Systems and methods for byte-level context diversity-based automatic malware signature generation
First Claim
1. A computer-implemented method for facilitating automatic malware signature generation, at least a portion of the method being performed by a computing system comprising at least one processor, the method comprising:
- providing a byte sequence marked for possible inclusion within one or more malware signatures;
- determining a context diversity of the byte sequence within malware files each containing the byte sequence in accordance with a diversity-based heuristic, the containing malware files being a subset of a plurality of malware files, the context diversity of the byte sequence identifying differences between the containing malware files such that a higher context diversity level of the byte sequence indicates that the byte sequence has a likelihood of being representative of a sequence found in goodware and a lower context diversity of the byte sequence has a likelihood of being representative of a sequence found in malware;
- preventing the byte sequence from being included within the one or more malware signatures in accordance with the determined context diversity.
2 Assignments
0 Petitions
Abstract
A computer-implemented method for facilitating automatic malware signature generation may comprise providing a byte sequence marked for possible inclusion within one or more malware signatures, determining a context diversity of the byte sequence within malware files each containing the byte sequence in accordance with a diversity-based heuristic, and preventing the byte sequence from being included within the one or more malware signatures in accordance with the determined context diversity. Corresponding systems and computer-readable storage media are also disclosed.
92 Citations
20 Claims
1. A computer-implemented method for facilitating automatic malware signature generation, at least a portion of the method being performed by a computing system comprising at least one processor, the method comprising:
- providing a byte sequence marked for possible inclusion within one or more malware signatures;
- determining a context diversity of the byte sequence within malware files each containing the byte sequence in accordance with a diversity-based heuristic, the containing malware files being a subset of a plurality of malware files, the context diversity of the byte sequence identifying differences between the containing malware files such that a higher context diversity level of the byte sequence indicates that the byte sequence has a likelihood of being representative of a sequence found in goodware and a lower context diversity of the byte sequence has a likelihood of being representative of a sequence found in malware;
- preventing the byte sequence from being included within the one or more malware signatures in accordance with the determined context diversity.

(Dependent claims 2 through 12.)

13. A system for facilitating automatic malware signature generation, the system comprising:
- a byte sequence marking module configured to mark a byte sequence for possible inclusion within one or more malware signatures;
- a context diversity determination module communicatively coupled to a malware signature generation module and configured to determine a context diversity of the byte sequence within malware files each containing the byte sequence in accordance with a diversity-based heuristic, the containing malware files being a subset of a plurality of malware files, the context diversity of the byte sequence identifying differences between the containing malware files such that a higher context diversity level of the byte sequence indicates that the byte sequence has a likelihood of being representative of a sequence found in goodware and a lower context diversity of the byte sequence has a likelihood of being representative of a sequence found in malware;
- a prevention module communicatively coupled to the context diversity determination module and configured to prevent the byte sequence from being included within the one or more malware signatures in accordance with the determined context diversity;
- at least one hardware processor configured to execute the byte sequence marking module, the context diversity determination module, and the prevention module.

(Dependent claims 14 through 18.)

19. A non-transitory computer-readable-storage medium including instructions configured to direct a computing system to:
- provide a byte sequence marked for possible inclusion within one or more malware signatures;
- determine a context diversity of the byte sequence within malware files each containing the byte sequence in accordance with a diversity-based heuristic, the containing malware files being a subset of a plurality of malware files, the context diversity of the byte sequence identifying differences between the containing malware files such that a higher context diversity level of the byte sequence indicates that the byte sequence has a likelihood of being representative of a sequence found in goodware and a lower context diversity of the byte sequence has a likelihood of being representative of a sequence found in malware;
- prevent the byte sequence from being included within the one or more malware signatures in accordance with the determined context diversity.

(Dependent claim 20.)
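Added illustration of the heuristic that claims 1, 13 and 19 describe; this is not code from the patent or its assignee. The claims fix no particular formula, so the diversity measure (share of occurrences whose surrounding bytes differ), the 4-byte context window, the 0.5 exclusion threshold and the sample files are all assumptions constructed for this example.

```python
from typing import Iterable, List, Tuple

CONTEXT_WIDTH = 4  # assumed: bytes of context kept on each side of the candidate


def contexts_in_file(data: bytes, candidate: bytes, width: int = CONTEXT_WIDTH) -> List[Tuple[bytes, bytes]]:
    """(preceding, following) byte windows for every occurrence of candidate in data."""
    out = []
    pos = data.find(candidate)
    while pos != -1:
        end = pos + len(candidate)
        out.append((data[max(0, pos - width):pos], data[end:end + width]))
        pos = data.find(candidate, pos + 1)
    return out


def context_diversity(candidate: bytes, files: Iterable[bytes], width: int = CONTEXT_WIDTH) -> float:
    """Assumed diversity heuristic: share of occurrences whose surrounding bytes differ.

    0.0 = every containing file wraps the sequence identically (family-specific code);
    1.0 = every occurrence sits in a different context, the pattern of shared runtime or
    library code that goodware is likely to contain too. Fewer than two occurrences give
    0.0, because a single sighting is no evidence of diversity either way.
    """
    seen, total = set(), 0
    for data in files:
        for ctx in contexts_in_file(data, candidate, width):
            seen.add(ctx)
            total += 1
    if total < 2:
        return 0.0
    return (len(seen) - 1) / (total - 1)


def should_exclude(candidate: bytes, files: List[bytes], max_diversity: float = 0.5) -> bool:
    """The prevention step: keep a candidate out of the signature when it is too diverse."""
    return context_diversity(candidate, files) > max_diversity


# Constructed sample corpus (not real malware): a family-specific marker that is always
# wrapped by the same bytes, and a generic x86 function prologue (push ebp; mov ebp,esp;
# sub esp,imm8) that appears in a different context in every file.
FAMILY_SEQ = b"\xde\xad\xbe\xef\xca\xfe"
GENERIC_SEQ = b"\x55\x8b\xec\x83\xec"
SAMPLE_FILES = [
    b"\x00" * 8 + b"\x01\x02\x03\x04" + FAMILY_SEQ + b"\x05\x06\x07\x08" + b"AAAA" + GENERIC_SEQ + b"aaaa",
    b"\xff" * 8 + b"\x01\x02\x03\x04" + FAMILY_SEQ + b"\x05\x06\x07\x08" + b"BBBB" + GENERIC_SEQ + b"bbbb",
    b"\x10" * 8 + b"\x01\x02\x03\x04" + FAMILY_SEQ + b"\x05\x06\x07\x08" + b"CCCC" + GENERIC_SEQ + b"cccc",
]

if __name__ == "__main__":
    for name, seq in (("family", FAMILY_SEQ), ("generic", GENERIC_SEQ)):
        verdict = "exclude" if should_exclude(seq, SAMPLE_FILES) else "keep"
        print(name, round(context_diversity(seq, SAMPLE_FILES), 2), verdict)
```

Running it reports the family marker at diversity 0.0 (kept as signature material) and the generic prologue at 1.0 (excluded), which is the goodware-versus-malware separation the claims rely on.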
Specification