System and method for detecting malware by transforming objects and analyzing different views of objects

US 8,769,692 B1
Filed: 07/14/2011
Issued: 07/01/2014
Est. Priority Date: 07/14/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

generating a plurality of transformed views of an object in a network environment;

generating a plurality of filtered information sets corresponding respectively to the plurality of transformed views, each of the filtered information sets including particular location data indicating one or more locations in the object corresponding to at least one obfuscation element, wherein a first filtered information set of the plurality of filtered information sets includes a first location data indicating one or more locations in the object corresponding to a first obfuscation element, and wherein a second filtered information set of the plurality of filtered information sets includes a second location data indicating one or more locations in the object corresponding to a second obfuscation element; and

detecting a suspect correlation based on an analysis of at least some of the plurality of transformed views and of at least some of the plurality of filtered information sets, wherein the analysis includes;

identifying a construct in first and second transformed views; and

determining whether one or more criteria are satisfied based on a proximity of the one or more locations of the first location data and the one or more locations of the second location data relative to the construct in the first and second transformed views, respectively.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in one example implementation includes generating a plurality of transformed views of an object in a network environment and generating a plurality of filtered information sets. The method further includes detecting a suspect correlation based on an analysis of at least some of the plurality of transformed views and of at least some of the plurality of filtered information sets. In a more specific embodiment, the analysis includes an original view of the object. Other more specific embodiments include applying filters to selected views of the object, where each of the filters is associated with a different obfuscation type. Applying the filters includes transforming obfuscation elements in the plurality of transformed views, where the object contains the one or more obfuscation elements.

34 Citations

View as Search Results

28 Claims

1. A method, comprising:
- generating a plurality of transformed views of an object in a network environment;
  
  generating a plurality of filtered information sets corresponding respectively to the plurality of transformed views, each of the filtered information sets including particular location data indicating one or more locations in the object corresponding to at least one obfuscation element, wherein a first filtered information set of the plurality of filtered information sets includes a first location data indicating one or more locations in the object corresponding to a first obfuscation element, and wherein a second filtered information set of the plurality of filtered information sets includes a second location data indicating one or more locations in the object corresponding to a second obfuscation element; and
  
  detecting a suspect correlation based on an analysis of at least some of the plurality of transformed views and of at least some of the plurality of filtered information sets, wherein the analysis includes;
  
  identifying a construct in first and second transformed views; and
  
  determining whether one or more criteria are satisfied based on a proximity of the one or more locations of the first location data and the one or more locations of the second location data relative to the construct in the first and second transformed views, respectively.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1,wherein the generating the plurality of transformed views includes applying a plurality of filters to one or more selected views of the object, andwherein each of the plurality of filters is associated with a different obfuscation type.
  - 3. The method of claim 1, further comprising reporting the suspect correlation.

4. One or more non-transitory computer readable storage media that includes code for execution and when executed by at least one processor is operable to perform operations comprising:
- generating a plurality of transformed views of an object in a network environment;
  
  generating a plurality of filtered information sets corresponding respectively to the plurality of transformed views, each of the filtered information sets including particular location data indicating one or more locations in the object corresponding to at least one obfuscation element, wherein a first filtered information set of the plurality of filtered information sets includes a first location data indicating one or more locations in the object corresponding to a first obfuscation element, and wherein a second filtered information set of the plurality of filtered information sets includes a second location data indicating one or more locations in the object corresponding to a second obfuscation element; and
  
  detecting a suspect correlation based on an analysis of at least some of the plurality of transformed views and of at least some of the plurality of filtered information sets, wherein the analysis includes;
  
  identifying a construct in first and second transformed views of the plurality of transformed views; and
  
  determining whether one or more criteria are satisfied based on first and second location data relative to the construct in the first and second transformed views, respectively.
- View Dependent Claims (5, 6, 7, 8)
- - 5. The one or more computer readable storage media of claim 4,wherein the generating the plurality of transformed views includes applying a plurality of filters to one or more selected views of the object to generate the plurality of transformed views andwherein each of the plurality of filters is associated with a different obfuscation type.
  - 6. The one or more non-transitory computer readable storage media of claim 5,wherein the applying the plurality of filters includes transforming one or more obfuscation elements in the plurality of transformed views, andwherein the object contains the one or more obfuscation elements.
  - 7. The one or more computer readable storage media of claim 4, wherein the analysis includes an original view of the object.
  - 8. The one or more non-transitory computer readable storage media of claim 4,wherein the generating the plurality of transformed views includes:
    - applying a selected first filter to an original view of the object to generate a first transformed view of the plurality of transformed views; and
      
      applying a selected second filter to the first transformed view to generate a second transformed view of the plurality of transformed views, andwherein each of the plurality of filters is associated with a different obfuscation type.

9. An apparatus, comprising:
- a malware detection module;
  
  an object; and
  
  at least one processor operable to execute operations associated with the object, wherein the malware detection module, the object, and the processor cooperate such that the apparatus is configured for;
  
  generating a plurality of transformed views of an object in a network environment;
  
  generating a plurality of filtered information sets corresponding respectively to the plurality of transformed views, each of the filtered information sets including particular location data indicating one or more locations in the object corresponding to at least one obfuscation element, wherein a first filtered information set of the plurality of filtered information sets includes a first location data indicating one or more locations in the object corresponding to a first obfuscation element, and wherein a second filtered information set of the plurality of filtered information sets includes a second location data indicating one or more locations in the object corresponding to a second obfuscation element; and
  
  detecting a suspect correlation based on an analysis of at least some of the plurality of transformed views and of at least some of the plurality of filtered information sets, wherein the analysis includes determining whether one or more criteria are satisfied based on a first frequency of the first filtered obfuscation element and a second frequency of the second filtered obfuscation element.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The apparatus of claim 9,wherein the generating the plurality of transformed views includes applying a plurality of filters to one or more selected views of the object, andwherein each of the plurality of filters is associated with a different obfuscation type.
  - 11. The apparatus of claim 10,wherein the applying the plurality of filters includes transforming one or more obfuscation elements in the plurality of transformed views, andwherein the object contains the one or more obfuscation elements.
  - 12. The apparatus of claim 11, wherein the transforming one or more obfuscation elements includes one of removing, replacing, or normalizing the one or more obfuscation elements in the plurality of transformed views.
  - 13. The apparatus of claim 11, wherein the one or more obfuscation elements are selected from a group consisting of polymorphic code instructions, vocabulary text from a text generator, and noise.

14. One or more non-transitory computer readable storage media that includes code for execution and when executed by at least one processor is operable to perform operations comprising:
- generating a plurality of transformed views of an object in a network environment;
  
  generating a plurality of filtered information sets corresponding respectively to the plurality of transformed views, each of the filtered information sets including particular location data indicating one or more locations in the object corresponding to at least one obfuscation element, wherein a first filtered information set of the plurality of filtered information sets includes a first location data indicating one or more locations in the object corresponding to a first obfuscation element, wherein one or more occurrences of the first obfuscation element in the object are transformed in the first transformed view, wherein a second filtered information set of the plurality of filtered information sets includes a second location data indicating one or more locations in the object corresponding to a second obfuscation element, and wherein one or more occurrences of the second obfuscation element in the object are transformed in the second transformed view; and
  
  detecting a suspect correlation based on an analysis of at least some of the plurality of transformed views and of at least some of the plurality of filtered information sets.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The one or more non-transitory computer readable storage media of claim 14,wherein the generating the plurality of transformed views includes applying a plurality of filters to one or more selected views of the object, andwherein each of the plurality of filters is associated with a different obfuscation type.
  - 16. The one or more non-transitory computer readable storage media of claim 15,wherein the applying the plurality of filters includes transforming one or more obfuscation elements in the plurality of transformed views, andwherein the object contains the one or more obfuscation elements.
  - 17. The one or more non-transitory computer readable storage media of claim 16, wherein the transforming one or more obfuscation elements includes one of removing, replacing, or normalizing the one or more obfuscation elements in the plurality of transformed views.
  - 18. The one or more non-transitory computer readable storage media of claim 16, wherein the one or more obfuscation elements are selected from a group consisting of polymorphic code instructions, vocabulary text from a text generator, and noise.

19. One or more non-transitory computer readable storage media that includes code for execution and when executed by at least one processor is operable to perform operations comprising:
- generating a plurality of transformed views of an object in a network environment;
  
  generating a plurality of filtered information sets corresponding respectively to the plurality of transformed views, each of the filtered information sets including particular location data indicating one or more locations in the object corresponding to at least one obfuscation element, wherein a first filtered information set of the plurality of filtered information sets includes a first location data indicating one or more locations in the object corresponding to a first obfuscation element, wherein each of the one or more locations of the first location data corresponds to a single occurrence of the first obfuscation element in the object, wherein a second filtered information set of the plurality of filtered information sets includes a second location data indicating one or more locations in the object corresponding to a second obfuscation element, and wherein each of the one or more locations of the second location data corresponds to a single occurrence of the second obfuscation element in the object; and
  
  detecting a suspect correlation based on an analysis of at least some of the plurality of transformed views and of at least some of the plurality of filtered information sets.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The one or more non-transitory computer readable storage media of claim 19, wherein the analysis is based, in part, on an original view of the object.
  - 21. The one or more non-transitory computer readable storage media of claim 19,wherein the generating the plurality of transformed views includes applying a plurality of filters to one or more selected views of the object, andwherein each of the plurality of filters is associated with a different obfuscation type.
  - 22. The one or more non-transitory computer readable storage media of claim 21,wherein the applying the plurality of filters includes transforming one or more obfuscation elements in the plurality of transformed views, andwherein the object contains the one or more obfuscation elements.
  - 23. The one or more non-transitory computer readable storage media of claim 19,wherein the generating the plurality of transformed views includes:
    - applying a selected first filter to an original view of the object to generate a first transformed view of the plurality of transformed views; and
      
      applying a selected second filter to the first transformed view to generate a second transformed view of the plurality of transformed views,wherein each of the plurality of filters is associated with a different obfuscation type.

24. One or more non-transitory computer readable storage media that includes code for execution and when executed by at least one processor is operable to perform operations comprising:
- generating a plurality of transformed views of an object in a network environment;
  
  generating a plurality of filtered information sets corresponding respectively to the plurality of transformed views, each of the filtered information sets including particular location data indicating one or more locations in the object corresponding to at least one obfuscation element, wherein a first filtered information set of the plurality of filtered information sets includes a first location data indicating one or more locations in the object corresponding to a first obfuscation element, wherein each of the one or more locations of the first location data corresponds to one or more successive occurrences of the first obfuscation element in the object, wherein a second filtered information set of the plurality of filtered information sets includes a second location data indicating one or more locations in the object corresponding to a second obfuscation element, and wherein each of the one or more locations of the second location data corresponds to one or more successive occurrences of the second obfuscation element in the object; and
  
  detecting a suspect correlation based on an analysis of at least some of the plurality of transformed views and of at least some of the plurality of filtered information sets.
- View Dependent Claims (25, 26, 27, 28)
- - 25. The one or more non-transitory computer readable storage media of claim 24,wherein the generating the plurality of transformed views includes applying a plurality of filters to one or more selected views of the object, andwherein each of the plurality of filters is associated with a different obfuscation type.
  - 26. The one or more non-transitory computer readable storage media of claim 25,wherein the applying the plurality of filters includes transforming one or more obfuscation elements in the plurality of transformed views, andwherein the object contains the one or more obfuscation elements.
  - 27. The one or more non-transitory computer readable storage media of claim 26, wherein the transforming one or more obfuscation elements includes one of removing, replacing, or normalizing the one or more obfuscation elements in the plurality of transformed views.
  - 28. The one or more non-transitory computer readable storage media of claim 26, wherein the one or more obfuscation elements are selected from a group consisting of polymorphic code instructions, vocabulary text from a text generator, and noise.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Muttik, Igor G., Bartram, Anthony Vaughan
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US13/182,641
Time in Patent Office

1,083 Days
Field of Search

None
US Class Current

726/24
CPC Class Codes

G06F 21/56   Computer malware detection ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 67/02   based on web technology, e....

System and method for detecting malware by transforming objects and analyzing different views of objects

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

28 Claims

Specification

Use Cases

Quick Links

Others

System and method for detecting malware by transforming objects and analyzing different views of objects

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

28 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others