FUZZY HASH OF BEHAVIORAL RESULTS
First Claim
1. A computerized method for classifying objects in a malware system, comprising:
- detecting behaviors of an object for classification after processing of the received object has started;
collecting data associated with the detected behaviors;
generating a fuzzy hash for the received object based on the data associated with the detected behaviors, the generating of the fuzzy hash includes;
(i) removing a portion of the data associated with the detected behaviors to produce a remaining portion of the data associated with the detected behaviors, and(ii) performing a hash operation on the remaining portion of the data associated with the detected behaviors;
comparing the fuzzy hash for the received object with a fuzzy hash of an object in a preexisting cluster to generate a similarity measure;
associating the received object with the preexisting cluster in response to determining that the similarity measure is above a predefined threshold value; and
reporting, via a communications interface, whether the received object is associated with the preexisting cluster.
5 Assignments
0 Petitions
Accused Products
Abstract
A computerized method for classifying objects in a malware system is described. The method includes detecting behaviors of an object for classification after processing of the object has begun. Data associated with the detected behaviors is collected, and a fuzzy hash for the received object is generated. The generation of the fuzzy hash may include (i) removing a portion of the data associated with the detected behaviors, and (ii) performing a hash operation on a remaining portion of the data associated with the detected behaviors. Thereafter, the fuzzy hash for the received object is compared to a fuzzy hash of an object in a preexisting cluster to generate a similarity measure. The received object is associated with the preexisting cluster in response to determining that the similarity measure is above a predefined threshold value. Thereafter, the results are reported.
150 Citations
16 Claims
-
1. A computerized method for classifying objects in a malware system, comprising:
-
detecting behaviors of an object for classification after processing of the received object has started; collecting data associated with the detected behaviors; generating a fuzzy hash for the received object based on the data associated with the detected behaviors, the generating of the fuzzy hash includes; (i) removing a portion of the data associated with the detected behaviors to produce a remaining portion of the data associated with the detected behaviors, and (ii) performing a hash operation on the remaining portion of the data associated with the detected behaviors; comparing the fuzzy hash for the received object with a fuzzy hash of an object in a preexisting cluster to generate a similarity measure; associating the received object with the preexisting cluster in response to determining that the similarity measure is above a predefined threshold value; and reporting, via a communications interface, whether the received object is associated with the preexisting cluster. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. The computerized method of claim 11, wherein the removing of the data associated with the detected behaviors includes removing values written to a registry or modified registry values.
-
12. A system comprising:
-
one or more hardware processors; a memory including one or more software modules that, when executed by the one or more hardware processors; detect behaviors of a received object for classification after processing of the received object has started; collecting data associated with the detected behaviors; generate a fuzzy hash for the received object based on the data associated with the detected behaviors, the generating the fuzzy hash includes; (i) removing a portion of the data associated with the detected behaviors to produce a remaining portion of the data associated with the detected behaviors, and (ii) performing a hash operation on the removing portion of the data associated with the detected behaviors; compare the fuzzy hash for the received object with a fuzzy hash of an object in a preexisting cluster to generate a similarity measure; associate the received object with the preexisting cluster in response to determining that the similarity measure is above a predefined threshold value; reporting whether the received object is associated with the preexisting cluster. - View Dependent Claims (13, 14, 15, 16)
-
Specification