Obfuscated malware detection
US8499352B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Filing date | Apr 5, 2012 |
| Grant date | Jul 30, 2013 |
| Priority date | — |
| Expiry date | Apr 5, 2032 |
Classification
- Technology area (CPC G)Physics
- CPC primaryG06F21/577
- WIPO fieldComputer technology
- WIPO sectorElectrical engineering
Abstract
Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for detecting obfuscated malware. In one aspect, a method includes identifying call instructions in a binary executable; executing the call instruction; executing instructions subsequent to a target of the call instruction; determining that an address identified by a stack pointer is different from the return address; in response to the determination that the address is different, determining if there is a non-obfuscation signal; if there is a non-obfuscation signal, identifying the call instruction as a non-obfuscated call instruction; if there is not a non-obfuscation signal, identifying the call instruction as a possibly obfuscated call instruction; determining whether the call instructions identified as possibly obfuscated call instructions exceeds a threshold; in response to the determination that the call instructions identified as possibly obfuscated call instructions exceeds the threshold, identifying the executable as an obfuscated executable.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.