SYSTEMS, APPARATUS, AND METHODS FOR DETECTING MALWARE

US 20080263669A1
Filed: 04/23/2007
Published: 10/23/2008
Est. Priority Date: 04/23/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

creating a first fuzzy fingerprint of a known malware file, the first fuzzy fingerprint including a first set of calculated complexity approximations and weightings for each of a plurality of blocks within the known malware file;

creating a second fuzzy fingerprint of a file to be checked, the second fuzzy fingerprint including a second set of calculated complexity approximations and weightings for each of a plurality of blocks within the file to be checked;

comparing the second fuzzy fingerprint to the first fuzzy fingerprint including comparing the calculated complexity approximations from the second fuzzy fingerprint with a plurality of the complexity approximations from the first fuzzy fingerprint using a block-wise comparison; and

calculating an similarity probability for each of the block-wise comparisons, the calculation including a respective weighting for each of the plurality of blocks within the known malware file and for each of the plurality of blocks within the file to be checked, and the calculation including a distance between the compared blocks; and

calculating an overall similarity probability for the plurality of blocks compared.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments, including a method comprising creating a first fuzzy fingerprint of a known malware file, the first fuzzy fingerprint including a first set of calculated complexity approximations and weightings for each of a plurality of blocks within the known malware file, creating a second fuzzy fingerprint of a file to be checked, the second fuzzy fingerprint including a second set of calculated complexity approximations and weightings for each of a plurality of blocks within the file to be checked, comparing the second fuzzy fingerprint to the first fuzzy fingerprint, calculating a similarity probability for each of the block-wise comparisons, the calculation including a respective weightings for each of the plurality of blocks within the known malware file and for each of the plurality of blocks within the file to be checked, and the calculation including a distance between the compared blocks; and calculating an overall similarity probability for the plurality of blocks compared.

78 Citations

View as Search Results

27 Claims

1. A method comprising:
- creating a first fuzzy fingerprint of a known malware file, the first fuzzy fingerprint including a first set of calculated complexity approximations and weightings for each of a plurality of blocks within the known malware file;
  
  creating a second fuzzy fingerprint of a file to be checked, the second fuzzy fingerprint including a second set of calculated complexity approximations and weightings for each of a plurality of blocks within the file to be checked;
  
  comparing the second fuzzy fingerprint to the first fuzzy fingerprint including comparing the calculated complexity approximations from the second fuzzy fingerprint with a plurality of the complexity approximations from the first fuzzy fingerprint using a block-wise comparison; and
  
  calculating an similarity probability for each of the block-wise comparisons, the calculation including a respective weighting for each of the plurality of blocks within the known malware file and for each of the plurality of blocks within the file to be checked, and the calculation including a distance between the compared blocks; and
  
  calculating an overall similarity probability for the plurality of blocks compared.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, including stopping the block-wise comparisons if a threshold number of block-wise comparisons in a row each dropped below a threshold value N for the calculated similarity probability.
  - 3. The method of claim 1, calculating a complexity approximation for each of a plurality of blocks within the known malware file and calculating a complexity approximation for each of the plurality of blocks within the file to be checked includes calculating the information entropy for a given block using the formula:
  - 4. The method of claim 1, wherein calculating a similarity value for each of the block-wise comparisons includes for any given two blocks being compared, calculating an actual deviation of both blocks complexity value in relation to a maximum possible deviation, times a proximity factor for the comparison between an offset i in a first file x₁and an offset j in a second file x₂, wherein:
  - 5. The method of claim 4, including summing up using Bayes'"'"' formula to generate an overall similarity probability, wherein Bayes'"'"' formula relates the conditional and marginal probabilities of stochastic events A and B:
  - 6. The method of claim 1, wherein calculating the overall similarity probability for the plurality of blocks compared includes comparing the overall similarity probability to a threshold value M to determine if the second file is to be considered malware.
  - 7. The method of claim 6, including determining that the file to be checked is a variant of the known malware file when the calculated overall similarity probability equals or exceeds the threshold value M.
  - 8. The method of claim 1, wherein calculating the overall similarity probability for the plurality of blocks compared includes comparing the overall similarity probability to a threshold value X and a threshold value M to determine if the second file is to be considered malware or is to be considered a suspicious file, wherein the threshold value M is greater than the threshold value X.
  - 9. The method of claim 8, wherein when the calculated overall similarity probability is less than the threshold value X the file to be checked is determined not to be a variant of the known malware file, and when the calculated overall similarity probability is greater than threshold value M the file to be checked is determined to be a variant of the known malware file, and the file to be checked is considered a suspicious file when the calculated overall similarity probability is greater than the threshold value X but less than or equal to the threshold value for M.

10. An apparatus comprising:
- a gateway including an anti-malware engine coupled to a generated fuzzy fingerprints database including plurality of fingerprints for known malware files;
  
  a fuzzy fingerprint generator coupled to the anti-malware engine, the fuzzy fingerprint generator operable to produce a fuzzy fingerprint including a complexity approximation for each of a plurality of blocks for a file provided by the anti-malware engine; and
  
  a fingerprint comparator coupled to the anti-malware engine, the fingerprint comparator operable to compare a produced fingerprint from the fingerprint generator with any one of the plurality fingerprints for the generated fuzzy fingerprints database and to produce a similarity probability on a block-wise basis.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The apparatus of claim 10, producing a complexity approximation for each of a plurality of blocks includes calculating the information entropy for a given block using the formula:
  - 12. The apparatus of claim 10, wherein producing the similarity probability on a block-wise basis includes for any given two blocks being compared, calculating an actual deviation of both blocks complexity value in relation to a maximum possible deviation, times a proximity factor for the comparison between an offset i in a first file x₁and an offset j in a second file x₂, wherein:
  - 13. The apparatus of claim 12, including summing up using Bayes'"'"' formula to generate an overall similarity probability, wherein Bayes'"'"' formula relates the conditional and marginal probabilities of stochastic events A and B:
  - 14. The apparatus of claim 10, including an update mechanism operable to receive updated versions of generated fuzzy fingerprints for storage in the generated fuzzy fingerprints database.
  - 15. The apparatus of claim 10, wherein the generated fuzzy fingerprints database includes precondition table 125 contains magic bytes signatures for all media type covered by the database 124.
  - 16. The apparatus of claim 10, wherein the generated fuzzy fingerprints database includes a jump table operable to determine a relative offset into the generated fuzzy fingerprints database based on a file size of the file to be checked.

17. A system comprising:
- A plurality of protected devices coupled to a network through a gateway, the gateway including an anti-malware engine;
  
  a generated fuzzy fingerprint database coupled to the anti-malware engine, the generated fingerprint database including plurality of fingerprints for known malware files coupled to the anti-malware engine;
  
  a fuzzy fingerprint generator coupled to the anti-malware engine, the fuzzy fingerprint generator operable to produce a fuzzy executable fingerprint including a complexity approximation for each of a plurality of blocks in a file provided by the anti-malware engine; and
  
  a fuzzy fingerprint comparator coupled to the anti-malware engine, the fuzzy fingerprint comparator operable to compare a produced fuzzy executable fingerprint from the fingerprint generator with any one of the plurality of fingerprints from the generated fingerprint database and to produce a similarity probability on a block-by-block basis.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The system of claim 17, wherein the generated fuzzy fingerprints database is coupled to an update mechanism, the update mechanism operable to receive an updated version of the generated fuzzy fingerprints database.
  - 19. The system of claim 18, wherein the updated version update is created from a training set of known malware files on a vendor-provided fingerprint generator server.
  - 20. The system of claim 17, wherein the generated fuzzy fingerprints database is coupled to an update mechanism, the update mechanism operable to receive a new version of the fuzzy executable fingerprints for known malware files.
  - 21. The system of claim 20, wherein the new version of fuzzy executable fingerprints for known malware files is an incremental update of a previous version of fuzzy executable fingerprints for known malware files.
  - 22. The system of claim 17, including an update provisioning server coupled to update mechanism, the update provisioning server operable to couple the update provisioning server to a fuzzy fingerprint generator server.
  - 23. The system of claim 17, including a fuzzy fingerprint generator server operable to store a plurality of known malware files to be used as one or more training sets for generating a fuzzy executable fingerprint for each of a known malware file.

24. A method comprising:
- storing as at least one training set a plurality of files known to be malware;
  
  generating for each file of the plurality of files known to be malware a fuzzy executable fingerprint, each fuzzy executable fingerprint including a first set of calculated complexity approximations and weightings for each of a plurality of blocks within each individual ones of the plurality of files known to be malware; and
  
  providing to one or more anti-malware engines the generated fuzzy executable fingerprints for each file of the plurality of files.
- View Dependent Claims (25, 26, 27)
- - 25. The method of claim 24, including receiving from any one of the at least one anti-malware engines a detected variant of a one of the plurality of files known to be malware;
    - andupdating the at least one training set to include the detected variant of the one of the files known to be malware.
  - 26. The method of claim 25, including generating a fuzzy executable fingerprint for the detected variant of the one of the files known to be malware;
    - andupdating each of the one or more anti-malware engines to include the generated fuzzy executable fingerprint for the detected variant of the one of the files known to be malware.
  - 27. The method of claim 24, wherein providing to one or more anti-malware engines the generated fuzzy executable fingerprint includes a vendor for the anti-malware software providing an updated version of the generated fuzzy executable fingerprints database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
Secure Computing Corporation (McAfee, LLC)
Inventors
Alme, Christoph

Granted Patent

US 8,312,546 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/56 Computer malware detection ...

SYSTEMS, APPARATUS, AND METHODS FOR DETECTING MALWARE

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

78 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS, APPARATUS, AND METHODS FOR DETECTING MALWARE

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links