Methods for identifying malicious software
First Claim
1. A method for identifying malicious software in an executable file, comprising:
dividing a portion of the executable file into a plurality of windows, each window of the plurality of windows comprising one or more bytes;
applying to the one or more bytes of the plurality of windows a transformation function that provides a numerically comparable value for the each window;
displaying graphically the numerically comparable value for the each window as a function of the each window;
determining if a given numerical comparable value is a statistical outlier with respect to other numerical comparable values; and
if the given numerical comparable value is a statistical outlier, identifying a window comprising the given numerical comparable value as the malicious software, wherein the statistical outlier has a value two standard deviations greater than the mean of the numerical comparable values.
Abstract
Malicious software is identified in an executable file by identifying malicious structural features, decryption code, and cryptographic functions. A malicious structural feature is identified by comparing a known malicious structural feature to one or more instructions of the executable file. A malicious structural feature is also identified by graphically and statistically comparing windows of bytes or instructions in a section of the executable file. Cryptography is an indicator of malicious software. Decryption code is identified in an executable file by identifying a tight loop around a reversible instruction that writes to random access memory. Cryptographic functions are identified in an executable file by obtaining a known cryptographic function and performing a string comparison of the numeric constants of the known cryptographic function with the executable file.
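The last sentence of the abstract (matching the numeric constants of a known cryptographic function against the file bytes) is simple enough to show end to end. The following is an added example, not code from the patent or from any product that practises it: it encodes a few public constants from the standards (the MD5/SHA-1 initial state from RFC 1321 and FIPS 180-4, the first four SHA-256 round constants from FIPS 180-4, and the first eight AES S-box entries from FIPS 197) in both byte orders and scans a byte string for them. The function names, the signature labels and the sample bytes are constructed for this illustration.

```python
import struct
from typing import Dict, Iterator, List, Tuple

# Public constants from the respective standards. Several consecutive words are
# matched as one run so that a single 32-bit value occurring by chance in an
# unrelated binary does not count as a hit.
WORD_SIGNATURES: Dict[str, List[int]] = {
    "MD5/SHA-1 initial state": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],
    "SHA-256 round constants K[0..3]": [0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5],
}
# Byte-oriented tables have no endianness and are matched as raw bytes.
BYTE_TABLE_SIGNATURES: Dict[str, bytes] = {
    "AES forward S-box (first 8 entries)": bytes.fromhex("637c777bf26b6fc5"),
}

Match = Tuple[int, str, str]  # (offset in file, constant name, encoding matched)


def _encoded_signatures() -> List[Tuple[bytes, str, str]]:
    """Render every signature as the byte strings it would occupy in a file."""
    sigs: List[Tuple[bytes, str, str]] = []
    for name, words in WORD_SIGNATURES.items():
        sigs.append((b"".join(struct.pack("<I", w) for w in words), name, "little-endian"))
        sigs.append((b"".join(struct.pack(">I", w) for w in words), name, "big-endian"))
    for name, raw in BYTE_TABLE_SIGNATURES.items():
        sigs.append((raw, name, "raw bytes"))
    return sigs


def _find_all(haystack: bytes, needle: bytes) -> Iterator[int]:
    """Yield every offset at which `needle` occurs in `haystack` (overlaps allowed)."""
    start = 0
    while True:
        idx = haystack.find(needle, start)
        if idx < 0:
            return
        yield idx
        start = idx + 1


def scan_for_constants(data: bytes) -> List[Match]:
    """String-compare each encoded signature against the file bytes; sorted by offset."""
    matches: List[Match] = []
    for needle, name, encoding in _encoded_signatures():
        for off in _find_all(data, needle):
            matches.append((off, name, encoding))
    return sorted(matches)


def build_constructed_sample() -> bytes:
    """Constructed stand-in for an executable section (not a real file):
    64 filler bytes, the SHA-256 K[0..3] words little-endian at offset 64,
    32 zero bytes, then the AES S-box prefix at offset 112."""
    sha256_k_le = b"".join(
        struct.pack("<I", w) for w in WORD_SIGNATURES["SHA-256 round constants K[0..3]"]
    )
    return (b"\x90" * 64 + sha256_k_le + b"\x00" * 32
            + BYTE_TABLE_SIGNATURES["AES forward S-box (first 8 entries)"] + b"\x00" * 16)


if __name__ == "__main__":
    for offset, name, encoding in scan_for_constants(build_constructed_sample()):
        print(f"0x{offset:08x}  {name}  [{encoding}]")
```

Two practical points follow from the code. Matching a run of consecutive words in both byte orders keeps chance hits rare, whereas matching one 32-bit word on its own produces noise in any large binary. And because legitimate software (TLS stacks, installers, compression tools) carries the same constants, a hit is the indicator the abstract describes, not a verdict; it is one feature to combine with the structural and decryption-loop checks the abstract also lists.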
25 Claims
1. A method for identifying malicious software in an executable file, comprising:
(Elements as set out under First Claim above.)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13.
14. A method for identifying malicious software in an executable file, comprising:
disassembling a portion of the executable file into instructions;
dividing the portion into a plurality of windows, each window of the plurality of windows comprising one or more instructions;
applying to the one or more instructions of the plurality of windows a transformation function that provides a numerically comparable value for the each window and results in a list of numerically comparable values for the plurality of windows;
determining if a value from the list is a statistical outlier with respect to other values from the list; and
if the value is a statistical outlier, identifying a window comprising the value as the malicious software, wherein the statistical outlier has a value two standard deviations greater than the mean of the list.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23, 24.
25. A method for identifying malicious software in an executable file, comprising:
dividing a portion of the executable file into a plurality of windows, each window containing one or more bytes;
applying to the one or more bytes in the plurality of windows a transformation function that provides a numerically comparable value for the each window;
using information resulting from the applying a transformation function to compute a probability that a given one of the one or more bytes is malicious software;
determining if a given numerical comparable value is a statistical outlier with respect to other numerical comparable values; and
if the given numerical comparable value is a statistical outlier, identifying a window comprising the given numerical comparable value as the malicious software, wherein the statistical outlier has a value two standard deviations greater than the mean of the numerical comparable values.
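Independent claims 1, 14 and 25 share one procedure: split a section into windows, map each window to a number, plot the numbers, and flag any window whose value lies more than two standard deviations above the mean. The following is an added example that carries that procedure through on constructed input; it is not code from the patent or from any product. The claims do not name a transformation function, so Shannon entropy per window is assumed here (it is the usual choice for spotting packed or encrypted regions); the window size of 256 bytes, the function names and the sample bytes are likewise assumptions of this example.

```python
import hashlib
import math
import statistics
from typing import List, Tuple

WINDOW_SIZE = 256        # bytes per window (assumed; the claims fix no size)
SIGMA_MULTIPLIER = 2.0   # "two standard deviations greater than the mean"


def window_entropy(window: bytes) -> float:
    """Transformation function (assumed): Shannon entropy in bits per byte, 0.0..8.0.
    Encrypted or packed data sits near 8.0; padding and plain text sit far lower."""
    if not window:
        return 0.0
    counts = [0] * 256
    for b in window:
        counts[b] += 1
    n = len(window)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def windowed_values(data: bytes, window_size: int = WINDOW_SIZE) -> List[float]:
    """Divide the section into consecutive windows and apply the transformation to each."""
    return [window_entropy(data[i:i + window_size])
            for i in range(0, len(data), window_size)]


def outlier_threshold(values: List[float], k: float = SIGMA_MULTIPLIER) -> float:
    """Mean plus k population standard deviations of the per-window values."""
    return statistics.fmean(values) + k * statistics.pstdev(values)


def flag_outliers(values: List[float], k: float = SIGMA_MULTIPLIER) -> List[int]:
    """Indices of windows whose value exceeds mean + k*sigma.
    With fewer than two windows, or when every window is identical (sigma = 0),
    nothing can be an outlier."""
    if len(values) < 2:
        return []
    threshold = outlier_threshold(values, k)
    return [i for i, v in enumerate(values) if v > threshold]


def ascii_plot(values: List[float], threshold: float, width: int = 40) -> List[str]:
    """Text stand-in for the claimed graphical display: one bar per window, '!' on outliers."""
    rows = []
    for i, v in enumerate(values):
        bar = "#" * int(round(v / 8.0 * width))
        mark = "!" if v > threshold else " "
        rows.append(f"{i:4d} {v:5.2f} {mark} {bar}")
    return rows


def analyze_section(data: bytes) -> Tuple[List[float], float, List[int]]:
    """Run the whole claimed procedure: values per window, threshold, outlier indices."""
    values = windowed_values(data)
    threshold = outlier_threshold(values) if len(values) >= 2 else float("inf")
    return values, threshold, flag_outliers(values)


# --- constructed sample input (a stand-in for a section of an executable) --------

def _constructed_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted payload."""
    out = bytearray()
    h = seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_section() -> bytes:
    """32 windows of low-entropy filler (exactly 2.5 bits per byte) with one
    high-entropy window planted at index 20."""
    filler = (b"\x00" * 8 + b"ABCDEFGH") * (WINDOW_SIZE // 16)
    windows = [filler] * 32
    windows[20] = _constructed_random_bytes(WINDOW_SIZE)
    return b"".join(windows)


if __name__ == "__main__":
    values, threshold, outliers = analyze_section(build_sample_section())
    print("\n".join(ascii_plot(values, threshold)))
    print(f"threshold = {threshold:.2f}; outlier windows: {outliers}")
```

The threshold is relative to the section being examined, which is the point of the claimed test: a single high-entropy window stands out against plain code or data, but a section that is encrypted end to end has a high mean and a small standard deviation, so no window exceeds mean plus two sigma and nothing is flagged. The population standard deviation (`pstdev`) is used because the windows are the whole section, not a sample of it.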
Specification