Fuzzy hash of behavioral results

US 9,912,691 B2
Filed: 03/21/2016
Issued: 03/06/2018
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. A computerized method for classifying objects in a system configured to detect malicious content within one or more objects analyzed by the system, comprising:

detecting, by the system, behaviors of an object for classification after processing of the received object has started;

collecting data associated with the detected behaviors;

generating a fuzzy hash for the received object based on the data associated with the detected behaviors, the generating of the fuzzy hash includes;

(i) removing a portion of the data associated with the detected behaviors to produce a remaining portion of the data associated with the detected behaviors, and(ii) performing a hash operation on the remaining portion of the data associated with the detected behaviors;

comparing the fuzzy hash for the received object with a fuzzy hash of an object in a preexisting cluster to generate a similarity measure;

associating the received object with the preexisting cluster in response to determining that the similarity measure is above a predefined threshold value; and

reporting, by the system via a communications interface, whether the received object is associated with the preexisting cluster.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized method for classifying objects in a malware system is described. The method includes detecting behaviors of an object for classification after processing of the object has begun. Data associated with the detected behaviors is collected, and a fuzzy hash for the received object is generated. The generation of the fuzzy hash may include (i) removing a portion of the data associated with the detected behaviors, and (ii) performing a hash operation on a remaining portion of the data associated with the detected behaviors. Thereafter, the fuzzy hash for the received object is compared to a fuzzy hash of an object in a preexisting cluster to generate a similarity measure. The received object is associated with the preexisting cluster in response to determining that the similarity measure is above a predefined threshold value. Thereafter, the results are reported.

662 Citations

20 Claims

1. A computerized method for classifying objects in a system configured to detect malicious content within one or more objects analyzed by the system, comprising:
- detecting, by the system, behaviors of an object for classification after processing of the received object has started;
  
  collecting data associated with the detected behaviors;
  
  generating a fuzzy hash for the received object based on the data associated with the detected behaviors, the generating of the fuzzy hash includes;
  
  (i) removing a portion of the data associated with the detected behaviors to produce a remaining portion of the data associated with the detected behaviors, and(ii) performing a hash operation on the remaining portion of the data associated with the detected behaviors;
  
  comparing the fuzzy hash for the received object with a fuzzy hash of an object in a preexisting cluster to generate a similarity measure;
  
  associating the received object with the preexisting cluster in response to determining that the similarity measure is above a predefined threshold value; and
  
  reporting, by the system via a communications interface, whether the received object is associated with the preexisting cluster.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The computerized method of claim 1, further comprising:
    - creating a new cluster for the received object in response to determining that the similarity measure is below the predefined threshold value.
  - 3. The computerized method of claim 1, wherein the received object is at least one of a file, a uniform resource locator, a web object, a capture of network traffic for a user over time, and an email message.
  - 4. The computerized method of claim 1, wherein the changes performed by the received object include (1) network calls, (2) modifications to a registry, (3) modifications to a file system, or (4) an application program interface call.
  - 5. The computerized method of claim 1, further comprising:
    - generating a preliminary malware score for the received object based on a comparison of the detected behaviors with known malware behaviors, wherein the preliminary malware score indicates the probability the received object is malware; and
      
      generating a final malware score for the received object based on the cluster the received object is associated, wherein the final malware score is greater than the preliminary malware score when the received object is associated with a cluster of objects classified as malware and the final malware score is less than the preliminary malware score when the received object is associated with a cluster of objects classified as non-malware.
  - 6. The computerized method of claim 1, wherein the removing of the portion of the data associated the detected behaviors comprises removing data that does not identify the received object.
  - 7. The computerized method of claim 6, wherein the removing of the portion of the data associated the detected behaviors includes at least one of:
    - (i) a process identifier of a process called by the received object, or (ii) a value written to a registry by the received object, or (iii) names of objects generated, modified, or deleted by the received object.
  - 8. The computerized method of claim 2, further comprising:
    - transmitting, by the system, the new cluster or the preexisting cluster with the newly associated received object to another system configured to detect malicious content within one or more objects.
  - 9. The computerized method of claim 1, further comprising:
    - classifying the received object as malware, non-malware, or with an unknown status to match a classification of the preexisting cluster, when the received object is assigned to the preexisting cluster.
  - 10. The computerized method of claim 1, further comprising:
    - assigning a malware family name to the received object to match a malware family name of the preexisting cluster, when the received object is assigned to the preexisting cluster.
  - 11. The computerized method of claim 1, wherein the removing of the data associated with the detected behaviors includes removing values written to a registry or modified registry values.
  - 12. The method of claim 1, wherein the behaviors of the object including the system processing a suspected malware object by detonating, executing or opening the suspected malware object to cause the suspected malware object to perform the behaviors.
  - 13. The method of claim 1, wherein the pre-existing cluster is retrieved from cloud computing services.
  - 14. The method of claim 1, wherein the received object is provided from a client device remotely located from the system.

15. A system comprising:
- one or more hardware processors;
  
  a memory including one or more software modules that, when executed by the one or more hardware processors;
  
  detect behaviors of a received object for classification after processing of the received object has started;
  
  collect data associated with the detected behaviors;
  
  generate a fuzzy hash for the received object based on the data associated with the detected behaviors, the fuzzy hash being generated by at least;
  
  (i) removing a portion of the data associated with the detected behaviors to produce a remaining portion of the data associated with the detected behaviors, and(ii) performing a hash operation on the removed portion of the data associated with the detected behaviors;
  
  compare the fuzzy hash for the received object with a fuzzy hash of an object in a preexisting cluster to generate a similarity measure;
  
  associate the received object with the preexisting cluster in response to determining that the similarity measure is above a predefined threshold value; and
  
  report whether the received object is associated with the preexisting cluster.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the one or more software modules, when executed by the one or more hardware processors, are further configured to:
    - create a new cluster for the received object in response to determining that the similarity measure is below the predefined threshold value.
  - 17. The system of claim 15, wherein the removing the data associated with the detected behaviors includes removing data associated with the detected behaviors that does not identify the received object, wherein the fuzzy hash is generated using the detected behaviors.
  - 18. The system of claim 15, wherein the one or more software modules, when executed by the one or more hardware processors, are further configured to:
    - classify the received object as malware, non-malware, or with an unknown status to match a classification of the preexisting cluster, when the received object is assigned to the preexisting cluster.
  - 19. The system of claim 15, wherein the one or more software modules, when executed by the one or more hardware processors, are further configured to:
    - assign a malware family name to the received object to match a malware family name of the preexisting cluster, when the received object is assigned to the preexisting cluster.
  - 20. The system of claim 15 being in communication with a client device remotely located from the system to receive the received object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Mesdaq, Ali, Westin, III, Paul L.
Primary Examiner(s)
Jhaveri, Jayesh

Application Number

US15/076,322
Publication Number

US 20160261612A1
Time in Patent Office

715 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Fuzzy hash of behavioral results

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

662 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Fuzzy hash of behavioral results

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

662 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links