Mitigation of malware
9 Assignments
0 Petitions
Abstract
Systems and methods are provided in example embodiments for mitigating malicious calls. The system can be configured to determine a series of checksums for a file, compare the series of checksums to a checksum tree, where the checksum tree includes a plurality of nodes that each include a fuzzy checksum of known malware, and assign one or more classifications to the file, where each of the one or more classifications is based on each node of the checksum tree that matches a checksum in the series of checksums and includes whether the file includes malware or benign checksums.
33 Citations
22 Claims
1. At least one non-transitory, computer-readable medium including one or more instructions that, when executed by at least one processor, cause the at least one processor to perform a method comprising:
- determining a first checksum at a first region of a first file;
- comparing the first checksum to a root in a checksum tree, the root indicating a checksum at a point of a second file;
- determining a second checksum at a second region of the first file offset from the first region of the first file, if the first checksum matches the root;
- comparing the second checksum to a fuzzy checksum indicated by a child node of the root in the checksum tree, wherein the fuzzy checksum is of at least a portion of malware offset from the point of the second file; and
- assigning a classification to the first file, if the second checksum matches the child node, the classification indicating the malware.

Dependent claims: 2, 3, 4, 5, 6, 7, 21, 22.

8. An apparatus, comprising:
- a memory; and
- a processor configured to determine a first checksum at a first region of a first file; to compare the first checksum to a root in a checksum tree, the root indicating a checksum at a point of a second file; to determine a second checksum at a second region of the first file offset from the first region of the first file, if the first checksum matches the root; to compare the second checksum to a fuzzy checksum indicated by a child node of the root in the checksum tree, the fuzzy checksum being of at least a portion of malware offset from the point of the second file; and to assign a classification to the first file, if the second checksum matches the child node, the classification indicating the malware.

Dependent claims: 9, 10, 11, 12, 13, 14.

15. A method, comprising:
- determining a first checksum at a first region of a first file;
- comparing the first checksum to a root in a checksum tree, the root indicating a checksum at a point of a second file;
- determining a second checksum at a second region of the first file offset from the first region of the first file, if the first checksum matches the root;
- comparing the second checksum to a fuzzy checksum indicated by a child node of the root in the checksum tree, wherein the fuzzy checksum is of at least a portion of malware offset from the point of the second file; and
- assigning a classification to the first file, if the second checksum matches the child node, the classification indicating the malware.

Dependent claims: 16, 17, 18, 19, 20.
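The independent claims above all describe the same two-stage walk: an exact checksum of one region of the scanned file is compared against the root of a checksum tree, and only on a match is a second checksum, taken at a further offset, compared against a fuzzy checksum held by a child node, which carries the classification. The following is an added illustration of that walk, not code from the patent or its assignee. The page does not say which fuzzy hashing algorithm the patent uses, so a simplified piecewise chunk-hash similarity stands in for it here; the `Node` structure, the `build_tree`/`classify` helpers, the 0.75 match threshold, and all sample bytes and labels are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CHUNK_SIZE = 16  # constructed: size of each piece the fuzzy checksum hashes separately


def exact_checksum(data: bytes, offset: int, length: int) -> str:
    """Exact checksum of one region of a file (used for the root node)."""
    return hashlib.sha256(data[offset:offset + length]).hexdigest()


def fuzzy_checksum(data: bytes, offset: int, length: int,
                   chunk: int = CHUNK_SIZE) -> Tuple[str, ...]:
    """Simplified fuzzy checksum: a tuple of short piecewise hashes over a region.

    Assumption: the page does not name the fuzzy hashing algorithm, so piecewise
    chunk hashes are stood in here; a region with a few modified bytes still
    shares most of its pieces with the original.
    """
    region = data[offset:offset + length]
    return tuple(
        hashlib.blake2b(region[i:i + chunk], digest_size=4).hexdigest()
        for i in range(0, len(region), chunk)
    )


def fuzzy_similarity(a: Tuple[str, ...], b: Tuple[str, ...]) -> float:
    """Fraction of piece hashes that agree position by position (0.0 .. 1.0)."""
    if not a or not b:
        return 0.0
    matches = sum(1 for x, y in zip(a, b) if x == y)
    return matches / max(len(a), len(b))


@dataclass
class Node:
    offset: int                      # where in the scanned file to checksum
    length: int                      # how many bytes to checksum
    checksum: object                 # str (exact) for the root, tuple (fuzzy) for children
    classification: Optional[str] = None
    children: List["Node"] = field(default_factory=list)


def build_tree(sample: bytes, root_offset: int, root_length: int,
               child_offset: int, child_length: int, classification: str) -> Node:
    """Root = exact checksum at a point of a known sample; child = fuzzy checksum
    of a portion of that sample at a further offset, carrying the classification."""
    root = Node(root_offset, root_length,
                exact_checksum(sample, root_offset, root_length))
    root.children.append(Node(child_offset, child_length,
                              fuzzy_checksum(sample, child_offset, child_length),
                              classification))
    return root


def classify(data: bytes, root: Node, threshold: float = 0.75) -> List[str]:
    """Walk the tree as the claims describe: exact match on the root first, then
    fuzzy comparison against each child only if the root matched."""
    if exact_checksum(data, root.offset, root.length) != root.checksum:
        return []  # first checksum does not match the root: stop here
    labels = []
    for child in root.children:
        second = fuzzy_checksum(data, child.offset, child.length)
        if fuzzy_similarity(second, child.checksum) >= threshold:
            labels.append(child.classification)
    return labels


# Constructed sample data (not real malware): a 16-byte header followed by a
# 64-byte payload made of four distinct 16-byte pieces.
HEADER = b"MZ" + bytes(14)
PAYLOAD = b"A" * 16 + b"B" * 16 + b"C" * 16 + b"D" * 16
KNOWN_SAMPLE = HEADER + PAYLOAD
VARIANT = HEADER + b"A" * 16 + b"B" * 16 + b"X" * 16 + b"D" * 16   # one piece changed
BENIGN_OTHER_HEADER = b"PK" + bytes(14) + PAYLOAD                  # root will not match
BENIGN_SAME_HEADER = HEADER + b"Z" * 64                             # root matches, payload unrelated

# Root: exact checksum of the header at offset 0; child: fuzzy checksum of the
# payload at offset 16. The label is a constructed placeholder.
TREE = build_tree(KNOWN_SAMPLE, 0, 16, 16, 64, "malware:constructed-family")

if __name__ == "__main__":
    for name, blob in [("known sample", KNOWN_SAMPLE), ("variant", VARIANT),
                       ("other header", BENIGN_OTHER_HEADER),
                       ("same header", BENIGN_SAME_HEADER)]:
        print(f"{name:13s} -> {classify(blob, TREE) or ['no match']}")
```

The variant with one altered 16-byte piece still scores 3 of 4 pieces against the child's fuzzy checksum and is classified; a file with a different header never reaches the fuzzy comparison, and a file that shares only the header scores 0 on the payload and receives no classification. The threshold is the knob that trades false positives against missed variants, and a production tree would hold many roots and many children per root.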
Specification