System and method to mitigate malware

US 9,672,357 B2
Filed: 06/26/2015
Issued: 06/06/2017
Est. Priority Date: 02/26/2015
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory computer readable medium comprising one or more instructions that when executed by a processor, cause the computer readable medium to:

receive script data;

determine a checksum tree for the script data;

compare each checksum of the checksum tree to one or more subtree checksums, wherein each of the one or more subtree checksums is a malware checksum or a benign checksum;

assign one or more classifications to the script data, wherein the assigned classification includes a likely malware family name or a benign label; and

store the assigned classifications in memory.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Particular embodiments described herein provide for an electronic device that can be configured to receive script data, determine a checksum tree for the script data, compare each checksum of the checksum tree to one or more subtree checksums, and assign one or more classifications to the script data. In one example, the checksum tree is an abstract syntax tree.

Citations

25 Claims

1. At least one non-transitory computer readable medium comprising one or more instructions that when executed by a processor, cause the computer readable medium to:
- receive script data;
  
  determine a checksum tree for the script data;
  
  compare each checksum of the checksum tree to one or more subtree checksums, wherein each of the one or more subtree checksums is a malware checksum or a benign checksum;
  
  assign one or more classifications to the script data, wherein the assigned classification includes a likely malware family name or a benign label; and
  
  store the assigned classifications in memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The at least one non-transitory computer readable medium of claim 1, wherein the checksum tree is calculated on an abstract syntax tree.
  - 3. The at least one non-transitory computer readable medium of claim 1, wherein each checksum in the subtree checksums is a prevalent malware or benign checksum.
  - 4. The at least one non-transitory computer readable medium of claim 1, wherein the classification is based on a subtree of the checksum tree that matches a checksum in the subtree checksums.
  - 5. The at least one machine readable medium of claim 1, wherein the assigned classification that includes a likely malware family name further includes a probability value.
  - 6. The at least one non-transitory computer readable medium of claim 1, wherein one or more checksums of the checksum tree is a fuzzy checksum.
  - 7. The at least one non-transitory computer readable medium of claim 1, further comprising one or more instructions that when executed by the at least one processor, cause the machine readable medium to:
    - serialize the checksum tree into a feature vector.
  - 8. The at least one non-transitory computer readable medium of claim 7, further comprising one or more instructions that when executed by the at least one processor, cause the machine readable medium to:
    - communicate the feature vector to a network element for further analysis.

9. An apparatus comprising:
- a memory element;
  
  a processor;
  
  a tree generation module configured to;
  
  receive script data at the processor; and
  
  determine a checksum tree for the script data; and
  
  a detection module configured to;
  
  compare each checksum of the checksum tree to one or more subtree checksums stored in the memory, wherein each of the one or more subtree checksums is a malware checksum or a benign checksum; and
  
  assign one or more classifications to the script data, wherein the assigned classification includes a likely malware family name or a benign label.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus of claim 9, wherein the checksum tree is calculated on an abstract syntax tree.
  - 11. The apparatus of claim 9, wherein each checksum in the subtree checksums is a prevalent malware or benign checksum.
  - 12. The apparatus of claim 9, wherein the classification is based on a subtree of the checksum tree that matches a checksum in the subtree checksums.
  - 13. The apparatus of claim 9, wherein the assigned classification that includes a likely malware family name further includes a probability value.
  - 14. The apparatus of claim 9, wherein one or more checksums of the checksum tree is a fuzzy checksum.
  - 15. The apparatus of claim 9, wherein the detection module is further configured to:
    - serialize the checksum tree into a feature vector.
  - 16. The apparatus of claim 15, wherein the detection module is further configured to:
    - communicate the feature vector to a network element for further analysis.

17. A method comprising:
- receiving script data at a processor;
  
  determining a checksum tree for the script data;
  
  comparing each checksum of the checksum tree to one or more subtree checksums, wherein each of the one or more subtree checksums is a malware checksum or a benign checksum;
  
  assigning one or more classifications to the script data, wherein the assigned classification includes a likely malware family name or a benign label; and
  
  storing the assigned classification in memory.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The method of claim 17, wherein the checksum tree is calculated on an abstract syntax tree.
  - 19. The method of claim 17, wherein each checksum in the subtree checksums is a prevalent malware or benign checksum.
  - 20. The method of claim 17, wherein the classification is based on a subtree of the checksum tree that matches a checksum in the subtree checksums.
  - 21. The method of claim 17, wherein the assigned classification that includes a likely malware family name further includes a probability value.
  - 22. The method of claim 17, wherein one or more checksums of the checksum tree is a fuzzy checksum.
  - 23. The method of claim 17, further comprising:
    - serializing the checksum tree into a feature vector; and
      
      communicating the feature vector to a network element for further analysis.

24. A system for mitigating malware, the system comprising:
- a memory element;
  
  communication circuitry;
  
  a hardware processor configured to;
  
  receive script data;
  
  determine a checksum tree for the script data;
  
  compare each checksum of the checksum tree to one or more subtree checksums, wherein each of the one or more subtree checksums is a malware checksum or a benign checksum;
  
  assign one or more classifications to the script data, wherein the assigned classification includes a likely malware family name or a benign label; and
  
  store the assigned classifications in memory.
- View Dependent Claims (25)
- - 25. The system of claim 24, wherein the classification is based on a subtree of the checksum tree that matches a checksum in the subtree checksums.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Hahn, Slawa, Finke, Stefan, Alme, Christoph
Primary Examiner(s)
BROWN, ANTHONY D

Application Number

US14/751,935
Publication Number

US 20160253500A1
Time in Patent Office

711 Days
Field of Search

726 22- 25
US Class Current
CPC Class Codes

G06F 16/2246   Trees, e.g. B+trees

G06F 21/552   involving long-term monitor...

G06F 21/563   by source code analysis

System and method to mitigate malware

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

System and method to mitigate malware

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links