Proactive exploit detection
    1.
    Granted invention patent
    Proactive exploit detection (in force)

    Publication (announcement) number: US08402541B2

    Publication (announcement) date: 2013-03-19

    Application number: US12402861

    Filing date: 2009-03-12

    IPC classification: G06F21/00

    CPC classification: G06F21/563

    Abstract: Malware detection systems and methods for determining whether a collection of data not expected to include executable code is suspected of containing malicious executable code. In some embodiments, a malware detection system may disassemble a collection of data to obtain a sequence of possible instructions and determine whether the collection of data is suspected of containing malicious executable code based, at least partially, on an analysis of the sequence of possible instructions. In one embodiment, the analysis of the sequence of possible instructions may comprise determining whether the sequence of possible instructions comprises an execution loop. In a further embodiment, a control flow of the sequence of possible instructions may be analyzed. In a further embodiment, the analysis of the sequence of possible instructions may comprise assigning a weight that is indicative of a level of suspiciousness of the sequence of possible instructions. In a further embodiment, the sequence of possible instructions may begin with a possible instruction that comprises at least one candidate operation code (opcode) that has been determined to occur frequently in executable code.

    REORDERING DOCUMENT CONTENT TO AVOID EXPLOITS
    2.
    Invention patent application
    REORDERING DOCUMENT CONTENT TO AVOID EXPLOITS (in force)

    Publication (announcement) number: US20100175133A1

    Publication (announcement) date: 2010-07-08

    Application number: US12349506

    Filing date: 2009-01-06

    IPC classification: G06F17/30 G06F21/00

    CPC classification: G06F21/568

    Abstract: Structured document files, such as those utilized by standard productivity applications or for portable documents, can have malicious computer executable instructions embedded within them. Modifications to such files can prevent the execution of such malware. Modifications can operate at a file sector level, such as either fragmenting or defragmenting the file, or they can operate at a file record level, such as removing records, adding records, or rearranging the order of records. Other modifications include writing random data into records deemed likely to have malware, removing unaccounted-for space, or removing records that are not known to be good and are inordinately large. A scan of the structured document file can identify relevant information and inform the selection of the modifications to be applied.

    Reordering document content to avoid exploits
    3.
    Granted invention patent
    Reordering document content to avoid exploits (in force)

    Publication (announcement) number: US08281398B2

    Publication (announcement) date: 2012-10-02

    Application number: US12349506

    Filing date: 2009-01-06

    CPC classification: G06F21/568

    Abstract: Structured document files, such as those utilized by standard productivity applications or for portable documents, can have malicious computer executable instructions embedded within them. Modifications to such files can prevent the execution of such malware. Modifications can operate at a file sector level, such as either fragmenting or defragmenting the file, or they can operate at a file record level, such as removing records, adding records, or rearranging the order of records. Other modifications include writing random data into records deemed likely to have malware, removing unaccounted-for space, or removing records that are not known to be good and are inordinately large. A scan of the structured document file can identify relevant information and inform the selection of the modifications to be applied.

    Proactive Exploit Detection
    4.
    Invention patent application
    Proactive Exploit Detection (in force)

    Publication (announcement) number: US20100235913A1

    Publication (announcement) date: 2010-09-16

    Application number: US12402861

    Filing date: 2009-03-12

    IPC classification: G06F21/00

    CPC classification: G06F21/563

    Abstract: Malware detection systems and methods for determining whether a collection of data not expected to include executable code is suspected of containing malicious executable code. In some embodiments, a malware detection system may disassemble a collection of data to obtain a sequence of possible instructions and determine whether the collection of data is suspected of containing malicious executable code based, at least partially, on an analysis of the sequence of possible instructions. In one embodiment, the analysis of the sequence of possible instructions may comprise determining whether the sequence of possible instructions comprises an execution loop. In a further embodiment, a control flow of the sequence of possible instructions may be analyzed. In a further embodiment, the analysis of the sequence of possible instructions may comprise assigning a weight that is indicative of a level of suspiciousness of the sequence of possible instructions. In a further embodiment, the sequence of possible instructions may begin with a possible instruction that comprises at least one candidate operation code (opcode) that has been determined to occur frequently in executable code.