DOE Patents title logo U.S. Department of Energy
Office of Scientific and Technical Information

Title: Statistical fingerprinting for malware detection and classification

Abstract

A system detects malware in a computing architecture with an unknown pedigree. The system includes a first computing device having a known pedigree and operating free of malware. The first computing device executes a series of instrumented functions that, when executed, provide a statistical baseline that is representative of the time it takes the software application to run on a computing device having a known pedigree. A second computing device executes a second series of instrumented functions that, when executed, provides an actual time that is representative of the time the known software application runs on the second computing device. The system detects malware when there is a difference in execution times between the first and the second computing devices.

Inventors:
;
Issue Date:
Research Org.:
Oak Ridge National Laboratory (ORNL), Oak Ridge, TN (United States)
Sponsoring Org.:
USDOE
OSTI Identifier:
1214592
Patent Number(s):
9135440
Application Number:
13/955,784
Assignee:
UT-Battelle, LLC (Oak Ridge, TN)
Patent Classifications (CPCs):
G - PHYSICS G06 - COMPUTING G06F - ELECTRIC DIGITAL DATA PROCESSING
DOE Contract Number:  
AC05-00OR22725
Resource Type:
Patent
Resource Relation:
Patent File Date: 2013 Jul 31
Country of Publication:
United States
Language:
English
Subject:
97 MATHEMATICS AND COMPUTING

Citation Formats

Prowell, Stacy J., and Rathgeb, Christopher T. Statistical fingerprinting for malware detection and classification. United States: N. p., 2015. Web.
Prowell, Stacy J., & Rathgeb, Christopher T. Statistical fingerprinting for malware detection and classification. United States.
Prowell, Stacy J., and Rathgeb, Christopher T. Tue . "Statistical fingerprinting for malware detection and classification". United States. https://www.osti.gov/servlets/purl/1214592.
@article{osti_1214592,
title = {Statistical fingerprinting for malware detection and classification},
author = {Prowell, Stacy J. and Rathgeb, Christopher T.},
abstractNote = {A system detects malware in a computing architecture with an unknown pedigree. The system includes a first computing device having a known pedigree and operating free of malware. The first computing device executes a series of instrumented functions that, when executed, provide a statistical baseline that is representative of the time it takes the software application to run on a computing device having a known pedigree. A second computing device executes a second series of instrumented functions that, when executed, provides an actual time that is representative of the time the known software application runs on the second computing device. The system detects malware when there is a difference in execution times between the first and the second computing devices.},
doi = {},
journal = {},
number = ,
volume = ,
place = {United States},
year = {2015},
month = {9}
}

Works referenced in this record:

Automatic analysis of a computer virus structure and means of attachment to its hosts
patent, January 1996


Behavioral detection of malware: from a survey towards an established taxonomy
journal, February 2008


Countering code-injection attacks with instruction-set randomization
conference, January 2003

  • Kc, Gaurav S.; Keromytis, Angelos D.; Prevelakis, Vassilis
  • CCS '03 Proceedings of the 10th ACM conference on Computer and communications security, p. 272-280
  • https://doi.org/10.1145/948109.948146