Method and system for classification of software using characteristics and combinations of such characteristics

US 8,365,286 B2
Filed: 03/30/2009
Issued: 01/29/2013
Est. Priority Date: 06/30/2006
Status: Active Grant

First Claim

Patent Images

1. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs the steps of:

identifying a functional code block that performs a particular function within executable code;

transforming the functional code block into two or more generic code representations of its functionality by tokenizing the functional code block into a first generic code representation wherein tokenizing includes converting at least one variable to a predefined generic code uniquely representing the at least one variable, and wherein tokenizing excludes instruction codes and by tokenizing the function code block into a second generic code representation with one or more flags and statistical information;

selecting one of the two or more generic code representations as the generic code representation for further analysis based upon a type of file being analyzed;

comparing the generic code representation with a previously characterized malicious code representation; and

in response to a positive correlation from the comparison, identifying the executable code as containing malicious code.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In embodiments of the present invention improved capabilities are described for the steps of identifying a functional code block that performs a particular function within executable code; transforming the functional code block into a generic code representation of its functionality by tokenizing, refactoring, or the like, the functional code block; comparing the generic code representation with a previously characterized malicious code representation; and in response to a positive correlation from the comparison, identifying the executable code as containing malicious code.

378 Citations

24 Claims

1. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs the steps of:
- identifying a functional code block that performs a particular function within executable code;
  
  transforming the functional code block into two or more generic code representations of its functionality by tokenizing the functional code block into a first generic code representation wherein tokenizing includes converting at least one variable to a predefined generic code uniquely representing the at least one variable, and wherein tokenizing excludes instruction codes and by tokenizing the function code block into a second generic code representation with one or more flags and statistical information;
  
  selecting one of the two or more generic code representations as the generic code representation for further analysis based upon a type of file being analyzed;
  
  comparing the generic code representation with a previously characterized malicious code representation; and
  
  in response to a positive correlation from the comparison, identifying the executable code as containing malicious code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer program product of claim 1, wherein tokenization eliminates portions in the functional code block that may be presented in differing versions of code that perform the same function as the functional code block.
  - 3. The computer program product of claim 2, wherein the eliminated portions occur as a result of changed cross references due to variations in content and location of code between the differing versions.
  - 4. The computer program product of claim 2, wherein the differences occur as a result of legitimate optimization techniques.
  - 5. The computer program product of claim 2, wherein the differences occur as a result of malicious obfuscation techniques.
  - 6. The computer program product of claim 1, wherein the executable code is at least one of executable software, a script, a byte code file, and machine code.
  - 7. The computer program product of claim 1, wherein the malicious code representation is pulled from a library of malicious code representations.
  - 8. The computer program product of claim 7, wherein the library is stored on the computer performing a local code scan.
  - 9. The computer program product of claim 7, wherein the library is accessed through a network.
  - 10. The computer program product of claim 7, wherein the library is accessed through a threat research center.
  - 11. The computer program product of claim 7, wherein the library is updated from a threat research center.
  - 12. The computer program product of claim 1 wherein the at least one variable includes a name or a memory address.
  - 13. The computer program product of claim 1 wherein the instruction code is converted into an equivalent formulation.

14. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs the steps of:
- identifying a functional code block that performs a particular function within executable code;
  
  transforming the functional code block into two or more generic code representations of its functionality including a first generic code representation obtained by refactoring the functional code block and converting at least one variable to a predefined generic code uniquely representing the at least one variable, and further including a second generic code representation having one or more flags and statistics;
  
  selecting one of the two or more generic code representations as the generic code representation for further analysis based upon a type of file being analyzed;
  
  comparing the generic code representation with a previously characterized malicious code representation; and
  
  in response to a positive correlation from the comparison, identifying the executable code as containing malicious code.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 15. The computer program product of claim 14, wherein refactoring eliminates portions in the functional code block that may be presented in differing versions of code that perform the same function as the functional code block.
  - 16. The computer program product of claim 15, wherein the eliminated portions occur as a result of changed cross references due to variations in content and location of code between the differing versions.
  - 17. The computer program product of claim 15, wherein the differences occur as a result of legitimate optimization techniques.
  - 18. The computer program product of claim 15, wherein the differences occur as a result of malicious obfuscation techniques.
  - 19. The computer program product of claim 15, wherein the refactoring is lossy refactoring which selectively preserves certain generic characteristics of the code without needing to maintain actual executability.
  - 20. The computer program product of claim 15, wherein the executable code is at least one of executable software, a script, a byte code file, and machine code.
  - 21. The computer program product of claim 15, wherein the malicious code representation is pulled from a library of malicious code representations.
  - 22. The computer program product of claim 21, wherein the library is stored on the computer performing a local code scan.
  - 23. The computer program product of claim 21, wherein the library is accessed through a network.
  - 24. The computer program product of claim 21, wherein the library is accessed through a threat research center.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sophos Limited (Sophos Group Ltd.)
Original Assignee
Sophos Plc (Sophos Group Ltd.)
Inventors
Poston, Robert J.
Primary Examiner(s)
LAFORGIA, CHRISTIAN A

Application Number

US12/413,823
Publication Number

US 20090187992A1
Time in Patent Office

1,401 Days
Field of Search

726 22- 25, 713187-188, 717126-127, 717130-131
US Class Current

726/24
CPC Class Codes

G06F 21/563 by source code analysis

G06F 21/564 by virus signature recognition

Method and system for classification of software using characteristics and combinations of such characteristics

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

378 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for classification of software using characteristics and combinations of such characteristics

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

378 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links