Method and apparatus for detecting malicious software using generic signatures
First Claim
1. A computer implemented method for determining whether a software application is likely malicious, comprising:
- receiving, at a server component, both a specific fingerprint and a generic fingerprint computed at a client component for a software application received at the client component;
- storing, at the server component, a blacklist comprising a plurality of specific fingerprints of software applications known to be malicious;
- storing, at the server component, a data structure comprising a plurality of known generic fingerprints and, for each known generic fingerprint, a set of specific fingerprints associated with the known generic fingerprint;
- determining whether the software application is conclusively malicious by comparing the received specific fingerprint to the blacklist of specific fingerprints;
- in the event the software application is not determined to be conclusively malicious from comparing the received specific fingerprint to the blacklist of specific fingerprints, determining that the software application is conclusively malicious in response to the number of malicious specific fingerprints associated with one of the known generic fingerprints that matches the received generic fingerprint exceeding a predetermined threshold; and
- transmitting to the client component an indication of whether the software application is malicious or benign from processing the received specific fingerprint and the received generic fingerprint.
5 Assignments
0 Petitions
Abstract
Novel methods, components, and systems for automatically detecting malicious software are presented. More specifically, the methods, components, and systems provide for the automated deployment of generic signatures to detect malicious software. Even more specifically, computer implemented methods for determining whether a software application is likely malicious include computing at a client component a generic fingerprint for a software application, transmitting the generic fingerprint data to a server component, receiving at the client component information from the server component relating to the generic fingerprint of the software application, and following a prescribed set of actions based on the information received from the server.
14 Citations
18 Claims
1. A computer implemented method for determining whether a software application is likely malicious, comprising:
- receiving, at a server component, both a specific fingerprint and a generic fingerprint computed at a client component for a software application received at the client component;
- storing, at the server component, a blacklist comprising a plurality of specific fingerprints of software applications known to be malicious;
- storing, at the server component, a data structure comprising a plurality of known generic fingerprints and, for each known generic fingerprint, a set of specific fingerprints associated with the known generic fingerprint;
- determining whether the software application is conclusively malicious by comparing the received specific fingerprint to the blacklist of specific fingerprints;
- in the event the software application is not determined to be conclusively malicious from comparing the received specific fingerprint to the blacklist of specific fingerprints, determining that the software application is conclusively malicious in response to the number of malicious specific fingerprints associated with one of the known generic fingerprints that matches the received generic fingerprint exceeding a predetermined threshold; and
- transmitting to the client component an indication of whether the software application is malicious or benign from processing the received specific fingerprint and the received generic fingerprint.
Dependent claims: 4, 5, 6, 7, 8

2. A non-transitory computer readable storage medium, provided at a server component, encoded with software comprising computer executable instructions and when the software is executed operable to:
- receive both a specific fingerprint and a generic fingerprint computed at a client component for a software application received at the client component;
- store in a memory a blacklist comprising a plurality of specific fingerprints of software applications known to be malicious;
- store in the memory a data structure comprising a plurality of known generic fingerprints and, for each known generic fingerprint, a set of specific fingerprints associated with the known generic fingerprint;
- determine whether the software application is conclusively malicious by comparing the received specific fingerprint to the blacklist of specific fingerprints;
- in the event the software application is not determined to be conclusively malicious from comparing the received specific fingerprint to the blacklist of specific fingerprints, determine that the software application is conclusively malicious in response to the number of malicious specific fingerprints associated with one of the known generic fingerprints that matches the received generic fingerprint exceeding a predetermined threshold; and
- transmit to the client component an indication of whether the software application is malicious or benign from processing the received specific fingerprint and the received generic fingerprint.
Dependent claims: 9, 10, 11, 12, 13

3. An apparatus, comprising:
- a memory configured to store a blacklist comprising a plurality of specific fingerprints of software applications known to be malicious and to store a data structure comprising a plurality of known generic fingerprints and, for each known generic fingerprint, a set of specific fingerprints associated with the known generic fingerprint; and
- a processor configured to:
  - receive both a specific fingerprint and a generic fingerprint computed at a client component for a software application received at the client component;
  - determine whether the software application is conclusively malicious by comparing the received specific fingerprint to the blacklist of specific fingerprints;
  - in the event the software application is not determined to be conclusively malicious from comparing the received specific fingerprint to the blacklist of specific fingerprints, determine that the software application is conclusively malicious in response to the number of malicious specific fingerprints associated with one of the known generic fingerprints that matches the received generic fingerprint exceeding a predetermined threshold; and
  - transmit to the client component an indication of whether the software application is malicious or benign from processing the received specific fingerprint and the received benign fingerprint.
Dependent claims: 14, 15, 16, 17, 18
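The decision procedure shared by the First Claim and by independent claims 1 to 3 (exact blacklist lookup first, then a count of blacklisted specific fingerprints that share the received generic fingerprint, compared against a threshold) as a worked example. This is added illustration code, not code from the patent or its assignee. The claims fix neither fingerprint construction nor the threshold value, so the following are assumptions made here: a toy 2-byte instruction format in which the generic fingerprint hashes only the opcode bytes and masks the operands, SHA-256 for both fingerprints, a threshold of 2 or 3, and the constructed malware "family" and unrelated program used as input.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field


def specific_fingerprint(sample: bytes) -> str:
    """Specific fingerprint: SHA-256 of the whole sample (assumption: the claims
    do not fix a hash function; any collision-resistant hash would do)."""
    return hashlib.sha256(sample).hexdigest()


def generic_fingerprint(sample: bytes) -> str:
    """Generic fingerprint for an assumed toy 2-byte instruction format: byte 0 of
    each pair is an opcode, byte 1 an immediate operand. Only the opcode stream
    is hashed, so variants differing just in operands (a new XOR key, another
    C2 port) collapse onto one value."""
    opcode_stream = sample[0::2]
    return hashlib.sha256(b"opc:" + opcode_stream).hexdigest()


@dataclass
class GenericSignatureServer:
    """Server component: blacklist of specific fingerprints plus an index from
    each generic fingerprint to the specific fingerprints seen with it."""
    threshold: int                      # the claims' "predetermined threshold"
    blacklist: set = field(default_factory=set)
    generic_index: dict = field(default_factory=lambda: defaultdict(set))

    def add_known_malicious(self, sample: bytes) -> None:
        spec, gen = specific_fingerprint(sample), generic_fingerprint(sample)
        self.blacklist.add(spec)
        self.generic_index[gen].add(spec)

    def add_known_benign(self, sample: bytes) -> None:
        # Benign samples populate the index but never count towards the
        # threshold: only blacklisted specifics are "malicious specific
        # fingerprints associated with" a generic fingerprint.
        self.generic_index[generic_fingerprint(sample)].add(specific_fingerprint(sample))

    def classify(self, spec: str, gen: str) -> tuple:
        """Decision procedure of claim 1 over the two client-supplied fingerprints."""
        # Step 1: an exact blacklist match is conclusive on its own.
        if spec in self.blacklist:
            return "malicious", "specific fingerprint is blacklisted"
        # Step 2: count blacklisted specifics sharing this generic fingerprint.
        hits = sum(1 for s in self.generic_index.get(gen, ()) if s in self.blacklist)
        if hits > self.threshold:          # "exceeding": strictly greater
            return "malicious", f"generic fingerprint shared by {hits} blacklisted samples"
        return "benign", "no conclusive match"


def client_check(server: GenericSignatureServer, sample: bytes) -> tuple:
    """Client component: compute both fingerprints locally, send only those."""
    return server.classify(specific_fingerprint(sample), generic_fingerprint(sample))


def build_sample(opcodes: bytes, immediates: bytes) -> bytes:
    """Interleave opcodes and immediates into the toy format (constructed data)."""
    if len(opcodes) != len(immediates):
        raise ValueError("opcode and immediate streams must have equal length")
    return bytes(b for pair in zip(opcodes, immediates) for b in pair)


# Constructed inputs: one family with a shared opcode stream and per-variant
# operands, plus one unrelated program with a different opcode stream.
FAMILY_OPCODES = bytes([0x10, 0x22, 0x31, 0x4F, 0x55, 0x60, 0x7A, 0x80])
VARIANTS = [
    build_sample(FAMILY_OPCODES, bytes([0x01, 0x11, 0x21, 0x31, 0x41, 0x51, 0x61, 0x71])),
    build_sample(FAMILY_OPCODES, bytes([0x02, 0x12, 0x22, 0x32, 0x42, 0x52, 0x62, 0x72])),
    build_sample(FAMILY_OPCODES, bytes([0x03, 0x13, 0x23, 0x33, 0x43, 0x53, 0x63, 0x73])),
    build_sample(FAMILY_OPCODES, bytes([0x04, 0x14, 0x24, 0x34, 0x44, 0x54, 0x64, 0x74])),
]
UNRELATED = build_sample(bytes([0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97]),
                         bytes([0x00] * 8))


def build_server(threshold: int, known_variants: int) -> GenericSignatureServer:
    """Server seeded with the first `known_variants` family members blacklisted."""
    server = GenericSignatureServer(threshold=threshold)
    for sample in VARIANTS[:known_variants]:
        server.add_known_malicious(sample)
    server.add_known_benign(UNRELATED)
    return server


if __name__ == "__main__":
    server = build_server(threshold=2, known_variants=3)
    for name, sample in [("known variant", VARIANTS[0]),
                         ("unseen variant", VARIANTS[3]),
                         ("unrelated", UNRELATED)]:
        print(name, client_check(server, sample))
```

With three blacklisted variants and a threshold of 2, a fourth variant whose specific fingerprint has never been seen is still declared malicious through the generic path; raise the threshold to 3 and the same sample comes back benign, because the claim language requires the count to exceed the threshold, not merely reach it. Two practical caveats follow from the structure of the claims rather than from this toy: the coarser the generic fingerprint, the more benign programs will share it with a family (here, any program with the same opcode sequence), so the threshold trades detection of new variants against false positives; and the server decides only on fingerprints the client computed, so the verdict is no better than the client's honesty and integrity.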
Specification