Mitigation of malware

US 9,465,939 B2
Filed: 06/27/2014
Issued: 10/11/2016
Est. Priority Date: 06/27/2014
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by at least one processor:

determine a series of checksums for a file;

compare the series of checksums to a checksum tree, wherein the checksum tree includes a first plurality of nodes that each include a fuzzy checksum of at least a portion of one or more known malware, and a second plurality of nodes that each include a fuzzy checksum of at least a portion of one or more known benign files, wherein each node in the checksum tree includes a classification that indicates a specific malware family or a benign file;

assign one or more classifications to the file, wherein each of the one or more classifications is based on each node of the checksum tree that matches a checksum in the series of checksums; and

assign a percentage to each of the one or more classifications.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided in example embodiments for mitigating malicious calls. The system can be configured to determine a series of checksums for a file, compare the series of checksums to a checksum tree, where the checksum tree includes a plurality of nodes that each include a fuzzy checksum of known malware, and assign one or more classifications to the file, where each of the one or more classifications is based on each node of the checksum tree that matches a checksum in the series of checksums and includes whether the file includes malware or benign checksums.

23 Citations

View as Search Results

19 Claims

1. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by at least one processor:
- determine a series of checksums for a file;
  
  compare the series of checksums to a checksum tree, wherein the checksum tree includes a first plurality of nodes that each include a fuzzy checksum of at least a portion of one or more known malware, and a second plurality of nodes that each include a fuzzy checksum of at least a portion of one or more known benign files, wherein each node in the checksum tree includes a classification that indicates a specific malware family or a benign file;
  
  assign one or more classifications to the file, wherein each of the one or more classifications is based on each node of the checksum tree that matches a checksum in the series of checksums; and
  
  assign a percentage to each of the one or more classifications.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The at least one computer-readable medium of claim 1, wherein each node of the second plurality of nodes includes at least one fuzzy checksum of known benign files.
  - 3. The at least one computer-readable medium of claim 1, further comprising one or more instructions that when executed by the at least one processor:
    - compare the series of checksums to a plurality of checksum trees.
  - 4. The at least one computer-readable medium of claim 1, further comprising one or more instructions that when executed by the at least one processor:
    - determine one or more characteristics for the file; and
      
      determine, based on the one or more characteristics of the file, at least one checksum tree to compare to the file.
  - 5. The at least one computer-readable medium of claim 1, further comprising one or more instructions that when executed by the at least one processor:
    - determine if the file is malware based on the one or more classifications assigned to the file.
  - 6. The at least one computer-readable medium of claim 1, further comprising one or more instructions that when executed by the at least one processor:
    - send the file to cloud services for further analysis if each assigned percentage is below a threshold.
  - 7. The at least one computer-readable medium of claim 1, further comprising one or more instructions that when executed by the at least one processor:
    - receive a new checksum tree to be used to compare with the file checksum.

8. An apparatus comprising:
- a checksum module configured to determine a series of checksums for a file and compare the series of checksums to a checksum tree, wherein the checksum tree includes a first plurality of nodes that each include a fuzzy checksum of at least a portion of one or more known malware, and a second plurality of nodes that each include a fuzzy checksum of at least a portion of one or more known benign files, wherein each node in the checksum tree includes a classification that indicates a specific malware family or a benign file; and
  
  a classification module configured to assign one or more classifications to the file, wherein each of the one or more classifications is based on each node of the checksum tree that matches a checksum in the series of checksums, and assign a percentage to each of the one or more classifications.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The apparatus of claim 8, further comprising:
    - a tree module that includes a plurality of checksum trees, wherein the checksum module can compare the series of checksums to a plurality of checksum trees.
  - 10. The apparatus of claim 8, wherein the checksum module can be further configured to:
    - determine one or more characteristics for the file; and
      
      determine, based on the one or more characteristics of the file, at least one checksum tree to compare to the file.
  - 11. The apparatus of claim 8, wherein the classification module is further configured to determine if the file is malware based on the one or more classifications assigned to the file.
  - 12. The apparatus of claim 8, further comprising an update module to receive a new checksum tree to be used to compare with the file checksum.

13. A method, comprising:
- determining a series of checksums for a file;
  
  comparing the series of checksums to a checksum tree, wherein the checksum tree includes a first plurality of nodes that each include a fuzzy checksum of at least a portion of one or more known malware, and a second plurality of nodes that each include a fuzzy checksum of at least a portion of one or more known benign files, wherein each node in the checksum tree includes a classification that indicates a specific malware family or a benign file;
  
  assigning one or more classifications to the file, wherein each of the one or more classifications is based on each node of the checksum tree that matches a checksum in the series of checksums; and
  
  assigning a percentage to each of the one or more classifications.
- View Dependent Claims (14, 16, 17)
- - 14. The method of claim 13, further comprising:
    - comparing the series of checksums to a plurality of checksum trees.
  - 16. The method of claim 13, further comprising:
    - determining if the file is malware based on the one or more classifications assigned to the file.
  - 17. The method of claim 13, further comprising:
    - sending the file to cloud services for further analysis if each assigned percentage is below a threshold.

15. The method of 13, further comprising:
- determining one or more characteristics for the file; and
  
  determining, based on the one or more characteristics of the file, at least one checksum tree to compare to the file.

18. A system for mitigating malware, the system comprising:
- a checksum module to determine a series of checksums for a file; and
  
  a classification module to compare the series of checksums to a checksum tree, wherein the checksum tree includes a first plurality of nodes that each include a fuzzy checksum of at least a portion of one or more known malware, and a second plurality of nodes that each include a fuzzy checksum of at least a portion of one or more known benign files, wherein each node in the checksum tree includes a classification that indicates a specific malware family or a benign file, the classification module to also assign one or more classifications to the file, wherein each of the one or more classifications is based on each node of the checksum tree that matches a checksum in the series of checksums, and wherein a percentage is assigned to each of the one or more of the classifications.
- View Dependent Claims (19)
- - 19. The system of claim 18, wherein the checksum module determines at least one checksum tree to compare to the file based on one or more characteristics of the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Alme, Christoph, Hahn, Slawa, Thoene, Sebastian
Primary Examiner(s)
Tabor, Amare F

Application Number

US14/318,406
Publication Number

US 20150379264A1
Time in Patent Office

837 Days
Field of Search

726 22- 25, 713/188, 713/187, 713/189
US Class Current

1/1
CPC Class Codes

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

G06F 2221/033   Test or assess software

G06F 2221/034   Test or assess a computer o...

Mitigation of malware

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Mitigation of malware

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links