SIGNAL TOKENS INDICATIVE OF MALWARE

US 20160156646A1
Filed: 07/31/2013
Published: 06/02/2016
Est. Priority Date: 07/31/2013
Status: Active Grant

First Claim

Patent Images

1. A computing device comprising:

a memory and at least one processor to execute a plurality of modules including;

a static code analysis module to determine a first and second set of tokens based on a static code analysis respectively performed on a first set of known malware application code and a second set of known clean application code; and

a signal generation module to generate a set of signal tokens indicative of malware based on groupings of the tokens.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Example embodiments disclosed herein relate to generate signal tokens indicative of malware. A code analysis is performed on known malware application code and known clean application code to generate tokens. Signal tokens indicative of malware are generated based on groupings of the tokens.

16 Citations

View as Search Results

15 Claims

1. A computing device comprising:
- a memory and at least one processor to execute a plurality of modules including;
  
  a static code analysis module to determine a first and second set of tokens based on a static code analysis respectively performed on a first set of known malware application code and a second set of known clean application code; and
  
  a signal generation module to generate a set of signal tokens indicative of malware based on groupings of the tokens.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computing device of claim 1, wherein the known malware application code is in the form of a known malware binary and the known clean application code is in the form of a known clean binary.
  - 3. The computing device of claim 2, wherein the tokens are generated according to rules that include obfuscation tolerant rules.
  - 4. The computing device of claim 3, wherein the respective first set of tokens and the respective second set of tokens are generated if one of the rules is a hit to the corresponding respective binaries.
  - 5. The computing device of claim 1, wherein the set of signal tokens is based on machine learning.
  - 6. The computing device of claim 1, wherein the groupings are based on at least two of a null dereference, resource leak, dead code, path manipulation, query string injection, command injection, resource injection, and denial of service.
  - 7. The computing device of claim 1, further comprising:
    - an output module to output the signal tokens to a signal token malware likeliness database.

8. A method comprising:
- performing code analysis based on rules on a first set of known malware application code and a second set of known clean application code to generate tokens;
  
  determining a set of the tokens indicative of malware; and
  
  generating a set of signal tokens based on groupings of the tokens indicative of malware.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein the set of the signals tokens is based on machine learning.
  - 10. The method of claim 8, wherein the rules include obfuscation tolerant rules.
  - 11. The method of claim 8, wherein the groupings include at least two of:
    - toll fraud, rooting, abuse of permissions, application installed as a service, sensitive data retrieval, use of reflection, use of dynamic loading, and privacy violation.
  - 12. The method of claim 11, wherein the toll fraud includes the use of a send text message function, wherein the rooting includes gaining privileged access to a device, wherein abuse of permissions includes requesting permissions above a particular threshold, and sensitive data retrieval includes a call to an Application Programming Interface to retrieve device specific information.
  - 13. The method of claim 11, wherein the use of reflection includes the use of a function to download instructions.

14. A non-transitory machine-readable storage medium storing instructions that, if executed by at least one processor of a computing device, cause the computing device to:
- perform a static code analysis based on obfuscation tolerant rules on a first set of known malware binaries and a second set of known clean binaries to generate tokens; and
  
  generate a set of signal tokens indicative of malware based on groupings of the tokens based on machine learning.
- View Dependent Claims (15)
- - 15. The non-transitory machine-readable storage medium of claim 14, wherein the static code analysis further includes at least two of dataflow sources, structural rules, manifest Extensible Markup Language, semantic analysis, and control flow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Hsueh, Frank Chijeen, Kamani, Sejal Pranlal

Granted Patent

US 10,986,103 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06N 20/00   Machine learning

G06N 7/01   Probabilistic graphical mod...

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

SIGNAL TOKENS INDICATIVE OF MALWARE

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

SIGNAL TOKENS INDICATIVE OF MALWARE

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links