METHOD AND SYSTEM FOR CLASSIFICATION OF SOFTWARE USING CHARACTERISTICS AND COMBINATIONS OF SUCH CHARACTERISTICS

US 20090187992A1
Filed: 03/30/2009
Published: 07/23/2009
Est. Priority Date: 06/30/2006
Status: Active Grant

First Claim

Patent Images

1. A computer program product embodied in a computer readable medium that, when executing on one or more computers, performs the steps of:

a. identifying a functional code block that performs a particular function within executable code;

b. transforming the functional code block into a generic code representation of its functionality by tokenizing the functional code block;

c. comparing the generic code representation with a previously characterized malicious code representation; and

d. in response to a positive correlation from the comparison, identifying the executable code as containing malicious code.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In embodiments of the present invention improved capabilities are described for the steps of identifying a functional code block that performs a particular function within executable code; transforming the functional code block into a generic code representation of its functionality by tokenizing, refactoring, or the like, the functional code block; comparing the generic code representation with a previously characterized malicious code representation; and in response to a positive correlation from the comparison, identifying the executable code as containing malicious code.

339 Citations

24 Claims

1. A computer program product embodied in a computer readable medium that, when executing on one or more computers, performs the steps of:
- a. identifying a functional code block that performs a particular function within executable code;
  
  b. transforming the functional code block into a generic code representation of its functionality by tokenizing the functional code block;
  
  c. comparing the generic code representation with a previously characterized malicious code representation; and
  
  d. in response to a positive correlation from the comparison, identifying the executable code as containing malicious code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 18, 19, 20, 21, 22, 23)
- - 2. The computer program product of claim 1, wherein tokenization eliminates portions in the functional code block that may be presented in differing versions of code that perform the same function as the functional code block.
  - 3. The computer program product of claim 2, wherein the eliminated portions occur as a result of changed cross references due to variations in content and location of code between the differing versions.
  - 4. The computer program product of claim 2, wherein the differences occur as a result of legitimate optimization techniques.
  - 5. The computer program product of claim 2, wherein the differences occur as a result of malicious obfuscation techniques.
  - 6. The computer program product of claim 1, wherein the executable code is at least one of executable software, a script, a byte code file, and machine code.
  - 7. The computer program product of claim 1, wherein the malicious code representation is pulled from a library of malicious code representations.
  - 8. The computer program product of claim 7, wherein the library is stored on the computer performing a local code scan.
  - 9. The computer program product of claim 7, wherein the library is accessed through a network.
  - 10. The computer program product of claim 7, wherein the library is accessed through a threat research center.
  - 11. The computer program product of claim 7, wherein the library is updated from a threat research center.
  - 18. The computer program product of claim 1, wherein the executable code is at least one of executable software, a script, a byte code file, and machine code.
  - 19. The computer program product of claim 1, wherein the malicious code representation is pulled from a library of malicious code representations.
  - 20. The computer program product of claim 19, wherein the library is stored on the computer performing a local code scan.
  - 21. The computer program product of claim 19, wherein the library is accessed through a network.
  - 22. The computer program product of claim 19, wherein the library is accessed through a threat research center.
  - 23. The computer program product of claim 19, wherein the library is updated from a threat research center.

12. A computer program product embodied in a computer readable medium that, when executing on one or more computers, performs the steps of:
- a. identifying a functional code block that performs a particular function within executable code;
  
  b. transforming the functional code block into a generic code representation of its functionality by refactoring the functional code block;
  
  c. comparing the generic code representation with a previously characterized malicious code representation; and
  
  d. in response to a positive correlation from the comparison, identifying the executable code as containing malicious code.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computer program product of claim 12, wherein refactoring eliminates portions in the functional code block that may be presented in differing versions of code that perform the same function as the functional code block.
  - 14. The computer program product of claim 13, wherein the eliminated portions occur as a result of changed cross references due to variations in content and location of code between the differing versions.
  - 15. The computer program product of claim 13, wherein the differences occur as a result of legitimate optimization techniques.
  - 16. The computer program product of claim 13, wherein the differences occur as a result of malicious obfuscation techniques.
  - 17. The computer program product of claim 13, wherein the refactoring is lossy refactoring which selectively preserves certain generic characteristics of the code without needing to maintain actual executability.

24. A computer program product embodied in a computer readable medium that, when executing on one or more computers, performs the steps of:
- a. identifying a plurality of functional code blocks within executable code;
  
  b. transforming the plurality of functional code blocks into a plurality of generic code representations of its functionality by at least one of refactoring and tokenizing the plurality of functional code blocks;
  
  c. comparing each of the plurality of generic code representations with a plurality of previously characterized malicious code representations; and
  
  d. in response to a positive correlation from the comparison, identifying the executable code as containing malicious code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Limited (Sophos Group Ltd.)
Inventors
Poston, Robert J.

Granted Patent

US 8,365,286 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/563 by source code analysis

G06F 21/564 by virus signature recognition

METHOD AND SYSTEM FOR CLASSIFICATION OF SOFTWARE USING CHARACTERISTICS AND COMBINATIONS OF SUCH CHARACTERISTICS

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

339 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR CLASSIFICATION OF SOFTWARE USING CHARACTERISTICS AND COMBINATIONS OF SUCH CHARACTERISTICS

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

339 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links