US 12,169,556 B2
Systems and methods for executable code detection, automatic feature extraction and position independent code detection
Shlomi Salem, Tel Aviv (IL); Roy Ronen, Raanana (IL); Assaf Nativ, Tel Aviv-Jaffa (IL); Amit Zohar, Tel Aviv-Jaffa (IL); Gal Braun, Ness Ziona (IL); Pavel Ferencz, Beer Sheva (IL); Eitan Shterenbaum, Kiryat-Ono (IL); and Tal Maimon, Rishon LeZiyon (IL)
Assigned to SENTINEL LABS ISRAEL LTD., Tel Aviv (IL)
Filed by SENTINEL LABS ISRAEL LTD., Tel Aviv (IL)
Filed on Oct. 16, 2023, as Appl. No. 18/487,657.
Application 18/487,657 is a continuation of application No. 18/089,038, filed on Dec. 27, 2022, granted, now 11,790,079.
Application 18/089,038 is a continuation of application No. 17/448,327, filed on Sep. 21, 2021, granted, now 11,580,218, issued on Feb. 14, 2023.
Application 17/448,327 is a continuation of application No. 16/920,630, filed on Jul. 3, 2020, granted, now 11,210,392, issued on Dec. 28, 2021.
Application 16/920,630 is a continuation of application No. 16/879,625, filed on May 20, 2020, granted, now 10,762,200, issued on Sep. 1, 2020.
Claims priority of provisional application 62/854,118, filed on May 29, 2019.
Claims priority of provisional application 62/850,170, filed on May 20, 2019.
Claims priority of provisional application 62/850,182, filed on May 20, 2019.
Prior Publication US 2024/0184884 A1, Jun. 6, 2024
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 21/56 (2013.01); G06F 21/54 (2013.01)
CPC G06F 21/54 (2013.01) [G06F 21/566 (2013.01); G06F 2221/033 (2013.01)]
20 Claims
1. A computer-implemented method for programmatically identifying executable code within a file, the method comprising:
accessing, by a computer system, a sequence of bytes from a portion of the file;
extracting, by the computer system, from the sequence of bytes, a number of n-grams, wherein each n-gram comprises a contiguous series of bytes in the sequence of bytes, and wherein the contiguous series of bytes of each respective n-gram comprises n number of bytes;
generating, by the computer system, an array of counters, each counter of the array associated with one of the n-grams, wherein each counter comprises an integer value based on a frequency of occurrence of the associated n-gram within the sequence of bytes; and
applying, by the computer system, a predictive model to the array of counters to determine a probability that the sequence of bytes comprises executable code, wherein the computer system comprises a computer processor and an electronic storage medium.
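
The steps of claim 1 can be illustrated with a short sketch. This is an added example, not code from the patent or the assignee: it assumes n = 2, uses a multinomial naive Bayes classifier with equal priors as a stand-in for the unspecified predictive model, and trains it on two tiny constructed samples (all function names and byte strings are hypothetical).

```python
import math

N = 2            # assumed n-gram width; the claim leaves n open
SIZE = 256 ** N  # one counter per possible n-gram

def ngram_counters(data: bytes, n: int = N) -> list:
    """Count every contiguous n-byte window into an array indexed by its value."""
    counters = [0] * (256 ** n)
    for i in range(len(data) - n + 1):
        counters[int.from_bytes(data[i:i + n], "big")] += 1
    return counters

def train(samples: list) -> list:
    """Per-n-gram log-likelihoods with add-one smoothing (naive Bayes stand-in)."""
    totals = [0] * SIZE
    for sample in samples:
        for idx, count in enumerate(ngram_counters(sample)):
            totals[idx] += count
    denom = sum(totals) + SIZE
    return [math.log((c + 1) / denom) for c in totals]

def probability_executable(data: bytes, code_ll: list, other_ll: list) -> float:
    """Apply the model to the counter array; equal class priors are assumed."""
    counters = ngram_counters(data)
    log_odds = sum(c * (code_ll[i] - other_ll[i])
                   for i, c in enumerate(counters) if c)
    log_odds = max(-50.0, min(50.0, log_odds))  # keep exp() in range
    return 1.0 / (1.0 + math.exp(-log_odds))

# Constructed training samples: a small x86-64 function body and English text.
CODE_TRAIN = bytes.fromhex("554889e54883ec10897dfc8b45fc83c001c9c3")
TEXT_TRAIN = b"the quick brown fox jumps over the lazy dog and then the cat sat on the mat"
CODE_LL = train([CODE_TRAIN])
TEXT_LL = train([TEXT_TRAIN])

# Constructed inputs not seen during training.
CODE_INPUT = bytes.fromhex("554889e5897dfc8b45fc0fafc05dc3")
TEXT_INPUT = b"then the dog sat on the other mat"

if __name__ == "__main__":
    for name, blob in (("code", CODE_INPUT), ("text", TEXT_INPUT)):
        p = probability_executable(blob, CODE_LL, TEXT_LL)
        print(f"{name}: P(executable) = {p:.3f}")
```

With only a handful of training bytes the scores are driven by the n-grams the input shares with each class; a usable detector would need a large labelled corpus.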