| 摘要 |
<p>PROBLEM TO BE SOLVED: To effectively and accurately eliminate self-changing malware that alters a data structure of a file by performing encryption and obfuscation whenever creating an own copy.SOLUTION: A fuzzy hash value (hereinafter, FH value) of a file determined as malware is found with a server device, by using a fuzzy hash algorithm for generating a coincident or similar value to data with a similar structure, and is distributed to a client device. Then, files with the same FH value are enumerated in the client device, a white list DB storing the Exact hash value of a regular file is referred, a decision is made that the file is self-changing malware when the received file is not present in the DB, and the file is eliminated from the client device. When the received file is present in the DB, a decision is made that collision is generated between the malware and the FH value of the regular file, and a threshold value of the FH algorithm is improved.</p> |
