Systems and methods for identifying polymorphic malware
First Claim
1. A computer-implemented method for identifying polymorphic malware, the method comprising:
- identifying a sample of a variant within a polymorphic malware strain;
- identifying a set of filters for identifying the polymorphic malware strain;
- determining that the set of filters incorrectly excludes the sample from being identified as within the polymorphic malware strain in response to at least one of:
  - determining that the set of filters excludes the sample from being identified as within the polymorphic malware strain and a proportion of filters within the set of filters identify the sample as within the polymorphic malware strain, and/or
  - examining how close the set of filters is to correctly categorizing the sample;
- modifying the set of filters to not exclude the sample from being identified as within the polymorphic malware strain,
wherein at least a portion of the method is being performed by a computing device comprising at least one processor.
Abstract
A computer-implemented method for identifying polymorphic malware may include identifying a sample of a variant within a polymorphic malware strain. The computer-implemented method may also include identifying a set of filters for identifying the polymorphic malware strain. The computer-implemented method may further include determining that the set of filters incorrectly excludes the sample from being identified as within the polymorphic malware strain. The computer-implemented method may additionally include modifying the set of filters to not exclude the sample from being identified as within the polymorphic malware strain. Various other methods, systems, and computer-readable media are also disclosed.
20 Claims
1. A computer-implemented method for identifying polymorphic malware, the method comprising:
- identifying a sample of a variant within a polymorphic malware strain;
- identifying a set of filters for identifying the polymorphic malware strain;
- determining that the set of filters incorrectly excludes the sample from being identified as within the polymorphic malware strain in response to at least one of:
  - determining that the set of filters excludes the sample from being identified as within the polymorphic malware strain and a proportion of filters within the set of filters identify the sample as within the polymorphic malware strain, and/or
  - examining how close the set of filters is to correctly categorizing the sample;
- modifying the set of filters to not exclude the sample from being identified as within the polymorphic malware strain,
wherein at least a portion of the method is being performed by a computing device comprising at least one processor.
(Dependent claims 2 to 10 depend from claim 1; their text is not shown on this page.)
11. A computer-implemented method for identifying polymorphic malware, the method comprising:
- identifying an executable file subject to a scan for polymorphic malware;
- identifying a set of initial filters to apply to the executable file, wherein the set of initial filters was modified after determining that the set of initial filters incorrectly excluded a sample from being identified as within a polymorphic malware strain in response to at least one of:
  - determining that the set of filters excluded the sample from being identified as within the polymorphic malware strain and a proportion of filters within the set of filters identified the sample as within the polymorphic malware strain, and/or
  - examining how close the set of filters was to correctly categorizing the sample;
- applying the set of initial filters to the executable file;
- performing a security action on the executable file based at least in part on a result of applying the set of initial filters to the executable file,
wherein at least a portion of the method is being performed by a computing device comprising at least one processor.
(Dependent claim 12 depends from claim 11; its text is not shown on this page.)
13. A system for identifying polymorphic malware, the system comprising:
- an identification module programmed to:
  - identify a sample of a variant within a polymorphic malware strain;
  - identify a set of filters for identifying the polymorphic malware strain;
- a determination module programmed to determine that the set of filters incorrectly excludes the sample from being identified as within the polymorphic malware strain in response to at least one of:
  - determining that the set of filters excludes the sample from being identified as within the polymorphic malware strain and a proportion of filters within the set of filters identify the sample as within the polymorphic malware strain, and/or
  - examining how close the set of filters is to correctly categorizing the sample;
- a modification module programmed to modify the set of filters to not exclude the sample from being identified as within the polymorphic malware strain;
- at least one hardware processor configured to execute the identification module, the determination module, and the modification module.
(Dependent claims 14 to 20 depend from claim 13; their text is not shown on this page.)
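Worked example. The three independent claims describe one loop: a filter set identifies a strain, a known variant slips past it, the exclusion is judged wrong because a proportion of the filters still match or the set as a whole is close to matching, and the set is then modified so the variant is no longer excluded; claim 11 scans an executable with the modified set and takes a security action. The Python below is an added illustration written for this page, not code from the patent or its assignee. It assumes filters are byte patterns with wildcards combined by conjunction (all must match), fixes the thresholds at 0.5 for the proportion and 0.9 for closeness, relaxes a failing filter by wildcarding the bytes it disagrees on, and adds a benign regression guard the claims do not call for. All byte strings, filter names and thresholds are constructed for the demo.

```python
WILDCARD = None  # pattern position that matches any byte (like YARA's ??)

class Filter:
    """One filter of the strain's set: a byte pattern, with optional
    wildcards, that must occur at some offset in the sample."""

    def __init__(self, name, pattern):
        self.name = name
        self.pattern = list(pattern)  # ints, or WILDCARD

    def score_at(self, data, off):
        """Fraction of the fixed (non-wildcard) bytes that agree at offset off."""
        fixed = [i for i, b in enumerate(self.pattern) if b is not WILDCARD]
        return sum(data[off + i] == self.pattern[i] for i in fixed) / len(fixed)

    def best_match(self, data):
        """(score, offset) of the best alignment; score 1.0 means the filter matches."""
        best = (0.0, 0)
        for off in range(len(data) - len(self.pattern) + 1):
            best = max(best, (self.score_at(data, off), off), key=lambda t: t[0])
        return best

    def matches(self, data):
        return self.best_match(data)[0] == 1.0

    def relax_to(self, data, off, min_fixed=4):
        """Wildcard the positions that disagree with data at offset off; refuse if
        fewer than min_fixed fixed bytes would remain (it would match almost anything)."""
        new = [b if b is WILDCARD or data[off + i] == b else WILDCARD
               for i, b in enumerate(self.pattern)]
        if sum(b is not WILDCARD for b in new) < min_fixed:
            return False
        self.pattern = new
        return True

def identifies(filters, data):
    """A sample is within the strain only if every filter matches (conjunction)."""
    return all(f.matches(data) for f in filters)

def diagnose(filters, sample):
    """Claim 1's two signals: the proportion of filters that match outright, and
    closeness = mean best-alignment score across the set."""
    scores = [f.best_match(sample)[0] for f in filters]
    return sum(s == 1.0 for s in scores) / len(scores), sum(scores) / len(scores)

def incorrectly_excludes(filters, sample, min_proportion=0.5, min_closeness=0.9):
    """Excluded, yet enough filters match or the set as a whole is close."""
    if identifies(filters, sample):
        return False
    proportion, closeness = diagnose(filters, sample)
    return proportion >= min_proportion or closeness >= min_closeness

def modify_filters(filters, sample, benign=()):
    """Relax every failing filter so the sample is no longer excluded. Roll back if a
    filter cannot be relaxed safely or a benign file would now be identified
    (regression guard; an assumption of this example, the claims do not require it)."""
    saved = [list(f.pattern) for f in filters]
    for f in filters:
        score, off = f.best_match(sample)
        if score < 1.0 and not f.relax_to(sample, off):
            break
    else:
        if identifies(filters, sample) and not any(identifies(filters, b) for b in benign):
            return True
    for f, p in zip(filters, saved):  # undo partial relaxation
        f.pattern = p
    return False

def scan(filters, executable):
    """Claim 11: apply the (possibly modified) set and pick a security action."""
    return "quarantine" if identifies(filters, executable) else "allow"

# Constructed demo bytes, not real malware: a register-zeroing stub, an XOR decode
# loop whose key byte is changed per variant, and a fixed tag string.
DECODER = bytes([0x31, 0xC0, 0x31, 0xDB, 0x31, 0xC9])  # xor eax,eax; xor ebx,ebx; xor ecx,ecx
KEY_LOOP = bytes([0x80, 0x34, 0x0E, 0x5A, 0x41])       # xor byte [esi+ecx],0x5A; inc ecx
TAG = b"MUTEX-QX7"

def strain_filters():
    """Fresh copy of the filter set written against VARIANT_A."""
    return [Filter("decoder", DECODER), Filter("key_loop", KEY_LOOP), Filter("tag", TAG)]

def build_variant(key, last=0x41):
    loop = KEY_LOOP[:3] + bytes([key, last])
    return b"MZ\x90\x00" + DECODER + loop + b"\xEB\xF9" + TAG + b"\x00" * 6

VARIANT_A = build_variant(0x5A)  # the variant the filters were written for
VARIANT_B = build_variant(0x3C)  # same strain, re-keyed: one byte of the loop differs
BENIGN = b"MZ\x90\x00" + DECODER + b"\xC3" + b"hello world" + b"\x00" * 6  # shares only the stub

if __name__ == "__main__":
    fs = strain_filters()
    print("B identified before:", identifies(fs, VARIANT_B), diagnose(fs, VARIANT_B))
    if incorrectly_excludes(fs, VARIANT_B):
        print("modified:", modify_filters(fs, VARIANT_B, benign=[BENIGN]))
    print("scan B:", scan(fs, VARIANT_B), "scan benign:", scan(fs, BENIGN))
```

Run directly, VARIANT_B is first excluded, then diagnosed as a near miss (two of three filters match, closeness 0.93), and after the key-byte position of the decode loop becomes a wildcard it is quarantined while VARIANT_A still is. The guard is the practical caveat: every relaxation widens what the set accepts, so relax_to refuses to leave fewer than four fixed bytes and modify_filters rolls back if the widened set would catch a benign file. A file that merely shares the register-zeroing stub (BENIGN) is not a near miss under either signal and never triggers modification.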