System and method for determining data entropy to identify malware
First Claim
1. A malware detection method, the method comprising the steps of:
- calculating a global entropy value for a block of data, said block of data comprising a plurality of data samples;
- iteratively calculating an individual sample entropy value for each of the plurality of data samples to create a plurality of individual sample entropy values, wherein each of the plurality of data samples contains at least a portion of data overlapping at least one of an immediately preceding data sample and an immediately subsequent data sample;
- performing a statistical method on the plurality of individual sample entropy values;
- comparing at least one of the global entropy value and an individual sample entropy value to a threshold value; and
- recording the block of data as suspicious when at least one of the global entropy value and an individual sample entropy value exceeds the threshold value.
Abstract
Systems and methods for performing malware detection for determining suspicious data based on data entropy are provided. The method includes acquiring a block of data, calculating an entropy value for the block of data, comparing the entropy value to a threshold value, and recording the block of data as suspicious when the entropy value exceeds the threshold value. An administrator may then investigate suspicious data.
Claims (16)
1. A malware detection method (independent claim; text reproduced above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A computer-readable device having computer-executable instructions for performing a method of malware detection, the method comprising the steps of:
- calculating a global entropy value for a block of data, said block of data comprising a plurality of data samples;
- iteratively calculating an individual sample entropy value for each of the plurality of data samples to create a plurality of individual sample entropy values, wherein each of the plurality of data samples contains at least a portion of data overlapping at least one of an immediately preceding data sample and an immediately subsequent data sample;
- performing a statistical method on the plurality of individual sample entropy values;
- comparing at least one of the global entropy value and an individual sample entropy value to a threshold value; and
- recording the block of data as suspicious when at least one of the global entropy value and an individual sample entropy value exceeds the threshold value.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.
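The steps recited in claims 1 and 9 (global entropy, overlapping per-sample entropies, a statistic over the samples, a threshold comparison, and a "suspicious" verdict) map onto a short sliding-window scanner. The code below is an added illustration written for this page; it is not the patentee's implementation and the patent does not fix any of its parameters. Assumptions: Shannon entropy in bits per byte, a 512-byte sample window advanced 256 bytes at a time (so each sample overlaps its neighbours by half), mean and standard deviation as the "statistical method", and a threshold of 7.0 bits per byte. The three inputs are constructed in the block: repeated ASCII text, a seeded pseudo-random byte string standing in for a packed or encrypted region, and the two concatenated, which is the case where the global value stays under the threshold but one sample crosses it.

```python
"""Sliding-window entropy scan modelled on the claim steps above.

Added example, not the patentee's code. Window, step and threshold
values are assumptions chosen for illustration.
"""
import math
import random
from collections import Counter
from typing import Dict, List


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sample_entropies(block: bytes, window: int, step: int) -> List[float]:
    """Entropy of each data sample.

    With 0 < step < window every sample shares window - step bytes with the
    preceding and following sample, which is the overlap the claim requires.
    Only full-length windows are scored; a block shorter than one window is
    scored as a single sample.
    """
    if not (0 < step < window):
        raise ValueError("samples overlap only when 0 < step < window")
    if len(block) <= window:
        return [shannon_entropy(block)]
    starts = range(0, len(block) - window + 1, step)
    return [shannon_entropy(block[i:i + window]) for i in starts]


def analyse_block(block: bytes, window: int = 512, step: int = 256,
                  threshold: float = 7.0) -> Dict[str, object]:
    """Run the claimed steps over one block and return the verdict with its evidence."""
    global_h = shannon_entropy(block)                      # global entropy value
    samples = sample_entropies(block, window, step)        # individual sample entropy values
    mean = sum(samples) / len(samples)                     # statistical method: mean ...
    stdev = math.sqrt(sum((s - mean) ** 2 for s in samples) / len(samples))  # ... and stdev
    peak = max(samples)
    return {
        "global_entropy": global_h,
        "sample_count": len(samples),
        "sample_mean": mean,
        "sample_stdev": stdev,
        "max_sample_entropy": peak,
        # recorded as suspicious when either the global or any sample value exceeds the threshold
        "suspicious": global_h > threshold or peak > threshold,
    }


# Constructed sample inputs (not real malware or real file data).
_rng = random.Random(20240101)
PLAIN_TEXT = b"The quick brown fox jumps over the lazy dog. " * 46        # low entropy, ~4.3 bits/byte
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(1024))           # high entropy, ~7.8 bits/byte
MIXED_BLOCK = PLAIN_TEXT + RANDOM_BLOB  # text with an embedded high-entropy region at the end


if __name__ == "__main__":
    for name, block in (("plain text", PLAIN_TEXT),
                        ("random blob", RANDOM_BLOB),
                        ("text + random tail", MIXED_BLOCK)):
        r = analyse_block(block)
        print(f"{name:20s} global={r['global_entropy']:.2f} "
              f"mean={r['sample_mean']:.2f} sd={r['sample_stdev']:.2f} "
              f"max={r['max_sample_entropy']:.2f} suspicious={r['suspicious']}")
```

The mixed block is the case the per-sample step exists for: the text dilutes the global value below the threshold, but the windows that land inside the random tail still exceed it, so the block is recorded as suspicious. A practitioner should treat the verdict as a triage signal rather than a detection, since legitimate compressed or encrypted content scores just as high and an adversary can pad a payload with low-entropy bytes to pull windows under the threshold.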
Specification