Abstract: Aspects of the subject disclosure may include, for example, obtaining a first group of Internet Protocol (IP) addresses from a group of network devices, and determining a second group of IP addresses from the first group of IP addresses includes possible malicious IP addresses utilizing a machine learning application. Further embodiments can include obtaining a first group of attributes of malicious IP addresses from a first repository, and determining a third group of IP addresses from the second group of IP addresses includes possible malicious IP addresses based on the first group of attributes. Additional embodiments can include receiving user-generated input indicating a fourth group of IP addresses from the third group of IP addresses includes possible malicious IP addresses, and transmitting a notification to a group of communication devices indicating that the fourth group of IP address includes possible malicious IP addresses. Other embodiments are disclosed.

Abstract: A method includes acquiring a plurality of hypertext transfer protocol (HTTP) session packets associated with activities of a plurality of known Trojans, wherein all of the Trojans are identified by a common signature identifier, extracting a plurality of request packets from the session packets, identifying a plurality of suspicious request packets within the plurality of request packets, grouping the plurality of suspicious request packets into a plurality of subsets, computing a centroid of one subset of the plurality of subsets, identifying a representative packet for the subset, wherein the representative packet is identified based on the centroid, and generating a signature for the one subset, based on the representative packet, wherein the signature is deployable by an intrusion detection system to detect an instance of a Trojan of the plurality of known Trojans.

Abstract: Techniques are disclosed relating to malware clustering based on function call graph similarity. In some embodiments, a computer system may access information corresponding to a plurality of malware samples and, based on the information, generate a function call graph for each of the malware samples. In some embodiments, generating the function call graph for a given malware sample includes identifying a plurality of function calls included in the information, assigning a label to each of the function calls, identifying relationships between the function calls, and generating the function call graph based on the relationships and the labels. Based on the function call graphs, the computer system may assign each of the plurality of malware samples into one of a plurality of clusters of related malware samples.

Abstract: Techniques are disclosed relating to malware clustering based on execution-behavior reports. In some embodiments, a computer system may access malware information that includes a plurality of reports corresponding to a plurality of malware samples. In some embodiments, each of the malware reports specifies a set of features relating to execution behavior of a corresponding malware sample. The computer system may, in various embodiments, process the plurality of reports to generate a plurality of vectors that includes, for each of the malware samples, a corresponding vector indicative of the execution behavior of the corresponding malware sample. Based on the plurality of vectors, the computer system may generate similarity values indicative of a similarity between ones of the plurality of vectors. Further, based on the similarity values, the computer system may assign each of the plurality of malware samples to one of a plurality of clusters of related malware samples.

Abstract: Techniques are disclosed relating to malware clustering based on function call graph similarity. In some embodiments, a computer system may access information corresponding to a plurality of malware samples and, based on the information, generate a function call graph for each of the malware samples. In some embodiments, generating the function call graph for a given malware sample includes identifying a plurality of function calls included in the information, assigning a label to each of the function calls, identifying relationships between the function calls, and generating the function call graph based on the relationships and the labels. Based on the function call graphs, the computer system may assign each of the plurality of malware samples into one of a plurality of clusters of related malware samples.

Abstract: Techniques are disclosed relating to malware clustering based on execution-behavior reports. In some embodiments, a computer system may access malware information that includes a plurality of reports corresponding to a plurality of malware samples. In some embodiments, each of the malware reports specifies a set of features relating to execution behavior of a corresponding malware sample. The computer system may, in various embodiments, process the plurality of reports to generate a plurality of vectors that includes, for each of the malware samples, a corresponding vector indicative of the execution behavior of the corresponding malware sample. Based on the plurality of vectors, the computer system may generate similarity values indicative of a similarity between ones of the plurality of vectors. Further, based on the similarity values, the computer system may assign each of the plurality of malware samples to one of a plurality of clusters of related malware samples.

Abstract: Techniques are disclosed relating to malware clustering based on function call graph similarity. In some embodiments, a computer system may access information corresponding to a plurality of malware samples and, based on the information, generate a function call graph for each of the malware samples. In some embodiments, generating the function call graph for a given malware sample includes identifying a plurality of function calls included in the information, assigning a label to each of the function calls, identifying relationships between the function calls, and generating the function call graph based on the relationships and the labels. Based on the function call graphs, the computer system may assign each of the plurality of malware samples into one of a plurality of clusters of related malware samples.

Abstract: Techniques are disclosed relating to malware clustering based on execution-behavior reports. In some embodiments, a computer system may access malware information that includes a plurality of reports corresponding to a plurality of malware samples. In some embodiments, each of the malware reports specifies a set of features relating to execution behavior of a corresponding malware sample. The computer system may, in various embodiments, process the plurality of reports to generate a plurality of vectors that includes, for each of the malware samples, a corresponding vector indicative of the execution behavior of the corresponding malware sample. Based on the plurality of vectors, the computer system may generate similarity values indicative of a similarity between ones of the plurality of vectors. Further, based on the similarity values, the computer system may assign each of the plurality of malware samples to one of a plurality of clusters of related malware samples.

Abstract: Techniques are disclosed relating to malware clustering based on execution-behavior reports. In some embodiments, a computer system may access malware information that includes a plurality of reports corresponding to a plurality of malware samples. In some embodiments, each of the malware reports specifies a set of features relating to execution behavior of a corresponding malware sample. The computer system may, in various embodiments, process the plurality of reports to generate a plurality of vectors that includes, for each of the malware samples, a corresponding vector indicative of the execution behavior of the corresponding malware sample. Based on the plurality of vectors, the computer system may generate similarity values indicative of a similarity between ones of the plurality of vectors. Further, based on the similarity values, the computer system may assign each of the plurality of malware samples to one of a plurality of clusters of related malware samples.

Abstract: Techniques are disclosed relating to malware clustering based on function call graph similarity. In some embodiments, a computer system may access information corresponding to a plurality of malware samples and, based on the information, generate a function call graph for each of the malware samples. In some embodiments, generating the function call graph for a given malware sample includes identifying a plurality of function calls included in the information, assigning a label to each of the function calls, identifying relationships between the function calls, and generating the function call graph based on the relationships and the labels. Based on the function call graphs, the computer system may assign each of the plurality of malware samples into one of a plurality of clusters of related malware samples.

Abstract: Techniques are disclosed relating to malware clustering based on execution-behavior reports. In some embodiments, a computer system may access malware information that includes a plurality of reports corresponding to a plurality of malware samples. In some embodiments, each of the malware reports specifies a set of features relating to execution behavior of a corresponding malware sample. The computer system may, in various embodiments, process the plurality of reports to generate a plurality of vectors that includes, for each of the malware samples, a corresponding vector indicative of the execution behavior of the corresponding malware sample. Based on the plurality of vectors, the computer system may generate similarity values indicative of a similarity between ones of the plurality of vectors. Further, based on the similarity values, the computer system may assign each of the plurality of malware samples to one of a plurality of clusters of related malware samples.