AUTOMATICALLY DETERMINING WHETHER MALWARE SAMPLES ARE SIMILAR

US 20170251003A1
Filed: 02/29/2016
Published: 08/31/2017
Est. Priority Date: 02/29/2016
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

receive a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis;

compare the log files based on the automated malware analysis;

determine whether any of the plurality of samples are similar based on the comparison of the log files based on the automated malware analysis; and

perform an action based on determining that at least two samples are similar; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for automatically determining whether malware samples are similar are disclosed. In some embodiments, a system, process, and/or computer program product for automatically determining whether malware samples are similar includes receiving a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis; comparing the log files based on the automated malware analysis; determining whether any of the plurality of samples are similar based on the comparison of the log files based on the automated malware analysis; and performing an action based on determining that at least two samples are similar.

Citations

20 Claims

1. A system, comprising:
- a processor configured to;
  
  receive a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis;
  
  compare the log files based on the automated malware analysis;
  
  determine whether any of the plurality of samples are similar based on the comparison of the log files based on the automated malware analysis; and
  
  perform an action based on determining that at least two samples are similar; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system recited in claim 1, wherein the log files are processed to extract one or more artifacts and/or one or more high-risk artifacts associated with the log files.
  - 3. The system recited in claim 1, wherein performing automated malware analysis includes is performing a dynamic analysis.
  - 4. The system recited in claim 1, wherein performing automated malware analysis includes performing a static analysis.
  - 5. The system recited in claim 1, wherein a log file for a sample comprises one or more lines based on the automated malware analysis results for the sample.
  - 6. The system recited in claim 1, wherein the processor is further configured to:
    - process the log files to extract artifacts associated with the log files.
  - 7. The system recited in claim 1, wherein the processor is further configured to:
    - process the log files to extract artifacts associated with the log files; and
      
      determine whether a first malware sample is similar to any of the plurality of samples based on the artifacts.

8. A method, comprising:
- receiving a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis;
  
  comparing the log files based on the automated malware analysis;
  
  determining whether any of the plurality of samples are similar based on the comparison of the log files based on the automated malware analysis; and
  
  performing an action based on determining that at least two samples are similar.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the log files are processed to extract one or more artifacts and/or one or more high-risk artifacts associated with the log files.
  - 10. The method of claim 8, wherein performing automated malware analysis includes performing a dynamic analysis.
  - 11. The method of claim 8, wherein performing automated malware analysis includes performing a static analysis.
  - 12. The method of claim 8, wherein a log file for a sample comprises one or more lines based on the automated malware analysis results for the sample.
  - 13. The method of claim 8, further comprising:
    - processing the log files to extract artifacts associated with the log files.
  - 14. The method of claim 8, further comprising:
    - processing the log files to extract artifacts associated with the log files; and
      
      determining whether a first malware sample is similar to any of the plurality of samples based on the artifacts.

15. A computer program product, the computer program product being embodied in a tangible computer readable storage medium and comprising computer instructions for:
- receiving a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis;
  
  comparing the log files based on the automated malware analysis;
  
  determining whether any of the plurality of samples are similar based on the comparison of the log files based on the automated malware analysis; and
  
  performing an action based on determining that at least two samples are similar.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product recited in claim 15, wherein the log files are processed to extract one or more artifacts and/or one or more high-risk artifacts associated with the log files.
  - 17. The computer program product recited in claim 15, wherein performing automated malware analysis includes performing a dynamic analysis.
  - 18. The computer program product recited in claim 15, wherein performing automated malware analysis includes performing a static analysis.
  - 19. The computer program product recited in claim 15, wherein a log file for a sample comprises one or more lines based on the automated malware analysis results for the sample.
  - 20. The computer program product recited in claim 15, further comprising computer instructions for:
    - processing the log files to extract artifacts associated with the log files.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Rostami-Hesarsorkh, Shadi, Vasudevan, Sudarshan, Rostamabadi, Farshad

Granted Patent

US 10,200,390 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06N 20/00   Machine learning

G06N 5/01   Dynamic search techniques; ...

G06N 5/02   Knowledge representation; S...

H04L 63/1425   Traffic logging, e.g. anoma...

AUTOMATICALLY DETERMINING WHETHER MALWARE SAMPLES ARE SIMILAR

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

AUTOMATICALLY DETERMINING WHETHER MALWARE SAMPLES ARE SIMILAR

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links