Detecting Malware Using Stored Patterns

US 20130145471A1
Filed: 12/06/2011
Published: 06/06/2013
Est. Priority Date: 12/06/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

identifying, by at least one processor, a plurality of portions of a file;

comparing, by the at least one processor, the plurality of portions of the file to a plurality of stored patterns, the plurality of stored patterns comprising portions of known malware;

determining, by at least one processor, from the plurality of portions of the file and based on the comparing of the plurality of portions of the file to the plurality of stored patterns, a set of matching portions, the set of matching portions comprising one or more of the plurality of portions of the file;

determining, by at least one processor, a score for each portion in the set of matching portions; and

providing, by at least one processor, information regarding the set of matching portions, the information comprising the scores determined for each portion of the set of matching portions.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a method includes identifying a plurality of portions of a file and comparing the plurality of portions of the file to a plurality of stored patterns. The plurality of stored patterns include portions of known malware. The method also includes determining, from the plurality of portions of the file and based on the comparing of the plurality of portions of the file to the plurality of stored patterns, a set of matching portions. The set of matching portions include one or more of the plurality of portions of the file. In addition, the method includes determining a score for each portion in the set of matching portions and providing information regarding the set of matching portions. The information includes the scores determined for each portion of the set of matching portions.

Citations

21 Claims

1. A method comprising:
- identifying, by at least one processor, a plurality of portions of a file;
  
  comparing, by the at least one processor, the plurality of portions of the file to a plurality of stored patterns, the plurality of stored patterns comprising portions of known malware;
  
  determining, by at least one processor, from the plurality of portions of the file and based on the comparing of the plurality of portions of the file to the plurality of stored patterns, a set of matching portions, the set of matching portions comprising one or more of the plurality of portions of the file;
  
  determining, by at least one processor, a score for each portion in the set of matching portions; and
  
  providing, by at least one processor, information regarding the set of matching portions, the information comprising the scores determined for each portion of the set of matching portions.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein each score comprises a ranking of a likelihood that each respective portion in the set of matching portions is associated with malware.
  - 3. The method of claim 1, wherein comparing the plurality of portions of the file to the plurality of stored patterns comprises comparing byte sequences or text strings.
  - 4. The method of claim 1, wherein each score is determined based on the frequency with which each respective portion in the set of matching portions occurs in the plurality of stored patterns.
  - 5. The method of claim 1, wherein the information is provided to a human analyst to assist in determining whether the file is malware.
  - 6. The method of claim 1, wherein the information further comprises a description of each portion in the set of matching portions.
  - 7. The method of claim 1, further comprising:
    - in response to determining the score for each portion in the set of matching portions, determining, by the at least one processor, that the file is potential malware; and
      
      in response to determining that the file is potential malware, performing, by the at least one processor, remedial action regarding the file.

8. A system comprising:
- at least one computer-readable medium; and
  
  one or more processors configured to;
  
  identify a plurality of portions of a file;
  
  compare the plurality of portions of the file to a plurality of stored patterns, the plurality of stored patterns comprising portions of known malware;
  
  determine, from the plurality of portions of the file and based on the comparing of the plurality of portions of the file to the plurality of stored patterns, a set of matching portions, the set of matching portions comprising one or more of the plurality of portions of the file;
  
  determine a score for each portion in the set of matching portions; and
  
  provide information regarding the set of matching portions, the information comprising the scores determined for each portion of the set of matching portions.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein each score comprises a ranking of a likelihood that each respective portion in the set of matching portions is associated with malware.
  - 10. The system of claim 8, wherein the one or more processors are configured to compare the plurality of portions of the file to the plurality of stored patterns by comparing byte sequences or text strings.
  - 11. The system of claim 8, wherein the one or more processors are configured to determine each score based on the frequency with which each respective portion in the set of matching portions occurs in the plurality of stored patterns.
  - 12. The system of claim 8, wherein the one or more processors are configured to provide the information to a human analyst to assist in determining whether the file is malware.
  - 13. The system of claim 8, wherein the information further comprises a description of each portion in the set of matching portions.
  - 14. The system of claim 8, wherein the one or more processors are further configured to:
    - determine that the file is potential malware in response to determining the score for each portion in the set of matching portions; and
      
      perform remedial action regarding the file in response to determining that the file is potential malware, performing remedial action regarding the file.

15. At least one non-transitory computer-readable medium comprising instructions that, when executed by one or more processors, are configured to:
- identify a plurality of portions of a file;
  
  compare the plurality of portions of the file to a plurality of stored patterns, the plurality of stored patterns comprising portions of known malware;
  
  determine, from the plurality of portions of the file and based on the comparing of the plurality of portions of the file to the plurality of stored patterns, a set of matching portions, the set of matching portions comprising one or more of the plurality of portions of the file;
  
  determine a score for each portion in the set of matching portions; and
  
  provide information regarding the set of matching portions, the information comprising the scores determined for each portion of the set of matching portions.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The at least one non-transitory computer-readable medium of claim 15, wherein each score comprises a ranking of a likelihood that each respective portion in the set of matching portions is associated with malware.
  - 17. The at least one non-transitory computer-readable medium of claim 15, wherein the instructions are configured to compare the plurality of portions of the file to the plurality of stored patterns by comparing byte sequences or text strings.
  - 18. The at least one non-transitory computer-readable medium of claim 15, wherein the instructions are configured to determine each score based on the frequency with which each respective portion in the set of matching portions occurs in the plurality of stored patterns.
  - 19. The at least one non-transitory computer-readable medium of claim 15, wherein the instructions are configured to provide the information to a human analyst to assist in determining whether the file is malware.
  - 20. The at least one non-transitory computer-readable medium of claim 15, wherein the information further comprises a description of each portion in the set of matching portions.
  - 21. The at least one non-transitory computer-readable medium of claim 15, wherein the instructions are further configured to:
    - determine that the file is potential malware in response to determining the score for each portion in the set of matching portions; and
      
      perform remedial action regarding the file in response to determining that the file is potential malware, performing remedial action regarding the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint Federal Holdings LLC (Francisco Partners Management LLC)
Original Assignee
Raytheon Company (Rtx Corporation)
Inventors
Richard, Matthew, Lee, Jesse J., McDougal, Monty D., Jennings, Randy S., Sterns, William E.

Granted Patent

US 8,635,700 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/562 Static detection

G06F 21/564 by virus signature recognition

Detecting Malware Using Stored Patterns

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting Malware Using Stored Patterns

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links