Abstract: Detecting malware includes monitoring an event stream for an executable program, where the event stream includes a plurality of events such as API call events. A first plurality of hash values is determined for the event stream. In response to an occurrence of a trigger event in the event stream, the first plurality of hash values for the event stream can be compared with a second plurality of hash values that represents an event stream for a known malware executable. A determination can be made if a behavior represented by the first plurality of hash values is a permitted behavior based on the comparison.

Abstract: Systems and methods are described which integrate file properties that in conventional systems has been considered weaker evidence of malware and analyzes the information to produce reliable results. Properties such as file paths, file names, source domains, IP protocol ASNs, section checksums, digital signatures that are not always present and not always reliable can be integrated into the classification process using a graph. A 1-neighborhood of object values in the graph may be created and analyzed to suggest a malware family label based on files having similar properties.

Abstract: A similarity fingerprint for a data object such as a file can be automatically determined using one or more anchor values. The one or more anchor values can be provided or determined. For each anchor value, a set of distances between each instance of the anchor value in the data object is determined. The set of distances for the instance of the anchor value is aggregated into a single value. The single value is added as a component of the similarity fingerprint. Thus, if there are N anchor values, there can be N components of the similarity fingerprint. The similarity fingerprints of different data objects can be compared and the results of the comparison can be used to determine how similar the data objects are.

Abstract: Systems and methods analyze input files to automatically determine malware signatures. A set of input files known to contain a particular type of malware can be provided to a file analyzer. The file analyzer can analyze the file using a sliding window to create vectors from values that are provided by multiple filters that process each window. The vectors created for a file define a response matrix. The response matrices for a set of input files can be analyzed by a classifier to determine useful vector components that can define a signature for the malware.