Identification of obfuscated computer items using visual algorithms
First Claim
1. A method comprising:
obtaining, by a visual algorithm stored in memory and executed by at least one processor of a first computer, a candidate character string associated with a potentially malicious computer item operating on a second computer;
generating, by the visual algorithm during execution by the at least one processor, a first visual identifier (ID) by at least translating the candidate character string into the first visual ID in accordance with one or more translation rules stored on the first computer, the first visual ID being different from the candidate character string;
generating a value representing a characteristic of the potentially malicious computer item, the characteristic being associated with a size of the potentially malicious computer item or a memory location associated with the potentially malicious computer item;
analyzing the first visual ID with a reference ID, where a comparison between the first visual ID and the reference ID is used to determine whether the potentially malicious computer item should be identified as a malicious computer item; and
in response to the comparison between the first visual ID and the reference ID being indeterminate as to whether the potentially malicious computer item is to be identified as a malicious computer item, further analyzing the characteristic of the potentially malicious computer item by determining whether the value falls outside an expected range of values associated with a non-malicious computer item.
Abstract
A method to identify character strings associated with potentially malicious software items. The method includes employing a visual algorithm to translate one or more characters of a character string into corresponding characters in a visual ID for use in grouping and comparing computer items having similar visual IDs, such as a reference ID for a computer item that is known to be non-malicious. The method may, among other things, elucidate an attacker's attempt to obfuscate malicious software by using file names that are very similar to those used for harmless files.
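The abstract and claim 1 describe a three-stage decision: translate a file name into a visual ID with a set of translation rules, compare that ID against the reference IDs of known-good items, and, where the comparison alone cannot decide, check a characteristic such as file size against the range expected for the non-malicious item. The following Python is an added illustration of that flow and is not code from the patent or its assignee. The translation rules (collapsing visually confusable characters such as `0`/`o` and `1`/`l`/`I` to one canonical character), the reference table, the size ranges and the sample file names are all constructed for this example; the patent does not publish its rule set. The "indeterminate" outcome is interpreted here as an exact name match (the candidate could be the genuine file or a copy reusing its name), which is the case the size check is then asked to resolve.

```python
"""Visual-ID matching of file names with a size-range fallback (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Assumed translation rules (illustrative; not the patent's published rules).
# Multi-character look-alikes are collapsed first, then each confusable
# character is mapped to one canonical representative of its group.
SEQUENCE_RULES = [("rn", "m"), ("vv", "w"), ("cl", "d")]
CHAR_GROUPS = [
    ("o", "0"),      # o / O / 0
    ("l", "1i|"),    # l / 1 / I / i / |
    ("s", "5$"),
    ("e", "3"),
    ("a", "4@"),
    ("t", "7+"),
    ("b", "8"),
    ("g", "9q"),
    ("z", "2"),
]
CHAR_MAP = {v: canon for canon, variants in CHAR_GROUPS for v in canon + variants}


def visual_id(name: str) -> str:
    """Translate a file name into its visual ID.

    Case is folded first (Windows file names are case-insensitive), then the
    sequence rules and the per-character map are applied. Two names that
    differ only in confusable characters yield the same visual ID.
    """
    s = name.casefold()
    for seq, canon in SEQUENCE_RULES:
        s = s.replace(seq, canon)
    return "".join(CHAR_MAP.get(ch, ch) for ch in s)


@dataclass(frozen=True)
class Reference:
    name: str                     # known-good file name
    size_range: tuple[int, int]   # expected on-disk size in bytes (constructed)


# Constructed reference table of non-malicious items; the ranges are
# placeholders for this example, not measured values.
REFERENCES = [
    Reference("svchost.exe", (40_000, 80_000)),
    Reference("lsass.exe", (40_000, 70_000)),
    Reference("explorer.exe", (3_000_000, 6_000_000)),
]
REFERENCE_BY_VID = {visual_id(r.name): r for r in REFERENCES}


def classify(name: str, size: int) -> tuple[str, str]:
    """Return (verdict, reason) for a candidate item.

    Verdicts: "malicious", "benign", or "unknown" (no reference shares the
    visual ID, so the method has nothing to compare against).
    """
    vid = visual_id(name)
    ref = REFERENCE_BY_VID.get(vid)
    if ref is None:
        return ("unknown", "no reference with a matching visual ID")
    if name.casefold() != ref.name.casefold():
        # Same visual ID but a different string: a look-alike of a known-good
        # name, which is the obfuscation the abstract describes.
        return ("malicious", f"visually imitates {ref.name}")
    # Exact name match is indeterminate: the genuine file or a copy reusing
    # its name. Fall back to the size characteristic from the claim.
    lo, hi = ref.size_range
    if size < lo or size > hi:
        return ("malicious", f"size {size} outside expected range {lo}-{hi} for {ref.name}")
    return ("benign", f"name and size consistent with {ref.name}")


# Constructed sample items: (file name, size in bytes).
SAMPLE_ITEMS = [
    ("svchost.exe", 55_000),
    ("svch0st.exe", 55_000),
    ("lsass.exe", 2_100_000),
    ("1sass.exe", 51_000),
    ("exp1orer.exe", 4_000_000),
    ("notepad.exe", 200_000),
]


def run_samples() -> dict[str, tuple[str, str]]:
    """Classify every constructed sample and return the verdicts by name."""
    return {name: classify(name, size) for name, size in SAMPLE_ITEMS}


if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        print(f"{name:14s} {verdict:9s} {reason}")
```

Note that this visual ID only neutralises character substitution; a transposition such as `scvhost.exe` produces a different ID and falls through to "unknown", so a deployment would pair the ID comparison with a bounded edit-distance check or a larger rule set.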
18 Claims
1. A method comprising: the elements set out under First Claim above. Dependent claims: 2 through 16.
17. A system comprising:
at least one processor;
a memory communicatively coupled to the at least one processor, the memory to store a visual algorithm that, when executed by the at least one processor, performs a plurality of operations that comprise:
obtaining a candidate character string associated with a potentially malicious computer item from a computer;
generating a first visual identifier (ID) by at least translating the candidate character string into the first visual ID, the first visual ID being different from the candidate character string;
generating a value representing a characteristic of the potentially malicious computer item, the characteristic being associated with a size of the potentially malicious computer item or a memory location associated with the potentially malicious computer item;
analyzing the first visual ID with a reference ID, where a comparison between the first visual ID and the reference ID is used to determine whether the potentially malicious computer item should be identified as a malicious computer item; and
in response to the comparison between the first visual ID and the reference ID being indeterminate as to whether the potentially malicious computer item is to be identified as a malicious computer item, further analyzing the characteristic of the potentially malicious computer item by determining whether the value falls outside an expected range of values associated with a non-malicious computer item.
Dependent claim: 18.