US 12,081,584 B2
Methods and apparatus to determine mutex entropy for malware classification
Niall Fitzgerald, Mahon (IE); German Lancioni, San Jose, CA (US); and Brian Gaither, Plano, TX (US)
Assigned to MCAFEE, LLC, San Jose, CA (US)
Filed by McAfee, LLC, San Jose, CA (US)
Filed on Dec. 23, 2021, as Appl. No. 17/645,925.
Prior Publication US 2023/0208872 A1, Jun. 29, 2023
Int. Cl. H04L 9/40 (2022.01); G06F 21/56 (2013.01); G06F 40/20 (2020.01); G06F 40/279 (2020.01)
CPC H04L 63/145 (2013.01) [G06F 21/56 (2013.01); G06F 40/20 (2020.01); H04L 63/1416 (2013.01); G06F 40/279 (2020.01)]
27 Claims
1. An electrical system to determine mutex entropy for malware classification comprising:
interface circuitry to access a mutex associated with a software application, the mutex to include a mutex identifier string;
machine readable instructions; and
programmable circuitry to at least one of instantiate or execute the machine readable instructions to:
normalize the mutex identifier string;
determine character probabilities of characters within the normalized mutex identifier string, the character probabilities based on a historical mutex character distribution;
determine an entropy value for the mutex based on the character probabilities by calculating:
a natural log of a character probability from the character probabilities, the character probability associated with a character within the normalized mutex identifier string;
a quotient determined by the natural log of the character probability divided by the natural log of two; and
a product determined by the quotient multiplied with the character probability;
classify the mutex as clean or malicious based on the entropy value; and
mitigate malicious activity based on the classification.
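
The entropy steps recited in claim 1, worked through in Python as an added example that is not part of the patent text or any McAfee code. The normalization rules, the sample historical names, the summation and sign of the per-character terms, the floor for unseen characters, and the threshold and its direction are all assumptions, since the claim does not specify them.

```python
import math
from collections import Counter

# Constructed sample standing in for the "historical mutex character
# distribution"; these names are illustrative, not real telemetry.
HISTORICAL_MUTEXES = [
    "Global\\MyAppSingleInstance",
    "Local\\UpdaterMutex",
    "Global\\SetupRunning",
    "OfficeSyncLock",
    "BrowserProfileLock",
]

def normalize(name):
    # Assumed normalization (the claim does not list the steps): drop the
    # namespace prefix, lowercase, keep alphanumerics only.
    name = name.split("\\")[-1].lower()
    return "".join(ch for ch in name if ch.isalnum())

def build_distribution(names):
    # Relative frequency of each character across the historical names.
    counts = Counter(ch for n in names for ch in normalize(n))
    total = sum(counts.values())
    return {ch: c / total for ch, c in counts.items()}

def mutex_entropy(name, dist, floor=1e-6):
    # Per character, the claimed product: p * (ln p / ln 2).
    # Assumptions: terms are summed over the string and negated (Shannon
    # form); characters unseen in the history get a small floor probability.
    total = 0.0
    for ch in normalize(name):
        p = dist.get(ch, floor)
        total += p * (math.log(p) / math.log(2))
    return -total

def classify(name, dist, threshold, malicious_above=True):
    # Threshold and direction are not given in the claim; both are
    # hypothetical parameters to be calibrated on labelled samples.
    score = mutex_entropy(name, dist)
    flagged = score > threshold if malicious_above else score < threshold
    return "malicious" if flagged else "clean"

if __name__ == "__main__":
    dist = build_distribution(HISTORICAL_MUTEXES)
    for sample in ["Global\\SetupRunning", "x9QzK7pW2v"]:  # constructed names
        print(sample, round(mutex_entropy(sample, dist), 4))
```

Because the probabilities come from the historical corpus rather than from the string itself, the score depends on how typical each character is of previously seen mutex names and grows with string length.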