IDENTIFICATION OF OBFUSCATED COMPUTER ITEMS USING VISUAL ALGORITHMS

US 20140189866A1
Filed: 08/19/2013
Published: 07/03/2014
Est. Priority Date: 12/31/2012
Status: Active Grant

First Claim

Patent Images

1. A method to identify one or more items associated with a computer, the method comprising the steps of:

initiating a visual algorithm in a computer, the visual algorithm including a set of executable computer instructions configured to cause (i) consumption of a character string in the computer, and (ii) generation of a visual ID based on the character string; and

generating a first visual ID by applying the visual algorithm to a candidate character string.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method to identify character strings associated with potentially malicious software items. The method includes employing a visual algorithm to translate one or more characters of a character string into corresponding characters in a visual ID for use in grouping and comparing computer items having similar visual IDs, such as a reference ID for a computer item that is known to be non-malicious. The method may, among other things, elucidate an attacker'"'"'s attempt to obfuscate malicious software by using file names that are very similar to those used for harmless files.

184 Citations

20 Claims

1. A method to identify one or more items associated with a computer, the method comprising the steps of:
- initiating a visual algorithm in a computer, the visual algorithm including a set of executable computer instructions configured to cause (i) consumption of a character string in the computer, and (ii) generation of a visual ID based on the character string; and
  
  generating a first visual ID by applying the visual algorithm to a candidate character string.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1,wherein the step of generating a first visual ID includes applying the visual algorithm to the candidate character string to translate a first character of the candidate character string into a first character of the first visual ID.
  - 3. The method of claim 1,wherein the step of generating a first visual ID includes using a first rule to translate a first character and a second character of the candidate character string into corresponding first and second characters of the first visual ID.
  - 4. The method of claim 3, wherein,the first and second characters of the candidate character string have different values, andthe first rule is configured to translate the first and second characters of the candidate character string so that the first and second characters of the first visual ID are equal.
  - 5. The method of claim 3,wherein the step of generating a first visual ID further includes using a second rule to determine that a third character of the candidate character string will not be represented by a corresponding character in the first visual ID.
  - 6. The method of claim 1,wherein the step of generating a first visual ID includes applying a length limit for the first visual ID.
  - 7. The method of claim 6,wherein the step of generating a first visual ID further includes adding one or more neutral value characters to the first visual ID until the number of characters in the first visual ID is greater than or equal to the length limit.
  - 8. The method of claim 1, further comprising the steps of:
    - comparing the first visual ID against a reference ID, anddetermining a difference between the first visual ID and the reference ID based on the comparison.
  - 9. The method of claim 1, further comprising the steps of:
    - determining a first value for a first characteristic of a first computer item associated with the candidate character string;
      
      determining a second value for the first characteristic of a second computer item associated with a reference ID; and
      
      determining a difference between the first and second values for the first characteristic.
  - 10. The method of claim 9,wherein the reference ID is chosen for comparison based on a visual similarity of the reference ID with the first visual ID.
  - 11. The method of claim 9, further comprising the step of:
    - determining a range of values for the first characteristic based on the second computer item associated with the reference ID.
  - 12. The method of claim 11, further comprising the step of:
    - flagging the first visual ID for further analysis if the value for the first characteristic of the first computer item associated with the candidate character string does not satisfy the range of values.
  - 13. The method of claim 1, further comprising the step of:
    - displaying the first visual ID with a second visual ID on a visual display.
  - 14. The method of claim 13,wherein the first and second visual ID'"'"'s are arranged according to a timeline of computer events involving associated computer items.
  - 15. The method of claim 13, further comprising the step of:
    - displaying comments for at least one of the first visual ID and the second visual ID that relate to at least one of (i) a comparison with a candidate character string, and (ii) a comparison with a value for a first characteristic of an associated computer item.

16. A system to identify one or more computer items comprising:
- a computer;
  
  a visual algorithm configured for execution via the computer; and
  
  a candidate character string.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16,wherein the visual algorithm is further configured to apply a rule to the candidate character string to generate a first visual ID.
  - 18. The system of claim 17,wherein the rule causes at least two characters in the candidate character string that appear in succession to be translated into a single character to form a portion of the first visual ID.
  - 19. The system of claim 17, further comprising:
    - a visual display.
  - 20. The system of claim 19,wherein the computer is configured to display the first visual ID with a second visual ID based on a timeline of computer events involving associated computer items.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Shiffer, Jason, Ross, David

Granted Patent

US 9,690,935 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/561   Virus type analysis

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

IDENTIFICATION OF OBFUSCATED COMPUTER ITEMS USING VISUAL ALGORITHMS

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

184 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTIFICATION OF OBFUSCATED COMPUTER ITEMS USING VISUAL ALGORITHMS

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

184 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links