US2017255776A1PendingUtilityA1

Discovery of malicious strings

52
Assignee: MCAFEE INCPriority: Dec 23, 2014Filed: May 22, 2017Published: Sep 7, 2017
Est. expiryDec 23, 2034(~8.5 yrs left)· nominal 20-yr term from priority
G06F 21/564H04L 63/14G06F 21/567H04L 63/1416
52
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Particular embodiments described herein provide for an electronic device that can be configured to determine a string sample of data, determine a hash of the string sample of data, automatically cluster the hash with other hashes from other string samples of data, and automatically create a signature hash string for the string sample of data.

Claims

exact text as granted — not AI-modified
1 .- 25 . (canceled) 
     
     
         26 . At least one non-transitory computer-readable medium comprising one or more instructions that when executed by at least one processor, cause the at least one processor to:
 determine a string of a data sample;   perform an Internet search for the string;   compare the results of the Internet search for the string with results of an Internet search for a known clean string;   cluster, based on a determination that the number of hits from the Internet search is not comparable to the number of hits from a known clean string search, the string with other strings having Internet search results that are not comparable to those of a known clean string; and   populate a dirty string database with the clustered strings.   
     
     
         27 . The at least one non-transitory computer-readable medium of  claim 26 , further comprising one or more instructions that when executed by the at least one processor, further cause the processor to:
 determine a cluster of most commonly occurring strings in the dirty string database;   create a hash of each of the strings in the cluster of most commonly occurring strings; and   store the hash of each of the strings from the cluster of most commonly occurring strings in a blacklist hash string database.   
     
     
         28 . The at least one non-transitory computer-readable medium of  claim 27 , further comprising one or more instructions that when executed by the at least one processor, further cause the processor to:
 cluster the hash of each of the strings in the cluster of most commonly occurring strings to create a string hash signature; and   communicate the string hash signature to an electronic device for use in the detection of the malware.   
     
     
         29 . The at least one non-transitory computer-readable medium of  claim 28 , further comprising one or more instructions that when executed by the at least one processor, further cause the processor to:
 remove hashes of short strings from the cluster of hashes to create a second string hash signature; and   store the second string hash signature in the blacklist hash string database.   
     
     
         30 . The at least one non-transitory computer-readable medium of  claim 26 , further comprising one or more instructions that when executed by the at least one processor, further cause the processor to:
 determine a hash of the string;   filter the hash of the string using a whitelist hash string database; and   classify the string as trusted if the hash of the string is found in the whitelist hash string database.   
     
     
         31 . The at least one non-transitory computer-readable medium of  claim 26 , wherein the data sample was received from an electronic device. 
     
     
         32 . An apparatus comprising:
 memory; and   a hardware processor configured to:
 determine a string of a data sample; 
 perform an Internet search for the string; 
 compare the results of the Internet search for the string with results of an Internet search for a known clean string; 
 cluster, based on a determination that the number of hits from the Internet search is not comparable to the number of hits from a known clean string search, the string with other strings having Internet search results that are not comparable to those of a known clean string; and 
 populate a dirty string database with the clustered strings. 
   
     
     
         33 . The apparatus of  claim 32 , wherein the hardware processor is further configured to:
 determine a cluster of most commonly occurring strings in the dirty string database;   create a hash of each of the strings in the cluster of most commonly occurring strings; and   store the hash of each of the strings from the cluster of most commonly occurring strings in a blacklist hash string database.   
     
     
         34 . The apparatus of  claim 33 , wherein the hardware processor is further configured to:
 cluster the hash of each of the strings in the cluster of most commonly occurring strings to create a string hash signature; and   communicate the string hash signature to an electronic device for use in the detection of the malware.   
     
     
         35 . The apparatus of  claim 34 , wherein the hardware processor is further configured to:
 remove hashes of short strings from the cluster of hashes to create a second string hash signature; and   store the second string hash signature in the blacklist hash string database.   
     
     
         36 . The apparatus of  claim 32 , wherein the hardware processor is further configured to:
 determine a hash of the string;   filter the hash of the string using a whitelist hash string database; and   classify the string as trusted if the hash of the string is found in the whitelist hash string database.   
     
     
         37 . The apparatus of  claim 32 , wherein the data sample was received from an electronic device. 
     
     
         38 . A method comprising:
 determining a string of a data sample;   performing an Internet search for the string;   comparing the results of the Internet search for the string with results of an Internet search for a known clean string;   clustering, based on a determination that the number of hits from the Internet search is not comparable to the number of hits from a known clean string search, the string with other strings having Internet search results that are not comparable to those of a known clean string; and   populating a dirty string database with the clustered strings.   
     
     
         39 . The method of  claim 38 , further comprising:
 determining a cluster of most commonly occurring strings in the dirty string database;   creating a hash of each of the strings in the cluster of most commonly occurring strings; and   storing the hash of each of the strings from the cluster of most commonly occurring strings in a blacklist hash string database.   
     
     
         40 . The method of  claim 39 , further comprising:
 clustering the hash of each of the strings in the cluster of most commonly occurring strings to create a string hash signature; and   communicating the string hash signature to an electronic device for use in the detection of the malware.   
     
     
         41 . The method of  claim 40 , further comprising:
 removing hashes of short strings from the cluster of hashes to create a second string hash signature; and   storing the second string hash signature in the blacklist hash string database.   
     
     
         42 . The method of  claim 38 , further comprising:
 determining a hash of the string;   filtering the hash of the string using a whitelist hash string database; and   classifying the string as trusted if the hash of the string is found in the whitelist hash string database.   
     
     
         43 . The method of  claim 38 , wherein the data sample was received from an electronic device. 
     
     
         44 . A system for discovering malicious strings, the system comprising:
 memory; and   a hardware processor configured for:
 determining a string of a data sample; 
 performing an Internet search for the string; 
 comparing the results of the Internet search for the string with results of an Internet search for a known clean string; 
 clustering, based on a determination that the number of hits from the Internet search is not comparable to the number of hits from a known clean string search, the string with other strings having Internet search results that are not comparable to those of a known clean string; and 
 populating a dirty string database with the clustered strings. 
   
     
     
         45 . The system of  claim 44 , wherein the system is further configured for:
 determining a cluster of most commonly occurring strings in the dirty string database;   creating a hash of each of the strings in the cluster of most commonly occurring strings; and   storing the hash of each of the strings from the cluster of most commonly occurring strings in a blacklist hash string database.   
     
     
         46 . The system of  claim 45 , wherein the system is further configured for:
 clustering the hash of each of the strings in the cluster of most commonly occurring strings to create a string hash signature; and   communicating the string hash signature to an electronic device for use in the detection of the malware.   
     
     
         47 . The system of  claim 46 , wherein the system is further configured for:
 removing hashes of short strings from the cluster of hashes to create a second string hash signature; and   storing the second string hash signature in the blacklist hash string database.   
     
     
         48 . The system of  claim 44 , wherein the system is further configured for:
 determining a hash of the string;   filtering the hash of the string using a whitelist hash string database; and   classifying the string as trusted if the hash of the string is found in the whitelist hash string database.   
     
     
         49 . The system of  claim 44 , wherein the data sample was received from an electronic device.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.