Title: Systems and methods for identifying associations between malware samples
Abstract: Systems and methods are disclosed for identifying associations between binary samples, such as e-mail files and their attachments or a document and an executable program associated with the document. In one implementation, the method includes receiving a plurality of binary samples, and extracting metadata from the plurality of binary samples. The metadata for a binary sample from the plurality of binary samples includes a set of attributes of the binary sample. The method further includes identifying a set of associations between the plurality of binary samples based on the extracted metadata. Each association is characterized by at least one attribute the associated binary samples have in common, and each association has a confidence level indicative of a strength of the association. The method also includes identifying associations with a confidence level that exceeds a predefined threshold.
Publication number: US9405905(B2) Publication date: 2016.08.02
Application number: US201414524325 Filing date: 2014.10.27
Applicant: VERISIGN, INC. Inventors: Sinclair Gregory; Olson Ryan; Falcone Robert
Classification: G06F17/30; G06F7/00; G06F21/56; H04L29/06; G06Q10/10; H04L12/58 Main classification: G06F17/30
Agency: MH2 Technology Law Group, LLP Agent: MH2 Technology Law Group, LLP
Main claim 1. A method, performed by a processor, for identifying associations between binary samples, comprising: receiving a plurality of binary samples; determining one or more file types associated with the plurality of binary samples; extracting type-specific metadata from the plurality of binary samples, the type-specific metadata for a binary sample from the plurality of binary samples including a set of attributes of the binary sample that are unique for a file type associated with the binary sample; identifying a set of associations between the plurality of binary samples based on the extracted metadata, each association characterized by at least one attribute in the set of attributes that the associated binary samples have in common; receiving a reference sample corresponding to a known malware sample; identifying that the reference sample is associated with at least one binary sample among the plurality of binary samples; generating data corresponding to a malware alert in response to identifying that the reference sample is associated with the at least one binary sample; communicating the data to a front-end system; and generating, at the front-end system, a display corresponding to the malware alert using the data.
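The following is an added illustration of the method described in the abstract and in claim 1 (metadata-based association with per-association confidence, a threshold, and an alert when a known-malware reference sample associates with a received sample); it is not code from the patent or from Verisign. It assumes that per-file-type extractors have already turned each sample into a dictionary of type-specific attributes, that each attribute carries a fixed weight, and that weights of several shared attributes combine by noisy-OR; the attribute names, weights, sample identifiers and hash values are all constructed.

```python
import math
from collections import defaultdict
from itertools import combinations
# Type-specific attribute -> (comparable key, weight). Attributes of different file types
# that name the same thing map to one key so they can be matched; weights are assumed.
COMPARABLE = {
    "email.attachment_sha256": ("file_hash", 0.95),
    "doc.sha256": ("file_hash", 0.95),
    "doc.embedded_sha256": ("file_hash", 0.95),
    "pe.sha256": ("file_hash", 0.95),
    "pe.imphash": ("imphash", 0.60),
    "pe.compile_timestamp": ("compile_ts", 0.20),
}

def associate(samples, threshold):
    """{(id_a, id_b): (confidence, [(attr_a, attr_b)])} for sample pairs that share comparable
    values; several shared attributes combine by noisy-OR, 1 - prod(1 - w), then threshold."""
    index = defaultdict(list)  # (comparable key, value) -> [(sample_id, attr, weight)]
    for sid, meta in samples.items():
        for attr, value in meta.items():
            key, weight = COMPARABLE[attr]
            index[(key, value)].append((sid, attr, weight))
    pairs = defaultdict(list)  # (id_a, id_b) -> [(attr_a, attr_b, weight)]
    for entries in index.values():
        for (a, attr_a, w), (b, attr_b, _) in combinations(entries, 2):
            if a != b:  # the same sample can hold one value under two attributes
                pairs[tuple(sorted((a, b)))].append((attr_a, attr_b, w))
    result = {}
    for pair, shared in pairs.items():
        conf = 1.0 - math.prod(1.0 - w for _, _, w in shared)
        if conf >= threshold:
            result[pair] = (round(conf, 3), [(x, y) for x, y, _ in shared])
    return result

def malware_alerts(samples, reference_id, threshold=0.5):
    """Alert records, strongest first, for samples associated with the known-malware reference."""
    alerts = []
    for (a, b), (conf, shared) in associate(samples, threshold).items():
        if reference_id in (a, b):
            other = b if a == reference_id else a
            alerts.append({"sample": other, "reference": reference_id, "confidence": conf, "shared": shared})
    return sorted(alerts, key=lambda r: -r["confidence"])

# Constructed metadata standing in for per-type parser output (hashes are placeholders).
SAMPLES = {
    "mail-1": {"email.attachment_sha256": "HD"},
    "doc-1": {"doc.sha256": "HD", "doc.embedded_sha256": "HX"},
    "exe-1": {"pe.sha256": "HX", "pe.imphash": "I1", "pe.compile_timestamp": "T1"},
    "ref-mal": {"pe.sha256": "HM", "pe.imphash": "I1", "pe.compile_timestamp": "T1"},
}
```

With the constructed data, the e-mail links to the document through the attachment hash, the document links to the executable through the embedded-file hash, and the reference sample links to the executable only through the weaker import-hash and build-timestamp matches, so raising the threshold from 0.5 to 0.7 silences that alert.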
Address: Reston VA US