CPC G06F 21/568 (2013.01) [G06F 9/545 (2013.01); G06F 11/00 (2013.01); G06F 21/552 (2013.01); G06F 21/554 (2013.01); G06F 21/566 (2013.01)] | 20 Claims |
1. A computer-implemented method for generating a representation for behavior similarity comparison, the method comprising:
generating, by a computer system, a program-level stateful model of one or more entities in a computer operating system, the program-level stateful model comprising:
a data structure representing a state of a program, wherein the data structure comprises:
a network of one or more interconnected objects representing the one or more entities,
wherein the one or more interconnected objects are derived from a sequence of operations performed in a live environment; and
one or more object groups, wherein the one or more object groups are formed by dividing the one or more interconnected objects according to a predefined grouping rule set;
generating, by the computer system, an updated representation of the program based on the program-level stateful model;
searching, by the computer system, for at least one other representation of another program-level stateful model similar to the updated representation of the program; and
comparing, by the computer system, the updated representation of the program to the at least one other representation of another program-level stateful model, wherein the computer system comprises a processor and memory.
|