Patent · US Active

Zero day malware scanner

US8375450B1 · kind B1 · utility

Cited by: 85
References: 0
Claims: 32
Family size: 0

Assignee

Inventors

Key dates

Filing date: Oct 5, 2009
Grant date: Feb 12, 2013
Priority date
Expiry date: May 24, 2031

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F21/567
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

A training model for malware detection is developed using common substrings extracted from known malware samples. The probability of each substring occurring within a malware family is determined and a decision tree is constructed using the substrings. An enterprise server receives indications from client machines that a particular file is suspected of being malware. The suspect file is retrieved and the decision tree is walked using the suspect file. A leaf node is reached that identifies a particular common substring, a byte offset within the suspect file at which it is likely that the common substring begins, and a probability distribution that the common substring appears in a number of malware families. A hash value of the common substring is compared (exact or approximate) against the corresponding substring in the suspect file. If positive, a result is returned to the enterprise server indicating the probability that the suspect file is a member of a particular malware family.
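
Worked example. The Python below is an illustration added to this page; it is not the patent's implementation and not code from the assignee. It follows the abstract end to end on a constructed corpus: common 8-byte substrings are mined from labelled samples, each gets a likely start offset and a per-family probability distribution, a decision tree of byte-at-offset tests is built over them, a suspect file walks the tree to a leaf, and the leaf's substring is confirmed by hashing the bytes at that offset, either exactly or approximately. Everything not in the abstract is an assumption: the family names and sample bytes, the use of fixed-length n-grams, the tree layout (each edge tests one byte at one offset), the distribution (each family's occurrence rate, normalised across families) and the chunked SHA-256 comparison that stands in for a fuzzy hash. The client/server exchange is left out.

```python
"""Toy end-to-end version of the scheme in the abstract. Added illustration for this
page, not the patent's implementation: the corpus, the byte-at-offset tree, the
normalised family rates and the chunked "approximate" hash are all assumptions."""
import hashlib
from collections import Counter, defaultdict

SUBSTR_LEN = 8           # length of the substrings mined from the samples
PREFIX_TESTS = 2         # leading bytes of a substring the tree checks before hashing
MIN_SUPPORT = 0.5        # share of a family's samples a substring must occur in
CHUNK = 2                # piece size for the approximate (chunked) hash
APPROX_THRESHOLD = 0.75  # share of chunk hashes that must agree
HDR = b"MZ\x90\x00"

# Constructed corpus: family -> samples. Fillers are unique per sample, so the only
# recurring 8-grams are each family's marker at offset 8 and a C2 string at offset 24.
TRAINING = {
    "bunny": [
        HDR + b"\x01\x02\x03\x04" + b"BUNNYRAT" + b"\x11" * 8 + b"SHAREDC2" + b"\xa1\xa2\xa3\xa4",
        HDR + b"\x05\x06\x07\x08" + b"BUNNYRAT" + b"\x22" * 8 + b"SHAREDC2" + b"\xb1\xb2\xb3\xb4",
        HDR + b"\x09\x0a\x0b\x0c" + b"BUNNYRAT" + b"\x33" * 8 + b"\x34" * 12,
    ],
    "viper": [
        HDR + b"\x0d\x0e\x0f\x10" + b"VIPERKIT" + b"\x44" * 8 + b"SHAREDC2" + b"\xc1\xc2\xc3\xc4",
        HDR + b"\x13\x14\x15\x16" + b"VIPERKIT" + b"\x55" * 8 + b"\x56" * 12,
        HDR + b"\x17\x18\x19\x1a" + b"VIPERKIT" + b"\x66" * 8 + b"\x67" * 12,
    ],
}

def sha(data):
    return hashlib.sha256(data).digest()

def mine_substrings(training):
    """Map each n-gram reaching MIN_SUPPORT in some family to (likely offset, {family: P})."""
    rate = defaultdict(dict)        # gram -> family -> share of samples containing it
    offsets = defaultdict(Counter)  # gram -> first-occurrence offsets seen
    for family, samples in training.items():
        seen = Counter()
        for sample in samples:
            for g in {sample[i:i + SUBSTR_LEN] for i in range(len(sample) - SUBSTR_LEN + 1)}:
                seen[g] += 1
                offsets[g][sample.find(g)] += 1
        for g, n in seen.items():
            rate[g][family] = n / len(samples)
    common = {}
    for g, rates in rate.items():
        if max(rates.values()) >= MIN_SUPPORT:  # normalise per-family rates into a distribution
            dist = {f: rates.get(f, 0.0) / sum(rates.values()) for f in training}
            common[g] = (offsets[g].most_common(1)[0][0], dist)
    return common

class Node:  # decision-tree node; each edge is the test "byte at offset == value"
    def __init__(self):
        self.children = {}  # (offset, byte value) -> Node
        self.leaves = []    # leaf records once a substring's prefix tests are exhausted

def build_tree(common):
    root = Node()
    for s in sorted(common):
        offset, dist = common[s]
        node = root
        for i in range(PREFIX_TESTS):
            node = node.children.setdefault((offset + i, s[i]), Node())
        node.leaves.append({"substring": s, "offset": offset, "families": dist, "digest": sha(s),
                            "chunks": [sha(s[i:i + CHUNK]) for i in range(0, len(s), CHUNK)]})
    return root

def walk(root, data):
    """Follow the first edge whose byte test the suspect file satisfies, until a leaf."""
    node = root
    while node is not None and not node.leaves:
        node = next((child for (off, value), child in node.children.items()
                     if off < len(data) and data[off] == value), None)
    return node.leaves if node else []

def verdict(leaf, kind):
    return {"substring": leaf["substring"], "offset": leaf["offset"],
            "match": kind, "families": leaf["families"]}

def classify(root, data, approximate=False):
    """Walk the tree, confirm the leaf's substring by hash, return the verdict or None."""
    for leaf in walk(root, data):
        window = data[leaf["offset"]:leaf["offset"] + len(leaf["substring"])]
        if sha(window) == leaf["digest"]:
            return verdict(leaf, "exact")
        if approximate:  # chunked-hash stand-in for a fuzzy hash: most pieces must agree
            pieces = [sha(window[i:i + CHUNK]) for i in range(0, len(window), CHUNK)]
            hits = sum(a == b for a, b in zip(leaf["chunks"], pieces))
            if hits / len(leaf["chunks"]) >= APPROX_THRESHOLD:
                return verdict(leaf, "approximate")
    return None

COMMON = mine_substrings(TRAINING)
TREE = build_tree(COMMON)
# Constructed suspects: a bunny file, one with only the shared C2 string, a patched bunny marker, benign.
SUSPECT_BUNNY = HDR + b"\x71\x72\x73\x74" + b"BUNNYRAT" + b"\x77" * 8 + b"\x78" * 12
SUSPECT_SHARED = HDR + b"\x81\x82\x83\x84" + b"UNKNOWN!" + b"\x88" * 8 + b"SHAREDC2" + b"\x89" * 4
SUSPECT_PATCHED = HDR + b"\x91\x92\x93\x94" + b"BUNNYRAX" + b"\x97" * 8 + b"\x98" * 12
BENIGN = HDR + b"\x00" * 32
```

Calling classify(TREE, SUSPECT_SHARED) reaches the SHAREDC2 leaf and returns a distribution of two thirds bunny, one third viper, because two of three bunny samples and one of three viper samples carry that string; the patched file fails the exact hash and is only caught with approximate=True, where three of the four chunk hashes still agree. Two caveats carry over to the real scheme: a single walk stops at the first leaf, so a file carrying both a family marker and the shared string reports only the marker, and the chunked hash here is far weaker than a proper fuzzy hash, which is what "approximate" comparison would mean in practice.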

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.