Systems, apparatus, and methods for detecting malware
Abstract
Various embodiments, including a method comprising creating a first fuzzy fingerprint of a known malware file, the first fuzzy fingerprint including a first set of calculated complexity approximations and weightings for each of a plurality of blocks within the known malware file; creating a second fuzzy fingerprint of a file to be checked, the second fuzzy fingerprint including a second set of calculated complexity approximations and weightings for each of a plurality of blocks within the file to be checked; comparing the second fuzzy fingerprint to the first fuzzy fingerprint; calculating a similarity probability for each of the block-wise comparisons, the calculation including respective weightings for each of the plurality of blocks within the known malware file and for each of the plurality of blocks within the file to be checked, and the calculation including a distance between the compared blocks; and calculating an overall similarity probability for the plurality of blocks compared.
21 Claims
1. A method comprising:
creating a first fuzzy fingerprint of a known malware file, the first fuzzy fingerprint including a first set of calculated complexity approximations and weightings for each of a plurality of blocks within the known malware file;
creating a second fuzzy fingerprint of a file to be checked, the second fuzzy fingerprint including a second set of calculated complexity approximations and weightings for each of a plurality of blocks within the file to be checked;
comparing the second fuzzy fingerprint to the first fuzzy fingerprint via a computerized system, the comparing including comparing the calculated complexity approximations from the second fuzzy fingerprint with a plurality of the complexity approximations from the first fuzzy fingerprint using a plurality of block-wise comparisons of the plurality of blocks within the known malware file and the plurality of blocks within the file to be checked; and
calculating a similarity probability for each of the block-wise comparisons, the calculation including a respective weighting for each of the plurality of blocks within the known malware file and for each of the plurality of blocks within the file to be checked, and the calculation including an actual deviation of both blocks' complexity approximation in relation to a maximum possible deviation, times a proximity factor for the comparison between an offset i in a first file x1 and an offset j in a second file x2; and
calculating an overall similarity probability for the plurality of blocks compared, the overall similarity probability therefore comprising a similarity probability between the known malware file and the file to be checked.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. An apparatus comprising:
a gateway including an anti-malware engine coupled to a generated fuzzy fingerprints database including a plurality of fuzzy fingerprints for known malware files, each fuzzy fingerprint for a known malware file including a first set of calculated complexity approximations and weightings for each of a plurality of blocks within the known malware file;
a fuzzy fingerprint generator coupled to the anti-malware engine, the fuzzy fingerprint generator operable to produce a fuzzy fingerprint including a complexity approximation for each of a plurality of blocks for a file to be checked provided by the anti-malware engine; and
a fingerprint comparator coupled to the anti-malware engine, the fingerprint comparator operable to compare a produced fingerprint from the fuzzy fingerprint generator with any one of the plurality of fuzzy fingerprints from the generated fuzzy fingerprints database by calculating a similarity probability for each of the block-wise comparisons, the calculation including a respective weighting for each of the plurality of blocks within the known malware file and for each of the plurality of blocks within the file to be checked, and the calculation including an actual deviation of both blocks' complexity approximation in relation to a maximum possible deviation, times a proximity factor for the comparison between an offset i in a first file x1 and an offset j in a second file x2, thereby producing a similarity probability between the known malware file and the file to be checked.
Dependent claims: 10, 11, 12, 13, 14.
15. A system comprising:
a plurality of protected devices coupled to a network through a gateway, the gateway comprising a computerized system including an anti-malware engine;
a generated fuzzy fingerprint database coupled to the anti-malware engine, the generated fingerprint database including a plurality of fingerprints for known malware files coupled to the anti-malware engine, the fingerprint for each known malware file comprising a first set of calculated approximations and weightings for each of a plurality of blocks within the known malware file;
a fuzzy fingerprint generator coupled to the anti-malware engine, the fuzzy fingerprint generator operable to produce a fuzzy executable fingerprint including a complexity approximation for each of a plurality of blocks in a file provided by the anti-malware engine; and
a fuzzy fingerprint comparator coupled to the anti-malware engine, the fuzzy fingerprint comparator operable to compare a produced fuzzy executable fingerprint from the fingerprint generator for the file to be checked with any one of a plurality of fingerprints from the generated fingerprint database by calculating a similarity probability for each of the block-wise comparisons, the calculation including a respective weighting for each of the plurality of blocks within the known malware file and for each of the plurality of blocks within the file to be checked, and the calculation including an actual deviation of both blocks' complexity approximation in relation to a maximum possible deviation, times a proximity factor for the comparison between an offset i in a first file x1 and an offset i in a second file x2, thereby producing a similarity probability between the known malware file and the file to be checked.
Dependent claims: 16, 17, 18, 19, 20, 21.
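The block-wise comparison that the three independent claims describe, worked through in Python as an added example (this is not code from the patent or its assignee). The claims leave the complexity approximation, the weighting and the proximity factor open, so three choices are assumed here: block complexity is Shannon entropy scaled to [0, 1], a block's weighting is its share of the file (so a short trailing block counts less), and the proximity factor is one minus the distance between the two blocks' relative positions in their files.

```python
import math
from collections import Counter

BLOCK_SIZE = 256      # assumption: the claims fix no block size
MAX_DEVIATION = 1.0   # complexity is scaled to [0, 1], so 1.0 is the maximum possible deviation

def block_complexity(block):
    """Complexity approximation for one block: Shannon entropy scaled to [0, 1] (assumption)."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values()) / 8.0

def fuzzy_fingerprint(data, block_size=BLOCK_SIZE):
    """Per-block (complexity, weighting) pairs; the weighting is the block's share of the file (assumption)."""
    blocks = [data[k:k + block_size] for k in range(0, len(data), block_size)]
    return [(block_complexity(b), len(b) / len(data)) for b in blocks]

def proximity_factor(i, j, n1, n2):
    """1.0 when block i of x1 and block j of x2 sit at the same relative position, less as they drift apart."""
    return 1.0 - abs(i / n1 - j / n2)

def block_similarity(c1, c2, i, j, n1, n2):
    """Claimed term: actual deviation relative to the maximum possible deviation, times the proximity factor."""
    return (1.0 - abs(c1 - c2) / MAX_DEVIATION) * proximity_factor(i, j, n1, n2)

def overall_similarity(fp1, fp2):
    """Weighted mean, over the blocks of x1, of each block's best block-wise similarity in x2."""
    n1, n2 = len(fp1), len(fp2)
    if n1 == 0 or n2 == 0:
        return 0.0
    score = total = 0.0
    for i, (c1, w1) in enumerate(fp1):
        best_s, best_w = -1.0, 0.0
        for j, (c2, w2) in enumerate(fp2):
            s = block_similarity(c1, c2, i, j, n1, n2)
            if s > best_s:
                best_s, best_w = s, w1 * w2   # both blocks' weightings enter the pair weight
        score += best_w * best_s
        total += best_w
    return score / total

def constructed_samples():  # constructed byte strings standing in for files (not real malware)
    header = b"MZ" + b"\x00" * 254                 # low-complexity header block
    code = bytes(range(256)) * 2                   # two maximum-entropy "code" blocks
    known = header + code + b"\xcc" * 256          # known file ends with a zero-entropy padding block
    variant = header + code[:200] + b"\x90" * 56 + code[256:] + b"\xcc" * 256   # 56 bytes patched in block 1
    benign = b"\x00" * len(known)                  # unrelated all-zero file of the same size
    return known, variant, benign
```

With these samples the patched variant scores about 0.96 against the known file and the all-zero file about 0.50; the zero-entropy padding block matches any other zero-entropy block, which is why a deployment would fold complexity into the weighting rather than use file share alone.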