Anti-malware device, server, and method of matching malware patterns

US 8,365,288 B2
Filed: 06/21/2011
Issued: 01/29/2013
Est. Priority Date: 06/21/2010
Status: Active Grant

First Claim

Patent Images

1. An anti-malware device comprising:

a computer processor comprising;

a communication unit which receives from a server, at least one hash coefficient and data;

a hash value generating unit which generates hash values for malware patterns and a hash value for target data by using a hash function having the at least one hash coefficient;

a table generating unit which generates a hash matcher table and a sub-matcher table based on the hash values for the malware patterns, the hash matcher table including indices as the hash values for the malware patterns associated with a value indicating that a collision occurs between two or more hash values mapped to a same index, and the sub-matcher table including the index associated with an offset collision pattern that maps the one of the two or more hash values to an alternate index, the sub-matcher table further associating at least one of the index and the alternate index with at least one of (i) a front value of the malware pattern and a middle value of the malware pattern and (ii) the middle value of the malware pattern and a tail value of the malware pattern, for resolving the collision;

a hash matcher unit which matches the hash value of the target data to the updated hash values of the malware patterns using the hash matcher table if the collision does not occur and the sub-matcher table if the collision occurs; and

a matching unit which matches the malware pattern and the target data if the hash matcher unit succeeds in the matching.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An efficient virus detection, malware detection, and packet filtering system in a mobile device by providing optimized hash functions from a server to a mobile device that reduce hash collisions during the virus detection, malware detection, and packet filtering in a system-on-chip configuration.

Citations

12 Claims

1. An anti-malware device comprising:
- a computer processor comprising;
  
  a communication unit which receives from a server, at least one hash coefficient and data;
  
  a hash value generating unit which generates hash values for malware patterns and a hash value for target data by using a hash function having the at least one hash coefficient;
  
  a table generating unit which generates a hash matcher table and a sub-matcher table based on the hash values for the malware patterns, the hash matcher table including indices as the hash values for the malware patterns associated with a value indicating that a collision occurs between two or more hash values mapped to a same index, and the sub-matcher table including the index associated with an offset collision pattern that maps the one of the two or more hash values to an alternate index, the sub-matcher table further associating at least one of the index and the alternate index with at least one of (i) a front value of the malware pattern and a middle value of the malware pattern and (ii) the middle value of the malware pattern and a tail value of the malware pattern, for resolving the collision;
  
  a hash matcher unit which matches the hash value of the target data to the updated hash values of the malware patterns using the hash matcher table if the collision does not occur and the sub-matcher table if the collision occurs; and
  
  a matching unit which matches the malware pattern and the target data if the hash matcher unit succeeds in the matching.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The anti-malware device of claim 1, wherein the communication unit, the hash value generating unit, the hash matcher unit, and the matching unit are disposed in a system-on-chip.
  - 3. The anti-malware device of claim 1, wherein the at least one hash coefficient and/or the hash function are determined based on a minimum hash collision result among hash collision results generated from a plurality of hash functions applied to the malware patterns.
  - 4. The anti-malware device of claim 1, wherein, when the malware patterns are updated to update malware patterns, the at least one hash coefficient and/or the hash function are changed based on a minimum hash collision result through a hash function for the update malware patterns.
  - 5. The anti-malware device of claim 4, wherein the changed at least one hash coefficient and/or the changed hash function are included in the update malware patterns,wherein the hash values for the malware patterns are first hash values and the hash value generating unit generates second hash values by using the changed at least one hash coefficient and/or the changed hash function included in the update malware patterns.
  - 6. The anti-malware device of claim 4, wherein an update malware pattern database (DB) including the update malware patterns comprises a header item in which header information is written and a hash item in which the changed at least one hash coefficient and/or the changed hash function are written.
  - 7. The anti-malware device of claim 1, wherein, when the hash values for the malware patterns to be transmitted to the anti-malware device are obtained, the hash function is determined so that a probability of collisions between the obtained hash values is minimized.
  - 8. The anti-malware device of claim 1, wherein the malware patterns comprise at least one of virus pattern for virus scanning and rule pattern for firewall filtering, and the at least one hash coefficient comprises at least one of a virus hash coefficient for the virus scanning and a rule hash coefficient for the firewall filtering.
  - 9. The anti-malware device of claim 1, wherein the anti-malware device corresponds to one of a system-on-chip (SOC) and a mobile device.
  - 10. The anti-malware device of claim 1, wherein the anti-malware device is a portable handheld device.
  - 11. The anti-malware device of claim 1, wherein the at least one hash coefficient and/or the hash function are received from the server connected to the anti-malware device over a network, with the malware patterns.
  - 12. The anti-malware device of claim 11, wherein the hash values of the malware patterns are first hash values and the hash value generating unit generates second hash values of update malware patterns by using a hash coefficient transmitted with the update malware patterns when the hash value generating unit receives the update malware patterns from the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung SDS (China) Co., Ltd. (Samsung Group)
Original Assignee
Samsung SDS (China) Co., Ltd. (Samsung Group)
Inventors
Yoo, InSeon
Primary Examiner(s)
Popham, Jeffrey D

Application Number

US13/165,429
Publication Number

US 20110314548A1
Time in Patent Office

588 Days
Field of Search

726 22- 25, 713/188
US Class Current

726/24
CPC Class Codes

G06F 21/56 Computer malware detection ...

Anti-malware device, server, and method of matching malware patterns

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Anti-malware device, server, and method of matching malware patterns

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links