Fuzzy whitelisting anti-malware systems and methods

摘要

In some embodiments, an anti-malware system accounts for benign differences between non-malicious data objects, such as differences introduced by compilers and other polymorphisms. A target object is separated into a multitude of code blocks, and a hash is calculated for each code block. The obtained set of target hashes is then compared against a database of hashes corresponding to code blocks extracted from whitelisted objects. A target object may be labeled as whitelisted (trusted, non-malicious) if it has a substantial number of hashes in common with a whitelisted object. Objects which are slightly different from known whitelisted objects may still receive whitelisting status. By allowing a certain degree of mismatch between the sets of hashes of distinct objects, some embodiments of the present invention increase the efficiency of whitelisting without an unacceptable decrease in safety.

主权项

1. A method comprising:
employing at least one hardware processor of a computer system to receive a plurality of target hashes computed for a target data object, each target hash representing a distinct sequence of processor instructions of the target data object; employing at least one hardware processor of the computer system to retrieve a plurality of reference hashes representing a whitelisted data object; and employing at least one hardware processor of the computer system to label the target data object as non-malicious in response to determining that the plurality of target hashes is not identical to the plurality of reference hashes, and in response to determining, according to a count of hashes common to both the plurality of target hashes and the plurality of reference hashes, that the plurality of target hashes and the plurality of reference hashes share a sufficient number of items.