Automatic signature generation for malicious PDF files

US 9,043,917 B2
Filed: 02/14/2014
Issued: 05/26/2015
Est. Priority Date: 05/24/2011
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

receive a Portable Document Format (PDF) file that is known to include malicious content;

parse the PDF file to identify a cross-reference table included in the PDF file; and

generate a signature associated with the PDF file from the identified cross-reference table; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, automatic signature generation for malicious PDF files includes: parsing a PDF file to extract script stream data embedded in the PDF file; determining whether the extracted script stream data within the PDF file is malicious; and automatically generating a signature for the PDF file.

73 Citations

View as Search Results

20 Claims

1. A system, comprising:
- a processor configured to;
  
  receive a Portable Document Format (PDF) file that is known to include malicious content;
  
  parse the PDF file to identify a cross-reference table included in the PDF file; and
  
  generate a signature associated with the PDF file from the identified cross-reference table; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the identified cross-reference table is identified among a plurality of cross-reference tables included in the PDF file.
  - 3. The system of claim 1, wherein the identified cross-reference table is identified based at least in part on a position associated with the identified cross-reference table relative to a position associated with at least one other cross-reference table included in the PDF file.
  - 4. The system of claim 1, wherein the identified cross-reference table is identified based at least in part on a position associated with the identified cross-reference table relative to a position associated with at least one other cross-reference table included in the PDF file, wherein the position associated with the identified cross-reference table is associated with a most recent incremental save associated with the PDF file.
  - 5. The system of claim 1, wherein generating the signature associated with the PDF file is based at least in part on content included in the identified cross-reference table.
  - 6. The system of claim 1, wherein generating the signature associated with the PDF file is based at least in part on at least one reference object included in the identified cross-reference table.
  - 7. The system of claim 1, wherein generating the signature associated with the PDF file is further based at least in part on a data included in the PDF file that references the identified cross-reference table.
  - 8. The system of claim 1, wherein generating the signature associated with the PDF file is further based at least in part on a startxref object included in the PDF file that references the identified cross-reference table.
  - 9. The system of claim 1, wherein the processor is further configured to de-obfuscate the PDF file.
  - 10. The system of claim 1, wherein the processor is further configured to decrypt the PDF file.

11. A method, comprising:
- receiving a Portable Document Format (PDF) file that is known to include malicious content;
  
  parsing, using a processor, the PDF file to identify a cross-reference table included in the PDF file; and
  
  generating a signature associated with the PDF file from the identified cross-reference table.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11, wherein the identified cross-reference table is identified among a plurality of cross-reference tables included in the PDF file.
  - 13. The method of claim 11, wherein the identified cross-reference table is identified based at least in part on a position associated with the identified cross-reference table relative to a position associated with at least one other cross-reference table included in the PDF file.
  - 14. The method of claim 11, wherein the identified cross-reference table is identified based at least in part on a position associated with the identified cross-reference table relative to a position associated with at least one other cross-reference table included in the PDF file, wherein the position associated with the identified cross-reference table is associated with a most recent incremental save associated with the PDF file.
  - 15. The method of claim 11, wherein generating the signature associated with the PDF file is based at least in part on content included in the identified cross-reference table.
  - 16. The method of claim 11, wherein generating the signature associated with the PDF file is based at least in part on at least one reference object included in the identified cross-reference table.
  - 17. The method of claim 11, wherein generating the signature associated with the PDF file is further based at least in part on a data included in the PDF file that references the identified cross-reference table.
  - 18. The method of claim 11, wherein generating the signature associated with the PDF file is further based at least in part on a startxref object included in the PDF file that references the identified cross-reference table.

19. A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- receiving a Portable Document Format (PDF) file that is known to include malicious content;
  
  parsing the PDF file to identify a cross-reference table included in the PDF file; and
  
  generating a signature associated with the PDF file from the identified cross-reference table.
- View Dependent Claims (20)
- - 20. The computer program product of claim 19, wherein the identified cross-reference table is identified among a plurality of cross-reference tables included in the PDF file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Zhang, Liang
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
MCCOY, RICHARD ANTHONY

Application Number

US14/180,635
Publication Number

US 20140237597A1
Time in Patent Office

466 Days
Field of Search

None
US Class Current

726/24
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

G06F 21/60   Protecting data

H04L 63/12   Applying verification of th...

H04L 63/123   received data contents, e.g...

Automatic signature generation for malicious PDF files

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

73 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic signature generation for malicious PDF files

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

73 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links