
Methods and apparatus for evaluating and extracting signatures of computer viruses and other undesirable software entities

  • US 5,452,442 A
  • Filed: 04/14/1995
  • Issued: 09/19/1995
  • Est. Priority Date: 01/19/1993
  • Status: Expired due to Term
First Claim

1. A method for operating a digital data processor to obtain one or more valid signatures of an undesirable software entity, the digital data processor including a memory that is bidirectionally coupled to the digital data processor, the method comprising the steps of:

  • storing in the memory a corpus of computer programs that are representative of computer programs that are likely to be infected by an undesirable software entity;

  • inputting to the digital data processor at least one portion of the undesirable software entity, the at least one portion including a sequence of bytes of the undesirable software entity that are likely to remain substantially invariant from a first instance of the undesirable software entity to a second instance of the undesirable software entity;

  • storing the at least one inputted portion in the memory;

  • selecting at least one candidate signature of the undesirable software entity from the stored at least one portion of the undesirable software entity;

  • constructing with the digital data processor a list of unique n-grams from the sequence of bytes, each of the unique n-grams being comprised of from one to a chosen maximal number of sequential bytes (B) of the sequence of bytes, the constructed list of unique n-grams being stored in the memory;

  • for each of the unique n-grams of the stored list, estimating with the digital data processor a probability of an occurrence of the unique n-gram within sequences of bytes obtained from the stored corpus of computer programs;

  • for each candidate signature that is comprised of one or more of the unique n-grams, estimating with the digital data processor a false-positive probability of an occurrence of the candidate signature within the sequences of bytes obtained from the corpus of computer programs;

  • comparing the estimated false-positive probabilities of the candidate signatures with one another and with a set of threshold probabilities, the threshold probabilities having values selected to reduce a likelihood of an occurrence of a false positive indication during the use of a signature; and

  • outputting at least one signature for subsequent use in identifying an occurrence of the undesirable software entity or a modified version of the undesirable software entity, the outputted at least one signature being determined to exhibit a false alarm probability that is comparable to or less than a lowest false alarm probability of others of the candidate signatures.
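The following Python sketch is an added worked example, not text or code from the patent, that walks through the steps of claim 1 end to end: a constructed corpus of "clean" programs, a constructed invariant byte region of a hypothetical virus, the list of unique n-grams of length 1..B, per-n-gram occurrence probabilities estimated from the corpus, a false-positive estimate for every candidate signature (each fixed-length window of the invariant region), and a selection of the candidates that fall under a threshold and are comparable to the best one. The corpus bytes, the virus bytes, the backoff smoothing used for n-grams the corpus never contains, the (B-1)-order Markov chain used to combine n-gram probabilities, and the Poisson approximation that turns an expected match count into a false-positive probability are all assumptions of this example rather than details taken from the patent.

```python
"""Signature evaluation via n-gram false-positive estimates (added example)."""
from collections import Counter
from math import expm1

# Constructed "clean" corpus: three tiny fake programs sharing a common
# function-prologue byte sequence, standing in for library code that many
# legitimate programs contain. These are not real binaries.
PROLOGUE = b"\x55\x89\xe5\x83\xec\x10"
CORPUS = [
    PROLOGUE + b"\x8b\x45\x08\x5d\xc3" + PROLOGUE + b"\x31\xc0\xc9\xc3",
    PROLOGUE + b"\x90\x90\xe8\x00\x00\x00\x00\xc3",
    b"\x4d\x5a\x90\x00" + PROLOGUE + b"\xeb\xfe",
]
# Constructed invariant region of a hypothetical virus: it starts with the
# same prologue (a poor signature) and continues with bytes the corpus lacks.
VIRUS_BYTES = PROLOGUE + b"\xde\xad\xbe\xef\xca\xfe\xf0\x0d\x13\x37"


def unique_ngrams(data: bytes, max_n: int) -> set:
    """The list of unique n-grams of length 1..max_n occurring in data."""
    return {data[i:i + n] for n in range(1, max_n + 1)
            for i in range(len(data) - n + 1)}


class NgramModel:
    """Counts n-grams of length 1..max_n over the corpus. gram_counts[n]
    counts each n-gram; ctx_counts[n] counts the (n-1)-byte context that
    precedes every counted n-gram, so gram / ctx is a proper conditional."""

    def __init__(self, corpus, max_n):
        self.max_n = max_n
        self.total = {n: 0 for n in range(1, max_n + 1)}
        self.gram_counts = {n: Counter() for n in range(1, max_n + 1)}
        self.ctx_counts = {n: Counter() for n in range(1, max_n + 1)}
        for prog in corpus:
            for n in range(1, max_n + 1):
                for i in range(len(prog) - n + 1):
                    g = prog[i:i + n]
                    self.gram_counts[n][g] += 1
                    self.ctx_counts[n][g[:-1]] += 1
                    self.total[n] += 1

    def prob(self, g: bytes) -> float:
        """Estimated probability that an n-gram occurs at a random corpus
        position. Unseen n-grams back off to a product of byte probabilities
        with add-one smoothing on bytes (an assumption of this example)."""
        n = len(g)
        c = self.gram_counts[n][g]
        if c > 0:
            return c / self.total[n]
        if n == 1:
            return 1.0 / (self.total[1] + 256)
        return self.prob(g[:-1]) * self.prob(g[-1:])

    def cond(self, g: bytes) -> float:
        """P(last byte of g | preceding bytes of g), shortening the context
        whenever the full context or the full n-gram was never observed."""
        n = len(g)
        ctx = self.ctx_counts[n][g[:-1]]
        if ctx > 0 and self.gram_counts[n][g] > 0:
            return self.gram_counts[n][g] / ctx
        if n == 1:
            return self.prob(g)
        return self.cond(g[1:])

    def signature_fp(self, sig: bytes) -> float:
        """False-positive estimate for one candidate signature: P(sig) from a
        (max_n-1)-order Markov chain over its n-grams, then the probability
        of at least one match in the corpus via a Poisson approximation."""
        b = min(self.max_n, len(sig))
        p = self.prob(sig[:b])
        for i in range(b, len(sig)):
            p *= self.cond(sig[i - b + 1:i + 1])
        expected_hits = p * self.total[1]
        return -expm1(-expected_hits)


def select_signatures(virus, corpus, sig_len, max_n, threshold, tolerance=2.0):
    """Score every sig_len-byte window of the invariant region and return the
    candidates at or below threshold whose estimate is comparable to (within
    tolerance times) the lowest estimate, plus the full score table."""
    model = NgramModel(corpus, max_n)
    scored = {virus[i:i + sig_len]: model.signature_fp(virus[i:i + sig_len])
              for i in range(len(virus) - sig_len + 1)}
    best = min(scored.values())
    chosen = [s for s, fp in scored.items()
              if fp <= threshold and fp <= best * tolerance]
    return chosen, scored


if __name__ == "__main__":
    chosen, scored = select_signatures(VIRUS_BYTES, CORPUS, 6, 3, 1e-6)
    for sig, fp in sorted(scored.items(), key=lambda kv: kv[1]):
        print(sig.hex(), f"{fp:.3e}")
    print("selected:", [s.hex() for s in chosen])
```

Running it ranks the prologue window near a false-positive probability of 1 (it occurs four times in the corpus), the windows that straddle the prologue and the unique bytes in between, and the windows drawn entirely from the unique bytes at the bottom; only those last windows survive the threshold and the "comparable to the lowest" comparison. A real corpus would be orders of magnitude larger, and the absolute numbers depend heavily on the smoothing chosen for unseen n-grams, which is why the claim compares candidates against each other as well as against a threshold.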

  • 1 Assignment