Apparatus and methods for in-the-cloud identification of spam and/or malware
    1.
    Granted invention patent
    Apparatus and methods for in-the-cloud identification of spam and/or malware (in force)

Publication number: US08925087B1

    Publication date: 2014-12-30

    Application number: US12487959

    Filing date: 2009-06-19

    Abstract: One embodiment relates to an apparatus for in-the-cloud identification of spam and/or malware. The apparatus includes computer-readable code configured to be executed by the processor so as to receive queries, the queries including hash values embedded therein. The apparatus further includes computer-readable code configured to be executed by the processor so as to detect a group of hash codes which are similar and to identify the group as corresponding to an undesirable network outbreak. Another embodiment relates to an apparatus for in-the-cloud detection of spam and/or malware. The apparatus includes computer-readable code configured to be executed by the processor so as to receive an electronic message, calculate a locality-sensitive hash based on the message, embed the locality-sensitive hash into a query, and send the query to a central analysis system via a network interface. Other embodiments, aspects and features are also disclosed.
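The two-sided design the abstract describes (client computes a locality-sensitive hash and ships only that in a query; a central analysis system groups similar hashes and flags a group that grows quickly as an outbreak), as an added example that is not the patent's or its assignee's code. The choice of simhash over word 3-gram shingles with SHA-256 as the LSH, the 64-bit width, the Hamming radius of 3, the outbreak threshold of 3, the dropping of numeric tokens during normalization, and every message, client id and function name below are assumptions; the abstract names no particular LSH or thresholds.

```python
"""Added example, not the patent's code: client-side LSH of a message embedded in a
query, server-side grouping of queries by Hamming distance, outbreak = large group.
All messages and client ids are constructed."""
import hashlib
import re
from dataclasses import dataclass, field

HASH_BITS = 64
RADIUS = 3        # assumed: max Hamming distance for two hashes to count as "similar"
THRESHOLD = 3     # assumed: group size at which a group is reported as an outbreak


def normalize(text: str) -> list:
    """Lower-case word tokens; purely numeric tokens are dropped because a spam run
    typically varies only amounts, prices and tracking ids between copies."""
    return [w for w in re.findall(r"\w+", text.lower()) if not w.isdigit()]


def simhash(text: str, k: int = 3) -> int:
    """Locality-sensitive hash: each word k-gram votes on every bit; the sign wins."""
    words = normalize(text)
    shingles = [" ".join(words[i:i + k]) for i in range(max(1, len(words) - k + 1))]
    votes = [0] * HASH_BITS
    for sh in shingles:
        h = int.from_bytes(hashlib.sha256(sh.encode()).digest()[:8], "big")
        for b in range(HASH_BITS):
            votes[b] += 1 if (h >> b) & 1 else -1
    return sum(1 << b for b in range(HASH_BITS) if votes[b] > 0)


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def build_query(client_id: str, message: str) -> dict:
    """Client side: only the hash leaves the client, never the message body."""
    return {"client": client_id, "lsh": f"{simhash(message):016x}"}


@dataclass
class Group:
    representative: int            # hash of the first query seen in this group
    queries: list = field(default_factory=list)


class CentralAnalysis:
    """Server side: receives queries, clusters similar hashes, reports outbreaks."""

    def __init__(self):
        self.groups = []

    def receive(self, query: dict) -> None:
        h = int(query["lsh"], 16)
        for g in self.groups:
            if hamming(g.representative, h) <= RADIUS:
                g.queries.append(query)
                return
        self.groups.append(Group(h, [query]))

    def outbreaks(self) -> list:
        """Groups large enough to be treated as an undesirable network outbreak."""
        return [g for g in self.groups if len(g.queries) >= THRESHOLD]


MESSAGES = [  # constructed: one spam run with varied amounts/ids, plus two legitimate mails
    ("mta-1", "CONGRATULATIONS!!! You have WON a $1000 gift card. Claim at http://prize.example/claim?id=48213"),
    ("mta-2", "Congratulations! You have won a $500 gift card. Claim at http://prize.example/claim?id=77119"),
    ("mta-3", "congratulations, you have won a $250 gift-card... claim at http://prize.example/claim?id=30555"),
    ("mta-1", "Hi team, the design review moved to Thursday at 3pm, same room."),
    ("mta-2", "Your invoice for March is attached; let me know if anything looks off."),
]


def demo() -> CentralAnalysis:
    central = CentralAnalysis()
    for client, msg in MESSAGES:
        central.receive(build_query(client, msg))
    return central
```

Running `demo()` yields three groups: the three spam copies collapse into one group of size 3 (an outbreak at the assumed threshold) while each legitimate mail sits alone. The normalization step is doing most of the work here; a real deployment would tune the radius against the mutation rate of actual campaigns rather than rely on copies normalizing identically.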

Zero day malware scanner
    2.
    Granted invention patent
    Zero day malware scanner (in force)

Publication number: US08375450B1

    Publication date: 2013-02-12

    Application number: US12573300

    Filing date: 2009-10-05

    CPC classification number: H04L63/1416 G06F21/564 G06F21/565 G06F21/567

    Abstract: A training model for malware detection is developed using common substrings extracted from known malware samples. The probability of each substring occurring within a malware family is determined and a decision tree is constructed using the substrings. An enterprise server receives indications from client machines that a particular file is suspected of being malware. The suspect file is retrieved and the decision tree is walked using the suspect file. A leaf node is reached that identifies a particular common substring, a byte offset within the suspect file at which it is likely that the common substring begins, and a probability distribution that the common substring appears in a number of malware families. A hash value of the common substring is compared (exact or approximate) against the corresponding substring in the suspect file. If positive, a result is returned to the enterprise server indicating the probability that the suspect file is a member of a particular malware family.
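The training and scanning pipeline the abstract describes, as an added example that is not the patent's or its assignee's code: common substrings are extracted from known samples, the probability of each substring within each family is estimated, an information-gain decision tree is built over substring presence, a suspect file walks the tree to a leaf that names a substring, a likely byte offset and a family probability distribution, and the hash of that substring is compared against the bytes at that offset (exact) or within a window around it (approximate). The 6-byte substring length, the 8-byte window, SHA-256 as the hash, the ID3-style splitting rule, the family names "Alpha" and "Beta", the byte markers, the filler generator and all sample and suspect files are constructed assumptions; the abstract specifies none of them.

```python
"""Added example, not the patent's code: a toy version of the abstract's pipeline.
Family names, byte markers, filler and suspect files are constructed test data."""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass
from typing import Optional

NGRAM = 6    # assumed common-substring length
WINDOW = 8   # assumed offset tolerance for the approximate comparison

def _filler(seed, n):
    """Deterministic padding; the seeds used below share no 6-gram with each other."""
    return bytes((seed * 31 + i * 17) % 256 for i in range(n))

ALPHA_MARK = b"\x55\x8b\xec\x83\xec\x40ALPHA"   # constructed family marker
BETA_MARK = b"BETA\xe8\x00\x00\x00\x00\x5d"     # constructed family marker
TRAINING = {                                     # constructed known malware samples
    "Alpha": [_filler(1, 20) + ALPHA_MARK + _filler(2, 12),
              _filler(3, 24) + ALPHA_MARK + _filler(4, 8),
              _filler(5, 20) + ALPHA_MARK],
    "Beta": [_filler(6, 16) + BETA_MARK + _filler(7, 20),
             _filler(8, 16) + BETA_MARK + _filler(9, 4)],
}

def grams(data):
    return {data[i:i + NGRAM] for i in range(len(data) - NGRAM + 1)}

def common_substrings(training):
    """Substrings in every sample of some family, minus those in every sample of every family."""
    per_family = [set.intersection(*map(grams, ss)) for ss in training.values()]
    return sorted(set.union(*per_family) - set.intersection(*per_family))

def substring_probabilities(training, s):
    """P(s occurs | family), estimated from the known samples."""
    return {fam: sum(s in d for d in ss) / len(ss) for fam, ss in training.items()}

@dataclass
class Node:
    substring: Optional[bytes]        # internal node: split test; leaf: substring to verify
    offset: int = 0                   # leaf: likely start of the substring in a suspect file
    dist: Optional[dict] = None       # leaf: family -> probability
    present: Optional["Node"] = None
    absent: Optional["Node"] = None

def _entropy(rows):
    counts = Counter(fam for fam, _ in rows)
    return -sum(c / len(rows) * math.log2(c / len(rows)) for c in counts.values())

def _best_split(rows, candidates):
    """Candidate substring with the highest information gain, or None if nothing splits."""
    base, best, best_gain = _entropy(rows), None, 0.0
    for s in candidates:
        yes = [r for r in rows if s in r[1]]
        no = [r for r in rows if s not in r[1]]
        if yes and no:
            gain = base - (len(yes) * _entropy(yes) + len(no) * _entropy(no)) / len(rows)
            if gain > best_gain:
                best, best_gain = s, gain
    return best

def build_tree(training, rows=None, candidates=None):
    """ID3-style decision tree over substring presence; leaves carry the verification data."""
    all_candidates = common_substrings(training)
    rows = rows if rows is not None else [(f, d) for f, ds in training.items() for d in ds]
    candidates = all_candidates if candidates is None else candidates
    split = _best_split(rows, candidates) if len({f for f, _ in rows}) > 1 else None
    if split is None:                                      # leaf
        s = max(all_candidates, key=lambda c: sum(c in d for _, d in rows))
        hits = Counter(d.find(s) for _, d in rows if s in d)   # where it usually starts
        if not hits:
            return Node(None)
        return Node(s, hits.most_common(1)[0][0], substring_probabilities(training, s))
    rest = [c for c in candidates if c != split]
    return Node(split,
                present=build_tree(training, [r for r in rows if split in r[1]], rest),
                absent=build_tree(training, [r for r in rows if split not in r[1]], rest))

def scan(tree, suspect):
    """Walk the tree with the suspect file, then confirm the leaf by comparing the hash of
    its substring with the hash of the bytes at the leaf offset (exact) or nearby."""
    node = tree
    while node.present is not None:
        node = node.present if node.substring in suspect else node.absent
    if node.substring is None:
        return None
    want, n = hashlib.sha256(node.substring).digest(), len(node.substring)
    if hashlib.sha256(suspect[node.offset:node.offset + n]).digest() == want:
        return {"match": "exact", "families": node.dist}
    for off in range(max(0, node.offset - WINDOW), node.offset + WINDOW + 1):
        if hashlib.sha256(suspect[off:off + n]).digest() == want:
            return {"match": "approximate", "families": node.dist}
    return None

def demo():
    """Enterprise-side check of three files a client flagged as suspect (constructed)."""
    tree = build_tree(TRAINING)
    suspects = [_filler(11, 20) + ALPHA_MARK + _filler(12, 6),   # Alpha at the usual offset
                _filler(13, 19) + BETA_MARK,                     # Beta, marker shifted 3 bytes
                _filler(14, 40)]                                 # benign
    return [scan(tree, s) for s in suspects]
```

`demo()` returns an exact Alpha match, an approximate Beta match (the marker sits three bytes later than in the training samples, inside the window) and `None` for the benign file, whose tree walk ends at the Beta leaf but fails the hash comparison. That final hash check is what keeps the tree's coarse presence tests from producing a family verdict on their own.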