Identification of obfuscated computer items using visual algorithms

US 9,690,935 B2
Filed: 08/19/2013
Issued: 06/27/2017
Est. Priority Date: 12/31/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

obtaining, by a visual algorithm stored in memory and executed by at least one processor of a first computer, a candidate character string associated with a potentially malicious computer item operating on a second computer;

generating, by the visual algorithm during execution by the at least one processor, a first visual identifier (ID) by at least translating the candidate character string into the first visual ID in accordance with one or more translation rules stored on the first computer, the first visual ID is different from the candidate character string;

generating a value representing a characteristic of the potentially malicious computer item, the characteristic being associated with a size of the potentially malicious computer item or a memory location associated with the potentially malicious computer item;

analyzing the first virtual ID with a reference ID where a comparison between the first virtual ID and the reference ID is used to determine whether the potentially malicious computer item should be identified as a malicious computer item; and

in response to the comparison between the first virtual ID and the reference ID being indeterminate as to whether the potentially malicious computer item is to be identified as a malicious computer item, further analyzing the characteristic of the potentially malicious computer item by determining whether the value falls outside an expected range of values associated with a non-malicious computer item.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method to identify character strings associated with potentially malicious software items. The method includes employing a visual algorithm to translate one or more characters of a character string into corresponding characters in a visual ID for use in grouping and comparing computer items having similar visual IDs, such as a reference ID for a computer item that is known to be non-malicious. The method may, among other things, elucidate an attacker'"'"'s attempt to obfuscate malicious software by using file names that are very similar to those used for harmless files.

149 Citations

18 Claims

1. A method comprising:
- obtaining, by a visual algorithm stored in memory and executed by at least one processor of a first computer, a candidate character string associated with a potentially malicious computer item operating on a second computer;
  
  generating, by the visual algorithm during execution by the at least one processor, a first visual identifier (ID) by at least translating the candidate character string into the first visual ID in accordance with one or more translation rules stored on the first computer, the first visual ID is different from the candidate character string;
  
  generating a value representing a characteristic of the potentially malicious computer item, the characteristic being associated with a size of the potentially malicious computer item or a memory location associated with the potentially malicious computer item;
  
  analyzing the first virtual ID with a reference ID where a comparison between the first virtual ID and the reference ID is used to determine whether the potentially malicious computer item should be identified as a malicious computer item; and
  
  in response to the comparison between the first virtual ID and the reference ID being indeterminate as to whether the potentially malicious computer item is to be identified as a malicious computer item, further analyzing the characteristic of the potentially malicious computer item by determining whether the value falls outside an expected range of values associated with a non-malicious computer item.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the generating of the first visual ID includes applying the visual algorithm to the candidate character string to translate a first character of the candidate character string into a first character of the first visual ID.
  - 3. The method of claim 1, wherein the generating of the first visual ID includes using a first rule by the virtual algorithm to translate a first character and a second character of the candidate character string into corresponding first and second characters of the first visual ID.
  - 4. The method of claim 3, wherein,the first and second characters of the candidate character string have different values, andthe first rule is configured to control the virtual algorithm to translate the first and second characters of the candidate character string so that the first and second characters of the first visual ID are equal.
  - 5. The method of claim 3, wherein the generating of the first visual ID by the visual algorithm during execution by the at least one processor further includes using a second rule to determine that a third character of the candidate character string will not be represented by a corresponding character in the first visual ID.
  - 6. The method of claim 1, wherein the candidate character string is obtained over a network via an agent application operating on the second computer and the value representing the characteristic of the potentially malicious computer item is obtained through the agent application.
  - 7. The method of claim 1, wherein the generating of the first visual ID further includes adding one or more neutral value characters to the first visual ID until the number of characters in the first visual ID is greater than or equal to a length limit established for the first virtual ID.
  - 8. The method of claim 1, wherein the comparison of the first visual ID against the reference ID comprisesdetermining a difference between the first visual ID and the reference.
  - 9. The method of claim 1, wherein the generating of the value representing the characteristic of the potentially malicious computer item further comprising:
    - determining the value for the characteristic of a first computer item associated with the candidate character string;
      
      determining a second value for a characteristic of a second computer item associated with a reference ID; and
      
      determining a difference between the value and the second value for the characteristic.
  - 10. The method of claim 9, wherein the reference ID is chosen for comparison based on a visual similarity of the reference ID with the first visual ID.
  - 11. The method of claim 1, further comprising:
    - determining the expected range of values for the characteristic based on a second computer item associated with the reference ID; and
      
      flagging the first visual ID for further analysis if the value for the characteristic of the first computer item associated with the candidate character string does not satisfy the expected range of values.
  - 12. The method of claim 1,displaying the first visual ID with a second visual ID on a visual display wherein,the first visual ID and the second visual IDs are arranged according to a timeline of computer events involving associated computer items under analysis by the visual algorithm being executed by the at least one processor.
  - 13. The method of claim 1, further comprising:
    - displaying the first visual ID with a second visual ID on a visual display; and
      
      displaying, via the visual display, comments for at least one of the first visual ID and the second visual ID that relate to at least one of (i) a comparison with a candidate character string, and (ii) a comparison with the value for the characteristic of the potentially malicious computer item.
  - 14. The method of claim 1, wherein the translating the candidate character string comprises reducing a plurality of alphanumeric characters of the candidate character string to a single alphanumeric character of the visual ID.
  - 15. The method of claim 14, wherein,the plurality of alphanumeric characters appear in the candidate character string in succession, andthe single alphanumeric character is a numeral.
  - 16. The method of claim 1, further comprising:
    - converting a portion of the candidate character string prior to generating the first visual ID.

17. A system comprising:
- at least one processor;
  
  a memory communicatively coupled to the at least one processor, the memory to store a visual algorithm that, when executed by the at least one processor, performs a plurality of operations that comprise;
  
  obtaining a candidate character string associated with a potentially malicious computer item from a computer,generating a first visual identifier (ID) by at least translating the candidate character string into the first visual ID, the first visual ID being different from the candidate character string,generating a value representing a characteristic of the potentially malicious computer item, the characteristic being associated with a size of the potentially malicious computer item or a memory location associated with the potentially malicious computer item,analyzing the first virtual ID with a reference ID where a comparison between the first virtual ID and a reference ID is used to determine whether the potentially malicious computer item should be identified as a malicious computer item, andin response to the comparison between the first virtual ID and the reference ID being indeterminate as to whether the potentially malicious computer item is to be identified as a malicious computer item, further analyzing the characteristic of the potentially malicious computer item by determining whether the value falls outside an expected range of values associated with a non-malicious computer item.
- View Dependent Claims (18)
- - 18. The system of claim 17, further comprising:
    - a visual display, wherein,the visual algorithm, when executed by the at least one processor, is configured to display, via the visual display, the first visual ID with a second visual ID based on a timeline of computer events involving associated computer items.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Shiffer, Jason, Ross, David
Primary Examiner(s)
Traore, Fatoumata

Application Number

US13/969,879
Publication Number

US 20140189866A1
Time in Patent Office

1,408 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/561   Virus type analysis

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

Identification of obfuscated computer items using visual algorithms

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

149 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Identification of obfuscated computer items using visual algorithms

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

149 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links