Mitigation of malware
First Claim
1. At least one non-transitory, computer-readable medium including one or more instructions that, when executed by at least one processor, cause the at least one processor to perform a method comprising:
- determining a first checksum at a first region or area of a first file;
- comparing the first checksum to a root in a checksum tree, the root indicating a checksum at a point of a second file or a fuzzy checksum at the point of the second file;
- determining a second checksum at a second region or area of the first file offset from the first region or area of the first file, if the first checksum matches the root;
- comparing the second checksum to a descendant node of the root in the checksum tree, the descendant node indicating a checksum or fuzzy checksum, wherein the checksum or fuzzy checksum indicated by the descendant node is offset from the point of the second file;
- assigning a classification to the first file, if the second checksum matches the descendant node, wherein the classification indicates malware or a benign file; and
- assigning a percentage to the classification.
Abstract
Systems and methods are provided in example embodiments for mitigating malicious calls. The system can be configured to determine a series of checksums for a file, compare the series of checksums to a checksum tree, where the checksum tree includes a plurality of nodes that each include a fuzzy checksum of known malware, and assign one or more classifications to the file, where each of the one or more classifications is based on each node of the checksum tree that matches a checksum in the series of checksums and includes whether the file includes malware or benign checksums.
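The tree walk described in the claim and abstract, as an added Python example that is not code from the patent: a root node is checked at one region of the file, and descendant nodes at offset regions are checked only if the root matches. The fuzzy checksum used here (CRC32 over bytes with the low nibble cleared), the `Node` layout, the sample byte strings and the percentages are all assumptions made for illustration.

```python
import zlib
from dataclasses import dataclass, field
from typing import Optional

def fuzzy_checksum(region: bytes) -> int:
    # Assumed stand-in for a fuzzy checksum: clear the low nibble of every
    # byte before CRC32, so small byte-level edits keep the same value.
    return zlib.crc32(bytes(b & 0xF0 for b in region))

@dataclass
class Node:
    offset: int                   # region start, relative to the parent region
    length: int
    checksum: int
    label: Optional[str] = None   # "malware" or "benign"; None = no verdict
    percent: int = 0              # percentage assigned to the classification
    children: list = field(default_factory=list)

def node_from(sample, start, length, parent_start=0, **kw):
    # Build a node from a region of a known (second) file.
    return Node(start - parent_start, length,
                fuzzy_checksum(sample[start:start + length]), **kw)

def classify(data: bytes, node: Node, base: int = 0) -> list:
    start = base + node.offset
    region = data[start:start + node.length]
    # Short reads and mismatches end this branch; children are never hashed.
    if len(region) < node.length or fuzzy_checksum(region) != node.checksum:
        return []
    found = [(node.label, node.percent)] if node.label else []
    for child in node.children:
        found += classify(data, child, start)
    return found

# Constructed samples standing in for known files (not real signatures).
KNOWN_BAD = b"HDR0" * 4 + b"\xAA" * 16 + b"constructed decoder stub"
KNOWN_GOOD = b"HDR0" * 4 + b"\x55" * 16 + b"constructed help strings"

TREE = node_from(KNOWN_BAD, 0, 16)   # root: header region shared by both
TREE.children = [
    node_from(KNOWN_BAD, 32, 24, label="malware", percent=90),
    node_from(KNOWN_GOOD, 32, 24, label="benign", percent=80),
]

VARIANT = KNOWN_BAD.replace(b"stub", b"stuc") + b"\x00" * 8  # near-duplicate

if __name__ == "__main__":
    print(classify(VARIANT, TREE))
```

`VARIANT` differs from the known sample by one byte and some padding, so an exact checksum of the second region would miss it while the fuzzy one still reaches the descendant node.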
14 Claims
1. At least one non-transitory, computer-readable medium including one or more instructions that, when executed by at least one processor, cause the at least one processor to perform a method comprising:
- determining a first checksum at a first region or area of a first file;
- comparing the first checksum to a root in a checksum tree, the root indicating a checksum at a point of a second file or a fuzzy checksum at the point of the second file;
- determining a second checksum at a second region or area of the first file offset from the first region or area of the first file, if the first checksum matches the root;
- comparing the second checksum to a descendant node of the root in the checksum tree, the descendant node indicating a checksum or fuzzy checksum, wherein the checksum or fuzzy checksum indicated by the descendant node is offset from the point of the second file;
- assigning a classification to the first file, if the second checksum matches the descendant node, wherein the classification indicates malware or a benign file; and
- assigning a percentage to the classification.

Dependent claims: 2, 3, 4, 5
6. An apparatus, comprising:
- a memory; and
- a processor configured to determine a first checksum at a first region or area of a first file;
- to compare the first checksum to a root in a checksum tree, the root indicating a checksum at a point of a second file or a fuzzy checksum at the point of the second file;
- to determine a second checksum at a second region or area of the first file offset from the first region or area of the first file, if the first checksum matches the root;
- to compare the second checksum to a descendant node of the root in the checksum tree, the descendant node indicating a checksum or fuzzy checksum, wherein the checksum or fuzzy checksum indicated by the descendant node is offset from the point of the second file;
- to assign a classification to the first file, if the second checksum matches the descendant node, wherein the classification indicates malware or a benign file; and
- to assign a percentage to the classification.

Dependent claims: 7, 8, 9, 10
11. A method, comprising:
- determining a first checksum at a first region or area of a first file;
- comparing the first checksum to a root in a checksum tree, the root indicating a checksum at a point of a second file or a fuzzy checksum at the point of the second file;
- determining a second checksum at a second region or area of the first file offset from the first region or area of the first file, if the first checksum matches the root;
- comparing the second checksum to a descendant node of the root in the checksum tree, the descendant node indicating a checksum or fuzzy checksum, wherein the checksum or fuzzy checksum indicated by the descendant node is offset from the point of the second file;
- assigning a classification to the first file, if the second checksum matches the descendant node, wherein the classification indicates malware or a benign file; and
- assigning a percentage to the classification.

Dependent claims: 12, 13, 14
Specification