-
Publication number: US08402541B2
Publication date: 2013-03-19
Application number: US12402861
Filing date: 2009-03-12
Applicants: Cristian Craioveanu, Ying Lin, Peter Ferrie, Bruce Dang
Inventors: Cristian Craioveanu, Ying Lin, Peter Ferrie, Bruce Dang
IPC classification: G06F21/00
CPC classification: G06F21/563
Abstract: Malware detection systems and methods for determining whether a collection of data not expected to include executable code is suspected of containing malicious executable code. In some embodiments, a malware detection system may disassemble a collection of data to obtain a sequence of possible instructions and determine whether the collection of data is suspected of containing malicious executable code based, at least partially, on an analysis of the sequence of possible instructions. In one embodiment, the analysis of the sequence of possible instructions may comprise determining whether the sequence of possible instructions comprises an execution loop. In a further embodiment, a control flow of the sequence of possible instructions may be analyzed. In a further embodiment, the analysis of the sequence of possible instructions may comprise assigning a weight that is indicative of a level of suspiciousness of the sequence of possible instructions. In a further embodiment, the sequence of possible instructions may begin with a possible instruction that comprises at least one candidate operation code (opcode) that has been determined to occur frequently in executable code.
-
Publication number: US20100235913A1
Publication date: 2010-09-16
Application number: US12402861
Filing date: 2009-03-12
Applicants: Cristian Craioveanu, Ying Lin, Peter Ferrie, Bruce Dang
Inventors: Cristian Craioveanu, Ying Lin, Peter Ferrie, Bruce Dang
IPC classification: G06F21/00
CPC classification: G06F21/563
Abstract: Malware detection systems and methods for determining whether a collection of data not expected to include executable code is suspected of containing malicious executable code. In some embodiments, a malware detection system may disassemble a collection of data to obtain a sequence of possible instructions and determine whether the collection of data is suspected of containing malicious executable code based, at least partially, on an analysis of the sequence of possible instructions. In one embodiment, the analysis of the sequence of possible instructions may comprise determining whether the sequence of possible instructions comprises an execution loop. In a further embodiment, a control flow of the sequence of possible instructions may be analyzed. In a further embodiment, the analysis of the sequence of possible instructions may comprise assigning a weight that is indicative of a level of suspiciousness of the sequence of possible instructions. In a further embodiment, the sequence of possible instructions may begin with a possible instruction that comprises at least one candidate operation code (opcode) that has been determined to occur frequently in executable code.
-