Classifying software modules based on comparisons using a neighborhood distance metric

摘要

A method comprises obtaining at least a first software module not classified as benign or potentially malicious, extracting a set of features associated with the first software module, the set of features comprising static features, behavior features and context features, identifying a first cluster comprising one or more known software modules previously classified as benign, computing distance metrics between the extracted feature set of the first software module and feature sets of respective ones of the known software modules in the first cluster, classifying the first software module as one of benign and potentially malicious based on a comparison between the computed distance metrics and a neighborhood distance metric based on distances between feature sets of the known software modules in the first cluster, and modifying access by a given client device to the first software module responsive to classifying the first software module as potentially malicious.