropy, the method comprising the steps of:
- acquiring a block of data;
  
  calculating an entropy value for the block of data;
  
  comparing the entropy value to a threshold value; and
  
  recording the block of data as suspicious when the entropy value exceeds the threshold value.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The computer-readable medium of claim 11, the method further comprising reporting suspicious packets to an administrator.
  - 13. The computer-readable medium of claim 11, wherein calculating an entropy value includes calculating Shannon Entropy for the block of data.
  - 14. The computer-readable medium of claim 11, wherein calculating an entropy value includes:
    - calculating a global entropy value for the block of data; and
      
      calculating a sample entropy value for the block of data.
  - 15. The computer-readable medium of claim 14, wherein calculating a sample entropy value includes:
    - dividing the block of data into samples;
      
      iteratively calculating an individual sample entropy value for each sample to create a plurality of individual sample entropy values; and
      
      performing a statistical method on the plurality of individual sample entropy values to calculate the sample entropy value.
  - 16. The computer-readable medium of claim 15, wherein performing a statistical method includes:
    - calculating the mean and standard deviation of the plurality of individual sample entropy values; and
      
      adding one standard deviation to the mean.
  - 17. The computer-readable medium of claim 14, wherein comparing the entropy value to a threshold value includes comparing both the global entropy value and the sample entropy value to the threshold.
  - 18. The computer-readable medium of claim 17, wherein recording the block of data as suspicious when the entropy value exceeds the threshold value includes recording the block of data as suspicious when at least on of the global entropy value and the sample entropy value exceeds the threshold.
  - 19. The computer-readable medium of claim 11, the method further comprising examining metadata for the block of data for suspicious features.
  - 20. The computer-readable medium of claim 11, wherein the threshold is 0.9.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
Mandiant, Inc. (Alphabet Inc.)
Inventors
Garman, Jason, McMillan, Chad

Granted Patent

US 8,069,484 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/563 by source code analysis

System and method for determining data entropy to identify malware

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for determining data entropy to identify malware

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links