Systems and methods for automated generation of generic signatures used to detect polymorphic malware

US 9,836,603 B2
Filed: 02/11/2016
Issued: 12/05/2017
Est. Priority Date: 12/30/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for automated generation of generic signatures used to detect polymorphic malware, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

clustering a set of polymorphic file samples that share a set of static attributes in common with one another;

computing a distance of the polymorphic file samples from a centroid that represents a reference data point with respect to the set of polymorphic file samples, wherein computing the distance comprises;

computing, based at least in part on certain static attributes of the polymorphic file samples, a plurality of vectors that represent data points with respect to the centroid;

calculating an average of the vectors;

determining that the distance is below a certain threshold by determining that the average of the vectors is within a certain numerical value of the centroid;

upon determining that the distance is below the certain threshold;

identifying, within the set of static attributes shared in common by the polymorphic file samples, a subset of static attributes whose values are identical across all of the polymorphic file samples;

generating a generic file-classification signature from the subset of static attributes.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for automated generation of generic signatures used to detect polymorphic malware may include (1) clustering a set of polymorphic file samples that share a set of static attributes in common with one another, (2) computing a distance of the polymorphic file samples from a centroid that represents a reference data point with respect to the set of polymorphic file samples, (3) determining that the distance of the polymorphic file samples from the centroid is below a certain threshold, and then upon determining that the distance is below the certain threshold, (4) identifying, within the set of static attributes shared in common by the polymorphic file samples, a subset of static attributes whose values are identical across all of the polymorphic file samples and (5) generating a generic file-classification signature from the subset of static attributes. Various other methods, systems, and computer-readable media are also disclosed.

Citations

17 Claims

1. A computer-implemented method for automated generation of generic signatures used to detect polymorphic malware, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- clustering a set of polymorphic file samples that share a set of static attributes in common with one another;
  
  computing a distance of the polymorphic file samples from a centroid that represents a reference data point with respect to the set of polymorphic file samples, wherein computing the distance comprises;
  
  computing, based at least in part on certain static attributes of the polymorphic file samples, a plurality of vectors that represent data points with respect to the centroid;
  
  calculating an average of the vectors;
  
  determining that the distance is below a certain threshold by determining that the average of the vectors is within a certain numerical value of the centroid;
  
  upon determining that the distance is below the certain threshold;
  
  identifying, within the set of static attributes shared in common by the polymorphic file samples, a subset of static attributes whose values are identical across all of the polymorphic file samples;
  
  generating a generic file-classification signature from the subset of static attributes.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein clustering the set of polymorphic file samples that share the set of static attributes in common comprises:
    - identifying at least one polymorphic variant that has certain static attributes;
      
      determining that certain static attributes of at least one additional polymorphic variant are identical to the certain attributes of the polymorphic variant;
      
      in response to determining that the certain attributes of the additional polymorphic variant are identical to the certain attributes of the polymorphic variant, forming a cluster that includes the polymorphic variant and the additional polymorphic variant.
  - 3. The method of claim 2, wherein:
    - computing the distance of the polymorphic file samples from the centroid comprises;
      
      computing a distance of the polymorphic variant from the centroid;
      
      computing an additional distance of the additional polymorphic variant from the centroid;
      
      determining that the distance of the polymorphic file samples from the centroid is below the certain threshold comprises;
      
      determining, based at least in part on the distances of the polymorphic variant and the additional polymorphic variant, a density of the cluster that includes the polymorphic variant and the additional polymorphic variant;
      
      determining that the density of the cluster satisfies a density threshold indicating that the cluster is qualified for use in generating a generic file-classification signature whose false positive rate is at an acceptable level.
  - 4. The method of claim 1, wherein:
    - computing the distance of the polymorphic file samples from the centroid comprises computing, based at least in part on certain static attributes of the polymorphic file samples, a plurality of vectors that represent data points with respect to the centroid;
      
      determining that the distance of the polymorphic file samples from the centroid is below the certain threshold comprises determining that each of the vectors is within a certain numerical value of the centroid.
  - 5. The method of claim 1, wherein determining that the distance of the polymorphic file samples from the centroid is below the certain threshold comprises determining that the distance of the polymorphic file samples from the centroid is approximately zero.
  - 6. The method of claim 1, wherein:
    - clustering the set of polymorphic file samples that share the set of static attributes in common comprises clustering the set of polymorphic file samples on a server;
      
      generating the generic file-classification signature from the subset of static attributes comprises generating the generic file-classification signature on the server;
      
      further comprising distributing the generic file-classification signature to at least one client device via a network to enable the client device to classify at least one polymorphic file sample as malware using the generic file-classification signature by comparing certain static attributes of the polymorphic file with the subset of static attributes.

7. A system for automated generation of generic signatures used to detect polymorphic malware, the system comprising:
- a clustering module, stored in memory, that clusters a set of polymorphic file samples that share a set of static attributes in common with one another;
  
  a computation module, stored in memory, that computes a distance of the polymorphic file samples from a centroid that represents a reference data point with respect to the set of polymorphic file samples, wherein computing the distance comprises;
  
  computing, based at least in part on certain static attributes of the polymorphic file samples, a plurality of vectors that represent data points with respect to the centroid;
  
  calculating an average of the vectors;
  
  a determination module, stored in memory, that determines that the distance is below a certain threshold by determining that the average of the vectors is within a certain numerical value of the centroid;
  
  an identification module, stored in memory, that identifies, within the set of static attributes shared in common by the polymorphic file samples, a subset of static attributes whose values are identical across all of the polymorphic file samples;
  
  a generation module, stored in memory, that generates a generic file-classification signature from the subset of static attributes;
  
  at least one physical processor that executes the clustering module, the computation module, the determination module, the identification module, and the generation module.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein:
    - the identification module identifies at least one polymorphic variant that has certain static attributes;
      
      the determination module determines that certain static attributes of at least one additional polymorphic variant are identical to the certain attributes of the polymorphic variant;
      
      the cluster module forms a cluster that includes the polymorphic variant and the additional polymorphic variant in response to the determination that the certain attributes of the additional polymorphic variant are identical to the certain attributes of the polymorphic variant.
  - 9. The system of claim 8, wherein:
    - the computation module;
      
      computes a distance of the polymorphic variant from the centroid;
      
      computes an additional distance of the additional polymorphic variant from the centroid;
      
      the determination module;
      
      determines, based at least in part on the distances of the polymorphic variant and the additional polymorphic variant, a density of the cluster that includes the polymorphic variant and the additional polymorphic variant;
      
      determines that the density of the cluster satisfies a density threshold indicating that the cluster is qualified for use in generating a generic file-classification signature whose false positive rate is at an acceptable level.
  - 10. The system of claim 9, wherein:
    - the computation module computes, based at least in part on certain static attributes of the polymorphic file samples, a plurality of vectors that represent data points with respect to the centroid;
      
      the determination module determines that each of the vectors is within a certain numerical value of the centroid.
  - 11. The system of claim 7, wherein the determination module determines that the distance of the polymorphic file samples from the centroid is approximately zero.
  - 12. The system of claim 7, wherein:
    - the clustering module clusters the set of polymorphic file samples on a server;
      
      the generating module generates the generic file-classification signature on the server;
      
      further comprising a distribution module, stored in memory and executed by the physical processor, that distributes the generic file-classification signature to at least one client device via a network to enable the client device to classify at least one polymorphic file sample as malware using the generic file-classification signature by comparing certain static attributes of the polymorphic file with the subset of static attributes.

13. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- cluster a set of polymorphic file samples that share a set of static attributes in common with one another;
  
  compute a distance of the polymorphic file samples from a centroid that represents a reference data point with respect to the set of polymorphic file samples, wherein computing the distance comprises;
  
  computing, based at least in part on certain static attributes of the polymorphic file samples, a plurality of vectors that represent data points with respect to the centroid;
  
  calculating an average of the vectors;
  
  determine that the distance is below a certain threshold by determining that the average of the vectors is within a certain numerical value of the centroid;
  
  upon determining that the distance is below the certain threshold;
  
  identify, within the set of static attributes shared in common by the polymorphic file samples, a subset of static attributes whose values are identical across all of the polymorphic file samples;
  
  generate a generic file-classification signature from the subset of static attributes.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The non-transitory computer-readable medium of claim 13, wherein the one or more computer-executable instructions further cause the computing device to:
    - identify at least one polymorphic variant that has certain static attributes;
      
      determine that certain static attributes of at least one additional polymorphic variant are identical to the certain attributes of the polymorphic variant;
      
      form a cluster that includes the polymorphic variant and the additional polymorphic variant in response to the determination that the certain attributes of the additional polymorphic variant are identical to the certain attributes of the polymorphic variant.
  - 15. The non-transitory computer-readable medium of claim 14, wherein the one or more computer-executable instructions further cause the computing device to:
    - compute a distance of the polymorphic variant from the centroid;
      
      compute an additional distance of the additional polymorphic variant from the centroid;
      
      determine, based at least in part on the distances of the polymorphic variant and the additional polymorphic variant, a density of the cluster that includes the polymorphic variant and the additional polymorphic variant;
      
      determine that the density of the cluster satisfies a density threshold indicating that the cluster is qualified for use in generating a generic file-classification signature whose false positive rate is at an acceptable level.
  - 16. The non-transitory computer-readable medium of claim 13, wherein the one or more computer-executable instructions further cause the computing device to:
    - compute, based at least in part on certain static attributes of the polymorphic file samples, a plurality of vectors that represent data points with respect to the centroid;
      
      determine that each of the vectors is within a certain numerical value of the centroid.
  - 17. The non-transitory computer-readable medium of claim 13, wherein the one or more computer-executable instructions further cause the computing device to determine that the distance of the polymorphic file samples from the centroid is approximately zero.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
RoyChowdhury, Ajitesh, Kumar, Anudeep, Dubey, Himanshu, Shekokar, Nitin
Primary Examiner(s)
Hailu, Teshome

Application Number

US15/041,043
Publication Number

US 20170193229A1
Time in Patent Office

663 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/564 by virus signature recognition

G06F 2221/034 Test or assess a computer o...

Systems and methods for automated generation of generic signatures used to detect polymorphic malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for automated generation of generic signatures used to detect polymorphic malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links