Title
Fuzzy whitelisting anti-malware systems and methods
Abstract
In some embodiments, an anti-malware system accounts for benign differences between non-malicious data objects, such as differences introduced by compilers and other polymorphisms. A target object is separated into a multitude of code blocks, and a hash is calculated for each code block. The obtained set of target hashes is then compared against a database of hashes corresponding to code blocks extracted from whitelisted objects. A target object may be labeled as whitelisted (trusted, non-malicious) if it has a substantial number of hashes in common with a whitelisted object. Objects which are slightly different from known whitelisted objects may still receive whitelisting status. By allowing a certain degree of mismatch between the sets of hashes of distinct objects, some embodiments of the present invention increase the efficiency of whitelisting without an unacceptable decrease in safety.
Publication number
US9479520(B2)
Publication date
2016.10.25
Application number
US201514807076
Filing date
2015.07.23
Applicant
Bitdefender IPR Management Ltd.
Inventors
Topan Vlad I.; Dudea Sorin V.; Canja Viorel D.
Classification (IPC)
G06F21/56; H04L29/06
Main classification
G06F21/56
Agent
Law Office of Andrei D Popovici, PC
Attorney
Law Office of Andrei D Popovici, PC
Main claim
1. A method comprising:
employing at least one hardware processor of a computer system to receive a plurality of target hashes computed for a target data object, each target hash representing a distinct sequence of processor instructions of the target data object;
employing at least one hardware processor of the computer system to retrieve a plurality of reference hashes representing a whitelisted data object; and
employing at least one hardware processor of the computer system to label the target data object as non-malicious in response to determining that the plurality of target hashes is not identical to the plurality of reference hashes, and in response to determining, according to a count of hashes common to both the plurality of target hashes and the plurality of reference hashes, that the plurality of target hashes and the plurality of reference hashes share a sufficient number of items.
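The following Python is an added worked example of the method in claim 1; it is not code from the patent or from Bitdefender. It splits an instruction listing into code blocks, hashes each block, and labels a target "trusted" when its hash set is not identical to a whitelisted object's set but shares a sufficient number of hashes. The pseudo-x86 listings, the block-boundary rule (cut after each control-transfer instruction), the use of SHA-256, and the thresholds `min_common` and `min_ratio` are all assumptions made for the example. The patent's claim uses a count of common hashes; the example additionally requires the common hashes to cover a minimum fraction of the target's own blocks, because a count-only threshold is satisfied by any object that merely embeds enough blocks of a trusted binary (prologue, epilogue, library stubs) alongside its own code.

```python
import hashlib

# Block boundary rule used by this example (an assumption; the patent leaves
# the block-extraction scheme open): a block ends after a control transfer.
CONTROL_TRANSFER = ("jmp", "call", "ret", "je", "jne", "jz", "jnz", "jg", "jl")


def split_into_blocks(instructions):
    """Split a list of instruction strings into tuples of instructions,
    closing a block after every control-transfer mnemonic."""
    blocks, current = [], []
    for insn in instructions:
        current.append(insn)
        if insn.split()[0] in CONTROL_TRANSFER:
            blocks.append(tuple(current))
            current = []
    if current:                      # trailing block without a terminator
        blocks.append(tuple(current))
    return blocks


def block_hashes(instructions):
    """Return the set of SHA-256 hex digests, one per code block. Whitespace
    inside each instruction is normalised so formatting alone cannot change
    a hash; register or operand changes still do."""
    hashes = set()
    for block in split_into_blocks(instructions):
        canon = "\n".join(" ".join(i.split()) for i in block)
        hashes.add(hashlib.sha256(canon.encode()).hexdigest())
    return hashes


def fuzzy_whitelist_match(target_hashes, reference_hashes,
                          min_common=4, min_ratio=0.8):
    """Classify a target against one whitelisted reference.

    Returns (label, common_count):
      "exact"   - hash sets identical (ordinary exact whitelisting)
      "trusted" - sets differ, but at least min_common hashes are shared AND
                  they cover at least min_ratio of the target's blocks
      "unknown" - not enough overlap; fall through to other scanning
    """
    if target_hashes == reference_hashes:
        return "exact", len(target_hashes)
    common = len(target_hashes & reference_hashes)
    ratio = common / len(target_hashes) if target_hashes else 0.0
    if common >= min_common and ratio >= min_ratio:
        return "trusted", common
    return "unknown", common


# Constructed sample: a whitelisted build of a small function (6 blocks).
WHITELISTED = [
    "push ebp", "mov ebp, esp", "sub esp, 0x10", "call init",
    "mov eax, [ebp+8]", "test eax, eax", "jz done",
    "mov ecx, [eax]", "add ecx, 1", "mov [eax], ecx", "call log",
    "mov eax, 1", "jmp exit",
    "xor eax, eax", "ret",
    "mov esp, ebp", "pop ebp", "ret",
]

# Constructed sample: the same source recompiled with a different register
# allocation in one block (ecx -> edx). Exact hashing would reject it.
REBUILT = [
    "push ebp", "mov ebp, esp", "sub esp, 0x10", "call init",
    "mov eax, [ebp+8]", "test eax, eax", "jz done",
    "mov edx, [eax]", "add edx, 1", "mov [eax], edx", "call log",
    "mov eax, 1", "jmp exit",
    "xor eax, eax", "ret",
    "mov esp, ebp", "pop ebp", "ret",
]

# Constructed sample: an object that reuses the trusted prologue, epilogue
# and two other blocks verbatim but replaces the core with its own code.
# It shares 4 of its 6 blocks, so a count-only threshold of 4 would pass it.
SUSPECT = [
    "push ebp", "mov ebp, esp", "sub esp, 0x10", "call init",
    "mov eax, [ebp+8]", "test eax, eax", "jz done",
    "mov eax, [ebp+0xc]", "call drop_payload",
    "push 0", "call exec_shell",
    "xor eax, eax", "ret",
    "mov esp, ebp", "pop ebp", "ret",
]


if __name__ == "__main__":
    ref = block_hashes(WHITELISTED)
    for name, listing in (("whitelisted", WHITELISTED),
                          ("rebuilt", REBUILT), ("suspect", SUSPECT)):
        print(name, fuzzy_whitelist_match(block_hashes(listing), ref))
```

With the thresholds above, `REBUILT` shares 5 of 6 blocks (ratio 0.83) and is labelled "trusted", while `SUSPECT` shares 4 of 6 (ratio 0.67) and stays "unknown" even though it meets `min_common`. In a deployment the reference side would be a database keyed by block hash rather than a single set, and the thresholds would be tuned per object size; short objects with only a handful of blocks should not be fuzzily whitelisted at all.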
Address
Nicosia, CY