Method and product for providing a predictive security product and evaluating existing security products

US 10,110,619 B2
Filed: 09/18/2017
Issued: 10/23/2018
Est. Priority Date: 02/10/2013
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a non-transitory memory; and

one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations comprising;

gathering trace data for variants of a malware specimen;

categorizing the trace data into malicious characteristics and non-malicious characteristics;

building malware detectors that distinguish between the malicious characteristics and the non-malicious characteristics;

determining a rating for each of the malware detectors, the rating based on an amount of the malicious characteristics detected and an amount of the non-malicious characteristics incorrectly detected;

selecting, for mutation, a malware detector having a rating above a predetermined threshold; and

mutating the selected malware detector having the rating above the predetermined threshold.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, product and computer program product for building a malware detector, the method including the steps of: receiving at least one characteristic for each of a plurality of malware variants; categorizing each of the characteristics as a malicious characteristic or a non-malicious characteristic; generating a detector; training the detector to distinguish between the malicious characteristic and the non-malicious characteristic; and rating the detector based on an accuracy of detection of an amount of malicious characteristics for each malware variant.

47 Citations

20 Claims

1. A system comprising:
- a non-transitory memory; and
  
  one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations comprising;
  
  gathering trace data for variants of a malware specimen;
  
  categorizing the trace data into malicious characteristics and non-malicious characteristics;
  
  building malware detectors that distinguish between the malicious characteristics and the non-malicious characteristics;
  
  determining a rating for each of the malware detectors, the rating based on an amount of the malicious characteristics detected and an amount of the non-malicious characteristics incorrectly detected;
  
  selecting, for mutation, a malware detector having a rating above a predetermined threshold; and
  
  mutating the selected malware detector having the rating above the predetermined threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the determining of the rating of the malware detector is further based on a length of a set of symbols of the malware detector.
  - 3. The system of claim 1, wherein the determining of the rating of the malware detector includes awarding points for detecting a malicious variant or detracting points for incorrectly detecting a non-malicious variant.
  - 4. The system of claim 1, wherein the malware detector includes a set of symbols that are matched to a trace to detect a malicious characteristic.
  - 5. The system of claim 1, wherein the trace data includes at least one of network traffic data, code, an operating system call, an application programming interface (API) call, central processing unit (CPU) activity data, or a memory footprint.
  - 6. The system of claim 1, wherein the building of the malware detectors includes syntax learning.
  - 7. The system of claim 1, wherein the building of the malware detectors includes grammar induction.

8. A non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising:
- receiving trace data for variants of a malware specimen;
  
  categorizing the trace data into malicious characteristics and non-malicious characteristics;
  
  building a plurality of detectors that distinguish between the malicious characteristics and the non-malicious characteristics;
  
  determining a rating for a detector of the plurality of detectors, the rating based on an amount of the malicious characteristics detected and an amount of the non-malicious characteristics incorrectly detected;
  
  selecting, for mutation, the detector when it has a determined rating that is above a predetermined threshold; and
  
  mutating the selected detector having the rating above the predetermined threshold.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The non-transitory machine-readable medium of claim 8, wherein the determining of the rating of the detector is further based on a length of a set of symbols of the detector.
  - 10. The non-transitory machine-readable medium of claim 8, wherein the detector includes a set of symbols that are matched to a trace to detect a malicious characteristic.
  - 11. The non-transitory machine-readable medium of claim 8, wherein the trace data includes at least one of network traffic data, code, an operating system call, an application programming interface (API) call, central processing unit (CPU) activity data, or a memory footprint.
  - 12. The non-transitory machine-readable medium of claim 8, wherein the building of the plurality of detectors includes at least one of syntax learning or grammar induction.
  - 13. The non-transitory machine-readable medium of claim 8, wherein a previously mutated malware detector is used to build the malware detectors that distinguish between the malicious characteristics and the non-malicious characteristics.

14. A method comprising:
- collecting trace data for variants of a malware specimen;
  
  categorizing the trace data into malicious characteristics and non-malicious characteristics;
  
  building a plurality of detectors that distinguish between the malicious characteristics and the non-malicious characteristics;
  
  determining a rating for a detector of the plurality of detectors, the rating based on an amount of the malicious characteristics detected and an amount of the non-malicious characteristics incorrectly detected;
  
  selecting, for mutation, the detector when it has a determined rating that is above a predetermined threshold; and
  
  mutating the selected detector having the rating above the predetermined threshold.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, wherein the determining of the rating of the detector is further based on a length of a set of symbols of the detector.
  - 16. The method of claim 14, wherein the determining of the rating of the detector includes awarding points for detecting a malicious variant or detracting points for incorrectly detecting a non-malicious variant.
  - 17. The method of claim 14, wherein the detector includes a set of symbols that are matched to a trace to detect a malicious characteristic.
  - 18. The method of claim 14, wherein the trace data includes at least one of network traffic data, code, an operating system call, an application programming interface (API) call, central processing unit (CPU) activity data, or a memory footprint.
  - 19. The method of claim 14, wherein the building of the plurality of detectors includes syntax learning or grammar induction.
  - 20. The method of claim 14, wherein a previously mutated malware detector is used to build the malware detectors that distinguish between the malicious characteristics and the non-malicious characteristics.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
PayPal, Inc. (PayPal Holdings, Inc.)
Original Assignee
PayPal, Inc. (PayPal Holdings, Inc.)
Inventors
Boutnaru, Shiomi, Tancman, Liran, Markzon, Michael
Primary Examiner(s)
Chang, Kenneth W

Application Number

US15/707,973
Publication Number

US 20180131707A1
Time in Patent Office

400 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/567   using dedicated hardware

G06F 2221/033   Test or assess software

G06F 2221/2145   Inheriting rights or proper...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Method and product for providing a predictive security product and evaluating existing security products

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and product for providing a predictive security product and evaluating existing security products

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links