Title of invention: FUZZY HASH OF BEHAVIORAL RESULTS
Abstract: A computerized method is described in which a received object is analyzed by a malicious content detection (MCD) system to determine whether the object is malware or non-malware. The analysis may include generating a fuzzy hash from the collection of behaviors observed for the received object. The MCD system may use the fuzzy hash to determine the similarity of the received object to one or more objects in previously classified/analyzed clusters. Upon detection of a “similar” object, the suspect object may be associated with the cluster and classified based on information attached to the cluster. This similarity matching provides 1) greater flexibility in analyzing potential malware objects, which may share multiple characteristics and behaviors with previously classified objects while differing slightly from them, and 2) a more efficient technique for classifying objects and assigning attributes to them.
Publication number: US2015096023 (A1)  Publication date: 2015.04.02
Application number: US201314042454  Filing date: 2013.09.30
Applicant: FireEye, Inc.  Inventors: Mesdaq, Ali; Westin, Paul L., III
Classification: H04L29/06  Main classification: H04L29/06
Agency:  Agent:
Main claim: 1. A computerized method for classifying objects in a malware system, comprising: receiving, by a malicious content detection (MCD) system, an object to be classified; detecting behaviors of the received object, wherein the behaviors are detected after processing the received object; generating a fuzzy hash for the received object based on the detected behaviors; comparing the fuzzy hash for the received object with a fuzzy hash of an object in a preexisting cluster to generate a similarity measure; associating the received object with the preexisting cluster in response to determining that the similarity measure is above a predefined threshold value; and reporting, via a communications interface, results of the association to a client device.
Address: Milpitas, CA, US
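As an added illustration of the method in the abstract and claim 1 (not code from the patent or from FireEye), the following Python builds a fixed-length fuzzy hash over the behaviors observed for an object, scores it against the fuzzy hash of a previously classified cluster, and associates the object with that cluster when the similarity measure exceeds a predefined threshold. The hash construction (a MinHash signature over seeded blake2b hashes), the threshold of 0.5, the behavior strings and the cluster label are all assumptions or constructed samples, chosen so that a variant differing in one behavior still matches while an unrelated object does not.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

SIGNATURE_LEN = 128  # hash functions per signature (assumption, not from the patent)
THRESHOLD = 0.5      # claim 1's "predefined threshold value"; the number is an assumption

def _seeded_hash(seed: int, token: str) -> int:
    """64-bit hash of one behavior token under hash function number `seed`."""
    d = hashlib.blake2b(token.encode(), digest_size=8, key=seed.to_bytes(2, "big"))
    return int.from_bytes(d.digest(), "big")

def fuzzy_hash(behaviors: List[str]) -> Tuple[int, ...]:
    """Fixed-length MinHash signature over the set of observed behaviors.
    Each component keeps the smallest seeded hash over all tokens, so two sets
    with Jaccard similarity J agree on a component with probability J."""
    tokens = set(behaviors)          # order and repetition of behaviors do not matter
    if not tokens:
        raise ValueError("no behaviors were observed for this object")
    return tuple(min(_seeded_hash(s, t) for t in tokens) for s in range(SIGNATURE_LEN))

def similarity(a: Tuple[int, ...], b: Tuple[int, ...]) -> float:
    """Similarity measure: fraction of matching components (estimated Jaccard)."""
    return sum(x == y for x, y in zip(a, b)) / SIGNATURE_LEN

def classify(behaviors: List[str], clusters: Dict[str, Tuple[int, ...]],
             threshold: float = THRESHOLD) -> Optional[str]:
    """Associate the object with the most similar preexisting cluster whose
    similarity exceeds the threshold; None means no cluster matched."""
    sig = fuzzy_hash(behaviors)
    best: Tuple[Optional[str], float] = (None, threshold)
    for label, cluster_sig in clusters.items():
        score = similarity(sig, cluster_sig)
        if score > best[1]:
            best = (label, score)
    return best[0]

# Constructed sample data: behaviors recorded for a previously classified object.
KNOWN_DROPPER = [
    "file_write:%APPDATA%\\*.exe", "process_create:%APPDATA%\\*.exe",
    "registry_set:HKCU\\...\\CurrentVersion\\Run", "network_connect:tcp/443",
    "dns_query:<c2-domain-placeholder>", "file_delete:<self>",
    "mutex_create:<family-mutex>", "api_call:IsDebuggerPresent",
]
CLUSTERS = {"cluster-A (malware, constructed)": fuzzy_hash(KNOWN_DROPPER)}
# Variant swapping one behavior: 7 of 9 distinct behaviors shared (Jaccard about 0.78).
VARIANT = KNOWN_DROPPER[:-1] + ["api_call:CheckRemoteDebuggerPresent"]
# Unrelated installer sharing only two generic behaviors (Jaccard about 0.18).
UNRELATED = ["file_write:%APPDATA%\\*.exe", "network_connect:tcp/443",
             "file_write:%PROGRAMFILES%\\*.dll", "shortcut_create:<desktop>",
             "registry_set:HKLM\\Software\\<vendor>"]
```

Calling `classify(VARIANT, CLUSTERS)` returns the cluster label while `classify(UNRELATED, CLUSTERS)` returns None; a real MCD system would then report the association to the client as the claim describes.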