Rule generation using entropy profile for malware detection

US12554848B2 · US · B2

Patent metadata
Publication number: US-12554848-B2
Application number: US-202418629697-A
Country: US
Kind code: B2
Filing date: Apr 8, 2024
Priority date: Apr 8, 2024
Publication date: Feb 17, 2026
Grant date: Feb 17, 2026

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

In some embodiments, a method receives a file. The file is packed using a packing method. An entropy profile is generated for the file. The entropy profile describes an entropy of data over positions in the file. The method generates a rule to detect the entropy profile of the file by analyzing entropy values from the entropy profile in slices in the file. The rule is output. The rule is usable to detect other files that use the packing method based on analyzing entropy in slices of the other files.

First claim

Opening claim text (preview).

The invention claimed is:

  1. A method comprising: receiving a file, wherein the file is packed using a packing method; generating an entropy profile for the file, wherein the entropy profile describes an entropy of data over positions in the file; generating a rule to detect the entropy profile of the file by analyzing entropy values from the entropy profile in a plurality of slices in the file; outputting the rule, wherein the rule is usable to detect in other files that use the packing method based on analyzing entropy in slices of the other files; receiving a current file; generating an entropy profile of the current file; and comparing the entropy profile to the rule to determine if the current file matches the rule, wherein comparing comprises: determining entropy values for the plurality of slices of the entropy profile of the current file; comparing a plurality of sub-rules for the rule to entropy values for slices in the plurality of slices; and determining whether the current file matches the rule based on the comparing.

  2. The method of claim 1, wherein the packing method is configured to encode the data in the file.

  3. The method of claim 1, wherein generating the entropy profile for the file comprises: analyzing an entropy of data of the file to generate the entropy profile.

  4. The method of claim 1, further comprising: analyzing a portion of the entropy profile for respective slices in the plurality of slices of the file to generate entropy values for respective slices.

  5. The method of claim 4, wherein generating the rule comprises: generating a sub-rule based on the entropy values for respective slices in the plurality of slices to generate the plurality of sub-rules for the rule.

  6. The method of claim 5, wherein sub-rules in the plurality of sub-rules comprise one or more entropy values based on respective entropy values found in corresponding slices for the sub-rules.

  7. The method of claim 6, wherein the one or more entropy values comprise a range of entropy values.

  8. The method of claim 7, wherein the range of entropy values is based on a minimum value and a maximum value for the entropy values in the respective slice.

  9. The method of claim 1, wherein a size of slices in the plurality of slices is determined based on pre-set sizes of the file.

  10. The method of claim 1, wherein: a size of the slices in the plurality of slices is based on an analysis of entropy values in the entropy profile for respective slices, and the size of at least two slices is different.

  11. The method of claim 1, further comprising: deploying the rule to a detection service that uses the rule to check whether the other files match the rule.

  12. The method of claim 1, further comprising: performing an action associated with the rule when the current file matches the rule; and not performing the action associated with the rule when the current file does not match the rule.

  13. The method of claim 1, wherein the current file matches the rule when a threshold of slices of the current file match respective sub-rules.

  14. A non-transitory computer-readable storage medium having stored thereon computer executable instructions, which when executed by a computing device, cause the computing device to be operable for: receiving a file, wherein the file is packed using a packing method; generating an entropy profile for the file, wherein the entropy profile describes an entropy of data over positions in the file; generating a rule to detect the entropy profile of the file by analyzing entropy values from the entropy profile in a plurality of slices in the file; and outputting the rule, wherein the rule is usable to detect in other files that use the packing method based on analyzing entropy in slices of the other files; receiving a current file; generating an entropy profile of the current file; and comparing the entropy profile to the rule to determine if the current file matches the rule, wherein comparing comprises: determining entropy values for the plurality of slices of the entropy profile of the current file; comparing a plurality of sub-rules for the rule to entropy values for slices in the plurality of slices; and determining whether the current file matches the rule based on the comparing.

  15. The non-transitory computer-readable storage medium of claim 14, wherein the packing method is configured to encode the data in the file.

  16. The non-transitory computer-readable storage medium of claim 14, wherein generating the entropy profile for the file comprises: analyzing an entropy of data of the file to generate the entropy profile.

  17. The non-transitory computer-readable storage medium of claim 14, wherein: a size of the slices in the plurality of slices is based on an analysis of entropy values in the entropy profile for respective slices, and the size of at least two slices is different.

  18. A method comprising: receiving a first file, wherein the first file is packed using a packing method; generating a rule to detect a first entropy profile of the first file by analyzing entropy values from the first entropy profile in a plurality of slices of the first file; receiving a second file; generating a second entropy profile of the second file; comparing the second entropy profile to the rule to determine if the second file uses the packing method, wherein comparing comprises: determining entropy values for the plurality of slices of the second entropy profile of the second file; comparing a plurality of sub-rules for the rule to entropy values for slices in the plurality of slices; and determining whether the second file matches the rule based on the comparing; performing an action associated with the rule when the second file matches the rule; and not performing the action associated with the rule when the second file does not match the rule.

  19. The method of claim 18, wherein sub-rules in the plurality of sub-rules comprise one or more entropy values based on respective entropy values found in corresponding slices for the sub-rules in the first file.

  20. The method of claim 19, wherein the second file matches the rule when a threshold of slices of the second file match respective sub-rules.
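The claims describe a concrete pipeline: a sliding-window entropy profile, slicing of that profile, one sub-rule per slice holding the slice's min/max entropy range (claims 5 to 8), and a match when a threshold of slices fall inside their sub-rules (claim 13). The Python below is an added example that implements that pipeline; it is not the patent's own code, which this page does not disclose. The window and step sizes, the slice count, the use of a slice's mean entropy as the value compared against its sub-rule, and the tolerance that widens each min/max range are assumptions made for the example, and the "packed" and "plain" files are constructed in the script, not real samples.

```python
"""Entropy-profile packer rules: an added example, not the patent's own code.

All inputs are constructed in this file; window/step/slice sizes, the per-slice
statistic (mean entropy) and the tolerance are assumptions, not from the patent.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 for empty or
    constant input, 8.0 for a uniform spread over all 256 byte values."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = 512, step: int = 128) -> list[float]:
    """Entropy over positions in the file (claim 1's entropy profile): one value
    per sliding window of `window` bytes, advanced by `step` bytes."""
    if len(data) <= window:
        return [shannon_entropy(data)]
    return [shannon_entropy(data[i:i + window])
            for i in range(0, len(data) - window + 1, step)]


def slice_profile(profile: list[float], n_slices: int) -> list[list[float]]:
    """Cut the profile into n_slices position-proportional slices, so files of
    different sizes line up slice-for-slice (fixed slicing in the spirit of claim 9;
    claim 10's variable-size slicing would instead split at entropy change points)."""
    n = len(profile)
    bounds = [round(k * n / n_slices) for k in range(n_slices + 1)]
    return [profile[bounds[k]:bounds[k + 1]] for k in range(n_slices)]


def generate_rule(packed_sample: bytes, n_slices: int = 8, window: int = 512,
                  step: int = 128, tolerance: float = 0.25) -> dict:
    """Build a rule from one packed sample: one sub-rule per slice holding that
    slice's [min, max] entropy range (claims 5 to 8). The range is widened by
    `tolerance` bits, an assumption here, because one sample's exact range overfits."""
    profile = entropy_profile(packed_sample, window, step)
    sub_rules = []
    for sl in slice_profile(profile, n_slices):
        if not sl:  # file too small for this slice to receive any window
            sub_rules.append(None)
            continue
        sub_rules.append((max(0.0, min(sl) - tolerance), min(8.0, max(sl) + tolerance)))
    return {"window": window, "step": step, "n_slices": n_slices, "sub_rules": sub_rules}


def match_rule(candidate: bytes, rule: dict, threshold: float = 0.75) -> tuple[bool, int]:
    """Compare a candidate's sliced profile against the rule's sub-rules. A slice
    matches when its mean entropy lies inside the sub-rule's range; the file
    matches when at least `threshold` of the slices match (claim 13).
    Returns (matched, number_of_matching_slices)."""
    profile = entropy_profile(candidate, rule["window"], rule["step"])
    hits = 0
    for sl, sub_rule in zip(slice_profile(profile, rule["n_slices"]), rule["sub_rules"]):
        if not sl or sub_rule is None:
            continue
        lo, hi = sub_rule
        if lo <= sum(sl) / len(sl) <= hi:
            hits += 1
    return hits >= math.ceil(threshold * rule["n_slices"]), hits


# Constructed inputs (not real malware): a "packed" layout is a repetitive,
# low-entropy loader stub, a high-entropy compressed body, and a zero-filled tail.
def make_packed(seed: int, stub_len: int, body_len: int, tail_len: int) -> bytes:
    rng = random.Random(seed)
    stub = (b"\x00" * 12 + b"MZ\x90\x00") * (stub_len // 16)
    body = bytes(rng.getrandbits(8) for _ in range(body_len))
    return stub + body + b"\x00" * tail_len


def make_plain(length: int) -> bytes:
    """Uniform, mid-entropy content (repeated text) that no packer produced."""
    text = b"The quick brown fox jumps over the lazy dog. "
    return (text * (length // len(text) + 1))[:length]


def demo() -> dict:
    """Generate a rule from one packed sample, then check a differently sized
    file packed the same way and an unpacked file against it."""
    rule = generate_rule(make_packed(seed=1, stub_len=2048, body_len=16384, tail_len=1024))
    other_packed = make_packed(seed=2, stub_len=2048, body_len=24576, tail_len=1024)
    plain = make_plain(20000)
    return {"packed_match": match_rule(other_packed, rule),
            "plain_match": match_rule(plain, rule)}


if __name__ == "__main__":
    for name, (matched, hits) in demo().items():
        print(f"{name}: matched={matched} slices_hit={hits}")
```

Two practitioner caveats follow from how the rule is built. A range taken from a single sample's min and max is tight, so either widen it (as the tolerance does here) or derive it from several samples of the same packer before deploying it to a detection service (claim 11). And an entropy-shape rule identifies a packing or encoding layout, not malice: legitimately compressed or encrypted payloads (installers, self-extracting archives, DRM-wrapped binaries) produce similar profiles, so the action taken on a match (claim 12) is better treated as a triage signal for unpacking and further analysis than as a verdict on its own.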

Assignees

Salesforce Inc
Inventors

Classifications

  • G06F21/56 (primary): Computer malware detection or handling, e.g. anti-virus arrangements (CPC title)

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12554848B2 cover?
In some embodiments, a method receives a file. The file is packed using a packing method. An entropy profile is generated for the file. The entropy profile describes an entropy of data over positions in the file. The method generates a rule to detect the entropy profile of the file by analyzing entropy values from the entropy profile in slices in the file. The rule is output. The rule is usable…
Who is the assignee on this patent?
Salesforce Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/56. Mapped technology areas include Physics.
When was this patent published?
Publication date Feb 17, 2026 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).