Discovery of malicious strings
First Claim
1. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by at least one processor, cause the at least one processor to:
populate strings extracted from clean samples into a clean string database;
populate strings extracted from dirty samples into a dirty string database;
determine a string sample of data;
determine a hash of the string sample of data;
perform an Internet search for the string sample;
compare the results of the Internet search for the string sample with results of an Internet search for known clean string samples;
not cluster the hash of the string sample of data if the number of hits from the Internet search is comparable to the number of hits from a known clean string sample search;
cluster the hash with other hashes from other string samples of data to create a string hash signature of a string sample of data if the number of hits from the Internet search is not comparable to the number of hits from a known clean string sample search; and
filter the hash of the string sample of data using the clean string database and not cluster the hash of the string sample of data with the other hashes if the hash of the string sample of data is found in the clean string database.
Abstract
Particular embodiments described herein provide for an electronic device that can be configured to determine a string sample of data, determine a hash of the string sample of data, automatically cluster the hash with other hashes from other string samples of data, and automatically create a signature hash string for the string sample of data.
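The steps of the first claim, sketched as an added example (not code from the patent or its assignee). The Internet search is replaced by a constructed hit-count table, and two details the claims leave open are assumptions here: "comparable" means at least `ratio` times the median hit count of the known clean strings, and the signature is a hash over the sorted clustered hashes.

```python
import hashlib
import re
from statistics import median

def sha256(s):
    return hashlib.sha256(s.encode()).hexdigest()

def extract_strings(blob):
    """Printable-ASCII runs of 4+ bytes, as the `strings` utility finds them."""
    return {m.decode() for m in re.findall(rb"[\x20-\x7e]{4,}", blob)}

def populate(samples):
    """Build a string database (hash -> string) from a set of samples."""
    return {sha256(s): s for blob in samples for s in extract_strings(blob)}

def comparable(hits, clean_hits, ratio):
    # Assumed rule: a string is as common as clean strings if it reaches
    # `ratio` of the median clean-string hit count.
    return hits >= ratio * median(clean_hits)

def build_signature(dirty_db, clean_db, hit_count, ratio=0.1):
    """Return (signature, decisions) for every string in the dirty database."""
    baseline = [hit_count(s) for s in clean_db.values()]
    decisions, cluster = {}, []
    for digest, s in dirty_db.items():
        if digest in clean_db:                      # clean-database filter
            decisions[s] = "filtered"
        elif comparable(hit_count(s), baseline, ratio):
            decisions[s] = "not clustered"          # widely seen on the web
        else:
            decisions[s] = "clustered"              # rare: candidate string
            cluster.append(digest)
    # Assumed signature form: hash over the sorted member hashes.
    signature = sha256("".join(sorted(cluster))) if cluster else None
    return signature, decisions

# Constructed sample data (not real malware strings or real search results).
CLEAN_SAMPLES = [b"\x00GetProcAddress\x00kernel32.dll\x01\x02"
                 b"This program cannot be run in DOS mode\x00"]
DIRTY_SAMPLES = [b"\x00kernel32.dll\x00GetProcAddress\x00xq_beacon_cfg_v7\x00",
                 b"\x01xq_beacon_cfg_v7\x00zz_mutex_4471a\x00LoadLibraryExW\x00"]
HITS = {"GetProcAddress": 900000, "kernel32.dll": 1200000,
        "This program cannot be run in DOS mode": 500000,
        "LoadLibraryExW": 300000, "xq_beacon_cfg_v7": 3, "zz_mutex_4471a": 0}

if __name__ == "__main__":
    sig, decisions = build_signature(populate(DIRTY_SAMPLES),
                                     populate(CLEAN_SAMPLES),
                                     lambda s: HITS.get(s, 0))
    for s, d in sorted(decisions.items()):
        print(f"{d:14} {s}")
    print("signature:", sig)
```

`LoadLibraryExW` is absent from the constructed clean database but is still kept out of the cluster by its hit count, which is the case the search comparison exists to handle.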
19 Claims
7. An apparatus comprising:
memory; and
a hardware processor configured to:
populate strings extracted from clean samples into a clean string database;
populate strings extracted from dirty samples into a dirty string database;
determine a string sample of data;
determine a hash of the string sample of data;
perform an Internet search for the string sample;
compare the results of the Internet search for the string sample with results of an Internet search for known clean string samples;
not cluster the hash of the string sample of data if the number of hits from the Internet search is comparable to the number of hits from a known clean string sample search;
cluster the hash with other hashes from other string samples of data to create a string hash signature for the string sample of data if the number of hits from the Internet search is not comparable to the number of hits from a known clean string sample search; and
filter the hash of the string sample of data using the clean string database and not cluster the hash of the string sample of data with the other hashes if the hash of the string sample of data is found in the clean string database.
13. A method comprising:
populating strings extracted from clean samples into a clean string database;
populating strings extracted from dirty samples into a dirty string database;
determining a string sample of data;
determining a hash of the string sample of data;
performing an Internet search for the string sample;
comparing the results of the Internet search for the string sample with results of an Internet search for known clean string samples;
not clustering the hash of the string sample of data if the number of hits from the Internet search is comparable to the number of hits from a known clean string sample search;
clustering the hash with other hashes from other string samples of data to create a string hash signature for the string sample of data if the number of hits from the Internet search is not comparable to the number of hits from a known clean string sample search; and
filtering the hash of the string sample of data using the clean string database and not clustering the hash of the string sample of data with the other hashes if the hash of the string sample of data is found in the clean string database.
18. A system for discovering malicious strings, the system comprising:
memory; and
a hardware processor configured for:
populating strings extracted from clean samples into a clean string database;
populating strings extracted from dirty samples into a dirty string database;
determining a string sample of data;
determining a hash of the string sample of data;
performing an Internet search for the string sample;
comparing the results of the Internet search for the string sample with results of an Internet search for known clean string samples;
not clustering the hash of the string sample of data if the number of hits from the Internet search is comparable to the number of hits from a known clean string sample search;
clustering the hash with other hashes from other string samples of data to create a string hash signature for the string sample of data if the number of hits from the Internet search is not comparable to the number of hits from a known clean string sample search; and
filtering the hash of the string sample of data using the clean string database and not clustering the hash of the string sample of data with the other hashes if the hash of the string sample of data is found in the clean string database.
Specification