Abstract
Various embodiments include an apparatus comprising a detection database and a descriptor comparator. The detection database holds a tree structure of descriptor parts including one or more root nodes and one or more child nodes linked from one or more parent descriptor-part chains. Each root node represents a descriptor part and is linked to at least one child node, and each root node and each child node is linked to any possible additional child nodes, where the possible additional child nodes include any possible successor child nodes. The descriptor comparator is coupled to the detection database and is operable to receive data including a plurality of logic entities, once or successively, to continuously compare the received logic entities against the tree structure of descriptor parts stored in the detection database, and to provide an output based on the comparison.
Independent claim
1. An apparatus for updating a detection database, comprising:
a detection database stored in a memory and including a tree structure of descriptor parts, the tree structure including one or more root nodes and one or more child nodes linked from one or more parent descriptor-part chains, each of the root nodes representing a descriptor part, each root node linked to at least one of the child nodes, and each root node and each child node linked to any possible additional child nodes,
wherein the possible additional child nodes include any possible successor child nodes, and
wherein each descriptor part corresponds to one or more of process-flow statement logical structures, application programming interface calls, and algorithmic data operations; and
a descriptor comparator including a processor and operatively coupled to the detection database, the descriptor comparator operable to:
receive data including a plurality of logic entities, each consisting of one or more of process-flow statement logical structures, application programming interface calls, and algorithmic data operations, once or successively;
continuously compare each of the plurality of received logic entities to nodes of the tree structure of descriptor parts stored in the detection database;
provide an output based on the comparison, wherein the output includes a probability value indicative of a likelihood that a sequence of logic entities matched by the descriptor comparator with a sequence of nodes of the tree structure of descriptor parts, beginning at a root node of the tree structure, is malicious code;
determine, responsive to the probability value, whether the received data corresponds to malware; and
automatically update the detection database with descriptor parts corresponding to the sequence of logic entities matched by the descriptor comparator, thereby improving the detection of malware in upcoming files.
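The abstract and claim 1 describe the same mechanism: a trie of descriptor parts rooted at one or more root nodes, a comparator that walks incoming logic entities from a root node along child and successor-child links, a probability value for the matched chain, a malware decision taken on that value, and a write-back of the matched chain into the tree. The following worked example is added here to make that mechanism concrete; it is not the patent's own implementation. Assumptions not stated in the claim: descriptor parts are string tokens (API names, control-flow statements such as "loop", data operations such as "xor"); each node keeps counts of labelled malicious and benign chains that passed through it, and the probability value is the Laplace-smoothed malicious fraction at the deepest matched node; the 0.5 decision threshold, the class and function names, and all sample sequences are constructed.

```python
"""Added example of the detection-database tree and descriptor comparator of
claim 1.  Not the patent's implementation; scoring, threshold and sample
sequences are assumptions made for illustration."""

from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple


@dataclass
class Node:
    """One descriptor part.  Root nodes live in DetectionDatabase.roots;
    child and successor-child nodes hang off `children`."""
    part: str
    malicious: int = 0          # labelled-malware chains that traversed this node
    benign: int = 0             # labelled-benign chains that traversed this node
    children: Dict[str, "Node"] = field(default_factory=dict)

    def probability(self) -> float:
        # Assumed scoring: (mal + 1) / (mal + ben + 2).  The claim only requires
        # "a probability value"; it does not fix how it is computed.
        return (self.malicious + 1) / (self.malicious + self.benign + 2)


class DetectionDatabase:
    """Trie of descriptor parts, keyed by the part at each level."""

    def __init__(self) -> None:
        self.roots: Dict[str, Node] = {}

    def add_sequence(self, parts: Iterable[str], malicious: bool) -> None:
        """Insert or reinforce the chain root -> child -> successor child ..."""
        level = self.roots
        for part in parts:
            node = level.setdefault(part, Node(part))
            if malicious:
                node.malicious += 1
            else:
                node.benign += 1
            level = node.children


class DescriptorComparator:
    """Compares logic entities, supplied once or successively, to the tree.
    Every match begins at a root node; several partial chains may be alive at
    once, and the longest one decides the output."""

    def __init__(self, db: DetectionDatabase, threshold: float = 0.5) -> None:
        self.db = db
        self.threshold = threshold                  # assumed decision boundary
        self._cursors: List[Tuple[Node, List[str]]] = []
        self.best: Tuple[List[str], float] = ([], 0.0)

    def feed(self, entity: str) -> None:
        """Advance each live chain by one entity; open a new chain at a root."""
        advanced: List[Tuple[Node, List[str]]] = []
        for node, matched in self._cursors:
            child = node.children.get(entity)
            if child is not None:                   # continues to a successor child
                advanced.append((child, matched + [entity]))
        root = self.db.roots.get(entity)
        if root is not None:                        # a new chain may start here
            advanced.append((root, [entity]))
        self._cursors = advanced                    # chains with no continuation die
        for node, matched in advanced:
            if len(matched) > len(self.best[0]):
                self.best = (matched, node.probability())

    def result(self) -> Tuple[bool, float, List[str]]:
        """(is_malware, probability, matched parts).  On a hit the matched chain
        is written back, so upcoming files score that chain more strongly."""
        matched, prob = self.best
        is_malware = bool(matched) and prob >= self.threshold
        if is_malware:
            self.db.add_sequence(matched, malicious=True)
        return is_malware, prob, matched


def classify(db: DetectionDatabase, entities: Iterable[str]) -> Tuple[bool, float, List[str]]:
    """Feed one extracted sequence of logic entities and return the output."""
    comparator = DescriptorComparator(db)
    for entity in entities:
        comparator.feed(entity)
    return comparator.result()


def build_sample_db() -> DetectionDatabase:
    """Constructed training chains (not from the patent).  The two malicious
    chains share an injection-style prefix; the benign ones share only the root."""
    db = DetectionDatabase()
    db.add_sequence(["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                     "CreateRemoteThread"], malicious=True)
    db.add_sequence(["OpenProcess", "VirtualAllocEx", "loop", "xor",
                     "WriteProcessMemory", "QueueUserAPC"], malicious=True)
    db.add_sequence(["OpenProcess", "GetExitCodeProcess", "CloseHandle"], malicious=False)
    db.add_sequence(["OpenProcess", "GetExitCodeProcess", "CloseHandle"], malicious=False)
    db.add_sequence(["OpenProcess", "ReadProcessMemory", "CloseHandle"], malicious=False)
    return db


if __name__ == "__main__":
    sample_db = build_sample_db()
    # Constructed sequence as it might be extracted from a file under analysis.
    suspect = ["LoadLibraryA", "OpenProcess", "VirtualAllocEx",
               "WriteProcessMemory", "CreateRemoteThread", "CloseHandle"]
    print(classify(sample_db, suspect))
    print(classify(sample_db, ["OpenProcess", "GetExitCodeProcess", "CloseHandle"]))
```

Two points a practitioner would check before deploying something shaped like this. First, the probability is taken at the deepest matched node, so a short chain that happens to be malware-only in the training data (here `OpenProcess -> VirtualAllocEx`) already scores above the threshold; a minimum match depth or a per-depth threshold is the usual guard. Second, the claim's automatic write-back is self-reinforcing: a false positive is reinforced exactly like a true one, so in practice the update is gated on a confidence margin or on analyst confirmation rather than applied on every hit.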