Method and system for detecting malicious code

  • US 10,511,617 B2
  • Filed: 12/31/2015
  • Issued: 12/17/2019
  • Est. Priority Date: 05/27/2015
  • Status: Active Grant
First Claim

1. A method for detecting malicious code by a server storing a file reputation scoring policy and a plurality of malicious code detectors having different types of malicious code detection, the method comprising:

  • receiving, by the server, a testing sample sent by a client computer from a network, wherein the file reputation scoring policy associates each of the plurality of malicious code detectors with at least one type of malicious code each corresponding to a credibility scale and a reputation value, the file reputation scoring policy recording each type of the plurality of malicious code detectors, at least one type of malicious code detected by each type of the plurality of malicious code detectors, and the credibility scale and the reputation value of the at least one type of malicious code detected by each type of the plurality of malicious code detectors;

    testing, by the server, the testing sample with the plurality of malicious code detectors to acquire a plurality of testing results;

    comparing, by the server, the plurality of testing results with the type of malicious code recorded in the file reputation scoring policy;

    dismissing, by the server, testing results which do not match the type of malicious code recorded in the file reputation scoring policy;

    determining, by the server, the credibility scale and the reputation value for each of the testing results matching the type of malicious code recorded in the file reputation scoring policy based on the file reputation scoring policy, the credibility scale indicating whether the testing result is malicious, and the reputation value indicating a quantified trust level corresponding to the credibility scale; and

    determining, by the server, a final detection result of the testing sample based on the respective determined credibility scales and the reputation values of the testing results matching the type of malicious code recorded in the file reputation scoring policy, wherein the determining the final detection result of the testing sample based on the credibility scales and the reputation values of the testing results matching the type of malicious code recorded in the file reputation scoring policy comprises:

    processing the credibility scales and the reputation values of the testing results matching the type of malicious code recorded in the file reputation scoring policy based on a decision policy for the credibility scale and the reputation value to obtain the final detection result of the testing sample, wherein the credibility scale comprises any one of:

    black, white, gray, suspected black and suspected white, wherein black represents the testing sample being malicious, white represents the testing sample being safe, gray represents being uncertain, suspected black represents the sample being potentially malicious, and suspected white represents the testing sample being potentially safe, wherein the decision policy comprises:

    in response to the determination that the testing results are suspected black, the final detection result of the testing sample is determined to be black when a sum of the reputation values of the testing results is above a first preset threshold, otherwise the final detection result of the testing sample is determined to be gray;

    in response to the determination that the testing results are suspected white, the final detection result of the testing sample is determined to be white when a sum of the reputation values of the testing results is above a second preset threshold, otherwise the final detection result of the testing sample is determined to be gray, and in response to the determination that a conflict exists between the testing results, between two or more of the plurality of malicious code detectors, the conflict being that some of the testing results are suspected black while the rest are suspected white, the test result with higher reputation between the testing result of suspected black and the testing result of suspected white is determined as the final detection result of the testing sample, a difference between the reputation value of the testing result of suspected black and the reputation value of the testing result of suspected white being above a third preset threshold, otherwise the final detection result of the testing sample is determined to be gray;

    providing, by the server, the final detection result of the testing sample to the client computer;

    obtaining, by the server, false positive rates of respective types of the malicious code detectors according to the final detection result, different types of the malicious code detectors having different testing approaches; and

    setting, by the server, the reputation values of respective types of the malicious code detectors in the file reputation scoring policy based on the false positive rates of respective types of the malicious code detectors.
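The decision policy of the claim, worked through in code. This is an added illustration, not code from the patent or its assignee: the scoring policy, detector names, malware types, reputation values and thresholds are all constructed, and treating each side of a conflict as the sum of its results' reputation values is a simplifying assumption.

```python
from typing import Dict, List, Tuple

# Constructed file reputation scoring policy (assumption, not the patent's data):
# detector type -> reported malware type -> (credibility scale, reputation value).
# A detector verdict that is not recorded here is dismissed, as the claim requires.
POLICY: Dict[str, Dict[str, Tuple[str, int]]] = {
    "signature": {"trojan": ("suspected black", 40), "clean": ("suspected white", 30)},
    "heuristic": {"trojan": ("suspected black", 25), "adware": ("suspected black", 15),
                  "clean": ("suspected white", 20)},
    "sandbox":   {"trojan": ("suspected black", 35), "clean": ("suspected white", 45)},
}

# The three preset thresholds of the decision policy (constructed values).
BLACK_THRESHOLD, WHITE_THRESHOLD, CONFLICT_THRESHOLD = 50, 50, 20


def final_result(results: List[Tuple[str, str]], policy=POLICY,
                 t1=BLACK_THRESHOLD, t2=WHITE_THRESHOLD, t3=CONFLICT_THRESHOLD) -> str:
    """Apply the decision policy to a list of (detector type, reported type) pairs."""
    scored = [policy[d][r] for d, r in results if r in policy.get(d, {})]  # dismiss unmatched
    black = sum(v for s, v in scored if s == "suspected black")
    white = sum(v for s, v in scored if s == "suspected white")
    has_black = any(s == "suspected black" for s, _ in scored)
    has_white = any(s == "suspected white" for s, _ in scored)
    if has_black and not has_white:          # every matching result is suspected black
        return "black" if black > t1 else "gray"
    if has_white and not has_black:          # every matching result is suspected white
        return "white" if white > t2 else "gray"
    if has_black and has_white:              # conflict between detectors
        # Assumption: each side's reputation is the sum of its results' values.
        if abs(black - white) > t3:
            return "black" if black > white else "white"
        return "gray"
    return "gray"                            # nothing matched the policy


def update_reputation(policy, false_positive_rates: Dict[str, float], base: int = 50):
    """Reset each detector type's reputation values from its observed false positive
    rate (the last two steps of the claim). The mapping base * (1 - fpr) is an assumption."""
    updated = {}
    for detector, verdicts in policy.items():
        fpr = false_positive_rates.get(detector)
        updated[detector] = {
            kind: (scale, round(base * (1 - fpr)) if fpr is not None else value)
            for kind, (scale, value) in verdicts.items()
        }
    return updated
```

A detector whose false positive rate rises therefore contributes less to the sums, which pushes borderline samples toward gray instead of a confident verdict.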
