Title of invention System and method for detecting malicious executable files based on similarity of their resources
Abstract Disclosed are systems, methods and computer program products for detection of malicious executable files based on the similarity of various types of extractable resources of the executable files. In one aspect, the system determines a type of an executable file being analyzed and determines types of extractable resources of the executable file based on the type of the executable file. The system then extracts the identified extractable resources of the executable file and compares the extracted resources to known resources of malicious executable files. The system then determines a degree of similarity between the compared resources. The system then determines whether the executable file is malicious based on a degree of similarity of the one or more compared resources.
Publication number US9043915(B2) Publication date 2015.05.26
Application number US201314072391 Filing date 2013.11.05
Applicant Kaspersky Lab ZAO Inventor Tatarinov Ivan I.
Classification G06F12/14;G06F21/56 Main classification G06F12/14
Attorney firm Arent Fox LLP Attorneys Arent Fox LLP; Fainberg Michael
Independent claim 1. A method for detection of malicious executable files, the method comprising: determining a type of an executable file; determining types of extractable resources of the executable file based on the type of the executable file; extracting the identified extractable resources of the executable file; comparing the extracted resources of the executable file to a plurality of known resources of malicious executable files, each resource being defined with a plurality of attributes and each attribute being associated with a parameter; determining a degree of similarity between the one or more resources of the executable file and the plurality of known resources of malicious executable files based at least on parameters of the plurality of attributes of resources; and determining whether the executable file is malicious based on the determined degree of similarity of the one or more compared resources, wherein different thresholds of the degrees of similarity are used in determining the maliciousness of different types of resources.
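The claim's pipeline (file type, then type-specific resources, then attribute-by-attribute similarity against known malicious resources, then a per-resource-type threshold), as an added illustration that is not the patent's or Kaspersky's own code; the type-to-resource mapping, the thresholds, the "known malicious" resources and the sample file are all constructed for this example.

```python
"""Per-resource-type similarity check, constructed after the claim above."""
from typing import Dict, List, Tuple

# Hypothetical mapping from executable type to the resource types worth extracting.
RESOURCE_TYPES = {"PE": ["icon", "version_info"], "ELF": ["section_names"]}

# Hypothetical per-type thresholds: icons must match almost exactly,
# version-info strings are allowed more slack.
THRESHOLDS = {"icon": 0.9, "version_info": 0.75, "section_names": 0.7}

# Constructed "known malicious" resources; each resource is a dict of
# attribute -> parameter, matching the claim's attribute/parameter model.
KNOWN_MALICIOUS: Dict[str, List[dict]] = {
    "version_info": [{"CompanyName": "Example Corp", "ProductName": "Updater",
                      "FileVersion": "1.0.0.1", "InternalName": "upd"}],
    "icon": [{"width": 32, "height": 32, "bpp": 32, "pixel_hash": "constructed-hash-A"}],
}

def detect_type(header: bytes) -> str:
    """Determine the executable type from its magic bytes."""
    if header.startswith(b"MZ"):
        return "PE"
    if header.startswith(b"\x7fELF"):
        return "ELF"
    return "unknown"

def similarity(a: dict, b: dict) -> float:
    """Fraction of attributes (union of both resources) whose parameters agree."""
    keys = set(a) | set(b)
    return sum(a.get(k) == b.get(k) for k in keys) / len(keys) if keys else 0.0

def classify(header: bytes, resources: Dict[str, dict]) -> Tuple[str, Dict[str, Tuple[float, bool]], bool]:
    """Return (file type, per-resource-type (best score, hit), overall verdict)."""
    ftype = detect_type(header)
    verdicts: Dict[str, Tuple[float, bool]] = {}
    for rtype in RESOURCE_TYPES.get(ftype, []):  # only resource types valid for this file type
        if rtype not in resources:
            continue
        best = max((similarity(resources[rtype], k) for k in KNOWN_MALICIOUS.get(rtype, [])), default=0.0)
        verdicts[rtype] = (best, best >= THRESHOLDS[rtype])  # threshold depends on resource type
    return ftype, verdicts, any(hit for _, hit in verdicts.values())

# Constructed sample: a PE whose version info mirrors a known sample except InternalName,
# and whose icon shares geometry but not pixel content. Both score 0.75, but only the
# version-info comparison crosses its type's threshold.
SAMPLE_HEADER = b"MZ\x90\x00"
SAMPLE_RESOURCES = {
    "version_info": {"CompanyName": "Example Corp", "ProductName": "Updater",
                     "FileVersion": "1.0.0.1", "InternalName": "svc"},
    "icon": {"width": 32, "height": 32, "bpp": 32, "pixel_hash": "constructed-hash-B"},
}

if __name__ == "__main__":
    print(classify(SAMPLE_HEADER, SAMPLE_RESOURCES))
```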
Address Moscow RU