METHOD AND SYSTEM FOR CLASSIFICATION OF SOFTWARE USING CHARACTERISTICS AND COMBINATIONS OF SUCH CHARACTERISTICS
First Claim
1. A computer program product embodied in a computer readable medium that, when executing on one or more computers, performs the steps of:
a. identifying a functional code block that performs a particular function within executable code;
b. transforming the functional code block into a generic code representation of its functionality by tokenizing the functional code block;
c. comparing the generic code representation with a previously characterized malicious code representation; and
d. in response to a positive correlation from the comparison, identifying the executable code as containing malicious code.
Abstract
In embodiments of the present invention improved capabilities are described for the steps of identifying a functional code block that performs a particular function within executable code; transforming the functional code block into a generic code representation of its functionality by tokenizing, refactoring, or the like, the functional code block; comparing the generic code representation with a previously characterized malicious code representation; and in response to a positive correlation from the comparison, identifying the executable code as containing malicious code.
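The four steps in the abstract can be followed end to end in a short sketch. This is an added example, not code from the patent: the tokenization scheme (operands generalized to REG, IMM, MEM, SYM), the n-gram Jaccard comparison, the 0.8 threshold, and the sample listings are all assumptions constructed for illustration.

```python
import re

# Assumed tokenization: keep each mnemonic, generalize every operand.
REGISTER = re.compile(r"^(e?[abcd]x|e?[sd]i|e?[sb]p|[abcd][lh])$")
IMMEDIATE = re.compile(r"^(0x[0-9a-f]+|\d+)$")

def tokenize_block(block):
    """Step b: turn an assembly listing into a generic token sequence."""
    tokens = []
    for line in block.strip().splitlines():
        line = line.split(";", 1)[0].strip().lower()  # drop comments
        if not line:
            continue
        mnemonic, _, operands = line.partition(" ")
        tokens.append(mnemonic)
        for op in filter(None, (o.strip() for o in operands.split(","))):
            if REGISTER.match(op):
                tokens.append("REG")
            elif IMMEDIATE.match(op):
                tokens.append("IMM")
            elif "[" in op:
                tokens.append("MEM")
            else:
                tokens.append("SYM")  # labels and other symbols
    return tokens

def ngrams(tokens, n=3):
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}

def similarity(a, b, n=3):
    """Step c: Jaccard overlap of token n-grams (an assumed metric)."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    return len(ga & gb) / len(ga | gb) if ga | gb else 0.0

def classify(block, known, threshold=0.8):
    """Step d: names of known representations the block correlates with."""
    tokens = tokenize_block(block)
    return [name for name, rep in known.items()
            if similarity(tokens, rep) >= threshold]

# Constructed sample listings (step a is assumed done: each is one block).
KNOWN_BLOCK = "mov ecx, 64\nmov esi, [ebp+8]\nxor [esi], 0x5a\ninc esi\ndec ecx\njnz decode"
VARIANT = "mov edx, 0x100\nmov edi, [ebp+12]\nxor [edi], 0x13\ninc edi\ndec edx\njnz loop_top"
UNRELATED = "push ebp\nmov ebp, esp\nmov eax, [ebp+8]\nadd eax, [ebp+12]\npop ebp\nret"
KNOWN = {"constructed-sample": tokenize_block(KNOWN_BLOCK)}

if __name__ == "__main__":
    print(classify(VARIANT, KNOWN), classify(UNRELATED, KNOWN))
```

The variant differs from the characterized block in every register, constant and label, yet tokenizes to the same sequence; the unrelated function prologue shares only one trigram and stays below the threshold.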
339 Citations
24 Claims
1. A computer program product embodied in a computer readable medium that, when executing on one or more computers, performs the steps of:
a. identifying a functional code block that performs a particular function within executable code;
b. transforming the functional code block into a generic code representation of its functionality by tokenizing the functional code block;
c. comparing the generic code representation with a previously characterized malicious code representation; and
d. in response to a positive correlation from the comparison, identifying the executable code as containing malicious code.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 18, 19, 20, 21, 22, 23

12. A computer program product embodied in a computer readable medium that, when executing on one or more computers, performs the steps of:
a. identifying a functional code block that performs a particular function within executable code;
b. transforming the functional code block into a generic code representation of its functionality by refactoring the functional code block;
c. comparing the generic code representation with a previously characterized malicious code representation; and
d. in response to a positive correlation from the comparison, identifying the executable code as containing malicious code.
Dependent claims: 13, 14, 15, 16, 17

24. A computer program product embodied in a computer readable medium that, when executing on one or more computers, performs the steps of:
a. identifying a plurality of functional code blocks within executable code;
b. transforming the plurality of functional code blocks into a plurality of generic code representations of its functionality by at least one of refactoring and tokenizing the plurality of functional code blocks;
c. comparing each of the plurality of generic code representations with a plurality of previously characterized malicious code representations; and
d. in response to a positive correlation from the comparison, identifying the executable code as containing malicious code.
Specification