US2017255776A1PendingUtilityA1
Discovery of malicious strings
Est. expiryDec 23, 2034(~8.5 yrs left)· nominal 20-yr term from priority
G06F 21/564H04L 63/14G06F 21/567H04L 63/1416
52
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
Particular embodiments described herein provide for an electronic device that can be configured to determine a string sample of data, determine a hash of the string sample of data, automatically cluster the hash with other hashes from other string samples of data, and automatically create a signature hash string for the string sample of data.
Claims
exact text as granted — not AI-modified1 .- 25 . (canceled)
26 . At least one non-transitory computer-readable medium comprising one or more instructions that when executed by at least one processor, cause the at least one processor to:
determine a string of a data sample; perform an Internet search for the string; compare the results of the Internet search for the string with results of an Internet search for a known clean string; cluster, based on a determination that the number of hits from the Internet search is not comparable to the number of hits from a known clean string search, the string with other strings having Internet search results that are not comparable to those of a known clean string; and populate a dirty string database with the clustered strings.
27 . The at least one non-transitory computer-readable medium of claim 26 , further comprising one or more instructions that when executed by the at least one processor, further cause the processor to:
determine a cluster of most commonly occurring strings in the dirty string database; create a hash of each of the strings in the cluster of most commonly occurring strings; and store the hash of each of the strings from the cluster of most commonly occurring strings in a blacklist hash string database.
28 . The at least one non-transitory computer-readable medium of claim 27 , further comprising one or more instructions that when executed by the at least one processor, further cause the processor to:
cluster the hash of each of the strings in the cluster of most commonly occurring strings to create a string hash signature; and communicate the string hash signature to an electronic device for use in the detection of the malware.
29 . The at least one non-transitory computer-readable medium of claim 28 , further comprising one or more instructions that when executed by the at least one processor, further cause the processor to:
remove hashes of short strings from the cluster of hashes to create a second string hash signature; and store the second string hash signature in the blacklist hash string database.
30 . The at least one non-transitory computer-readable medium of claim 26 , further comprising one or more instructions that when executed by the at least one processor, further cause the processor to:
determine a hash of the string; filter the hash of the string using a whitelist hash string database; and classify the string as trusted if the hash of the string is found in the whitelist hash string database.
31 . The at least one non-transitory computer-readable medium of claim 26 , wherein the data sample was received from an electronic device.
32 . An apparatus comprising:
memory; and a hardware processor configured to:
determine a string of a data sample;
perform an Internet search for the string;
compare the results of the Internet search for the string with results of an Internet search for a known clean string;
cluster, based on a determination that the number of hits from the Internet search is not comparable to the number of hits from a known clean string search, the string with other strings having Internet search results that are not comparable to those of a known clean string; and
populate a dirty string database with the clustered strings.
33 . The apparatus of claim 32 , wherein the hardware processor is further configured to:
determine a cluster of most commonly occurring strings in the dirty string database; create a hash of each of the strings in the cluster of most commonly occurring strings; and store the hash of each of the strings from the cluster of most commonly occurring strings in a blacklist hash string database.
34 . The apparatus of claim 33 , wherein the hardware processor is further configured to:
cluster the hash of each of the strings in the cluster of most commonly occurring strings to create a string hash signature; and communicate the string hash signature to an electronic device for use in the detection of the malware.
35 . The apparatus of claim 34 , wherein the hardware processor is further configured to:
remove hashes of short strings from the cluster of hashes to create a second string hash signature; and store the second string hash signature in the blacklist hash string database.
36 . The apparatus of claim 32 , wherein the hardware processor is further configured to:
determine a hash of the string; filter the hash of the string using a whitelist hash string database; and classify the string as trusted if the hash of the string is found in the whitelist hash string database.
37 . The apparatus of claim 32 , wherein the data sample was received from an electronic device.
38 . A method comprising:
determining a string of a data sample; performing an Internet search for the string; comparing the results of the Internet search for the string with results of an Internet search for a known clean string; clustering, based on a determination that the number of hits from the Internet search is not comparable to the number of hits from a known clean string search, the string with other strings having Internet search results that are not comparable to those of a known clean string; and populating a dirty string database with the clustered strings.
39 . The method of claim 38 , further comprising:
determining a cluster of most commonly occurring strings in the dirty string database; creating a hash of each of the strings in the cluster of most commonly occurring strings; and storing the hash of each of the strings from the cluster of most commonly occurring strings in a blacklist hash string database.
40 . The method of claim 39 , further comprising:
clustering the hash of each of the strings in the cluster of most commonly occurring strings to create a string hash signature; and communicating the string hash signature to an electronic device for use in the detection of the malware.
41 . The method of claim 40 , further comprising:
removing hashes of short strings from the cluster of hashes to create a second string hash signature; and storing the second string hash signature in the blacklist hash string database.
42 . The method of claim 38 , further comprising:
determining a hash of the string; filtering the hash of the string using a whitelist hash string database; and classifying the string as trusted if the hash of the string is found in the whitelist hash string database.
43 . The method of claim 38 , wherein the data sample was received from an electronic device.
44 . A system for discovering malicious strings, the system comprising:
memory; and a hardware processor configured for:
determining a string of a data sample;
performing an Internet search for the string;
comparing the results of the Internet search for the string with results of an Internet search for a known clean string;
clustering, based on a determination that the number of hits from the Internet search is not comparable to the number of hits from a known clean string search, the string with other strings having Internet search results that are not comparable to those of a known clean string; and
populating a dirty string database with the clustered strings.
45 . The system of claim 44 , wherein the system is further configured for:
determining a cluster of most commonly occurring strings in the dirty string database; creating a hash of each of the strings in the cluster of most commonly occurring strings; and storing the hash of each of the strings from the cluster of most commonly occurring strings in a blacklist hash string database.
46 . The system of claim 45 , wherein the system is further configured for:
clustering the hash of each of the strings in the cluster of most commonly occurring strings to create a string hash signature; and communicating the string hash signature to an electronic device for use in the detection of the malware.
47 . The system of claim 46 , wherein the system is further configured for:
removing hashes of short strings from the cluster of hashes to create a second string hash signature; and storing the second string hash signature in the blacklist hash string database.
48 . The system of claim 44 , wherein the system is further configured for:
determining a hash of the string; filtering the hash of the string using a whitelist hash string database; and classifying the string as trusted if the hash of the string is found in the whitelist hash string database.
49 . The system of claim 44 , wherein the data sample was received from an electronic device.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.