Fuzzy hash of behavioral results
First Claim
1. A computerized method for classifying objects in a system configured to detect malicious content within one or more objects analyzed by the system, comprising:
detecting, by the system, behaviors of an object for classification after processing of the received object has started;
collecting data associated with the detected behaviors;
generating a fuzzy hash for the received object based on the data associated with the detected behaviors, the generating of the fuzzy hash includes:
(i) removing a portion of the data associated with the detected behaviors to produce a remaining portion of the data associated with the detected behaviors, and (ii) performing a hash operation on the remaining portion of the data associated with the detected behaviors;
comparing the fuzzy hash for the received object with a fuzzy hash of an object in a preexisting cluster to generate a similarity measure;
associating the received object with the preexisting cluster in response to determining that the similarity measure is above a predefined threshold value; and
reporting, by the system via a communications interface, whether the received object is associated with the preexisting cluster.
Abstract
A computerized method for classifying objects in a malware system is described. The method includes detecting behaviors of an object for classification after processing of the object has begun. Data associated with the detected behaviors is collected, and a fuzzy hash for the received object is generated. The generation of the fuzzy hash may include (i) removing a portion of the data associated with the detected behaviors, and (ii) performing a hash operation on a remaining portion of the data associated with the detected behaviors. Thereafter, the fuzzy hash for the received object is compared to a fuzzy hash of an object in a preexisting cluster to generate a similarity measure. The received object is associated with the preexisting cluster in response to determining that the similarity measure is above a predefined threshold value. Thereafter, the results are reported.
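The abstract fixes the shape of the method (collect behaviors, remove a portion, hash the remainder, compare against a cluster, associate above a threshold) but not the hash construction or which data is removed. The following is an added, illustrative Python example, not the patent's implementation: sandbox records that appear in every run (core DLL loads, thread events) plus volatile tokens (pids, addresses, random temp-file names) are the removed portion; a Bloom-style bit-set digest of the remaining records is the fuzzy hash; Jaccard similarity on the bitmaps is the similarity measure; a cluster's first member supplies its representative hash. The record formats, noise list, 512-bit width, 0.6 threshold and the three sample traces are constructed assumptions.

```python
"""Behavioral fuzzy hashing and cluster assignment (illustrative, assumed design)."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

HASH_BITS = 512        # width of the fuzzy-hash bitmap (assumed)
BITS_PER_BEHAVIOR = 3  # bits set per remaining behavior record (assumed)

# Records present in virtually every run of any program: no clustering signal.
# This is the "portion of the data" removed before hashing (illustrative list).
NOISE = (
    re.compile(r"^load_library .*\\(ntdll|kernel32|kernelbase)\.dll$", re.I),
    re.compile(r"^thread_(create|exit)\b"),
)
# Run-to-run volatile fields that do not change behavior: normalized, not dropped.
VOLATILE = (
    (re.compile(r"\bpid=\d+"), "pid=<PID>"),
    (re.compile(r"0x[0-9a-fA-F]+"), "<ADDR>"),
    (re.compile(r"\\Temp\\[A-Za-z0-9_]+\.tmp"), r"\\Temp\\<RAND>.tmp"),
)


def remove_noise(behaviors: Iterable[str]) -> List[str]:
    """Step (i): drop noise records, normalize volatile tokens, return the remainder."""
    kept = set()
    for rec in behaviors:
        rec = rec.strip()
        if not rec or any(p.search(rec) for p in NOISE):
            continue
        for pat, repl in VOLATILE:
            rec = pat.sub(repl, rec)
        kept.add(rec)
    return sorted(kept)


def fuzzy_hash(behaviors: Iterable[str]) -> int:
    """Step (ii): hash the remaining records into one fixed-width bitmap.

    Each record sets BITS_PER_BEHAVIOR bits taken from its SHA-256, so traces
    sharing most records share most bits. A single SHA-256 over the whole
    trace would instead change completely on one extra record.
    """
    bitmap = 0
    for rec in remove_noise(behaviors):
        digest = hashlib.sha256(rec.encode("utf-8")).digest()
        for k in range(BITS_PER_BEHAVIOR):
            idx = int.from_bytes(digest[2 * k:2 * k + 2], "big") % HASH_BITS
            bitmap |= 1 << idx
    return bitmap


def similarity(h1: int, h2: int) -> float:
    """Similarity measure: Jaccard index of the two bitmaps, |h1 & h2| / |h1 | h2|."""
    union = bin(h1 | h2).count("1")
    if union == 0:          # two empty traces carry no evidence of similarity
        return 0.0
    return bin(h1 & h2).count("1") / union


@dataclass
class Cluster:
    name: str
    representative: int  # fuzzy hash of the cluster's first member
    members: List[str] = field(default_factory=list)


def classify(obj_id: str, behaviors: Iterable[str], clusters: List[Cluster],
             threshold: float = 0.6) -> Optional[str]:
    """Associate the object with the best-matching preexisting cluster.

    Returns the cluster name when the similarity measure is above `threshold`,
    otherwise None (the caller may then open a new cluster).
    """
    h = fuzzy_hash(behaviors)
    best, best_sim = None, 0.0
    for c in clusters:
        s = similarity(h, c.representative)
        if s > best_sim:
            best, best_sim = c, s
    if best is not None and best_sim > threshold:
        best.members.append(obj_id)
        return best.name
    return None


# Constructed sandbox traces, not real captures. A and B are two runs of the
# same dropper (different pid, temp name, address, one extra persistence key).
DROPPER_A = [
    r"load_library C:\Windows\System32\ntdll.dll",
    r"load_library C:\Windows\System32\kernel32.dll",
    "thread_create pid=4120 tid=4124",
    r"file_write C:\Users\victim\AppData\Local\Temp\a8f3k1.tmp",
    r"process_create pid=4120 child=C:\Users\victim\AppData\Local\Temp\a8f3k1.tmp",
    r"reg_set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
    "net_connect 203.0.113.7:443",
    "mem_alloc 0x7ff6a2c10000 RWX",
]
DROPPER_B = [
    r"load_library C:\Windows\System32\ntdll.dll",
    "thread_create pid=5530 tid=5534",
    r"file_write C:\Users\victim\AppData\Local\Temp\q91zzt.tmp",
    r"process_create pid=5530 child=C:\Users\victim\AppData\Local\Temp\q91zzt.tmp",
    r"reg_set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
    r"reg_set HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\updater",
    "net_connect 203.0.113.7:443",
    "mem_alloc 0x7ff6b0040000 RWX",
]
BENIGN_INSTALLER = [
    r"load_library C:\Windows\System32\ntdll.dll",
    "thread_create pid=2201 tid=2205",
    r"file_write C:\Program Files\Acme\acme.exe",
    r"reg_set HKLM\Software\Acme\InstallDir",
    "net_connect 198.51.100.20:443",
]


def demo() -> dict:
    """Seed one cluster from sample A, then classify B and the benign installer."""
    clusters = [Cluster("dropper-family-1", fuzzy_hash(DROPPER_A), ["sample-A"])]
    return {obj_id: classify(obj_id, trace, clusters)
            for obj_id, trace in (("sample-B", DROPPER_B), ("sample-C", BENIGN_INSTALLER))}


if __name__ == "__main__":
    for obj_id, cluster in demo().items():
        print(f"{obj_id}: {cluster or 'no matching cluster'}")
```

Two points a practitioner would check before relying on such a scheme. First, the removal step is what makes the hash fuzzy: without dropping the noise records and normalizing the volatile tokens, runs A and B above would share almost no exact records. Second, a Jaccard-style measure can be diluted by an adversary who deliberately emits many junk behaviors, pushing a true family member below the threshold, so the threshold and the noise list need to be tuned against real traces rather than fixed once.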
20 Claims
1. A computerized method for classifying objects in a system configured to detect malicious content within one or more objects analyzed by the system, comprising:
detecting, by the system, behaviors of an object for classification after processing of the received object has started;
collecting data associated with the detected behaviors;
generating a fuzzy hash for the received object based on the data associated with the detected behaviors, the generating of the fuzzy hash includes:
(i) removing a portion of the data associated with the detected behaviors to produce a remaining portion of the data associated with the detected behaviors, and (ii) performing a hash operation on the remaining portion of the data associated with the detected behaviors;
comparing the fuzzy hash for the received object with a fuzzy hash of an object in a preexisting cluster to generate a similarity measure;
associating the received object with the preexisting cluster in response to determining that the similarity measure is above a predefined threshold value; and
reporting, by the system via a communications interface, whether the received object is associated with the preexisting cluster.
(Dependent claims 2 to 14 not shown.)

15. A system comprising:
one or more hardware processors;
a memory including one or more software modules that, when executed by the one or more hardware processors:
detect behaviors of a received object for classification after processing of the received object has started;
collect data associated with the detected behaviors;
generate a fuzzy hash for the received object based on the data associated with the detected behaviors, the fuzzy hash being generated by at least:
(i) removing a portion of the data associated with the detected behaviors to produce a remaining portion of the data associated with the detected behaviors, and (ii) performing a hash operation on the removed portion of the data associated with the detected behaviors;
compare the fuzzy hash for the received object with a fuzzy hash of an object in a preexisting cluster to generate a similarity measure;
associate the received object with the preexisting cluster in response to determining that the similarity measure is above a predefined threshold value; and
report whether the received object is associated with the preexisting cluster.
(Dependent claims 16 to 20 not shown.)
Specification