Discovery of malicious strings

US 9,665,716 B2
Filed: 12/23/2014
Issued: 05/30/2017
Est. Priority Date: 12/23/2014
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by at least one processor, cause the at least one processor to:

populate strings extracted from clean samples into a clean string database;

populate strings extracted from dirty samples into a dirty string database;

determine a string sample of data;

determine a hash of the string sample of data;

perform an Internet search for the string sample;

compare the results of the Internet search for the string sample with results of an Internet search for known clean string samples;

not cluster the hash of the string sample of data if the number of hits from the Internet search is comparable to the number of hits from a known clean string sample search;

cluster the hash with other hashes from other string samples of data to create a string hash signature of a string sample of data if the number of hits from the Internet search is not comparable to the number of hits from a known clean string sample search; and

filter the hash of the string sample of data using the clean string database and not cluster the hash of the string sample of data with the other hashes if the hash of the string sample of data is found in the clean string database.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Particular embodiments described herein provide for an electronic device that can be configured to determine a string sample of data, determine a hash of the string sample of data, automatically cluster the hash with other hashes from other string samples of data, and automatically create a signature hash string for the string sample of data.

13 Citations

19 Claims

1. At least one non-transitory computer-readable medium comprising one or more instructions that when executed by at least one processor, cause the at least one processor to:
- populate strings extracted from clean samples into a clean string database;
  
  populate strings extracted from dirty samples into a dirty string database;
  
  determine a string sample of data;
  
  determine a hash of the string sample of data;
  
  perform an Internet search for the string sample;
  
  compare the results of the Internet search for the string sample with results of an Internet search for known clean string samples;
  
  not cluster the hash of the string sample of data if the number of hits from the Internet search is comparable to the number of hits from a known clean string sample search;
  
  cluster the hash with other hashes from other string samples of data to create a string hash signature of a string sample of data if the number of hits from the Internet search is not comparable to the number of hits from a known clean string sample search; and
  
  filter the hash of the string sample of data using the clean string database and not cluster the hash of the string sample of data with the other hashes if the hash of the string sample of data is found in the clean string database.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The at least one computer-readable medium of claim 1, wherein the string of sample data was received from an electronic device.
  - 3. The at least one computer-readable medium of claim 2, wherein the string of sample data is suspected malware.
  - 4. The at least one computer-readable medium of claim 1, wherein the string-hash signature is a signature that includes hashes of dirty strings and the string hash signature is communicated to an electronic device for use in the detection of the malware.
  - 5. The at least one computer-readable medium of claim 1, further comprising one or more instructions that when executed by the at least one processor, further cause the processor to:
    - remove hashes of short strings from the cluster of hashes; and
      
      communicate the string hash signature to the dirty hash string database.
  - 6. The at least one computer-readable medium of claim 1, further comprising one or more instructions that when executed by the at least one processor, further cause the processor to:
    - determine a cluster of most commonly occurring dirty strings in the dirty string database;
      
      create a hash of each of the dirty strings in the cluster of most commonly occurring dirty strings; and
      
      store the hash of each of the dirty strings from the cluster of most commonly occurring dirty strings in a blacklist hash string database.

7. An apparatus comprising:
- memory; and
  
  a hardware processor configured to;
  
  populate strings extracted from clean samples into a clean string database;
  
  populate strings extracted from dirty samples into a dirty string database;
  
  determine a string sample of data;
  
  determine a hash of the string sample of data;
  
  perform an Internet search for the string sample;
  
  compare the results of the Internet search for the string sample with results of an Internet search for known clean string samples;
  
  not cluster the hash of the string sample of data if the number of hits from the Internet search is comparable to the number of hits from a known clean string sample search;
  
  cluster the hash with other hashes from other string samples of data to create a string hash signature for the string sample of data if the number of hits from the Internet search is not comparable to the number of hits from a known clean string sample search; and
  
  filter the hash of the string sample of data using the clean string database and not cluster the hash of the string sample of data with the other hashes if the hash of the string sample of data is found in the clean string database.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus of claim 7, wherein the string of sample data was received from an electronic device.
  - 9. The apparatus of claim 8, wherein the string of sample data is suspected malware.
  - 10. The apparatus of claim 7, wherein the string hash signature is a signature that includes hashes of dirty strings and the string hash signature is communicated to an electronic device for use in the detection of the malware.
  - 11. The apparatus of claim 7, wherein the hardware processor is further configured to:
    - remove hashes of short strings from the cluster of hashes.
  - 12. The apparatus of claim 7, wherein the hardware processor is further configured to:
    - communicate the string hash signature to the dirty hash string database.

13. A method comprising:
- populating strings extracted from clean samples into a clean string database;
  
  populating strings extracted from dirty samples into a dirty string database;
  
  determining a string sample of data;
  
  determining a hash of the string sample of data;
  
  performing an Internet search for the string sample;
  
  comparing the results of the Internet search for the string sample with results of an Internet search for known clean string samples;
  
  not clustering the hash of the string sample of data if the number of hits from the Internet search is comparable to the number of hits from a known clean string sample search;
  
  clustering the hash with other hashes from other string samples of data to create a string hash signature for the string sample of data if the number of hits from the Internet search is not comparable to the number of hits from a known clean string sample search; and
  
  filtering the hash of the string sample of data using the clean string database and not clustering the hash of the string sample of data with the other hashes if the hash of the string sample of data is found in the clean string database.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13, wherein the string of sample data was received from an electronic device.
  - 15. The method of claim 14, wherein the string of sample data is suspected malware.
  - 16. The method of claim 13, wherein the string-hash signature is a signature that includes hashes of dirty strings and the string hash signature is communicated to an electronic device for use in the detection of the malware.
  - 17. The method of claim 13, further comprising:
    - removing hashes of short strings from the cluster of hashes.

18. A system for discovering malicious strings, the system comprising:
- memory; and
  
  a hardware processor configured for;
  
  populating strings extracted from clean samples into a clean string database;
  
  populating strings extracted from dirty samples into a dirty string database;
  
  determining a string sample of data;
  
  determining a hash of the string sample of data;
  
  performing an Internet search for the string sample;
  
  comparing the results of the Internet search for the string sample with results of an Internet search for known clean string samples;
  
  not clustering the hash of the string sample of data if the number of hits from the Internet search is comparable to the number of hits from a known clean string sample search;
  
  clustering the hash with other hashes from other string samples of data to create a string hash signature for the string sample of data if the number of hits from the Internet search is not comparable to the number of hits from a known clean string sample search; and
  
  filtering the hash of the string sample of data using the clean string database and not clustering the hash of the string sample of data with the other hashes if the hash of the string sample of data is found in the clean string database.
- View Dependent Claims (19)
- - 19. The system of claim 18, wherein the system is further configured for:
    - filtering the hash of the string sample of data using the dirty string database and not clustering the hash of the string sample of data with the other hashes if the hash of the string sample of data is found in the dirty string database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Zhang, Zheng, Schmugar, Craig D.
Primary Examiner(s)
RAHIM, MONJUR

Application Number

US14/581,104
Publication Number

US 20160180088A1
Time in Patent Office

889 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/567   using dedicated hardware

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

Discovery of malicious strings

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Discovery of malicious strings

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links