Systems and methods for byte-level context diversity-based automatic malware signature generation

US 8,291,497 B1
Filed: 03/20/2009
Issued: 10/16/2012
Est. Priority Date: 03/20/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for facilitating automatic malware signature generation, at least a portion of the method being performed by a computing system comprising at least one processor, the method comprising:

providing a byte sequence marked for possible inclusion within one or more malware signatures;

determining a context diversity of the byte sequence within malware files each containing the byte sequence in accordance with a diversity-based heuristic, the containing malware files being a subset of a plurality of malware files, the context diversity of the byte sequence identifying differences between the containing malware files such that a higher context diversity level of the byte sequence indicates that the byte sequence has a likelihood of being representative of a sequence found in goodware and a lower context diversity of the byte sequence has a likelihood of being representative of a sequence found in malware;

preventing the byte sequence from being included within the one or more malware signatures in accordance with the determined context diversity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for facilitating automatic malware signature generation may comprise providing a byte sequence marked for possible inclusion within one or more malware signatures, determining a context diversity of the byte sequence within malware files each containing the byte sequence in accordance with a diversity-based heuristic, and preventing the byte sequence from being included within the one or more malware signatures in accordance with the determined context diversity. Corresponding systems and computer-readable storage media are also disclosed.

92 Citations

View as Search Results

20 Claims

1. A computer-implemented method for facilitating automatic malware signature generation, at least a portion of the method being performed by a computing system comprising at least one processor, the method comprising:
- providing a byte sequence marked for possible inclusion within one or more malware signatures;
  
  determining a context diversity of the byte sequence within malware files each containing the byte sequence in accordance with a diversity-based heuristic, the containing malware files being a subset of a plurality of malware files, the context diversity of the byte sequence identifying differences between the containing malware files such that a higher context diversity level of the byte sequence indicates that the byte sequence has a likelihood of being representative of a sequence found in goodware and a lower context diversity of the byte sequence has a likelihood of being representative of a sequence found in malware;
  
  preventing the byte sequence from being included within the one or more malware signatures in accordance with the determined context diversity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the determining of the context diversity of the byte sequence within the containing malware files comprises:
    - grouping the plurality of malware files into a plurality of malware family clusters;
      
      determining a total number of the malware family clusters that include at least one of the containing malware files.
  - 3. The method of claim 2, wherein the preventing comprises preventing the byte sequence from being included within the one or more malware signatures if the total number of the malware family clusters that include at least one of the containing malware files is greater than a predetermined threshold.
  - 4. The method of claim 2, wherein the preventing comprises preventing the byte sequence from being included within the one or more malware signatures if a ratio of the total number of the malware family clusters that include at least one of the containing malware files to a total number of the containing malware files is greater than a predetermined threshold.
  - 5. The method of claim 1, wherein the context diversity of the byte sequence refers to where the byte sequence is located within the containing malware files.
  - 6. The method of claim 1, wherein the determining of the context diversity of the byte sequence within the containing malware files comprises:
    - determining a byte offset of the byte sequence in each of the containing malware files;
      
      determining a standard deviation of the byte offset of the byte sequence in each of the containing files.
  - 7. The method of claim 6, wherein the preventing comprises preventing the byte sequence from being included within the one or more malware signatures if the standard deviation is greater than a predetermined threshold.
  - 8. The method of claim 6, wherein the byte offset comprises at least one of an absolute byte offset and a fractional positional byte offset.
  - 9. The method of claim 1, wherein the determining of the context diversity of the byte sequence within the containing malware files comprises:
    - determining whether a second byte sequence associated with a malware signature is located within each of one or more of the containing malware files;
      
      determining a standard deviation of a distance between the byte sequence and the second byte sequence within each of the one or more containing malware files if the second byte sequence is located within each of one or more of the containing malware files.
  - 10. The method of claim 9, wherein the preventing comprises preventing the byte sequence from being included within the one or more malware signatures if the standard deviation is greater than a predetermined threshold.
  - 11. The method of claim 1, wherein the determining of the context diversity of the byte sequence within the containing malware files comprises:
    - determining a total number of distinct byte sequences surrounding the byte sequence in two or more of the containing malware files.
  - 12. The method of claim 1, wherein the context diversity of the byte sequence refers to differences in how the byte sequence is used within the containing malware files.

13. A system for facilitating automatic malware signature generation, the system comprising:
- a byte sequence marking module configured to mark a byte sequence for possible inclusion within one or more malware signatures;
  
  a context diversity determination module communicatively coupled to a malware signature generation module and configured to determine a context diversity of the byte sequence within malware files each containing the byte sequence in accordance with a diversity-based heuristic, the containing malware files being a subset of a plurality of malware files, the context diversity of the byte sequence identifying differences between the containing malware files such that a higher context diversity level of the byte sequence indicates that the byte sequence has a likelihood of being representative of a sequence found in goodware and a lower context diversity of the byte sequence has a likelihood of being representative of a sequence found in malware;
  
  a prevention module communicatively coupled to the context diversity determination module and configured to prevent the byte sequence from being included within the one or more malware signatures in accordance with the determined context diversity;
  
  at least one hardware processor configured to execute the byte sequence marking module, the context diversity determination module, and the prevention module.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein the context diversity determination module is configured to determine the context diversity of the byte sequence within the containing malware files by:
    - grouping the plurality of malware files into a plurality of malware family clusters;
      
      determining a total number of the malware family clusters that include at least one of the containing malware files.
  - 15. The system of claim 14, wherein the prevention module is configured to prevent the byte sequence from being included within the one or more malware signatures if the total number of the malware family clusters that include at least one of the containing malware files is greater than a predetermined threshold.
  - 16. The system of claim 13, wherein the context diversity determination module is configured to determine the context diversity of the byte sequence within the containing malware files by:
    - determining a byte offset of the byte sequence in each of the containing malware files;
      
      determining a standard deviation of the byte offset of the byte sequence in each of the containing files.
  - 17. The system of claim 13, wherein the context diversity determination module is configured to determine the context diversity of the byte sequence within the containing malware files by:
    - determining whether a second byte sequence associated with a malware signature is located within each of one or more of the containing malware files;
      
      determining a standard deviation of a distance between the byte sequence and the second byte sequence within each of the one or more containing malware files if the second byte sequence is located within each of one or more of the containing malware files.
  - 18. The system of claim 13, wherein the context diversity determination module is configured to determine the context diversity of the byte sequence within the containing malware files by:
    - determining a total number of distinct byte sequences surrounding the byte sequence in two or more of the containing malware files.

19. A non-transitory computer-readable-storage medium including instructions configured to direct a computing system to:
- provide a byte sequence marked for possible inclusion within one or more malware signatures;
  
  determine a context diversity of the byte sequence within malware files each containing the byte sequence in accordance with a diversity-based heuristic, the containing malware files being a subset of a plurality of malware files, the context diversity of the byte sequence identifying differences between the containing malware files such that a higher context diversity level of the byte sequence indicates that the byte sequence has a likelihood of being representative of a sequence found in goodware and a lower context diversity of the byte sequence has a likelihood of being representative of a sequence found in malware;
  
  prevent the byte sequence from being included within the one or more malware signatures in accordance with the determined context diversity.
- View Dependent Claims (20)
- - 20. The non-transitory computer-readable-storage medium of claim 19, wherein the instructions are configured to direct the computing system to determine the context diversity of the byte sequence within the containing malware files by directing the computing system to:
    - group the plurality of malware files into a plurality of malware family clusters;
      
      determine a total number of the malware family clusters that include at least one of the containing malware files.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Chiueh, Tzi-cker, Schneider, Scott, Griffin, Kent
Primary Examiner(s)
Kosowski, Carolyn B

Application Number

US12/408,306
Time in Patent Office

1,306 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

G06F 21/564 by virus signature recognition

Systems and methods for byte-level context diversity-based automatic malware signature generation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

92 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for byte-level context diversity-based automatic malware signature generation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

92 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links