Microsoft Corporation
Computer security using context triggered piecewise hashing
Abstract:
Generally discussed herein are devices, systems, and methods for clustering based on context triggered piecewise hashing (CTPH). A method can include determining a first index of a first CTPH string of the file. The first index can include contiguous bits of the CTPH string. The first index can be smaller than the CTPH string, such as to be a proper subset of the CTPH string. The method can include determining the first index matches a second index of a cluster of files and in response to determining the first index matches the second index of the cluster, associating the file with the cluster. The method can include determining that the file includes malware based on the cluster.
Status:
Grant
Type:
Utility
Filing date:
21 Apr 2020
Issue date:
20 Sep 2022
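
The index-matching step described in the abstract, sketched as an added example (not code from the patent or from Microsoft). The toy CTPH function, the 8-character prefix index, the `ClusterStore` class, and all sample bytes are assumptions constructed for illustration.

```python
import hashlib

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW, BLOCK, INDEX_CHARS = 7, 16, 8  # assumed parameters; index = 8 chars = 48 bits

def ctph(data: bytes) -> str:
    """Toy CTPH: the rolling sum of the last WINDOW bytes decides where a piece
    ends (the context trigger); each piece adds one character to the string."""
    out, piece, roll = [], 0x811C9DC5, 0
    for i, b in enumerate(data):
        roll += b - (data[i - WINDOW] if i >= WINDOW else 0)
        piece = ((piece ^ b) * 0x01000193) & 0xFFFFFFFF  # FNV-1a of the piece
        if roll % BLOCK == BLOCK - 1:                     # trigger: close the piece
            out.append(B64[piece & 63])
            piece = 0x811C9DC5
    out.append(B64[piece & 63])                           # trailing partial piece
    return "".join(out)

def index_of(sig: str) -> str:
    """Index: a contiguous run of the CTPH string, shorter than the string."""
    return sig[:INDEX_CHARS]

class ClusterStore:
    def __init__(self):
        self.clusters = {}  # index -> {"label": str, "files": [names]}

    def seed(self, name: str, data: bytes, label: str) -> None:
        idx = index_of(ctph(data))
        self.clusters.setdefault(idx, {"label": label, "files": []})["files"].append(name)

    def assign(self, name: str, data: bytes):
        """Join the cluster whose index matches; return its label, or None."""
        cluster = self.clusters.get(index_of(ctph(data)))
        if cluster is None:
            return None
        cluster["files"].append(name)
        return cluster["label"]

def blob(seed: str, n: int) -> bytes:
    """Constructed sample bytes (deterministic, not real file content)."""
    chunks = [hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(n // 32 + 1)]
    return b"".join(chunks)[:n]

SHARED = blob("family-a", 2048)            # constructed body common to one family
KNOWN = SHARED + blob("config-1", 256)     # sample already labelled
VARIANT = SHARED + blob("config-2", 256)   # new file: same body, different tail
UNRELATED = blob("other", 2304)

def demo():
    store = ClusterStore()
    store.seed("known.bin", KNOWN, "malware")
    return store.assign("variant.bin", VARIANT), store.assign("unrelated.bin", UNRELATED)
```

Because this example takes the index from the start of the string, files that differ in their first pieces land in different clusters even when later content is shared; that placement is a choice made here, not something the abstract specifies.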