| 发明名称 | Clustering processing method and device for virus files | ||
| 摘要 | A method and device for clustering virus files is provided. The method involves statically analyzing binary data of virus files to be clustered, so as to obtain PE structure data of the virus files. Further, based on a comparison of the PE structure data, those virus files with PE structure data meeting a specific similarity may be categorized into the same category. The device may include a first data analyzing module configured to extract PE structure data of virus files to be clustered by static analysis of binary data of the virus files. A first clustering module of the device may compare the PE structure data and cluster the virus files having the PE structure data meeting a specific similarity into the same category. The solution may improve efficiency of clustering computer virus files, reduce resource consumption, and avoid the risk of virus infection caused by dynamically running the virus files. | ||
| 申请公布号 | US8881286(B2) | 申请公布日期 | 2014.11.04 |
| 申请号 | US201214125042 | 申请日期 | 2012.07.03 |
| 申请人 | Tencent Technology (Shenzhen) Company Limited | 发明人 | Yu Tao |
| 分类号 | G06F21/56 | 主分类号 | G06F21/56 |
| 代理机构 | Brinks Gilson & Lione | 代理人 | Brinks Gilson & Lione |
| 主权项 | 1. A method for cluster classifying virus files, comprising: A: statically analyzing, with a processor, binary data of each virus files among virus files which need to be classified, so as to obtain portable executable structure data of the each virus file; B: classifying, with the processor, the virus files which need to be classified into categories by comparing the portable executable structure data of the virus files which need to be classified, and classifying virus files with the portable executable structure data meeting a specified similarity condition into a particular category; and C: performing, with the processor, a secondary cluster classification on categorized virus files in each of the categories classified in step B, wherein for the categorized virus files in the particular category classified in the step B, the secondary cluster classification comprises: C1: statically analyzing binary data of each of the categorized virus files to obtain section data of each categorized virus file;C2: performing block-division on the section data of the each categorized virus file to obtain section data blocks of the each categorized virus file, the block-division performed with a same block division mode, and calculating a hash value of each section data block; andC3: comparing the hash values of the section data blocks of the categorized virus files, and further classifying the categorized virus files with the hash values of the section data blocks meeting a specified hash similarity into a secondary category. | ||
| 地址 | Shenzhen, Guangdong CN | ||