Method and apparatus for analyzing and detecting malicious software
First Claim
1. A method comprising:
- directing a comparison of patterns within sample code to a predetermined set of malicious software patterns, wherein determining the predetermined set of malicious software patterns comprises:
  - determining common patterns between known malicious software samples based on frequently occurring symbol combinations; and
  - filtering the common patterns based on patterns of known benign software samples to define the predetermined set of malicious software patterns;
- determining that the sample code is malicious software based on a number of patterns within the sample code that match patterns within the predetermined set of malicious software patterns; and
- subsequent to the determination that the sample code is malicious software, determining one or more clusters with which the sample code is associated, wherein the determination of the one or more clusters with which the sample code is associated comprises:
  - determining a first occurrence frequency, the first occurrence frequency being a number of distinct malicious software samples that match each malware code pattern within the sample code;
  - determining a second occurrence frequency, the second occurrence frequency being a number of distinct malicious software samples that match each malware code pattern within a subset of the sample code;
  - determining a first malicious software cluster with which the sample code is associated based on the first occurrence frequency, wherein the first malicious software cluster is comprised of one or more malicious software samples clustered based on a set of malicious code patterns to which the one or more malicious software samples match; and
  - determining a second malicious software cluster with which the sample code is associated based on the difference between the first occurrence frequency and the second occurrence frequency being less than or equal to a predetermined parameter, wherein the second malicious software cluster is comprised of one or more malicious software samples clustered based on the set of malicious code patterns to which the one or more malicious software samples match; and
- providing an output, in response to a request comprising the sample code, indicating that the sample code is malicious software.
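As an added illustration, not code from the patent or its assignee, the following Python sketches claim 1 end to end: mining patterns as frequently occurring symbol combinations across known malware, filtering them against benign code, a verdict based on the number of matching patterns, and cluster assignment from a first occurrence frequency (whole sample) and a second one (a subset of the sample) compared against a tolerance parameter. The corpus, the 3-gram symbol length, the mean aggregation of per-pattern frequencies, the choice of a leading subset, and the support, match-count and tolerance thresholds are all assumptions; the claim fixes none of them.

```python
from collections import Counter

# Constructed corpus of tokenized opcode mnemonics (illustrative only, not real malware)
MALICIOUS = [
    "push ebp mov ebp esp call getproc call loadlib jmp eax",
    "push ebp mov ebp esp call getproc call loadlib ret",
    "xor eax eax call getproc call loadlib jmp eax",
]
BENIGN = [
    "push ebp mov ebp esp sub esp ret",
    "xor eax eax ret",
]

def patterns(sample, n=3):
    """Distinct n-gram symbol combinations in one tokenized sample (n=3 is an assumption)."""
    toks = sample.split()
    return {tuple(toks[i:i + n]) for i in range(len(toks) - n + 1)}

def build_pattern_set(malicious, benign, min_support=2):
    """Patterns shared by >= min_support malware samples, minus any seen in benign code."""
    support = Counter(p for s in malicious for p in patterns(s))
    common = {p for p, c in support.items() if c >= min_support}
    benign_patterns = set().union(*(patterns(s) for s in benign))
    return common - benign_patterns

def is_malicious(sample, pattern_set, min_matches=2):
    """Verdict from the number of matching patterns, not from any single match."""
    return len(patterns(sample) & pattern_set) >= min_matches

def occurrence_frequency(matched, malicious):
    """Mean, over matched patterns, of the number of distinct malware samples matching each."""
    if not matched:
        return 0.0
    return sum(sum(p in patterns(s) for s in malicious) for p in matched) / len(matched)

def cluster_of(matched, malicious):
    """Known malware samples whose own patterns cover every matched pattern."""
    return sorted(s for s in malicious if matched <= patterns(s))

def assign_clusters(sample, pattern_set, malicious, subset_len=9, tolerance=0.5):
    """First cluster from the whole sample; second from a leading subset, kept only when
    the two occurrence frequencies differ by at most `tolerance` (the claim's parameter)."""
    matched_all = patterns(sample) & pattern_set
    matched_sub = patterns(" ".join(sample.split()[:subset_len])) & pattern_set
    f_all = occurrence_frequency(matched_all, malicious)
    f_sub = occurrence_frequency(matched_sub, malicious)
    first = cluster_of(matched_all, malicious)
    second = cluster_of(matched_sub, malicious) if abs(f_all - f_sub) <= tolerance else []
    return first, second
```

Note that the benign filter drops the function-prologue 3-grams the two corpora share, so a probe is judged on the API-resolution sequence alone.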
Abstract
A method for providing analysis and detection of malicious software may include directing a comparison of patterns within sample code to a predetermined set of malicious software patterns, determining whether the sample code is likely to be malicious software based on the comparison, and, in response to a determination that the sample code is likely to be malicious software, determining a malicious software cluster with which the sample code is associated based on the patterns within the sample code. A corresponding computer program product and apparatus are also provided.
14 Claims
1. A method comprising the steps recited under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7.
8. An apparatus comprising at least one processor and at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus at least to:
- direct a comparison of patterns within sample code to a predetermined set of malicious software patterns, wherein the at least one memory and computer program code are configured to, with the at least one processor, cause the apparatus to determine the predetermined set of malicious software patterns by:
  - determining common patterns between known malicious software samples based on frequently occurring symbol combinations; and
  - filtering the common patterns based on patterns of known benign software samples to define the predetermined set of malicious software patterns;
- determine that the sample code is malicious software based on a number of patterns within the sample code that match patterns within the predetermined set of malicious software patterns; and
- subsequent to the determination that the sample code is malicious software, determine one or more clusters with which the sample code is associated, wherein the determination of the one or more clusters with which the sample code is associated comprises:
  - determine a first occurrence frequency, the first occurrence frequency being a number of distinct malicious software samples that match each malware code pattern within the sample code;
  - determine a second occurrence frequency, the second occurrence frequency being a number of distinct malicious software samples that match each malware code pattern within a subset of the sample code;
  - determine a first malicious software cluster with which the sample code is associated based on the first occurrence frequency, wherein the first malicious software cluster is comprised of one or more malicious software samples clustered based on a set of malicious code patterns to which the one or more malicious software samples match;
  - determine a second malicious software cluster with which the sample code is associated based on the difference between the first occurrence frequency and the second occurrence frequency being less than or equal to a predetermined parameter, wherein the second malicious software cluster is comprised of one or more malicious software samples clustered based on the set of malicious code patterns to which the one or more malicious software samples match; and
- provide an output, in response to a request comprising the sample code, indicating that the sample code is malicious software.
Dependent claims: 9, 10, 11, 12, 13.
14. A computer program product comprising at least one non-transitory computer-readable storage medium having computer-executable program code instructions stored therein, the computer-executable program code instructions comprising program code instructions for:
- directing a comparison of patterns within sample code to a predetermined set of malicious software patterns, wherein determining the predetermined set of malicious software patterns comprises:
  - determining common patterns between known malicious software samples based on frequently occurring symbol combinations; and
  - filtering the common patterns based on patterns of known benign software samples to define the predetermined set of malicious software patterns;
- determining that the sample code is malicious software based on a number of patterns within the sample code that match patterns within the predetermined set of malicious software patterns; and
- subsequent to the determination that the sample code is malicious software, determining one or more clusters with which the sample code is associated, wherein the determination of the one or more clusters with which the sample code is associated comprises:
  - determining a first occurrence frequency, the first occurrence frequency being a number of distinct malicious software samples that match each malware code pattern within the sample code;
  - determining a second occurrence frequency, the second occurrence frequency being a number of distinct malicious software samples that match each malware code pattern within a subset of the sample code;
  - determining a first malicious software cluster with which the sample code is associated based on the first occurrence frequency, wherein the first malicious software cluster is comprised of one or more malicious software samples clustered based on a set of malicious code patterns to which the one or more malicious software samples match;
  - determining a second malicious software cluster with which the sample code is associated based on the difference between the first occurrence frequency and the second occurrence frequency being less than or equal to a predetermined parameter, wherein the second malicious software cluster is comprised of one or more malicious software samples clustered based on the set of malicious code patterns to which the one or more malicious software samples match; and
- providing an output, in response to a request comprising the sample code, indicating that the sample code is malicious software.