Principal claim
1. A method of creating a blacklist to detect malicious software, said method comprising:
receiving a plurality of known malicious software applications, each of said applications including a plurality of functions;
extracting said functions from said malicious applications;
comparing said functions to one another by comparing instructions of each of said functions and calculating a similarity value for each of said comparisons, each of said functions being compared with the remaining of said functions;
clustering those of said compared functions that have a similarity value that is less than a threshold value together and determining that said clustered functions are similar to one another;
determining at least one set of said functions that are in common between greater than at least three of said malicious applications, wherein one of said functions in said set is deemed to be present in one of said malicious applications because a similar function is present in said one malicious application, even though said one of said functions is not present in all of said malicious applications;
determining that each of said functions in said set of functions is malicious before performing the step of adding; and
adding an indication of said set of functions to a blacklist database, wherein said set of functions identifies a malicious application.
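The claimed steps as a small Python sketch, added here as an illustration and not taken from the patent or its applicant. Assumptions: functions are already extracted as lists of instruction mnemonics, the "similarity value" is a distance computed with `difflib.SequenceMatcher`, "greater than at least three" is read as more than three applications, and the maliciousness check is a caller-supplied predicate (`vetted` and `KNOWN_BENIGN` are hypothetical stand-ins).

```python
from difflib import SequenceMatcher
from itertools import combinations

def distance(f1, f2):
    # Assumed metric: 0.0 = identical instruction sequences, 1.0 = nothing shared.
    return 1.0 - SequenceMatcher(None, f1, f2, autojunk=False).ratio()

def cluster_functions(apps, threshold):
    # apps: {app: {function_name: [mnemonic, ...]}}; every function is compared with every other.
    funcs = [(a, n, tuple(ins)) for a, fs in apps.items() for n, ins in fs.items()]
    parent = list(range(len(funcs)))
    def find(i):
        while parent[i] != i:
            i = parent[i]
        return i
    for i, j in combinations(range(len(funcs)), 2):
        if distance(funcs[i][2], funcs[j][2]) < threshold:  # below threshold => similar
            parent[find(i)] = find(j)
    clusters = {}
    for i, f in enumerate(funcs):
        clusters.setdefault(find(i), []).append(f)
    return list(clusters.values())

def build_blacklist(apps, is_malicious, threshold=0.25, more_than=3):
    blacklist = []
    for cluster in cluster_functions(apps, threshold):
        present_in = sorted({a for a, _, _ in cluster})
        # An app counts as containing the function if it holds any similar variant.
        if len(present_in) > more_than and is_malicious(cluster):
            blacklist.append({"apps": present_in, "variants": sorted({ins for _, _, ins in cluster})})
    return blacklist

# Constructed sample: four fake "applications" with mnemonic-only function bodies.
DECRYPT = ["push", "mov", "xor", "inc", "cmp", "jne", "pop", "ret"]
COPY = ["mov", "mov", "rep", "movsb", "ret"]            # shared, but a benign helper
KEYLOG = ["call", "mov", "cmp", "je", "call", "jmp"]    # present in only three apps
SAMPLE_APPS = {
    "app_a": {"f1": DECRYPT, "f2": COPY, "f3": KEYLOG, "f4": ["call", "test", "jz", "call", "ret"]},
    "app_b": {"f1": DECRYPT, "f2": COPY, "f3": KEYLOG},
    "app_c": {"f1": DECRYPT[:6] + ["nop"] + DECRYPT[6:], "f2": COPY, "f3": KEYLOG},
    "app_d": {"f1": ["push", "mov", "xor", "add", "cmp", "jne", "pop", "ret"], "f2": COPY},
}
KNOWN_BENIGN = {tuple(COPY)}  # hypothetical stand-in for the claim's maliciousness check
def vetted(cluster):
    return all(ins not in KNOWN_BENIGN for _, _, ins in cluster)

if __name__ == "__main__":
    for entry in build_blacklist(SAMPLE_APPS, vetted):
        print(entry["apps"], len(entry["variants"]), "variants")
```

On the constructed sample only the decryption routine is listed: it appears in all four applications through three near-identical variants, while the copy helper fails vetting and the key-logging routine is found in only three applications.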