Tunable multi-part perceptual image hashing
First Claim
Patent Images
1. A method comprising:
- receiving first image data, wherein said first image data comprises a first icon;
performing a discrete cosine transformation (DCT) on at least a portion of the first image data to create a DCT matrix;
determining a plurality of features from coefficients of a plurality of areas of the DCT matrix, wherein the features comprise a sign of a coefficient, a magnitude of the coefficient, a neighbor variance of the coefficient, and a differential between a magnitude of the coefficient and a reference average magnitude;
encoding the plurality of features of the coefficients into a first hash string; and
determining a weighted distance between the first hash string and a second hash string associated with a second icon for use in determining whether the first icon is a suspicious icon that is potentially associated with malware.
3 Assignments
0 Petitions
Accused Products
Abstract
Systems and methods generate a perceptual image hash of an image. The perceptual image hash can be generated from multiple features extracted from a DCT transformation of the image. The perceptual image hash can be compared to other perceptual image hash values using a weighted Hamming distance function.
16 Citations
30 Claims
-
1. A method comprising:
-
receiving first image data, wherein said first image data comprises a first icon; performing a discrete cosine transformation (DCT) on at least a portion of the first image data to create a DCT matrix; determining a plurality of features from coefficients of a plurality of areas of the DCT matrix, wherein the features comprise a sign of a coefficient, a magnitude of the coefficient, a neighbor variance of the coefficient, and a differential between a magnitude of the coefficient and a reference average magnitude; encoding the plurality of features of the coefficients into a first hash string; and determining a weighted distance between the first hash string and a second hash string associated with a second icon for use in determining whether the first icon is a suspicious icon that is potentially associated with malware. - View Dependent Claims (2, 3, 4, 5, 6, 19, 20, 21, 22)
-
-
7. A non-transitory machine-readable medium having stored thereon instructions, that when executed by one or more processors of a device, cause the device to:
-
receive first image data, wherein said first image data comprises a first icon; perform a discrete cosine transformation (DCT) on at least a portion of the first image data to create a DCT matrix; determine a plurality of features from coefficients of a plurality of areas of the DCT matrix, wherein the features comprise a sign of a coefficient, a magnitude of the coefficient, a neighbor variance of the coefficient, and a differential between a magnitude of the coefficient and a reference average magnitude; encode the plurality of features of the coefficients into a first hash string; and determine a weighted distance between the first hash string and a second hash string associated with a second icon for use in determining whether the first icon is a suspicious icon that is potentially associated with malware. - View Dependent Claims (8, 9, 10, 11, 12, 23, 24, 25, 26)
-
-
13. An apparatus comprising:
-
one or more processors; a non-transitory machine-readable medium coupled to the one or more processors; and a perceptual image hash unit executable by the one or more processors and configured to; receive first image data, wherein said first image data comprises a first icon, perform a discrete cosine transformation (DCT) on at least a portion of the first image data to create a DCT matrix, determine a plurality of features from coefficients of a plurality of areas of the DCT matrix, wherein the features comprise a sign of a coefficient, a magnitude of the coefficient, a neighbor variance of the coefficient, and a differential between a magnitude of the coefficient and a reference average magnitude, encode the plurality of features of the coefficients into a first hash string, and a detection engine configured to determine a weighted distance between the first hash string and a second hash string associated with a second icon for use in determining whether the first icon is a suspicious icon that is potentially associated with malware. - View Dependent Claims (14, 15, 16, 17, 18, 27, 28, 29, 30)
-
Specification