SYSTEMS, APPARATUS, AND METHODS FOR DETECTING MALWARE
First Claim
1. A method comprising:
creating a first fuzzy fingerprint of a known malware file, the first fuzzy fingerprint including a first set of calculated complexity approximations and weightings for each of a plurality of blocks within the known malware file;
creating a second fuzzy fingerprint of a file to be checked, the second fuzzy fingerprint including a second set of calculated complexity approximations and weightings for each of a plurality of blocks within the file to be checked;
comparing the second fuzzy fingerprint to the first fuzzy fingerprint, including comparing the calculated complexity approximations from the second fuzzy fingerprint with a plurality of the complexity approximations from the first fuzzy fingerprint using a block-wise comparison;
calculating a similarity probability for each of the block-wise comparisons, the calculation including a respective weighting for each of the plurality of blocks within the known malware file and for each of the plurality of blocks within the file to be checked, and the calculation including a distance between the compared blocks; and
calculating an overall similarity probability for the plurality of blocks compared.
12 Assignments
0 Petitions
Abstract
Various embodiments, including a method comprising: creating a first fuzzy fingerprint of a known malware file, the first fuzzy fingerprint including a first set of calculated complexity approximations and weightings for each of a plurality of blocks within the known malware file; creating a second fuzzy fingerprint of a file to be checked, the second fuzzy fingerprint including a second set of calculated complexity approximations and weightings for each of a plurality of blocks within the file to be checked; comparing the second fuzzy fingerprint to the first fuzzy fingerprint; calculating a similarity probability for each of the block-wise comparisons, the calculation including respective weightings for each of the plurality of blocks within the known malware file and for each of the plurality of blocks within the file to be checked, and the calculation including a distance between the compared blocks; and calculating an overall similarity probability for the plurality of blocks compared.
78 Citations
27 Claims
1. A method comprising:
creating a first fuzzy fingerprint of a known malware file, the first fuzzy fingerprint including a first set of calculated complexity approximations and weightings for each of a plurality of blocks within the known malware file;
creating a second fuzzy fingerprint of a file to be checked, the second fuzzy fingerprint including a second set of calculated complexity approximations and weightings for each of a plurality of blocks within the file to be checked;
comparing the second fuzzy fingerprint to the first fuzzy fingerprint, including comparing the calculated complexity approximations from the second fuzzy fingerprint with a plurality of the complexity approximations from the first fuzzy fingerprint using a block-wise comparison;
calculating a similarity probability for each of the block-wise comparisons, the calculation including a respective weighting for each of the plurality of blocks within the known malware file and for each of the plurality of blocks within the file to be checked, and the calculation including a distance between the compared blocks; and
calculating an overall similarity probability for the plurality of blocks compared.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. An apparatus comprising:
a gateway including an anti-malware engine coupled to a generated fuzzy fingerprints database including a plurality of fingerprints for known malware files;
a fuzzy fingerprint generator coupled to the anti-malware engine, the fuzzy fingerprint generator operable to produce a fuzzy fingerprint including a complexity approximation for each of a plurality of blocks for a file provided by the anti-malware engine; and
a fingerprint comparator coupled to the anti-malware engine, the fingerprint comparator operable to compare a produced fingerprint from the fingerprint generator with any one of the plurality of fingerprints from the generated fuzzy fingerprints database and to produce a similarity probability on a block-wise basis.
Dependent claims: 11, 12, 13, 14, 15, 16.

17. A system comprising:
a plurality of protected devices coupled to a network through a gateway, the gateway including an anti-malware engine;
a generated fuzzy fingerprint database coupled to the anti-malware engine, the generated fingerprint database including a plurality of fingerprints for known malware files;
a fuzzy fingerprint generator coupled to the anti-malware engine, the fuzzy fingerprint generator operable to produce a fuzzy executable fingerprint including a complexity approximation for each of a plurality of blocks in a file provided by the anti-malware engine; and
a fuzzy fingerprint comparator coupled to the anti-malware engine, the fuzzy fingerprint comparator operable to compare a produced fuzzy executable fingerprint from the fingerprint generator with any one of the plurality of fingerprints from the generated fingerprint database and to produce a similarity probability on a block-by-block basis.
Dependent claims: 18, 19, 20, 21, 22, 23.

24. A method comprising:
storing as at least one training set a plurality of files known to be malware;
generating for each file of the plurality of files known to be malware a fuzzy executable fingerprint, each fuzzy executable fingerprint including a first set of calculated complexity approximations and weightings for each of a plurality of blocks within each individual one of the plurality of files known to be malware; and
providing to one or more anti-malware engines the generated fuzzy executable fingerprints for each file of the plurality of files.
Dependent claims: 25, 26, 27.
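As an added worked example (not code from the patent or its assignee), the following Python models the pipeline described in the abstract and in claims 1 and 24: per-block complexity approximations and weightings form a fuzzy fingerprint, blocks are compared block-wise by a distance, each comparison yields a similarity probability, and the weighted result is an overall similarity probability. Shannon entropy as the complexity approximation, file-share weighting, best-match block pairing and the 64-byte block size are assumptions, since the claims leave those choices open.

```python
import math
import random
from typing import List, Tuple

BLOCK_SIZE = 64  # assumed block size; the claims do not fix one

def block_complexity(block: bytes) -> float:
    """Shannon entropy (bits/byte) as the complexity approximation; an assumption,
    since the claims leave the approximation method open."""
    n = len(block)
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def fuzzy_fingerprint(data: bytes, block_size: int = BLOCK_SIZE) -> List[Tuple[float, float]]:
    """One (complexity, weighting) pair per block. Weighting = the block's share of
    the file, so a short trailing block counts less (assumed weighting scheme)."""
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    return [(block_complexity(b), len(b) / len(data)) for b in blocks]

def block_similarity(c_known: float, c_checked: float) -> float:
    """Per-block similarity probability from the distance between the two complexity
    values; entropy is bounded by 8 bits/byte, so the distance is normalised by 8."""
    return 1.0 - abs(c_known - c_checked) / 8.0

def compare_fingerprints(known, checked) -> float:
    """Block-wise comparison: each checked block is compared with every known block
    and keeps its best match; the overall similarity probability is the weighted
    mean, using the mean of the two matched blocks' weightings as the weight."""
    weighted, total = 0.0, 0.0
    for c2, w2 in checked:
        prob, w1 = max((block_similarity(c1, c2), w1) for c1, w1 in known)
        w = (w1 + w2) / 2.0
        weighted += prob * w
        total += w
    return weighted / total

def overall_similarity(known_file: bytes, checked_file: bytes) -> float:
    return compare_fingerprints(fuzzy_fingerprint(known_file), fuzzy_fingerprint(checked_file))

# Constructed sample inputs (not real malware): a fixed header plus a pseudorandom,
# high-complexity body; a variant with a patched region and trailing padding; and an
# unrelated plain-text file.
_rng = random.Random(7)
KNOWN_MALWARE = b"MZ" + bytes(62) + bytes(_rng.randrange(256) for _ in range(256))
VARIANT = KNOWN_MALWARE[:144] + bytes(16) + KNOWN_MALWARE[160:] + b" padding" * 4
BENIGN_TEXT = b"Hello, this is a benign text document. " * 8
```

With these inputs the patched variant scores well above 0.9 against the known file while the unrelated text scores noticeably lower, but entropy alone is a coarse complexity measure, so a deployment would choose the approximation, weighting and decision threshold against a labelled training set as claim 24 describes.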
Specification