Method and system for automatically generating malware signature

US12174959B2 · US · B2

Patent metadata
Publication number: US-12174959-B2
Application number: US-202217666103-A
Country: US
Kind code: B2
Filing date: Feb 7, 2022
Priority date: Feb 7, 2022
Publication date: Dec 24, 2024
Grant date: Dec 24, 2024

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Automatic generation of a malware signature is disclosed. Code of a sample including packages and function names is parsed. Standard type packages and vendor type packages are filtered from the code of the sample to obtain main type packages. A signature using a fuzzy hash for the sample is generated based on the main type packages. A determination of whether the sample is malware is performed using the signature and a similarity score threshold.

First claim

Opening claim text (preview).

What is claimed is:

1. A system, comprising: a processor configured to: parse code of a sample including packages and function names; filter standard type packages and vendor type packages from the code of the sample to obtain main type packages; generate a signature using a fuzzy hash for the sample based on the main type packages, comprising to: obtain function names associated with the main type packages; concatenate the function names associated with the main type packages to obtain a concatenated string; and perform the fuzzy hash on the concatenated string to obtain the signature; and determine whether the sample is malware using the signature and a similarity score threshold; and a memory coupled to the processor and configured to provide the processor with instructions.

2. The system of claim 1, wherein the parsing of the code of the sample comprises to: parse a table of the sample to extract the packages and the function names.

3. The system of claim 1, wherein the filtering of the standard type packages and the vendor type packages from the code of the sample comprises to: classify the packages of the sample into main type, standard type, and vendor type; and filter the standard type packages and the vendor type packages from the packages to obtain the main type packages.

4. The system of claim 1, wherein the fuzzy hash includes ssdeep.

5. The system of claim 1, wherein the concatenating of the function names associated with the main type packages to obtain the concatenated string comprises to: sort the function names in alphabetical order; and concatenate the sorted function names to obtain the concatenated string.

6. The system of claim 1, wherein the determining whether the sample is malware using the signature and the similarity score threshold comprises to: compare the signature with a signature associated with a known malware to obtain a similarity score.

7. The system of claim 6, wherein the determining whether the sample is malware using the signature and the similarity score threshold further comprises to: determine whether the similarity score is equal to or exceeds the similarity score threshold; and in the event that the similarity score is equal to or exceeds the similarity score threshold, determine that the sample is malware.

8. The system of claim 6, wherein the determining whether the sample is malware using the signature and the similarity score threshold further comprises to: determine whether the similarity score is equal to or exceeds the similarity score threshold; and in the event that the similarity score fails to equal or exceed the similarity score threshold, determine that the sample is benign.

9. A method, comprising: parsing, using a processor, code of a sample including packages and function names; filtering, using the processor, standard type packages and vendor type packages from the code of the sample to obtain main type packages; generating, using the processor, a signature using a fuzzy hash for the sample based on the main type packages, comprising: obtaining function names associated with the main type packages; concatenating the function names associated with the main type packages to obtain a concatenated string; and performing the fuzzy hash on the concatenated string to obtain the signature; and determining, using the processor, whether the sample is malware using the signature and a similarity score threshold.

10. The method of claim 9, wherein the parsing of the code of the sample comprises: parsing a table of the sample to extract the packages and the function names.

11. The method of claim 9, wherein the filtering of the standard type packages and the vendor type packages from the code of the sample comprises: classifying the packages of the sample into main type, standard type, and vendor type; and filtering the standard type packages and the vendor type packages from the packages to obtain the main type packages.

12. The method of claim 9, wherein the fuzzy hash includes ssdeep.

13. The method of claim 9, wherein the concatenating of the function names associated with the main type packages to obtain the concatenated string comprises: sorting the function names in alphabetical order; and concatenating the sorted function names to obtain the concatenated string.

14. The method of claim 9, wherein the determining whether the sample is malware using the signature and the similarity score threshold comprises: comparing the signature with a signature associated with a known malware to obtain a similarity score.

15. The method of claim 14, wherein the determining whether the sample is malware using the signature and the similarity score threshold further comprises: determining whether the similarity score is equal to or exceeds the similarity score threshold; and in the event that the similarity score is equal to or exceeds the similarity score threshold, determining that the sample is malware.

16. The method of claim 14, wherein the determining whether the sample is malware using the signature and the similarity score threshold further comprises: determining whether the similarity score is equal to or exceeds the similarity score threshold; and in the event that the similarity score fails to equal or exceed the similarity score threshold, determining that the sample is benign.

17. A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for: parsing code of a sample including packages and function names; filtering standard type packages and vendor type packages from the code of the sample to obtain main type packages; generating a signature using a fuzzy hash for the sample based on the main type, comprising: obtaining function names associated with the main type packages; concatenating the function names associated with the main type packages to obtain a concatenated string; and performing the fuzzy hash on the concatenated string to obtain the signature; and determining whether the sample is malware using the signature and a similarity score threshold.
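The claimed pipeline (claims 1, 3, 5 to 8) carried through end to end, as an added example that is not part of the patent or of Palo Alto Networks' implementation: the Go-style package classification rule, the constructed symbol tables and the threshold value are assumptions, and a simple content-triggered piecewise hash stands in for ssdeep (claim 4).

```python
import hashlib
import re

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
THRESHOLD = 65  # assumed similarity score threshold

# Constructed Go-style symbol tables: (package path, function name) pairs.
KNOWN_MALWARE = [("runtime", "mallocgc"), ("fmt", "Sprintf"), ("net/http", "Get"),
                 ("github.com/x/crypto/ssh", "Dial"), ("main", "main"), ("main", "decodeConfig"),
                 ("main", "encryptFiles"), ("main", "startBeacon"), ("main", "RegisterTask")]
VARIANT = KNOWN_MALWARE + [("main", "persistInstall")]  # same family, one extra function
BENIGN = [("fmt", "Println"), ("main", "main"), ("main", "run"),
          ("main", "loadTemplates"), ("main", "serveIndex")]

def classify(pkg):
    # Claim 3, assumed Go rule: "main" is main type; import paths whose first element
    # is a domain (or that live under vendor/) are vendor type; everything else is standard.
    if pkg == "main":
        return "main"
    if pkg.startswith("vendor/") or "." in pkg.split("/")[0]:
        return "vendor"
    return "standard"

def concatenated_string(symbols):
    # Claims 1 and 5: drop standard/vendor packages, sort main-type function names, join.
    return "".join(sorted(f for p, f in symbols if classify(p) == "main"))

def piecewise_hash(text):
    # Stand-in for ssdeep (assumption): every uppercase letter opens a new block, so block
    # boundaries are content-triggered and resync after a local edit; one base64 char per block.
    blocks = re.findall(r"[A-Z][^A-Z]*|[^A-Z]+", text)
    return "".join(ALPHABET[hashlib.sha256(b.encode()).digest()[0] % 64] for b in blocks)

def similarity(a, b):
    # Claim 6: 0..100 score from the edit distance between two signatures.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    longest = max(len(a), len(b))
    return 100 if longest == 0 else round(100 * (1 - prev[-1] / longest))

def verdict(sample, known_sig, threshold=THRESHOLD):
    # Claims 7 and 8: malware if the score reaches the threshold, otherwise benign.
    score = similarity(piecewise_hash(concatenated_string(sample)), known_sig)
    return ("malware" if score >= threshold else "benign"), score

KNOWN_SIG = piecewise_hash(concatenated_string(KNOWN_MALWARE))  # signature of the known sample
```

The one added function in the variant changes only the blocks around it, so its score stays above the threshold while the unrelated program scores well below it; with the real ssdeep library the hash and compare calls would replace piecewise_hash and similarity on the same concatenated string.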

Assignees

Palo Alto Networks Inc

Inventors

Classifications

  • Assessing vulnerabilities and evaluating computer system security · CPC title

  • Test or assess software · CPC title

  • G06F21/564 (primary): by virus signature recognition · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12174959B2 cover?
Automatic generation of a malware signature is disclosed. Code of a sample including packages and function names is parsed. Standard type packages and vendor type packages are filtered from the code of the sample to obtain main type packages. A signature using a fuzzy hash for the sample is generated based on the main type packages. A determination of whether the sample is malware is performed …
Who is the assignee on this patent?
Palo Alto Networks Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/564. Mapped technology areas include Physics.
When was this patent published?
Publication date Dec 24, 2024 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).