Method of modeling behavior pattern of instruction set in N-gram manner, computing device operating with the method, and program stored in storage medium to execute the method in computing device
First Claim
1. A non-transitory computer-readable storage medium storing a program configured to model a behavior pattern associated with system calls that occur by an instruction set executed in a computing device, the program executing a process, in the computing device, that comprises:
- hooking, by a processor of the computing device, the system calls while the instruction set is executed under a control of the processor;
- extracting, by the processor, a category to which each of the hooked system calls belongs, with reference to category information stored in at least one of a first storage of the computing device or a second storage provided separately from the computing device;
- extracting, by the processor, one or more behavior sequences expressed in an N-gram manner from a full sequence of the hooked system calls, with reference to the extracted category;
- generating, by the processor, a model of the behavior pattern based on a number of times that each of the extracted N-gram behavior sequences occurs;
- comparing at least one of the generated model of the behavior pattern or the stored model of the behavior pattern with a reference model; and
- determining, based on the comparison, whether the executed instruction set is malicious or normal.
Abstract
A computing device configured to execute an instruction set is provided. The computing device includes a system call hooker for hooking system calls that occur by the instruction set while the instruction set is executed, a category extractor for extracting a category to which each of the hooked system calls belongs with reference to category information associated with a correspondence relationship between a system call and a category, a sequence extractor for extracting one or more behavior sequences expressed in an N-gram manner from a full sequence of the hooked system calls with reference to the extracted category, and a model generator for generating a behavior pattern model of the system calls that occur when the instruction set is executed, based on a number of times that each of the extracted behavior sequences occurs.
6 Claims
4. A method for modeling a behavior pattern associated with system calls that occur by an instruction set executed in a computing device, the method comprising:
- hooking, by the computing device, the system calls;
- extracting, by the computing device, a category to which each of the hooked system calls belongs;
- extracting, by the computing device, one or more behavior sequences expressed in an N-gram manner from a full sequence of the hooked system calls, with reference to the extracted category;
- generating, by the computing device, a model of the behavior pattern expressed in a vector format, based on a number of times that each of the extracted N-gram behavior sequences occurs;
- comparing at least one of the generated model of the behavior pattern or the stored model of the behavior pattern with a reference model;
- determining, based on the comparison, whether the executed instruction set is malicious or normal.
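The steps named in the abstract and in claims 1 and 4 (categorize hooked calls, extract N-grams, count occurrences into a vector, compare with a reference model), as an added example that is not code from the patent. The category table, the reading of "with reference to the extracted category" as N-grams over category labels, the cosine comparison, the 0.8 threshold and the traces are all constructed assumptions, since the page specifies none of them.

```python
from collections import Counter
from itertools import product
from math import sqrt

# Assumed category information (system call -> category); not from the patent.
CATEGORY = {
    "open": "FILE", "read": "FILE", "write": "FILE", "unlink": "FILE",
    "socket": "NET", "connect": "NET", "send": "NET",
    "fork": "PROC", "execve": "PROC",
}
LABELS = sorted(set(CATEGORY.values())) + ["OTHER"]

def categorize(trace):
    """Replace each hooked system call with its category (OTHER if unmapped)."""
    return [CATEGORY.get(call, "OTHER") for call in trace]

def ngrams(seq, n):
    """Slide a window of length n over the full category sequence."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]

def model(trace, n=2):
    """Occurrence count of every possible category N-gram, in a fixed axis
    order so that any two models are directly comparable as vectors."""
    counts = Counter(ngrams(categorize(trace), n))
    return [counts[axis] for axis in product(LABELS, repeat=n)]

def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    norm = sqrt(sum(a * a for a in u)) * sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0  # empty model matches nothing

def classify(trace, reference, n=2, threshold=0.8):
    """Compare a trace's model with a reference model of known-malicious
    behaviour. Metric and threshold are assumptions of this example."""
    score = cosine(model(trace, n), reference)
    return "malicious" if score >= threshold else "normal"

# Constructed traces standing in for hooked system-call sequences.
REFERENCE_TRACE = ["open", "read", "socket", "connect", "send"] * 2
SAMPLE_A = ["open", "read", "socket", "connect", "send", "unlink"]
SAMPLE_B = ["open", "read", "write", "write", "read", "write", "getpid"]
REFERENCE = model(REFERENCE_TRACE)

if __name__ == "__main__":
    for name, trace in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(name, round(cosine(model(trace), REFERENCE), 3), classify(trace, REFERENCE))
```

Working on categories rather than raw call names keeps the vector at 16 dimensions for N=2 here, and calls missing from the table still contribute through the OTHER label instead of being dropped.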
Specification