Title
Detect encrypted program based on CPU statistics
Abstract
Techniques are presented for detecting malware in an executable. The method includes receiving an executable to evaluate for malware, emulating an execution of the executable up to a first count of instructions, determining a number of cache misses that occur while emulating the executable up to the first count of instructions, comparing the number of cache misses to a threshold, and upon determining the number of cache misses exceeds the threshold, identifying the executable as potentially containing malware.
Publication number
US9607152(B1)
Publication date
2017.03.28
Application number
US201514717939
Application date
2015.05.20
Applicant
SYMANTEC CORPORATION
Inventor
Kane David
Classification
G06F21/00;G06F21/56;G06F11/00;G06F12/14;G06F12/16;G08B23/00
Main classification
G06F21/00
Agency
Patterson + Sheridan, LLP
Attorney
Patterson + Sheridan, LLP
Independent claim
1. A method for detecting malware in an executable, the method comprising:
receiving an executable to evaluate for malware; executing the executable up to a first count of instructions; determining a number of cache misses that occur while executing the executable up to the first count of instructions; comparing the number of cache misses to a threshold, wherein the threshold corresponds to an expected number of cache misses occurring when executing a program containing junk instructions; and upon determining the number of cache misses exceeds the threshold, identifying the executable as potentially containing malware based at least on the number of cache misses.
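As an added illustration of the abstract and claim 1 (this is not code from the patent), the following toy Python model emulates an instruction trace up to a first count of instructions through a direct-mapped cache, counts the misses and compares the count to a threshold. The cache geometry, the two constructed traces and the threshold value of 200 are assumptions, not figures from the patent.

```python
# Added example, not from the patent: toy model of the cache-miss heuristic.
from typing import Iterable, List, Tuple

LINE_SIZE = 64   # bytes per cache line (assumed geometry)
NUM_LINES = 64   # lines in the toy direct-mapped cache (assumed geometry)


class DirectMappedCache:
    """Minimal direct-mapped cache: one tag per line, no associativity."""

    def __init__(self, num_lines: int = NUM_LINES, line_size: int = LINE_SIZE):
        self.num_lines, self.line_size = num_lines, line_size
        self.tags: List[int] = [-1] * num_lines
        self.misses = 0

    def access(self, address: int) -> bool:
        """Touch one byte address; on a miss, fill the line and return True."""
        line_addr = address // self.line_size
        index = line_addr % self.num_lines
        if self.tags[index] == line_addr:
            return False
        self.tags[index] = line_addr
        self.misses += 1
        return True


def count_cache_misses(trace: Iterable[Tuple[int, int]], instruction_limit: int) -> int:
    """Emulate at most `instruction_limit` instructions of a trace of
    (instruction_address, data_address) pairs and return the miss count."""
    cache = DirectMappedCache()
    for executed, (ip, data) in enumerate(trace):
        if executed >= instruction_limit:      # the "first count of instructions"
            break
        cache.access(ip)                       # instruction fetch
        if data is not None:
            cache.access(data)                 # data access, if the instruction has one
    return cache.misses


def flag_executable(trace, instruction_limit: int, threshold: int) -> Tuple[int, bool]:
    """Return (misses, flagged): flagged when misses exceed the junk-code threshold."""
    misses = count_cache_misses(trace, instruction_limit)
    return misses, misses > threshold


def benign_trace(n: int) -> List[Tuple[int, int]]:
    """Constructed trace: a tight loop over a small buffer (strong locality)."""
    return [(0x1000 + (i % 16) * 4, 0x2040 + (i % 32) * 8) for i in range(n)]


def junk_padded_trace(n: int) -> List[Tuple[int, int]]:
    """Constructed trace: straight-line junk code whose data accesses never reuse a line."""
    return [(0x1000 + i * 4, 0x40000 + i * 520) for i in range(n)]
```

With the assumed threshold of 200, the looping trace produces only a handful of misses while the junk-padded trace misses on every data access and is flagged.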
Address
Mountain View CA US