Intelligent Hashes for Centralized Malware Detection

US 20090300761A1
Filed: 05/28/2008
Published: 12/03/2009
Est. Priority Date: 05/28/2008
Status: Active Grant

First Claim

Patent Images

1. A method of generating an intelligent hash for an entity, the method comprising:

generating a sequence of metalanguage instructions based on the entity;

identifying a set of subsequences of the sequence of metalanguage instructions;

generating the intelligent hash for the entity based, at least in part, on the identified set of subsequences; and

storing the intelligent hash on a storage device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A suspicious entity is identified. An intelligent hash for the suspicious entity is generated, wherein the intelligent hash includes a set of metadata that is specific to the suspicious entity and at least some of the metadata is invariant over changes to the suspicious entity. The intelligent hash is transmitted to a server for evaluation of whether the suspicious entity corresponds to the malware entity. The server is adapted to determine whether the suspicious entity corresponds to the malware entity based on the intelligent hash. A result is received from the server specifying whether the suspicious entity corresponds to the malware entity.

Citations

20 Claims

1. A method of generating an intelligent hash for an entity, the method comprising:
- generating a sequence of metalanguage instructions based on the entity;
  
  identifying a set of subsequences of the sequence of metalanguage instructions;
  
  generating the intelligent hash for the entity based, at least in part, on the identified set of subsequences; and
  
  storing the intelligent hash on a storage device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein identifying a set of subsequences of metalanguage instructions based on the sequence of metalanguage instructions further comprises:
    - determining a plurality of frequency values for a plurality of subsequences, wherein a frequency value indicates a frequency at which an associated subsequence occurs in the sequence of metalanguage instructions; and
      
      selecting the set of subsequences from the plurality of subsequences based at least in part on the plurality of frequency values, wherein the frequency values of the selected subsequences indicate the subsequences occur with high frequency in the sequence of metalanguage instructions.
  - 3. The method of claim 1, wherein generating an intelligent hash for the entity further comprises:
    - identifying a technique used to compress the entity;
      
      defining information describing the technique used to compress the entity; and
      
      generating the intelligent hash for the entity based, at least in part, on the information describing the identified technique.
  - 4. The method of claim 1, wherein generating an intelligent hash for the entity further comprises:
    - identifying a set of unique strings based on the entity;
      
      defining information describing the set of unique strings; and
      
      generating the intelligent hash for the entity based, at least in part, on information describing the set of unique strings.
  - 5. The method of claim 4, wherein identifying the set of unique strings based on the entity comprises identifying a set of strings indicating communications between the entity and a computer system.
  - 6. The method of claim 4, wherein identifying the set of unique strings based on the entity comprises identifying a set of strings indicating communications performed by the entity through a network.

7. A computer system for determining whether a suspicious entity corresponds to a malware entity, the system comprising:
- a reporting module adapted to receive an intelligent hash generated based on a suspicious entity encountered by a client, wherein the intelligent hash includes a set of metadata that is specific to the suspicious entity and at least some of the metadata is invariant over changes to the suspicious entity; and
  
  an evaluation module adapted to determine whether the suspicious entity corresponds to the malware entity based on the intelligent hash;
  
  wherein the reporting module is further adapted to report to the client whether the suspicious entity hash corresponds to the malware entity.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The computer system of claim 7, further comprising:
    - an intelligent hash database adapted to store a plurality of intelligent hashes;
      
      wherein the evaluation module is further adapted to;
      
      generate a plurality of similarity scores based on the intelligent hash generated based on the suspicious entity and the plurality of intelligent hashes, wherein a similarity score indicates a similarity between the intelligent hash generated based on the suspicious entity and an intelligent hash of the plurality of intelligent hashes; and
      
      determine whether the suspicious entity hash corresponds to the malware entity based on an intelligent hash associated with a highest similarity score of the plurality of similarity scores.
  - 9. The computer system of claim 7, further comprising:
    - an intelligent hash generation module adapted to generate an intelligent hash based on the malicious entity.
  - 10. The computer system of claim 9, wherein the intelligent hash generation module is further adapted to:
    - generate a sequence of metalanguage instructions based on the malicious entity;
      
      identify a set of subsequences of the sequence of metalanguage instructions; and
      
      generate the intelligent hash for the malicious entity based, at least in part, on the identified set of subsequences.
  - 11. The computer system of claim 10, wherein the intelligent hash generation module is further adapted to:
    - determine a plurality of frequency values for a plurality of subsequences, wherein a frequency value indicates a frequency at which an associated subsequence occurs in the sequence of metalanguage instructions; and
      
      select the set of subsequences from the plurality of subsequences based at least in part on the plurality of frequency values, wherein the frequency values of the selected subsequences indicate the subsequences occur with high frequency in the sequence of metalanguage instructions.
  - 12. The computer system of claim 9, wherein the intelligent hash generation module is further adapted to:
    - identify a technique used to compress the malicious entity;
      
      define information describing the technique used to compress the malicious entity; and
      
      generate the intelligent hash for the malicious entity based, at least in part, on the information describing the identified technique.
  - 13. The computer system of claim 9, wherein the intelligent hash generation module is further adapted to:
    - identify a set of unique strings based on the malicious entity;
      
      define information describing the set of unique strings; and
      
      generate the intelligent hash for the malicious entity based, at least in part, on information describing the set of unique strings.

14. A computer-readable storage medium encoded with computer program code for determining whether a suspicious entity corresponds to a malware entity, the program code comprising program code for:
- identifying a suspicious entity;
  
  generating an intelligent hash for the suspicious entity, wherein the intelligent hash includes a set of metadata that is specific to the suspicious entity and at least some of the metadata is invariant over changes to the suspicious entity;
  
  transmitting the intelligent hash to a server for evaluation of whether the suspicious entity corresponds to the malware entity; and
  
  receiving from the server a result specifying whether the suspicious entity corresponds to the malware entity.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer-readable storage medium of claim 14, wherein program code for generating the intelligent hash for the suspicious entity comprises program code for:
    - generating a sequence of metalanguage instructions based on the suspicious entity;
      
      identifying a set of subsequences of the sequence of metalanguage instructions; and
      
      generating the intelligent hash for the suspicious entity based, at least in part, on the identified set of subsequences.
  - 16. The computer-readable storage medium of claim 14, further comprising program code for:
    - generating a sequence of metalanguage instructions based on the suspicious entity; and
      
      identifying the set of subsequences of the sequence of metalanguage instructions.
  - 17. The computer-readable storage medium of claim 16, further comprising program code for:
    - determining a plurality of frequency values for a plurality of subsequences, wherein a frequency value indicates a frequency at which an associated subsequence occurs in the sequence of metalanguage instructions; and
      
      selecting the set of subsequences from the plurality of subsequences based at least in part on the plurality of frequency values, wherein the frequency values of the selected subsequences indicate the subsequences occur with high frequency in the sequence of metalanguage instructions.
  - 18. The computer-readable storage medium of claim 14, wherein program code for generating an intelligent hash for the suspicious entity further comprises program code for:
    - identifying an algorithm used to compress the suspicious entity; and
      
      generating the intelligent hash for the suspicious entity based, at least in part, on information indicating the algorithm.
  - 19. The computer-readable storage medium of claim 14, wherein program code for generating an intelligent hash for the suspicious entity further comprises program code for:
    - identifying a set of unique strings based on the suspicious entity; and
      
      generating the intelligent hash for the suspicious entity based, at least in part, on information indicating the set of unique strings.
  - 20. The computer-readable storage medium of claim 14, further comprising program code for:
    - remediating a client responsive to receiving a result specifying the suspicious entity corresponds to the malware entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Szor, Peter, Park, John

Granted Patent

US 8,732,825 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/562 Static detection

Intelligent Hashes for Centralized Malware Detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Intelligent Hashes for Centralized Malware Detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links