Method and apparatus for analyzing and detecting malicious software

US 9,449,175 B2
Filed: 06/03/2010
Issued: 09/20/2016
Est. Priority Date: 06/03/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

directing a comparison of patterns within sample code to a predetermined set of malicious software patterns,wherein determining the predetermined set of malicious software patterns comprises;

determining common patterns between known malicious software samples based on frequently occurring symbol combinations; and

filtering the common patterns based on patterns of known benign software samples to define the predetermined set of malicious software patterns;

determining that the sample code is malicious software based on a number of patterns within the sample code that match patterns within the predetermined set of malicious software patterns; and

subsequent to the determination that the sample code is malicious software, determining one or more clusters with which the sample code is associated,wherein the determination of the one or more clusters with which the sample code is associated with comprises;

determining a first occurrence frequency, the first occurrence frequency being a number of distinct malicious software samples that match each malware code pattern within the sample code;

determining a second occurrence frequency, the second occurrence frequency being a number of distinct malicious software samples that match each malware code pattern within a subset of the sample code;

determining a first malicious software cluster with which the sample code is associated based on the first occurrence frequency,wherein the first malicious software cluster is comprised of one or more malicious software samples clustered based on a set of malicious code patterns to which the one or more malicious software samples matches; and

determining a second malicious software cluster with which the sample code is associated based on the difference between the first occurrence frequency and the second occurrence frequency being less than or equal to a predetermined parameter, wherein the second malicious software cluster is comprised of one or more malicious software samples clustered based on the set of malicious code patterns to which the one or more malicious software samples matches; and

providing an output, in response to a request comprising the sample code, indicating that the sample code is malicious software.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for providing analysis and detection of malicious software may include directing a comparison of patterns within sample code to a predetermined set of malicious software patterns, determining whether the sample code is likely to be malicious software based on the comparison, and, in response to a determination that the sample code is likely to be malicious software, determining a malicious software cluster with which the sample code is associated based on the patterns within the sample code. A corresponding computer program product and apparatus are also provided.

28 Citations

14 Claims

1. A method comprising:
- directing a comparison of patterns within sample code to a predetermined set of malicious software patterns,wherein determining the predetermined set of malicious software patterns comprises;
  
  determining common patterns between known malicious software samples based on frequently occurring symbol combinations; and
  
  filtering the common patterns based on patterns of known benign software samples to define the predetermined set of malicious software patterns;
  
  determining that the sample code is malicious software based on a number of patterns within the sample code that match patterns within the predetermined set of malicious software patterns; and
  
  subsequent to the determination that the sample code is malicious software, determining one or more clusters with which the sample code is associated,wherein the determination of the one or more clusters with which the sample code is associated with comprises;
  
  determining a first occurrence frequency, the first occurrence frequency being a number of distinct malicious software samples that match each malware code pattern within the sample code;
  
  determining a second occurrence frequency, the second occurrence frequency being a number of distinct malicious software samples that match each malware code pattern within a subset of the sample code;
  
  determining a first malicious software cluster with which the sample code is associated based on the first occurrence frequency,wherein the first malicious software cluster is comprised of one or more malicious software samples clustered based on a set of malicious code patterns to which the one or more malicious software samples matches; and
  
  determining a second malicious software cluster with which the sample code is associated based on the difference between the first occurrence frequency and the second occurrence frequency being less than or equal to a predetermined parameter, wherein the second malicious software cluster is comprised of one or more malicious software samples clustered based on the set of malicious code patterns to which the one or more malicious software samples matches; and
  
  providing an output, in response to a request comprising the sample code, indicating that the sample code is malicious software.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising determining the predetermined set of malicious software patterns based on code patterns associated with a plurality of known malicious software samples.
  - 3. The method of claim 2, wherein determining the predetermined set of malicious software patterns comprises, for the plurality of known malicious software samples:
    - producing a representation of executable code of a known malicious software sample;
      
      dividing the representation of the executable code into sequences based on sequencing criteria;
      
      processing the sequences to form a symbol record for each sequence;
      
      processing the symbol record and adding the symbol record to a repository of malicious software code;
      
      determining common patterns between known malicious software samples of the repository based on frequently occurring symbol combinations; and
      
      directing storage of the common patterns as the predetermined set of malicious software patterns.
  - 4. The method of claim 1, wherein determining whether the sample code is malicious software comprises determining a number of matching patterns between the sample code and the predetermined set of malicious software patterns and determining a likelihood that the sample code is malicious software based on the number.
  - 5. The method of claim 1, wherein determining whether the sample code is malicious software further includes providing an output to a user in response to the sample code likely being malicious software.
  - 6. The method of claim 1, wherein determining the malicious software cluster with which the sample code is associated further includes providing an output to a user indicating the malicious software cluster.
  - 7. The method of claim 1, in which the operations of claim 1 are performed by at least one service configured accordingly as part of a method for facilitating access to at least one interface to allow access to at least one service via at least one network.

8. An apparatus comprising at least one processor and at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus at least to:
- direct a comparison of patterns within sample code to a predetermined set of malicious software patterns,wherein the at least one memory and computer program code are configured to, with the at least one processor, cause the apparatus to determine the predetermined set of malicious software patterns by;
  
  determining common patterns between known malicious software samples based on frequently occurring symbol combinations; and
  
  filtering the common patterns based on patterns of known benign software samples to define the predetermined set of malicious software patterns;
  
  determine that the sample code is malicious software based on a number of patterns within the sample code that match patterns within the predetermined set of malicious software patterns; and
  
  subsequent to the determination that the sample code is malicious software, determine one or more clusters with which the sample code is associated,wherein the determination of the one or more clusters with which the sample code is associated with comprises;
  
  determine a first occurrence frequency, the first occurrence frequency being a number of distinct malicious software samples that match each malware code pattern within the sample code;
  
  determine a second occurrence frequency, the second occurrence frequency being a number of distinct malicious software samples that match each malware code pattern within a subset of the sample code;
  
  determine a first malicious software cluster with which the sample code is associated based on the first occurrence frequency,wherein the first malicious software cluster is comprised of one or more malicious software samples clustered based on a set of malicious code patterns to which the one or more malicious software samples matches;
  
  determine a second malicious software cluster with which the sample code is associated based on the difference between the first occurrence frequency and the second occurrence frequency being less than or equal to a predetermined parameter, wherein the second malicious software cluster is comprised of one or more malicious software samples clustered based on the set of malicious code patterns to which the one or more malicious software samples matches; and
  
  providing an output, in response to a request comprising the sample code, indicating that the sample code is malicious software.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The apparatus of claim 8, wherein the at least one memory and computer program code are further configured to, with the at least one processor, cause the apparatus to determine the predetermined set of malicious software patterns based on code patterns associated with a plurality of known malicious software samples.
  - 10. The apparatus of claim 9, wherein the at least one memory and computer program code are configured to, with the at least one processor, cause the apparatus to determine the predetermined set of malicious software patterns by, for the plurality of known malicious software samples:
    - producing a representation of executable code of a known malicious software sample;
      
      dividing the representation of the executable code into sequences based on sequencing criteria;
      
      processing the sequences to form a symbol record for each sequence;
      
      processing the symbol record and adding the symbol record to a repository of malicious software code;
      
      determining common patterns between known malicious software samples of the repository based on frequently occurring symbol combinations; and
      
      directing storage of the common patterns as the predetermined set of malicious software patterns.
  - 11. The apparatus of claim 8, wherein the at least one memory and computer program code are configured to, with the at least one processor, cause the apparatus to determine whether the sample code is malicious software by determining a number of matching patterns between the sample code and the predetermined set of malicious software patterns and determining a likelihood that the sample code is malicious software based on the number.
  - 12. The apparatus of claim 8, wherein the at least one memory and computer program code are configured to, with the at least one processor, cause the apparatus to determine the malicious software cluster with which the sample code is associated to further include providing an output to a user indicating the malicious software cluster.
  - 13. The apparatus of claim 8, wherein the apparatus comprises a mobile terminal comprising user interface circuitry to facilitate user control of at least some functions of the apparatus.

14. A computer program product comprising at least one non-transitory computer-readable storage medium having computer-executable program code instructions stored therein, the computer-executable program code instructions comprising program code instructions for:
- directing a comparison of patterns within sample code to a predetermined set of malicious software patterns,wherein determining the predetermined set of malicious software patterns comprises;
  
  determining common patterns between known malicious software samples based on frequently occurring symbol combinations; and
  
  filtering the common patterns based on patterns of known benign software samples to define the predetermined set of malicious software patterns;
  
  determining that the sample code is malicious software based on a number of patterns within the sample code that match patterns within the predetermined set of malicious software patterns; and
  
  subsequent to the determination that the sample code is malicious software, determining one or more clusters with which the sample code is associated,wherein the determination of the one or more clusters with which the sample code is associated with comprises;
  
  determining a first occurrence frequency, the first occurrence frequency being a number of distinct malicious software samples that match each malware code pattern within the sample code;
  
  determining a second occurrence frequency, the second occurrence frequency being a number of distinct malicious software samples that match each malware code pattern within a subset of the sample code;
  
  determining a first malicious software cluster with which the sample code is associated based on the first occurrence frequency,wherein the first malicious software cluster is comprised of one or more malicious software samples clustered based on a set of malicious code patterns to which the one or more malicious software samples matches;
  
  determining a second malicious software cluster with which the sample code is associated based on the difference between the first occurrence frequency and the second occurrence frequency being less than or equal to a predetermined parameter, wherein the second malicious software cluster is comprised of one or more malicious software samples clustered based on the set of malicious code patterns to which the one or more malicious software samples matches; and
  
  providing an output, in response to a request comprising the sample code, indicating that the sample code is malicious software.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Technologies Oy (Nokia Corporation)
Inventors
Miettinen, Markus Juhani
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
JACKSON, JENISE E

Application Number

US12/793,235
Publication Number

US 20110302654A1
Time in Patent Office

2,301 Days
Field of Search

726 22- 25, 726/6
US Class Current

1/1
CPC Class Codes

G06F 21/552 involving long-term monitor...

G06F 21/566 Dynamic detection, i.e. det...

Method and apparatus for analyzing and detecting malicious software

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for analyzing and detecting malicious software

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links