FUZZY HASH OF BEHAVIORAL RESULTS

US 20150096023A1
Filed: 09/30/2013
Published: 04/02/2015
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. A computerized method for classifying objects in a malware system, comprising:

receiving, by a malicious content detection (MCD) system, an object to be classified;

detecting behaviors of the received object, wherein the behaviors are detected after processing the received object;

generating a fuzzy hash for the received object based on the detected behaviors;

comparing the fuzzy hash for the received object with a fuzzy hash of an object in a preexisting cluster to generate a similarity measure;

associating the received object with the preexisting cluster in response to determining that the similarity measure is above a predefined threshold value; and

reporting, via a communications interface, results of the association to a client device.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized method is described in which a received object is analyzed by a malicious content detection (MCD) system to determine whether the object is malware or non-malware. The analysis may include the generation of a fuzzy hash based on a collection of behaviors for the received object. The fuzzy hash may be used by the MCD system to determine the similarity of the received object with one or more objects in previously classified/analyzed clusters. Upon detection of a “similar” object, the suspect object may be associated with the cluster and classified based on information attached to the cluster. This similarity matching provides 1) greater flexibility in analyzing potential malware objects, which may share multiple characteristics and behaviors but are also slightly different from previously classified objects and 2) a more efficient technique for classifying/assigning attributes to objects.

250 Citations

24 Claims

1. A computerized method for classifying objects in a malware system, comprising:
- receiving, by a malicious content detection (MCD) system, an object to be classified;
  
  detecting behaviors of the received object, wherein the behaviors are detected after processing the received object;
  
  generating a fuzzy hash for the received object based on the detected behaviors;
  
  comparing the fuzzy hash for the received object with a fuzzy hash of an object in a preexisting cluster to generate a similarity measure;
  
  associating the received object with the preexisting cluster in response to determining that the similarity measure is above a predefined threshold value; and
  
  reporting, via a communications interface, results of the association to a client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 14)
- - 2. The computerized method of claim 1, further comprising:
    - creating a new cluster for the received object in response to determining that the similarity measure is below the predefined threshold value.
  - 3. The computerized method of claim 1, wherein the received object is at least one of a file, a uniform resource locator, a web object, a capture of network traffic for a user over time, and an email message.
  - 4. The computerized method of claim 1, wherein the changes performed by the received object include (1) network calls, (2) modifications to a registry, (3) modifications to a file system, and (4) an application program interface call.
  - 5. The computerized method of claim 1, further comprising:
    - generating a preliminary malware score for the received object based on a comparison of the detected behaviors with known malware behaviors, wherein the preliminary malware score indicates the probability the received object is malware; and
      
      generating a final malware score for the received object based on the cluster the received object is associated,wherein the final malware score is greater than the preliminary malware score when the received object is associated with a cluster of objects classified as malware and the final malware score is less than the preliminary malware score when the received object is associated with a cluster of objects classified as non-malware.
  - 6. The computerized method of claim 1, further comprising:
    - scrubbing, prior to generating the fuzzy hash, the behaviors to remove data that does not identify the received object, wherein the fuzzy hash is generated using the scrubbed behaviors.
  - 7. The computerized method of claim 6, wherein scrubbing the behaviors includes removing a subset of process identifiers of processes called by the received object, values written to a registry by the received object, and names of objects generated, modified, or deleted by the received object.
  - 8. The computerized method of claim 2, further comprising:
    - transmitting, by the MCD system, the new cluster or the preexisting cluster with the newly associated received object to another MCD system.
  - 9. The computerized method of claim 1, further comprising:
    - classifying the received object as malware, non-malware, or with an unknown status to match a classification of the preexisting cluster, when the received object is assigned to the preexisting cluster.
  - 10. The computerized method of claim 1, further comprising:
    - assigning a malware family name to the received object to match a malware family name of the preexisting cluster, when the received object is assigned to the preexisting cluster.
  - 14. The non-transitory storage medium of claim 11 of claim 1, wherein the changes performed by the received object include (1) network calls, (2) modifications to a registry, (3) modifications to a file system, and (4) an application program interface call.

11. A non-transitory storage medium including instructions that, when executed by one or more hardware processors, performs a plurality of operations, comprising:
- detecting behaviors of a received object, wherein the behaviors are detected after processing the received object;
  
  generating a fuzzy hash for the received object based on the detected behaviors;
  
  comparing the fuzzy hash for the received object with a fuzzy hash of an object in a preexisting cluster to generate a similarity measure; and
  
  associating the received object with the preexisting cluster in response to determining that the similarity measure is above a predefined threshold value.
- View Dependent Claims (12, 13, 15, 16, 17, 18, 19)
- - 12. The non-transitory storage medium of claim 11, wherein the operations further comprise:
    - creating a new cluster for the received object in response to determining that the similarity measure is below the predefined threshold value.
  - 13. The non-transitory storage medium of claim 11, wherein the received object is one of a file, a uniform resource locator, a web object, a capture of network traffic for a user over time, and an email message.
  - 15. The non-transitory storage medium of claim 11, wherein the operations further comprise:
    - generating a preliminary malware score for the received object based on a comparison of the detected behaviors with known malware behaviors, wherein the preliminary malware score indicates the probability the received object is malware; and
      
      generating a final malware score for the received object based on the cluster the received object is associated,wherein the final malware score is greater than the preliminary malware score when the received object is associated with a cluster of objects classified as malware and the final malware score is less than the preliminary malware score when the received object is associated with a cluster of objects classified as non-malware.
  - 16. The non-transitory storage medium of claim 11, wherein the operations further comprise:
    - scrubbing, prior to generating the fuzzy hash, the behaviors to remove data that does not identify the received object, wherein the fuzzy hash is generated using the scrubbed behaviors.
  - 17. The non-transitory storage medium of claim 11, wherein scrubbing the behaviors includes removing a subset of process identifiers of processes called by the received object, values written to a registry by the received object, and names of objects generated, modified, or deleted by the received object.
  - 18. The non-transitory storage medium of claim 11, wherein the operations further comprise:
    - classifying the received object as malware, non-malware, or with an unknown status to match a classification of the preexisting cluster, when the received object is assigned to the preexisting cluster.
  - 19. The non-transitory storage medium of claim 11, wherein the operations further comprise:
    - assigning a malware family name to the received object to match a malware family name of the preexisting cluster, when the received object is assigned to the preexisting cluster.

20. A system comprising:
- one or more hardware processors;
  
  a memory including one or more software modules that, when executed by the one or more hardware processors;
  
  detect behaviors of a received object, wherein the behaviors are detected after processing the received object;
  
  generate a fuzzy hash for the received object based on the detected behaviors;
  
  compare the fuzzy hash for the received object with a fuzzy hash of an object in a preexisting cluster to generate a similarity measure; and
  
  associate the received object with the preexisting cluster in response to determining that the similarity measure is above a predefined threshold value.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The system of claim 20, wherein when executed the software modules further:
    - create a new cluster for the received object in response to determining that the similarity measure is below the predefined threshold value.
  - 22. The system of claim 20, wherein when executed the software modules further:
    - scrub, prior to generating the fuzzy hash, the behaviors to remove data that does not identify the received object, wherein the fuzzy hash is generated using the scrubbed behaviors.
  - 23. The system of claim 20, wherein when executed the software modules further:
    - classify the received object as malware, non-malware, or with an unknown status to match a classification of the preexisting cluster, when the received object is assigned to the preexisting cluster.
  - 24. The system of claim 20, wherein when executed the software modules further:
    - assign a malware family name to the received object to match a malware family name of the preexisting cluster, when the received object is assigned to the preexisting cluster.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Mesdaq, Ali, Westin, Paul L. III

Granted Patent

US 9,294,501 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

FUZZY HASH OF BEHAVIORAL RESULTS

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

250 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

FUZZY HASH OF BEHAVIORAL RESULTS

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

250 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links