DISCOVERY OF MALICIOUS STRINGS

US 20170255776A1
Filed: 05/22/2017
Published: 09/07/2017
Est. Priority Date: 12/23/2014
Status: Abandoned Application

First Claim

Patent Images

1-25. -25. (canceled)

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Particular embodiments described herein provide for an electronic device that can be configured to determine a string sample of data, determine a hash of the string sample of data, automatically cluster the hash with other hashes from other string samples of data, and automatically create a signature hash string for the string sample of data.

Citations

49 Claims

1-25. -25. (canceled)

26. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by at least one processor, cause the at least one processor to:
- determine a string of a data sample;
  
  perform an Internet search for the string;
  
  compare the results of the Internet search for the string with results of an Internet search for a known clean string;
  
  cluster, based on a determination that the number of hits from the Internet search is not comparable to the number of hits from a known clean string search, the string with other strings having Internet search results that are not comparable to those of a known clean string; and
  
  populate a dirty string database with the clustered strings.
- View Dependent Claims (27, 28, 29, 30, 31)
- - 27. The at least one non-transitory computer-readable medium of claim 26, further comprising one or more instructions that when executed by the at least one processor, further cause the processor to:
    - determine a cluster of most commonly occurring strings in the dirty string database;
      
      create a hash of each of the strings in the cluster of most commonly occurring strings; and
      
      store the hash of each of the strings from the cluster of most commonly occurring strings in a blacklist hash string database.
  - 28. The at least one non-transitory computer-readable medium of claim 27, further comprising one or more instructions that when executed by the at least one processor, further cause the processor to:
    - cluster the hash of each of the strings in the cluster of most commonly occurring strings to create a string hash signature; and
      
      communicate the string hash signature to an electronic device for use in the detection of the malware.
  - 29. The at least one non-transitory computer-readable medium of claim 28, further comprising one or more instructions that when executed by the at least one processor, further cause the processor to:
    - remove hashes of short strings from the cluster of hashes to create a second string hash signature; and
      
      store the second string hash signature in the blacklist hash string database.
  - 30. The at least one non-transitory computer-readable medium of claim 26, further comprising one or more instructions that when executed by the at least one processor, further cause the processor to:
    - determine a hash of the string;
      
      filter the hash of the string using a whitelist hash string database; and
      
      classify the string as trusted if the hash of the string is found in the whitelist hash string database.
  - 31. The at least one non-transitory computer-readable medium of claim 26, wherein the data sample was received from an electronic device.

32. An apparatus comprising:
- memory; and
  
  a hardware processor configured to;
  
  determine a string of a data sample;
  
  perform an Internet search for the string;
  
  compare the results of the Internet search for the string with results of an Internet search for a known clean string;
  
  cluster, based on a determination that the number of hits from the Internet search is not comparable to the number of hits from a known clean string search, the string with other strings having Internet search results that are not comparable to those of a known clean string; and
  
  populate a dirty string database with the clustered strings.
- View Dependent Claims (33, 34, 35, 36, 37)
- - 33. The apparatus of claim 32, wherein the hardware processor is further configured to:
    - determine a cluster of most commonly occurring strings in the dirty string database;
      
      create a hash of each of the strings in the cluster of most commonly occurring strings; and
      
      store the hash of each of the strings from the cluster of most commonly occurring strings in a blacklist hash string database.
  - 34. The apparatus of claim 33, wherein the hardware processor is further configured to:
    - cluster the hash of each of the strings in the cluster of most commonly occurring strings to create a string hash signature; and
      
      communicate the string hash signature to an electronic device for use in the detection of the malware.
  - 35. The apparatus of claim 34, wherein the hardware processor is further configured to:
    - remove hashes of short strings from the cluster of hashes to create a second string hash signature; and
      
      store the second string hash signature in the blacklist hash string database.
  - 36. The apparatus of claim 32, wherein the hardware processor is further configured to:
    - determine a hash of the string;
      
      filter the hash of the string using a whitelist hash string database; and
      
      classify the string as trusted if the hash of the string is found in the whitelist hash string database.
  - 37. The apparatus of claim 32, wherein the data sample was received from an electronic device.

38. A method comprising:
- determining a string of a data sample;
  
  performing an Internet search for the string;
  
  comparing the results of the Internet search for the string with results of an Internet search for a known clean string;
  
  clustering, based on a determination that the number of hits from the Internet search is not comparable to the number of hits from a known clean string search, the string with other strings having Internet search results that are not comparable to those of a known clean string; and
  
  populating a dirty string database with the clustered strings.
- View Dependent Claims (39, 40, 41, 42, 43)
- - 39. The method of claim 38, further comprising:
    - determining a cluster of most commonly occurring strings in the dirty string database;
      
      creating a hash of each of the strings in the cluster of most commonly occurring strings; and
      
      storing the hash of each of the strings from the cluster of most commonly occurring strings in a blacklist hash string database.
  - 40. The method of claim 39, further comprising:
    - clustering the hash of each of the strings in the cluster of most commonly occurring strings to create a string hash signature; and
      
      communicating the string hash signature to an electronic device for use in the detection of the malware.
  - 41. The method of claim 40, further comprising:
    - removing hashes of short strings from the cluster of hashes to create a second string hash signature; and
      
      storing the second string hash signature in the blacklist hash string database.
  - 42. The method of claim 38, further comprising:
    - determining a hash of the string;
      
      filtering the hash of the string using a whitelist hash string database; and
      
      classifying the string as trusted if the hash of the string is found in the whitelist hash string database.
  - 43. The method of claim 38, wherein the data sample was received from an electronic device.

44. A system for discovering malicious strings, the system comprising:
- memory; and
  
  a hardware processor configured for;
  
  determining a string of a data sample;
  
  performing an Internet search for the string;
  
  comparing the results of the Internet search for the string with results of an Internet search for a known clean string;
  
  clustering, based on a determination that the number of hits from the Internet search is not comparable to the number of hits from a known clean string search, the string with other strings having Internet search results that are not comparable to those of a known clean string; and
  
  populating a dirty string database with the clustered strings.
- View Dependent Claims (45, 46, 47, 48, 49)
- - 45. The system of claim 44, wherein the system is further configured for:
    - determining a cluster of most commonly occurring strings in the dirty string database;
      
      creating a hash of each of the strings in the cluster of most commonly occurring strings; and
      
      storing the hash of each of the strings from the cluster of most commonly occurring strings in a blacklist hash string database.
  - 46. The system of claim 45, wherein the system is further configured for:
    - clustering the hash of each of the strings in the cluster of most commonly occurring strings to create a string hash signature; and
      
      communicating the string hash signature to an electronic device for use in the detection of the malware.
  - 47. The system of claim 46, wherein the system is further configured for:
    - removing hashes of short strings from the cluster of hashes to create a second string hash signature; and
      
      storing the second string hash signature in the blacklist hash string database.
  - 48. The system of claim 44, wherein the system is further configured for:
    - determining a hash of the string;
      
      filtering the hash of the string using a whitelist hash string database; and
      
      classifying the string as trusted if the hash of the string is found in the whitelist hash string database.
  - 49. The system of claim 44, wherein the data sample was received from an electronic device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, Inc. (McAfee, LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Zhang, Zheng, Schmugar, Craig D.

Application Number

US15/601,534
Publication Number

US 20170255776A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/567   using dedicated hardware

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

DISCOVERY OF MALICIOUS STRINGS

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

DISCOVERY OF MALICIOUS STRINGS

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links