Title: Statistical fingerprinting for malware detection and classification
Abstract: A system detects malware in a computing architecture with an unknown pedigree. The system includes a first computing device having a known pedigree and operating free of malware. The first computing device executes a series of instrumented functions that, when executed, provide a statistical baseline representative of the time a known software application takes to run on a computing device of known pedigree. A second computing device, of unknown pedigree, executes the same series of instrumented functions, which provide an actual time representative of the time the known software application takes to run on the second computing device. The system detects malware when the actual time on the second computing device differs from the statistical baseline established on the first.
Publication number: US9135440(B2) Publication date: 2015.09.15
Application number: US201313955784 Filing date: 2013.07.31
Applicant: UT-Battelle, LLC Inventors: Prowell Stacy J.; Rathgeb Christopher T.
Classification: G06F21/56 Main classification: G06F21/56
Attorney firm: Brinks Gilson & Lione Agent: Brinks Gilson & Lione
Claim 1: A system that determines if malware exists in a computing architecture with an unknown pedigree comprising: a first computing device having a known pedigree and operating free of malware, the first computing device operating a known software application that comprises a series of instrumented functions that, when executed, provide a statistical baseline time that is representative of the time it takes the software application to run on a computing device having a known pedigree and operating free of malware; and a second computing device having an unknown pedigree and with the potential of operating with malware, the second computing device operating the known software application that further comprises a series of instrumented functions that, when executed, provides an actual time that is representative of the time the known software application runs on the second computing device having an unknown pedigree and operating with the potential of operating with malware; where the instrumented functions are injected into the known software application through a code injection that facilitates accessing a plurality of subroutines that is shared by a plurality of software applications; and where the difference in times between the statistical baseline time and the actual time identifies a malware status of the second machine.
Address: Oak Ridge TN US
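The abstract and claim 1 describe the mechanism in three steps: instrument a set of shared subroutines so each call reports its duration, build a per-function statistical baseline on a clean reference device, then compare a suspect device's timings against that baseline and flag it when they diverge. The following Python is an added illustration written for this page, not the patent holders' implementation. The decorator stands in for the patent's code injection into shared subroutines, the z-score threshold `k` and all function names are assumptions, and the `CLEAN` and `SUSPECT` timing lists are constructed values chosen so that one function on the suspect device runs about 40% slower, as an interposed hook would make it.

```python
# Added example: timing-fingerprint malware detection in the spirit of the
# patent abstract above. Illustrative code written for this page, not the
# patent's implementation; names, thresholds and timings are assumptions.
import functools
import statistics
import time
from typing import Callable, Dict, List, Tuple

Baseline = Dict[str, Tuple[float, float]]   # function name -> (mean, stdev) in seconds

_samples: Dict[str, List[float]] = {}       # function name -> recorded durations


def instrument(fn: Callable) -> Callable:
    """Record the wall-clock duration of every call to fn under its name.

    Stands in for the patent's injection of instrumented functions into the
    subroutines shared by many applications; here it is a plain decorator.
    """
    @functools.wraps(fn)
    def wrapper(*args, **kwargs):
        start = time.perf_counter()
        try:
            return fn(*args, **kwargs)
        finally:
            _samples.setdefault(fn.__name__, []).append(time.perf_counter() - start)
    return wrapper


def collect_samples() -> Dict[str, List[float]]:
    """Return a copy of the timings gathered so far and clear the registry."""
    out = {name: list(durations) for name, durations in _samples.items()}
    _samples.clear()
    return out


def baseline_from_samples(samples: Dict[str, List[float]]) -> Baseline:
    """Per-function (mean, sample stdev) from the clean, known-pedigree device.

    A function seen fewer than two times has no measurable spread and is skipped,
    since a single sample cannot anchor a statistical baseline.
    """
    return {name: (statistics.mean(v), statistics.stdev(v))
            for name, v in samples.items() if len(v) >= 2}


def score_run(baseline: Baseline, observed: Dict[str, List[float]]) -> Dict[str, float]:
    """z-score of the suspect device's mean time per function against the baseline.

    Only functions present in both sets are scored. A zero-spread baseline is
    floored so that a constant-time function that drifts is still flagged
    rather than producing a division by zero.
    """
    scores: Dict[str, float] = {}
    for name, (mu, sigma) in baseline.items():
        if not observed.get(name):
            continue
        sigma = max(sigma, 1e-12)
        scores[name] = (statistics.mean(observed[name]) - mu) / sigma
    return scores


def classify(baseline: Baseline, observed: Dict[str, List[float]],
             k: float = 4.0) -> Tuple[bool, List[str]]:
    """Flag the device when any instrumented function is more than k stdevs off.

    Both directions count: slower suggests hooking or interposition, faster
    suggests a subroutine was stubbed out or short-circuited. k is an assumed
    threshold; a deployment would tune it against measured baseline noise.
    """
    scores = score_run(baseline, observed)
    flagged = sorted(name for name, z in scores.items() if abs(z) > k)
    return bool(flagged), flagged


@instrument
def checksum(data: bytes) -> int:
    """A stand-in for a shared subroutine worth instrumenting."""
    return sum(data) & 0xFFFF


def demo_instrumentation(n: int = 5) -> Dict[str, List[float]]:
    """Call the instrumented subroutine n times and return the recorded timings."""
    for _ in range(n):
        checksum(b"x" * 4096)
    return collect_samples()


# Constructed timings in seconds (not measurements). On the clean device both
# functions are stable; on the suspect device hash_block is ~40% slower while
# parse_header is unchanged, so only hash_block should be flagged.
CLEAN = {
    "hash_block":   [1.00e-3, 1.02e-3, 0.99e-3, 1.01e-3, 1.00e-3, 0.98e-3],
    "parse_header": [2.0e-4, 2.1e-4, 1.9e-4, 2.0e-4, 2.2e-4, 2.0e-4],
}
SUSPECT = {
    "hash_block":   [1.41e-3, 1.39e-3, 1.40e-3, 1.42e-3],
    "parse_header": [2.0e-4, 2.1e-4, 2.0e-4, 1.9e-4],
}

if __name__ == "__main__":
    base = baseline_from_samples(CLEAN)
    print("scores:", score_run(base, SUSPECT))
    print("suspect device:", classify(base, SUSPECT))
    print("clean device re-run:", classify(base, CLEAN))
    print("live samples:", demo_instrumentation())
```

The practitioner caveat the patent's "statistical baseline" wording implies is that the baseline must capture the reference device's own noise (CPU frequency scaling, cache state, scheduler jitter), or an honest but differently loaded machine will trip the threshold; the z-score in `score_run` divides by that measured spread for exactly that reason, and the baseline should come from the same hardware class and build as the device under test.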