System and method for identifying a macro virus family using a macro virus definitions database
First Claim
1. A system for identifying a macro virus family using a macro virus definitions database, comprising:
a macro virus definitions database comprising a set of indices and macro virus definition data files with each index referencing one or more of the macro virus definition data files and each macro virus definition data file defining macro virus attributes for known macro viruses that are each comprised of at least one macro, the sets of the indices and the macro virus definition data files being organized into a hierarchy according to macro virus families based on a type of application to which the macro applies;
a parser parsing a suspect file into tokens comprising one of individual string constants and source code text and storing the tokens as suspect strings into a hierarchical parse tree;
a macro virus checker comparing each suspect string to the macro virus attributes defined in the one or more macro virus definition data files for each macro virus family in the macro virus definitions database and determining each macro virus family to which the suspect string belongs from the index for each macro virus definition data file at least partially containing the suspect string;
the macro virus checker parsing the macro virus attributes from one or more file objects and analyzing the macro virus definition data files by index for each macro virus family; and
the macro virus checker iteratively retrieving each macro virus definition data file using the index for each macro virus family and providing the macro virus attributes defined in the retrieved macro virus definition data file;
wherein the macro virus definitions database stores at least one of string constants and source code text common to each macro virus family in the macro virus attributes for the macro virus definition data files; and
the macro virus checker compares each suspect string to the at least one of string constants and source code text in the one or more macro virus definition data files for each macro virus family;
wherein a parameter is utilized for specifying a threshold to matches of commonly shared at least one of string constants and source code text;
wherein the macro virus definition data files are indexed into the macro virus families categorized by a replication method employed;
wherein the suspect string comprises part of the suspect file, the suspect file comprising a plurality of individual suspect strings;
wherein the macro virus checker identifies the replication method common to the plurality of the individual suspect strings in the suspect file;
wherein the macro virus checker identifies the macro virus family by which the common replication method is indexed.
11 Assignments
Abstract
A macro virus definitions database is maintained and includes a set of indices and associated macro virus definition data files. One or more of the macro virus definition data files are referenced by the associated index. Each macro virus definition data file defines macro virus attributes for known macro viruses. The sets of the indices and the macro virus definition data files are organized according to macro virus families. One or more strings stored in a suspect file are compared to the macro virus attributes defined in the one or more macro virus definition data files for each macro virus family in the macro virus definitions database. The macro virus family to which the suspect file belongs is determined from the indices for each of the macro virus definition data files at least partially containing the suspect file.
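The abstract and the first claim describe one pipeline: parse the suspect file into string constants and source-code text, keep the tokens in a parse tree, compare each suspect string with the attributes held in per-family definition data files reached through an index ordered by application type and replication method, and attribute a family only once the number of commonly shared attributes reaches a threshold parameter. The Python below is an added illustration of that pipeline and is not code from the patent or its assignee. The DefinitionFile structure, the DEFINITIONS index, the family names, the attribute strings and SAMPLE_MACRO are all constructed assumptions; the sample macro is harmless and is not taken from any real virus.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


# A definition data file: attributes (string constants and source-code text)
# shared by the members of one macro virus family. Hypothetical structure.
@dataclass
class DefinitionFile:
    name: str
    strings: list   # string constants common to the family
    source: list    # source-code text common to the family


# Hypothetical definitions database. The index hierarchy follows the claims:
# application type -> replication method -> family -> definition data files.
# Family names and attribute strings are constructed for illustration only.
DEFINITIONS = {
    "Word": {
        "normal_template": {
            "FamilyA": [DefinitionFile("famA.def", ["Normal.dot", "Payload"],
                                       ["NormalTemplate.VBProject", "MacroCopy"])],
        },
        "auto_macro": {
            "FamilyB": [DefinitionFile("famB.def", ["ThisDocument"],
                                       ["Sub AutoOpen()", "ActiveDocument.SaveAs"])],
        },
    },
    "Excel": {
        "personal_workbook": {
            "FamilyC": [DefinitionFile("famC.def", ["PERSONAL.XLS"],
                                       ["Workbooks.Open", "Sub Auto_Open()"])],
        },
    },
}

STRING_CONST = re.compile(r'"([^"]*)"')
PROC_HEADER = re.compile(r"\b(?:Sub|Function)\s+(\w+)")


def parse_macro(text):
    """Parse VBA-like source into a hierarchical parse tree:
    {procedure: {"strings": [string constants], "source": [code lines]}}."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("'"):      # blank line or VBA comment
            continue
        header = PROC_HEADER.search(line)
        if header:                                 # new procedure node in the tree
            current = header.group(1)
            tree[current] = {"strings": [], "source": []}
        if current is None:                        # text outside any procedure
            continue
        tree[current]["strings"].extend(STRING_CONST.findall(line))
        # Source-code text is stored with its literals blanked so that the two
        # token kinds (string constants vs. source text) are compared separately.
        tree[current]["source"].append(STRING_CONST.sub('""', line))
    return tree


def suspect_strings(tree):
    """Flatten the parse tree into the individual suspect strings of the file."""
    out = []
    for proc in tree.values():
        out.extend(proc["strings"])
        out.extend(proc["source"])
    return out


def classify(text, application, threshold=2):
    """Return (family, replication_method, matched_attributes).

    Each suspect string is compared with the attributes of every definition
    file reachable through the index for `application`. A family is reported
    only when at least `threshold` of its shared attributes are matched; the
    replication method is read back from the index entry the family sits under.
    """
    strings = suspect_strings(parse_macro(text))
    hits = defaultdict(set)        # (replication_method, family) -> matched attributes
    for method, families in DEFINITIONS.get(application, {}).items():
        for family, files in families.items():
            for deffile in files:  # iterative retrieval of each definition data file
                for attr in deffile.strings + deffile.source:
                    if any(attr in s for s in strings):   # partial (substring) containment
                        hits[(method, family)].add(attr)
    if not hits:
        return None, None, []
    (method, family), matched = max(hits.items(), key=lambda kv: len(kv[1]))
    if len(matched) < threshold:
        return None, None, sorted(matched)      # below threshold: no family attributed
    return family, method, sorted(matched)


# Constructed, harmless sample macro (not a real virus) for a Word document.
SAMPLE_MACRO = """
' constructed sample
Sub AutoOpen()
    Dim doc As Document
    Set doc = ActiveDocument
    MsgBox "ThisDocument"
    ActiveDocument.SaveAs "copy.doc"
End Sub
"""

if __name__ == "__main__":
    print(classify(SAMPLE_MACRO, "Word"))               # attributed to FamilyB / auto_macro
    print(classify(SAMPLE_MACRO, "Word", threshold=4))  # same matches, below threshold
```

Partial (substring) containment is deliberately loose: a short, common fragment such as `Sub AutoOpen()` appears in benign macros too, which is why attribution is gated by the threshold parameter on the number of commonly shared attributes rather than by any single match. Raise `threshold`, or add more family-specific attributes to a definition file, when a family matches too often.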
84 Citations
16 Claims
1. (Claim 1 is reproduced in full under First Claim above.) Dependent claims: 2, 3, 4
5. A method for identifying a macro virus family using a macro virus definitions database, comprising:
maintaining a macro virus definitions database comprising a set of indices and macro virus definition data files with each index referencing one or more of the macro virus definition data files and each macro virus definition data file defining macro virus attributes for known macro viruses that are each comprised of at least one macro;
organizing the sets of the indices and the macro virus definition data files into a hierarchy according to macro virus families based on a type of application to which the macro applies;
parsing a suspect file into tokens comprising one of individual string constants and source code text and storing the tokens as suspect strings into a hierarchical parse tree;
comparing each suspect string to the macro virus attributes defined in the one or more macro virus definition data files for each macro virus family in the macro virus definitions database; and
determining each macro virus family to which the suspect string belongs from the index for each macro virus definition data file at least partially containing the suspect string;
parsing the macro virus attributes from one or more file objects and analyzing the macro virus definition data files by index for each macro virus family; and
iteratively retrieving each macro virus definition data file using the index for each macro virus family and providing the macro virus attributes defined in the retrieved macro virus definition data file;
wherein the macro virus definitions database stores at least one of string constants and source code text common to each macro virus family in the macro virus attributes for the macro virus definition data files; and
a comparison is performed between each suspect string and the at least one of string constants and source code text in the one or more macro virus definition data files for each macro virus family;
wherein a parameter is utilized for specifying a threshold to matches of commonly shared at least one of string constants and source code text;
wherein the macro virus definition data files are indexed into the macro virus families categorized by a replication method employed;
wherein the suspect string comprises part of the suspect file, the suspect file comprising a plurality of individual suspect strings;
wherein the replication method common to the plurality of the individual suspect strings in the suspect file is identified;
wherein further included is an identification of the macro virus family by which the common replication method is indexed.
Dependent claims: 6, 7, 8, 9
10. A system for identifying a macro virus family using a macro virus definitions database, comprising:
a macro virus definitions database comprising a set of indices and associated macro virus definition data files, further comprising:
one or more of the macro virus definition data files referenced by the associated index with each macro virus definition data file defining macro virus attributes for known macro viruses that are each comprised of at least one macro;
a hierarchy organized according to a macro family to which each of the sets of the indices and the macro virus definition data files belong based on a type of application to which the macro applies;
a parser parsing a suspect file into tokens comprising one of individual string constants and source code text and storing the tokens as strings into a hierarchical parse tree;
a macro virus checker comparing one or more strings stored in a suspect file to the macro virus attributes defined in the one or more macro virus definition data files for each macro virus family in the macro virus definitions database and determining the macro virus family to which the suspect file belongs from the indices for each of the macro virus definition data files at least partially containing the suspect file;
the macro virus checker parsing macro virus attributes from one or more file objects and analyzing the macro virus definition data files by index for each macro virus family; and
the macro virus checker iteratively retrieving each macro virus definition data file using the index for each macro virus family and providing the macro virus attributes defined in the retrieved macro virus definition data file;
wherein the macro virus definitions database stores at least one of string constants and source code text common to each macro virus family in the macro virus attributes for the macro virus definition data files; and
the macro virus checker compares a suspect string to the at least one of string constants and source code text in the one or more macro virus definition data files for each macro virus family;
wherein a parameter is utilized for specifying a threshold to matches of commonly shared at least one of string constants and source code text;
wherein the macro virus definition data files are indexed into the macro virus families categorized by a replication method employed;
wherein the suspect string comprises part of the suspect file, the suspect file comprising a plurality of individual suspect strings;
wherein the macro virus checker identifies the replication method common to the plurality of the individual suspect strings in the suspect file;
wherein the macro virus checker identifies the macro virus family by which the common replication method is indexed.
Dependent claims: 11, 12
13. A method for identifying a macro virus family using a macro virus definitions database, comprising:
maintaining a macro virus definitions database comprising a set of indices and associated macro virus definition data files, further comprising:
referencing one or more of the macro virus definition data files by the associated index with each macro virus definition data file defining macro virus attributes for known macro viruses that are each comprised of at least one macro;
organizing the sets of the indices and the macro virus definition data files into a hierarchy according to macro virus families based on a type of application to which the macro applies;
parsing a suspect file into tokens comprising one of individual string constants and source code text and storing the tokens as strings into a hierarchical parse tree;
comparing the strings to the macro virus attributes defined in the one or more macro virus definition data files for each macro virus family in the macro virus definitions database;
determining the macro virus family to which the suspect file belongs from the indices for each of the macro virus definition data files at least partially containing the suspect file;
parsing macro virus attributes from one or more file objects and analyzing the macro virus definition data files by index for each macro virus family; and
iteratively retrieving each macro virus definition data file using the index for each macro virus family and providing the macro virus attributes defined in the retrieved macro virus definition data file;
wherein the macro virus definitions database stores at least one of string constants and source code text common to each macro virus family in the macro virus attributes for the macro virus definition data files; and
a comparison is performed between a suspect string and the at least one of string constants and source code text in the one or more macro virus definition data files for each macro virus family;
wherein a parameter is utilized for specifying a threshold to matches of commonly shared at least one of string constants and source code text;
wherein the macro virus definition data files are indexed into the macro virus families categorized by a replication method employed;
wherein the suspect string comprises part of the suspect file, the suspect file comprising a plurality of individual suspect strings;
wherein the replication method common to the plurality of the individual suspect strings in the suspect file is identified;
wherein further included is an identification of the macro virus family by which the common replication method is indexed.
Dependent claims: 14, 15, 16
Specification