Structural recognition of malicious code patterns

US2016119366A1 · US · A1

Patent metadata

Publication number: US-2016119366-A1
Application number: US-201514885765-A
Country: US
Kind code: A1
Filing date: Oct 16, 2015
Priority date: Oct 30, 2008
Publication date: Apr 28, 2016
Grant date:

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Various embodiments include an apparatus comprising a detection database including a tree structure of descriptor parts including one or more root nodes and one or more child nodes linked to from one or more parent descriptor parts chains, each of the root nodes representing a descriptor part, and each root node linked to at least one of the child nodes, each root node and each child node linked to any possible additional child nodes, wherein the possible additional child nodes include any possible successor child nodes and a descriptor comparator coupled to the detection database, the descriptor comparator operable to receive data including a plurality of logic entities, once or successively, and to continuously compare logic entities provided to the tree structure of descriptor parts stored in detection database, and to provide an output based on the comparison.

First claim

Opening claim text (preview).

What is claimed is:

1. A machine readable medium, on which are stored instructions, comprising instructions that when executed cause a machine to: receive a file possibly containing malware; identify a logic entity in the file; compare a chain of logic entities beginning with the logic entity to a path through a tree structure of structural code pattern descriptors, comprising instructions that when executed cause the machine to: match the logic entity to a root node of the tree structure; and match succeeding logic entities of the file with the path through the tree structure of structural code pattern descriptors from the root node to a terminal child node of the path; and indicate the file contains malware responsive to matching the chain of logic entities to the path.

2. The machine readable medium of claim 1, wherein the instructions further comprise instructions that when executed cause the machine to: compare a plurality of chains of logic entities to a plurality of paths through the tree structure of structural code pattern descriptors; assign a match probability to each of the plurality of paths; and compare an overall match probability for the file based on the match probabilities assigned to each of the plurality of paths.

3. The machine readable medium of claim 1, wherein the instructions that when executed cause the machine to indicate the file contains malware comprise instructions that when executed cause the machine to: output a single bit having a bit value indicative of whether or not malware has been detected in the received file based on whether any part of the chain of logic entities matches a path through the tree structure.

4. The machine readable medium of claim 1, wherein the instructions that when executed cause the machine to indicate the file contains malware comprise instructions that when executed cause the machine to: output a malware name that can be assigned to an input file and represents a type or family of detected malicious code.

5. The machine readable medium of claim 1, wherein the instructions that when executed cause the machine to compare a chain of logic entities beginning with the logic entity to a path through a tree structure of structural code pattern descriptors further comprises instructions that when executed cause the machine to: determine that the logic entity and succeeding logic entities of the file match a plurality of paths through the tree structure; and determine which of the plurality of paths has a highest match probability.

6. The machine readable medium of claim 1, wherein the instructions that when executed cause the machine to compare a chain of logic entities beginning with the logic entity to a path through a tree structure of structural code pattern descriptors further comprises instructions that when executed cause the machine to: terminate the comparison upon reaching a terminal child node in the path through the tree structure.

7. The machine readable medium of claim 1, wherein the instructions that when executed cause the machine to compare the chain of logic entities beginning with the logic entity to a path through a tree structure of structural code pattern descriptors further comprises instructions that when executed cause the machine to: begin the comparison upon receiving a portion of the file; and continue to receive the file during the comparison.

8. A programmable device, comprising: one or more processors; a memory, on which are stored instructions, comprising instructions that when executed cause at least some of the one or more processors to: receive a file possibly containing malware; identify a logic entity in the file; compare a chain of logic entities beginning with the logic entity to a path through a tree structure of structural code pattern descriptors, comprising instructions that when executed cause at least some of the one or more processors to: match the logic entity to a root node of the tree structure; and match succeeding logic entities of the file with the path through the tree structure of structural code pattern descriptors from the root node to a terminal child node of the path; and indicate the file contains malware responsive to matching the chain of logic entities to the path.

9. The programmable device of claim 8, wherein the instructions further comprise instructions that when executed cause at least some of the processors to: compare a plurality of chains of logic entities to a plurality of paths through the tree structure of structural code pattern descriptors; assign a match probability to each of the plurality of paths; and compare an overall match probability for the file based on the match probabilities assigned to each of the plurality of paths.

10. The programmable device of claim 9, wherein the instructions that when executed cause at least some of the processors to indicate the file contains malware comprise instructions that when executed cause at least some of the processors to: output a single bit having a bit value indicative of whether or not malware has been detected in the received file based on whether any part of the chain of logic entities matches a path through the tree structure.

11. The programmable device of claim 9, wherein the instructions that when executed cause at least some of the processors to indicate the file contains malware comprise instructions that when executed cause at least some of the processors to: output a malware name that can be assigned to an input file and represents a type or family of detected malicious code.

12. The programmable device of claim 9, wherein the instructions that when executed cause at least some of the processors to compare a chain of logic entities beginning with the logic entity to a path through a tree structure of structural code pattern descriptors further comprises instructions that when executed cause at least some of the processors to: determine that the logic entity and succeeding logic entities of the file match a plurality of paths through the tree structure; and determine which of the plurality of paths has a highest match probability.

13. The programmable device of claim 9, wherein the instructions that when executed cause at least some of the processors to compare a chain of logic entities beginning with the logic entity to a path through a tree structure of structural code pattern descriptors further comprises instructions that when executed cause at least some of the processors to: terminate the comparison upon reaching a terminal child node in the path through the tree structure.

14. The programmable device of claim 9, wherein the instructions that when executed cause at least some of the processors to compare the chain of logic entities beginning with the logic entity to a path through a tree structure of structural code pattern descriptors further comprises instructions that when executed cause at least some of the processors to: begin the comparison upon receiving a portion of the file; and continue to receive the file during the comparison.

15. A method for detecting malware, comprising: receiving a file possibly containing malware; identifying a logic entity in the file; comparing a chain of logic entities beginning with the logic entity to a path through a tree structure of structural code pattern descriptors, comprising: matching the logic entity to a root node of the tree structure; and matching succeeding logic entities of the file with the path through the tree structure of structural code pattern descripto
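The claims describe a detector that matches chains of logic entities against paths in a descriptor tree, records a match probability per completed path, and reports both a single-bit verdict and the best-scoring malware family, while consuming the file incrementally. The following is an added illustration of that matching scheme, not code from the patent or from McAfee: the node layout, the descriptor tokens, the probabilities and the noisy-OR combination of per-path probabilities are all constructed assumptions.

```python
from dataclasses import dataclass, field
from math import prod

@dataclass
class Node:
    children: dict = field(default_factory=dict)  # descriptor part -> child Node
    family: "str | None" = None                   # malware family; set on terminal child nodes
    probability: float = 0.0                      # per-path match probability (constructed)

def build_tree(paths):
    """Insert descriptor chains: the first part is a root node, the last a terminal node."""
    roots = {}
    for parts, family, probability in paths:
        node = roots.setdefault(parts[0], Node())
        for part in parts[1:]:
            node = node.children.setdefault(part, Node())
        node.family, node.probability = family, probability
    return roots

class DescriptorComparator:
    """Receives logic entities one at a time and records every path completed so far."""
    def __init__(self, roots):
        self.roots, self.cursors, self.matches = roots, [], []

    def feed(self, entity):
        # Advance chains in progress; a cursor this entity does not extend is dropped.
        advanced = [n.children[entity] for n in self.cursors if entity in n.children]
        if entity in self.roots:               # any entity may also start a new chain
            advanced.append(self.roots[entity])
        self.cursors = []
        for node in advanced:
            if node.family is not None:        # terminal child node reached: record the path
                self.matches.append((node.family, node.probability))
            if node.children:                  # a longer descriptor path may still continue
                self.cursors.append(node)

    def result(self):
        # Returns (single-bit verdict, family with highest probability, overall probability).
        if not self.matches:
            return False, None, 0.0
        best_family = max(self.matches, key=lambda m: m[1])[0]
        overall = 1.0 - prod(1.0 - p for _, p in self.matches)  # noisy-OR; paths assumed independent
        return True, best_family, overall

def scan(entities):
    # Constructed descriptor paths and token names; not taken from the patent.
    roots = build_tree([
        (["entry_stub", "decrypt_loop", "indirect_jump"], "Packer.A", 0.9),
        (["entry_stub", "decrypt_loop"], "Packer.Generic", 0.4),
        (["api_resolve", "self_modify"], "Dropper.B", 0.6),
    ])
    comparator = DescriptorComparator(roots)
    for entity in entities:                    # entities arrive successively, as in claim 7
        comparator.feed(entity)
    return comparator.result()
```

Because a cursor is kept after a terminal node that still has children, a short descriptor path that is a prefix of a longer one is reported on its own and the longer path can still complete.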

Assignees

Inventors

Classifications

  • G06F21/563 (primary): by source code analysis · CPC title

  • Trees · CPC title

  • Event detection, e.g. attack signature detection · CPC title

  • the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title

  • Physics · mapped topic

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2016119366A1 cover?
Various embodiments include an apparatus comprising a detection database including a tree structure of descriptor parts including one or more root nodes and one or more child nodes linked to from one or more parent descriptor parts chains, each of the root nodes representing a descriptor part, and each root node linked to at least one of the child nodes, each root node and each child node linke…
Who is the assignee on this patent?
McAfee Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/563. Mapped technology areas include Physics.
When was this patent published?
Publication date Apr 28, 2016 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).