US 10,891,378 B2
Automated malware signature generation
Ning Sun, Bellevue, WA (US); Patrick Winkler, Redmond, WA (US); Chengyun Chu, Redmond, WA (US); Hong Jia, Redmond, WA (US); Jason Geffner, Bothell, WA (US); Tony Lee, Sammamish, WA (US); Jigar Mody, Bellevue, WA (US); and Frank Swiderski, Seattle, WA (US)
Assigned to Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed by Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed on May 29, 2018, as Appl. No. 15/991,163.
Application 15/991,163 is a continuation of application No. 13/486,518, filed on Jun. 1, 2012, granted, now 9,996,693.
Application 13/486,518 is a continuation of application No. 11/523,199, filed on Sep. 19, 2006, granted, now 8,201,244, issued on Jun. 12, 2012.
Prior Publication US 2019/0073476 A1, Mar. 7, 2019
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 12/14 (2006.01); G06F 21/56 (2013.01)
CPC G06F 21/566 (2013.01) [G06F 21/564 (2013.01)] 20 Claims
OG exemplary drawing
1. A method, comprising:
monitoring a system to detect an unknown file;
disassembling the unknown file to obtain one or more disassembled functions, each of the one or more disassembled functions comprising a block of assembly code that is configured to be referenced by one or more instructions;
determining, via a processing unit, a function characteristic value for each of the one or more disassembled functions;
determining a plurality of weight values for each one of the one or more disassembled functions based on at least the function characteristic value(s), each of the weight values for a given disassembled function indicating a reliability that the given disassembled function is an identifier of a different malware family in a plurality of known malware families;
characterizing the unknown file as belonging to a particular one of the plurality of known malware families based on at least the weight values; and
based on the characterization of the unknown file as belonging to the particular one of the known malware families, providing information about the unknown file to a computer program for use in detecting malware.
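The pipeline claim 1 describes (disassemble into functions, derive a characteristic value per function, assign each function a weight per known family, then characterize the file from those weights) can be illustrated end to end. The following is an added example written for this page, not the patent's implementation or Microsoft's code: the characteristic value is assumed to be a hash of the address-normalized function body, the weight formula (a function's prevalence within a family, discounted by how many families share it) is an assumed scheme, and the known-family corpus and the unknown files are constructed stand-ins for disassembler output.

```python
"""Added illustration of the claimed pipeline on constructed data.
Assumed scheme, not the patent's own implementation."""
import hashlib
import re
from collections import defaultdict

# Constructed corpus: each known family is a list of sample files, each
# file a list of disassembled functions, each function a list of lines.
# Real input would come from a disassembler; these are hand-written.
KNOWN_FAMILIES = {
    "FamilyA": [
        [["push ebp", "mov ebp, esp", "call 0x401000", "pop ebp", "ret"],
         ["xor eax, eax", "mov [0x403000], eax", "ret"]],
        [["push ebp", "mov ebp, esp", "call 0x402000", "pop ebp", "ret"],
         ["mov ecx, 0x10", "loop 0x401234", "ret"]],
    ],
    "FamilyB": [
        [["xor eax, eax", "mov [0x405000], eax", "ret"],
         ["push esi", "call 0x406000", "pop esi", "ret"]],
        [["push esi", "call 0x407000", "pop esi", "ret"]],
    ],
}

IMM_RE = re.compile(r"0x[0-9a-f]+")


def normalize(line):
    """Mask addresses and immediates so relocated copies of the same
    function yield the same characteristic value."""
    return IMM_RE.sub("IMM", line.strip().lower())


def characteristic_value(func_lines):
    """Claim step: function characteristic value (assumed: hash of the
    normalized body)."""
    body = "\n".join(normalize(l) for l in func_lines)
    return hashlib.sha256(body.encode()).hexdigest()[:16]


def build_weights(families):
    """Claim step: one weight per (function, family) pair.
    weight(f, F) = fraction of F's samples containing f, divided by the
    number of families in which f appears at all, so shared code such as
    a common prologue is a weak identifier of any single family.
    Returns {characteristic_value: {family: weight}}."""
    per_family_frac = {}
    for fam, samples in families.items():
        counts = defaultdict(int)
        for sample in samples:
            for fid in {characteristic_value(fn) for fn in sample}:
                counts[fid] += 1
        per_family_frac[fam] = {fid: c / len(samples) for fid, c in counts.items()}
    families_with = defaultdict(int)
    for fracs in per_family_frac.values():
        for fid in fracs:
            families_with[fid] += 1
    weights = defaultdict(dict)
    for fam, fracs in per_family_frac.items():
        for fid, frac in fracs.items():
            weights[fid][fam] = frac / families_with[fid]
    return weights


def characterize(unknown_functions, weights, threshold=0.5):
    """Claim step: characterize the unknown file from the summed weights
    of its functions. Returns (family or None, per-family scores); a file
    whose only matches are widely shared functions stays unassigned."""
    scores = defaultdict(float)
    for fn in unknown_functions:
        for fam, w in weights.get(characteristic_value(fn), {}).items():
            scores[fam] += w
    if not scores:
        return None, {}
    best = max(scores, key=scores.get)
    return (best if scores[best] >= threshold else None), dict(scores)


if __name__ == "__main__":
    w = build_weights(KNOWN_FAMILIES)
    # Constructed unknown file: FamilyA's prologue at a new address plus
    # the function both families share.
    unknown = [["push ebp", "mov ebp, esp", "call 0x999999", "pop ebp", "ret"],
               ["xor eax, eax", "mov [0x1], eax", "ret"]]
    print(characterize(unknown, w))
```

The threshold in `characterize` is the part a practitioner tunes: a function shared by several families contributes a small weight to each, so a file made only of such functions is reported as unassigned rather than forced into whichever family happens to sort first.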