-
Publication No.: US20170091451A1
Publication date: 2017-03-30
Application No.: US15275179
Filing date: 2016-09-23
Applicant: Avast Software s.r.o.
Inventor: Peter Kovác
IPC: G06F21/56
CPC classification number: G06F21/562, G06F21/564, G06F2221/034, H04L63/145
Abstract: Systems and methods automatically determine rules for detecting malware. A fingerprint representing a file is received. A set of nearest neighbor fingerprints from at least a set of malware fingerprints that are nearest neighbors are determined. The set of malware fingerprints are analyzed to determine a representative fingerprint. A malicious file detection rule is generated based, at least in part, on the representative fingerprint.
-
Publication No.: US11550910B2
Publication date: 2023-01-10
Application No.: US16588704
Filing date: 2019-09-30
Applicant: Avast Software s.r.o.
Inventor: Peter Kovác
Abstract: Systems and methods use negative feedback to create generic rules for a high dimensional sparse feature space. A system receives a set of fingerprints, where a fingerprint can be a set of features of a file. The fingerprints can be clustered according to similarity. For each cluster, a proto-rule is created that has a condition for each feature. The proto-rule is simplified using negative feedback to create a well-formed rule having a comparatively small subset of the conditions in the proto-rule that are useful in determining malware. The well-formed rule can be added to a set of rules used in a malware detection system.
-
Publication No.: US20210097179A1
Publication date: 2021-04-01
Application No.: US16588704
Filing date: 2019-09-30
Applicant: Avast Software s.r.o.
Inventor: Peter Kovác
Abstract: Systems and methods use negative feedback to create generic rules for a high dimensional sparse feature space. A system receives a set of fingerprints, where a fingerprint can be a set of features of a file. The fingerprints can be clustered according to similarity. For each cluster, a proto-rule is created that has a condition for each feature. The proto-rule is simplified using negative feedback to create a well-formed rule having a comparatively small subset of the conditions in the proto-rule that are useful in determining malware. The well-formed rule can be added to a set of rules used in a malware detection system.
-
Publication No.: US20180293330A1
Publication date: 2018-10-11
Application No.: US15941668
Filing date: 2018-03-30
Applicant: Avast Software s.r.o.
Inventor: Peter Kovác
Abstract: Analyzing a large number of files to identify malicious software including evaluating a multigraph including determining a graph having a plurality of nodes, including a source node and target nodes from a data set and merging the graph into a multigraph in response to a node score above a threshold level, for each target node; determining one or more specificity indexes for target node and determining a node score for the target node based, at least in part, on a specificity index
-
Publication No.: US20230283632A1
Publication date: 2023-09-07
Application No.: US17653379
Filing date: 2022-03-03
Applicant: Avast Software s.r.o.
Inventor: David Jursa, Jirí Sembera, Peter Kovác, Tomás Trnka, Elnaz Babayeva
IPC: H04L9/40, G06F16/955
CPC classification number: H04L63/1483, G06F16/9566
Abstract: Malicious redirects in a redirect chain as a result of loading a web address are detected and blocked. A suspicion score is determined for a subject redirection domain based at least in part on the subject redirection domain's web address, and a rate of occurrence of the subject redirection domain in redirect chains leading to a malicious landing domain is calculated. Loading the subject redirection domain is blocked if the suspicion score exceeds a suspicion threshold or the rate of occurrence of the subject redirection domain exceeds a rate of occurrence threshold.
-
Publication No.: US11436331B2
Publication date: 2022-09-06
Application No.: US16745230
Filing date: 2020-01-16
Applicant: Avast Software s.r.o.
Inventor: Peter Kovác, Jan Piskácek
Abstract: A method of generating a similarity hash for an executable includes extracting a plurality of characteristics for one or more classes in the executable, and transforming the plurality of characteristics into a set of one or more class fingerprint strings corresponding to the one or more classes. The set of class fingerprint strings is transformed into a hash string using minwise hashing, such that a difference between hash strings for different executables is representative of the degree of difference between the executables. The hash of a target executable is compared with hashes of known malicious executables to determine whether the target executable is likely malicious.
-
Publication No.: US20210224390A1
Publication date: 2021-07-22
Application No.: US16745230
Filing date: 2020-01-16
Applicant: Avast Software s.r.o.
Inventor: Peter Kovác, Jan Piskácek
IPC: G06F21/56
Abstract: A method of generating a similarity hash for an executable includes extracting a plurality of characteristics for one or more classes in the executable, and transforming the plurality of characteristics into a set of one or more class fingerprint strings corresponding to the one or more classes. The set of class fingerprint strings is transformed into a hash string using minwise hashing, such that a difference between hash strings for different executables is representative of the degree of difference between the executables. The hash of a target executable is compared with hashes of known malicious executables to determine whether the target executable is likely malicious.