Title of invention: Methods and apparatus for evaluating and extracting signatures of computer viruses and other undesirable software entities
Abstract: A method, and apparatus for accomplishing the method, to extract and/or evaluate a signature of a computer virus or other undesirable software entity. The method includes a first step of inputting to a digital data processor at least one portion of an undesirable software entity, the at least one portion including a sequence of bytes of the undesirable software entity that is likely to remain substantially invariant from one instance of that entity to another instance, and it is from this portion or portions that candidate computer virus signatures are drawn. A second step constructs a list of unique n-grams from the sequence of bytes, each of the unique n-grams being comprised of from one to a specified maximum number of sequential bytes of the sequence of bytes. A third step estimates, for each of the unique n-grams, a probability of an occurrence of a unique n-gram within sequences of bytes obtained from a corpus of computer programs that are typically executed upon the digital data processor. For each candidate signature that is comprised of one or more of the unique n-grams, a fourth step estimates a probability of an occurrence of the candidate virus signature within the sequences of bytes obtained from the corpus. A fifth step accepts the candidate signature as a valid signature if the estimated probability of the occurrence of the candidate virus signature is less than a threshold probability. The threshold probabilities have values selected to reduce the possibility of an occurrence of a false positive indication during the subsequent use of the valid virus signature by a virus scanner.
Publication number: US5452442(A) Publication date: 1995.09.19
Application number: US19950424584 Filing date: 1995.04.14
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION Inventor: KEPHART, JEFFREY O.
Classification: G06F11/00;G06F1/00;G06F21/00;G06F21/22;(IPC1-7):G06F11/00 Main classification: G06F11/00
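The five steps in the abstract can be sketched as follows; this is an added example, not code from the patent or from IBM. The function names, `N_MAX`, the add-one smoothing, the chain-rule combination in step 4 and the sample bytes are all assumptions, since the abstract does not say how n-gram estimates are combined or how unseen n-grams are treated.

```python
import math

N_MAX = 3  # maximum n-gram length; constructed value for this example

def unique_ngrams(seq: bytes, n_max: int = N_MAX) -> set:
    """Step 2: every distinct n-gram of 1..n_max bytes in the invariant bytes."""
    return {seq[i:i + n] for n in range(1, n_max + 1)
            for i in range(len(seq) - n + 1)}

def ngram_logprobs(grams: set, corpus: list) -> dict:
    """Step 3: log-probability estimate for each n-gram over the benign corpus."""
    counts = dict.fromkeys(grams, 0)
    for prog in corpus:
        for n in {len(g) for g in grams}:
            for i in range(len(prog) - n + 1):
                if prog[i:i + n] in counts:
                    counts[prog[i:i + n]] += 1
    total = sum(len(p) for p in corpus)
    lp = {}
    for g in sorted(counts, key=len):  # shorter n-grams first
        # Assumption: add-one smoothing over 256 byte values, so an n-gram
        # never seen in the corpus still gets a small non-zero estimate.
        if len(g) == 1:
            lp[g] = math.log((counts[g] + 1) / (total + 256))
        else:
            lp[g] = lp[g[:-1]] + math.log((counts[g] + 1) / (counts[g[:-1]] + 256))
    return lp

def signature_logprob(sig: bytes, lp: dict, n_max: int = N_MAX) -> float:
    """Step 4 (assumed chain rule): P(first n-gram) * prod P(n-gram) / P(its prefix)."""
    total = lp[sig[:n_max]]
    for i in range(n_max, len(sig)):
        gram = sig[i - n_max + 1:i + 1]
        total += lp[gram] - lp[gram[:-1]]
    return total

def select_signatures(invariant: bytes, corpus: list, sig_len: int, threshold: float):
    """Step 5: (log-probability, candidate) pairs below the threshold, rarest first."""
    lp = ngram_logprobs(unique_ngrams(invariant), corpus)
    cands = {invariant[i:i + sig_len] for i in range(len(invariant) - sig_len + 1)}
    scored = sorted((signature_logprob(c, lp), c) for c in cands)
    return [(s, c) for s, c in scored if s < math.log(threshold)]

# Constructed sample data: two benign "programs" and one invariant region (step 1).
CORPUS = [b"\x55\x8b\xec\x83\xec\x10" + b"\x00" * 40 + b"\xc9\xc3",
          b"\x00" * 30 + b"\x55\x8b\xec\x5d\xc3" + b"\x90" * 10]
INVARIANT = b"\x00" * 8 + b"\xde\xad\xbe\xef\xfa\xce\x13\x37"

if __name__ == "__main__":
    for score, cand in select_signatures(INVARIANT, CORPUS, 8, 1e-10):
        print(f"{cand.hex()}  log P = {score:.2f}")
```

Candidates dominated by zero padding, which is common in the benign corpus, score above the threshold and are rejected; that is the false-positive control the abstract describes.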