Method and product for providing a predictive security product and evaluating existing security products
Abstract
A method, product and computer program product for building a malware detector, the method including the steps of: receiving at least one characteristic for each of a plurality of malware variants; categorizing each of the characteristics as a malicious characteristic or a non-malicious characteristic; generating a detector; training the detector to distinguish between the malicious characteristic and the non-malicious characteristic; and rating the detector based on an accuracy of detection of an amount of malicious characteristics for each malware variant.
20 Claims
1. A system comprising:
a non-transitory memory; and
one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations comprising:
gathering trace data for variants of a malware specimen;
categorizing the trace data into malicious characteristics and non-malicious characteristics;
building malware detectors that distinguish between the malicious characteristics and the non-malicious characteristics;
determining a rating for each of the malware detectors, the rating based on an amount of the malicious characteristics detected and an amount of the non-malicious characteristics incorrectly detected;
selecting, for mutation, a malware detector having a rating above a predetermined threshold; and
mutating the selected malware detector having the rating above the predetermined threshold.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising:
receiving trace data for variants of a malware specimen;
categorizing the trace data into malicious characteristics and non-malicious characteristics;
building a plurality of detectors that distinguish between the malicious characteristics and the non-malicious characteristics;
determining a rating for a detector of the plurality of detectors, the rating based on an amount of the malicious characteristics detected and an amount of the non-malicious characteristics incorrectly detected;
selecting, for mutation, the detector when it has a determined rating that is above a predetermined threshold; and
mutating the selected detector having the rating above the predetermined threshold.
Dependent claims: 9, 10, 11, 12, 13.
14. A method comprising:
collecting trace data for variants of a malware specimen;
categorizing the trace data into malicious characteristics and non-malicious characteristics;
building a plurality of detectors that distinguish between the malicious characteristics and the non-malicious characteristics;
determining a rating for a detector of the plurality of detectors, the rating based on an amount of the malicious characteristics detected and an amount of the non-malicious characteristics incorrectly detected;
selecting, for mutation, the detector when it has a determined rating that is above a predetermined threshold; and
mutating the selected detector having the rating above the predetermined threshold.
Dependent claims: 15, 16, 17, 18, 19, 20.
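The three independent claims describe the same loop: gather traces for variants of one specimen, categorize the observed characteristics, build detectors over them, rate each detector by how many malicious characteristics it catches against how many non-malicious ones it wrongly catches, keep the detectors above a threshold, and mutate those. The following is an added example of that loop as working code; it is not code from the patent or its assignee. The system-call traces are constructed for the example, and the categorization rule (a call bigram is malicious if it appears in some variant and in no benign trace), the rating formula (hit fraction minus false-hit fraction), the one-characteristic-extension mutation operator and the `threshold`, `generations` and `keep` parameters are all assumptions made here, not details the claims specify.

```python
"""Added example, not the patent's own code: the claimed gather -> categorize ->
build -> rate -> select -> mutate loop run as a deterministic search over
system-call bigrams. Traces, rating formula and mutation operator are assumed."""
import itertools

# Constructed trace data (illustrative, not real captures): call sequences for
# three variants of one malware specimen and for three benign programs.
MALWARE_TRACES = {
    "variant_a": ["open", "read", "socket", "connect", "send", "write", "close"],
    "variant_b": ["open", "read", "socket", "connect", "sendto", "write", "close"],
    "variant_c": ["fork", "open", "read", "socket", "connect", "send", "unlink"],
}
BENIGN_TRACES = {
    "editor": ["open", "read", "write", "close"],
    "browser": ["socket", "connect", "recv", "write", "close"],
    "shell": ["fork", "execve", "wait4", "write"],
}


def bigrams(trace):
    """A characteristic is an ordered pair of adjacent calls in a trace."""
    return frozenset(zip(trace, trace[1:]))


def categorize(malware, benign):
    """Assumed categorization rule: a characteristic seen in any variant of the
    specimen and in no benign trace is malicious; every characteristic seen in a
    benign trace is non-malicious. Returns (malicious, non_malicious)."""
    seen_in_malware = frozenset().union(*(bigrams(t) for t in malware.values()))
    seen_in_benign = frozenset().union(*(bigrams(t) for t in benign.values()))
    return seen_in_malware - seen_in_benign, seen_in_benign


def rate(detector, malicious, non_malicious):
    """Assumed rating formula: fraction of malicious characteristics the detector
    matches minus fraction of non-malicious ones it wrongly matches, in [-1, 1]."""
    hits = len(detector & malicious) / len(malicious)
    false_hits = len(detector & non_malicious) / len(non_malicious)
    return hits - false_hits


def mutate(detector, universe):
    """Assumed mutation operator: every one-characteristic extension of a detector."""
    return [detector | {c} for c in universe if c not in detector]


def fires(detector, trace):
    """A detector flags a trace when any of its characteristics occurs in it."""
    return bool(detector & bigrams(trace))


def evolve(malware, benign, threshold=0.0, generations=8, keep=20):
    """Build, rate, select above `threshold`, mutate; repeat. Survivors are carried
    over unchanged, so the best rating never drops between generations."""
    malicious, non_malicious = categorize(malware, benign)
    universe = malicious | non_malicious
    # Initial detectors: one single-characteristic rule per observed characteristic.
    population = {frozenset([c]) for c in universe}
    for _ in range(generations):
        scores = {d: rate(d, malicious, non_malicious) for d in population}
        # Deterministic order: best rating first, ties broken by rule contents.
        ranked = sorted(population, key=lambda d: (-scores[d], sorted(d)))
        survivors = [d for d in ranked if scores[d] > threshold][:keep]
        if not survivors:  # nothing clears the threshold: stop rather than die out
            break
        children = itertools.chain.from_iterable(mutate(d, universe) for d in survivors)
        population = set(survivors) | set(children)
    scores = {d: rate(d, malicious, non_malicious) for d in population}
    best = max(population, key=lambda d: (scores[d], -len(d)))
    return best, scores[best]


if __name__ == "__main__":
    best, score = evolve(MALWARE_TRACES, BENIGN_TRACES)
    print(f"best detector (rating {score:.2f}):", sorted(best))
    for name, trace in {**MALWARE_TRACES, **BENIGN_TRACES}.items():
        print(f"{name:10s} flagged={fires(best, trace)}")
```

On the constructed data the search converges on the full set of malicious bigrams with rating 1.0, and that detector flags every variant and no benign trace. Two checks a practitioner should keep in mind: the rating counts characteristics, as the claims do, not traces, so a detector can score well yet miss a variant that shares few characteristics with the others; always confirm per-trace behaviour with `fires`. And the categorization is only as good as the benign corpus: a benign program that happens to exercise one of the "malicious" bigrams moves that characteristic into the non-malicious set and changes every rating downstream.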
Specification