US 11,989,293 B2
Systems, methods, and media for identifying and responding to malicious files having similar features
Joel R. Spurlock, Portland, OR (US); and Leonardo Frittelli, Cordoba (AR)
Assigned to McAfee, LLC, San Jose, CA (US)
Filed by McAfee, LLC, San Jose, CA (US)
Filed on Mar. 8, 2021, as Appl. No. 17/195,130.
Application 17/195,130 is a continuation of application No. 16/370,328, filed on Mar. 29, 2019, abandoned.
Claims priority of provisional application 62/745,919, filed on Oct. 15, 2018.
Prior Publication US 2021/0374240 A1, Dec. 2, 2021
Int. Cl. G06F 21/56 (2013.01); H04L 9/40 (2022.01)
CPC G06F 21/565 (2013.01) [G06F 21/567 (2013.01); H04L 63/14 (2013.01); H04L 63/145 (2013.01); G06F 2221/033 (2013.01)] 20 Claims
8. A method for identifying and responding to malicious files having similar features, comprising:
    receiving, at a hardware processor, feature information extracted from a file, wherein the feature information includes at least two of static feature information, environmental feature information, and behavioral feature information;
    for each cluster of a plurality of clusters of files:
        for a first portion of the feature information corresponding to one of the static feature information, the environmental feature information, and the behavioral feature information:
            determining a first number of features in the first portion of the feature information that match the cluster; and
            determining a first score based on a ratio of the first number of features and a total number of features in the first portion of the feature information;
        for a second portion of the feature information corresponding to another of the static feature information, the environmental feature information, and the behavioral feature information:
            determining a second number of features in the second portion of the feature information that match the cluster; and
            determining a second score based on a ratio of the second number of features and a total number of features in the second portion of the feature information; and
        determining a combined score for the cluster based on a combination of at least the first score and the second score, wherein the combined score is one of a plurality of combined scores;
    identifying one of the plurality of clusters with a best of the plurality of combined scores as matching the file;
    determining, using the hardware processor, that the file is malicious; and
    reporting to a plurality of endpoints that other files corresponding to the one of the plurality of clusters are malicious.
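The per-category ratio scoring and best-cluster selection of claim 8, worked through as an added example that is not code from the patent or its assignee. The claim does not fix how the per-category scores are combined, so an unweighted mean over the categories the file supplies is assumed; the feature strings, cluster names and file are constructed sample data.

```python
from typing import Dict, Set, Tuple

FeatureInfo = Dict[str, Set[str]]  # category name -> set of feature strings
CATEGORIES = ("static", "environmental", "behavioral")  # the three kinds named in the claim

def category_score(file_features: Set[str], cluster_features: Set[str]) -> float:
    """First/second score of the claim: matched features divided by total features
    in that portion of the file's feature information."""
    if not file_features:
        return 0.0
    return len(file_features & cluster_features) / len(file_features)

def combined_score(file_info: FeatureInfo, cluster: FeatureInfo) -> float:
    """Combined score for one cluster. The claim leaves the combination open;
    an unweighted mean over the categories present in the file is assumed here."""
    scores = [category_score(file_info[c], cluster.get(c, set()))
              for c in CATEGORIES if c in file_info]
    return sum(scores) / len(scores) if scores else 0.0

def best_cluster(file_info: FeatureInfo, clusters: Dict[str, FeatureInfo]) -> Tuple[str, float]:
    """Score every cluster and return the name and score of the best match."""
    if sum(1 for c in CATEGORIES if c in file_info) < 2:
        raise ValueError("claim 8 requires at least two feature categories")
    scored = {name: combined_score(file_info, feats) for name, feats in clusters.items()}
    name = max(scored, key=scored.get)
    return name, scored[name]

# Constructed sample clusters and file (illustrative values, not real indicators).
CLUSTERS: Dict[str, FeatureInfo] = {
    "cluster_a": {"static": {"pe32", "packed:upx", "import:CreateRemoteThread", "section:.rsrc"},
                  "behavioral": {"writes:run_key", "spawns:cmd.exe"}},
    "cluster_b": {"static": {"pe32", "signed"},
                  "behavioral": {"net:dns_lookup", "writes:run_key", "deletes:shadow_copies"}},
    "cluster_c": {"static": {"pe32", "signed", "import:MessageBoxW"},
                  "behavioral": {"net:dns_lookup"}},
}
SAMPLE_FILE: FeatureInfo = {
    "static": {"pe32", "packed:upx", "import:CreateRemoteThread", "import:WriteProcessMemory"},
    "behavioral": {"writes:run_key", "net:dns_lookup", "spawns:cmd.exe"},
}

if __name__ == "__main__":
    name, score = best_cluster(SAMPLE_FILE, CLUSTERS)
    print(f"best match: {name} (combined score {score:.3f})")  # cluster_a, 0.708
```

With the sample data, cluster_a matches 3 of 4 static and 2 of 3 behavioral features, giving a combined score of 17/24; a verdict on that cluster would then be what the endpoints are told about its other members.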