AUTOMATIC CLUSTERING OF MALWARE VARIANTS BASED ON STRUCTURED CONTROL FLOW

US 20160357965A1
Filed: 06/03/2016
Published: 12/08/2016
Est. Priority Date: 06/04/2015
Status: Abandoned Application

First Claim

Patent Images

1. A method of detecting malware on a computerized system comprising:

accessing a digital software from a file;

building a structured flow control that maps the software'"'"'s execution paths;

evaluating the structured flow control using a plurality of distance measures to determine if a portion of the software is malicious.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer network computer server device accesses software from a file. The device builds a structured flow control that maps the software'"'"'s execution paths. The structured flow control is evaluated using multiple distance measures to determine if a portion of the software is malicious.

17 Citations

View as Search Results

22 Claims

1. A method of detecting malware on a computerized system comprising:
- accessing a digital software from a file;
  
  building a structured flow control that maps the software'"'"'s execution paths;
  
  evaluating the structured flow control using a plurality of distance measures to determine if a portion of the software is malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 where the building of the structured flow control comprises disassembling the executable code of the digital software and scanning the disassembled executable for code instructions.
  - 3. The method of claim 2 where the software'"'"'s execution paths are free of jump paths.
  - 4. The method of claim 1 where the structured flow control comprises a string notation that is an abstraction of a disassembly of an executable code that comprises the digital software.
  - 5. The method of claim 4 where the abstraction comprises if-then-else instructions, loop instructions, and call instructions.
  - 6. The method of claim 1 where the structured flow control comprises a tree structure that is an abstraction of a disassembly of an executable code that comprises the digital software.
  - 7. The method of claim 1 further comprising automatically designating portions of the software malicious based on a distance measure between software nodes.
  - 8. The method of claim 7 further comprising calculating a threshold value for a clustering process that segregates a plurality of malware families.
  - 9. The method of claim 1 further comprising designating a portion of the software into a plurality of malware families based on a number of shared software functions.
  - 10. The method of claim 1 further comprising designating a portion of the software into a plurality of malware families based on a measured similarity the structured flow control and a second structured flow control.
  - 11. The method of claim 1 further comprising building a malware candidate cluster by determining the data points the comprise the structure flow control having the greatest similarity.
  - 12. The method of claim 1 where the act of building a structured flow control that maps the software'"'"'s execution paths are generated from an automated static analysis.
  - 13. The method of claim 1 where the act of determining if a portion of the software is malicious comprises determining if the portion of the software comprises known malware or a variant of known malware.

14. A networked computer server device, comprising:
- a network connection operable to access software from a digital file;
  
  a software static module coupled to the network connection operable to build a structured flow control of the software that maps execution paths of the software;
  
  a cluster module coupled to the software static module operable to evaluate the structured flow control using a plurality of distance measures to determine if a portion of the software is malicious.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The networked computer server device of claim 14 where the structured flow controls comprises a regex string.
  - 16. The networked computer server device of claim 14 where the structured flow control comprises tree structure.
  - 17. The networked computer server device of claim 14 where software static module constructs a file containing the disassembled executable code of the software.
  - 18. The networked computer server device of claim 14 where the software static module coupled and the cluster module comprises a server cluster.
  - 19. The networked computer server device of claim 14 where the determination if a portion of the software is malicious is based on a computed behaviour of the software.

20. A machine-readable medium with instructions stored thereon, the instructions when executed operable to cause a computerized system to:
- access a digital software from a file;
  
  build a structured flow control that maps the software'"'"'s execution paths; and
  
  evaluates the structured flow control using a plurality of distance measures to determine if a portion of the software is malicious.
- View Dependent Claims (21, 22)
- - 21. The machine-readable medium of claim 20 where the structured flow control comprises a tree structure that is an abstraction of a disassembly of an executable code that comprises the digital software.
  - 22. The machine-readable medium of claim 20 wherein the instructions when executed are operable to cause a computerized system to disassemble the executable code of the digital software and scan the disassembled executable for code instructions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
UT-Battelle LLC
Original Assignee
UT-Battelle LLC
Inventors
Awad, Rima L., Prowell, Stacy J., Sayre, Kirk D.

Application Number

US15/172,884
Publication Number

US 20160357965A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

AUTOMATIC CLUSTERING OF MALWARE VARIANTS BASED ON STRUCTURED CONTROL FLOW

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

AUTOMATIC CLUSTERING OF MALWARE VARIANTS BASED ON STRUCTURED CONTROL FLOW

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links