&#xfeff;<html>
  <head>
    <META http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="html_style_eog.css"/>
<script type="text/javascript">
          function printpage()
          {
          window.print()
          }
        </script>
<script type="text/javascript" src="https://components.uspto.gov/js/ais/40-patentsgazette.js"></script></head>
  <body bgcolor='#FFFFFF' onload='javascript: if ((navigator.appName.indexOf("Netscape")!=-1) && parent.leftFrame!=null) parent.leftFrame.location.reload();'>
    <basefont face="Times New Roman, Times New Roman, Times New Roman " size="2">
      <div style="margin-left: +10pt">
        <table width="90%" border="0" rules="none" align="center">
          <tr align="center">
            <td width="20%" colspan="1" rowspan="2" align="left" valign="top"><a href="https://ppubs.uspto.gov/pubwebapp/external.html?q=11880391.pn.&amp;db=USPAT" target="popup"><input type="button" class="button" value="   Full Text   "></a></td>
            <td class="table_data"><b>US 11,880,391 B2</b></td>
            <td width="20%" colspan="1" rowspan="2" align="right" valign="top">
              <form><input type="button" value="Print this page" onclick="printpage()"></form>
            </td>
          </tr>
          <tr align="center">
            <td colspan="1" class="table_data" style="text-transform: uppercase"><b>Clustering software codes in scalable manner</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b> Sameer Shashikant Paranjape,  Portland, OR (US);  Bronson Boersma,  Buena Park, CA (US); and  David Alan Greer,  Portland, OR (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Assigned to  CYLANCE, INC.,  San Ramon, CA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed by  Cylance Inc.,  San Ramon, CA (US)</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Filed on Apr.  20, 2021, as Appl. No. 17/235,524.</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Prior Publication US 2022/0335067 A1, Oct.  20, 2022</b></td>
          </tr>
          <tr align="center">
            <td colspan="3" class="table_data"><b>Int. Cl. </b><i><b>G06F 16/28</b></i> (2019.01); <i><b>G06F 16/22</b></i> (2019.01)</td>
          </tr>
        </table>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="75%">
            <col width="15%">
          </colgroup>
          <tr align="left">
            <td class="table_data" align="left"><b>CPC </b><i><b>G06F 16/285</b></i> (2019.01)&#xa0;[<i><b>G06F 16/2255</b></i> (2019.01)]</td>
            <td class="table_data" align="right"><b>8 Claims</b></td>
          </tr>
        </table>
        <center><img src="US11880391-20240123-D00000.gif" alt="OG exemplary drawing"></center>
        <table width="90%" border="0" rules="none" align="center">
          <colgroup>
            <col width="90%">
          </colgroup>
          <tr>
            <td class="table_data" align="center">&#xa0;</td>
          </tr>
          <tr>
            <td valign="top" class="para_text">
              <div class="claim_text_root">1. A computer-implemented method, comprising:<div class="claim_text">obtaining, by a server, a plurality of software samples;</div>
                <div class="claim_text">computing, by the server, a plurality of first hash results for each of the plurality of software samples by disassembling each of the plurality of software samples to obtain a plurality of functions in the respective software sample and performing a first hashing for each of the plurality of obtained functions to obtain the plurality of first hash results, wherein each first hash result corresponds to a respective obtained function in a respective software sample;</div>
                <div class="claim_text">computing, by the server, one or more second hash results for each of the plurality of software samples based on the plurality of first hash results by performing, for each software sample, a second hashing for the plurality of first hash results of the respective software sample to generate the one or more second hash results of the respective software sample, wherein an amount of the one or more second hash results is less than an amount of the plurality of first hash results;</div>
                <div class="claim_text">grouping the plurality of software samples into a plurality of stride subgroups based on the second hash results of the plurality of software samples, wherein the grouping the plurality of software samples into the plurality of stride subgroups based on the second hash results comprises:<div class="claim_text">comparing the second hash result of each of the plurality of software samples; and</div>
                  <div class="claim_text">grouping two software samples that share at least one same second hash result into a same stride subgroup, wherein in each of the plurality of stride subgroups, each software sample in the respective stride subgroup shares at least one same second hash result;</div>
                </div>
                <div class="claim_text">determining, by the server, a similarity output based on the one or more second hash results of two of the plurality of software samples in a same stride subgroup;</div>
                <div class="claim_text">clustering, by the server, the plurality of software samples based on the similarity output to generate one or more software sample clusters; and</div>
                <div class="claim_text">detecting malware samples by using the one or more software sample clusters.</div>
              </div>
            </td>
          </tr>
        </table>
      </div>
    
  </body>
</html>