Systems and methods for evaluating infection risks based on profiled user behaviors

US 10,116,680 B1
Filed: 06/21/2016
Issued: 10/30/2018
Est. Priority Date: 06/21/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for evaluating infection risks based on profiled user behaviors, at least a portion of the method being performed by a computing device comprising at least one hardware processor, the method comprising:

collecting, by the computing device comprising the at least one hardware processor, a plurality of user-behavior profiles that comprises at least one of;

a plurality of labeled profiles that comprises at least one of;

a plurality of infected profiles, wherein each of the plurality of infected profiles comprises a profile of user behaviors that occurred at an associated infected computing system that is known to have encountered malware;

ora plurality of clean profiles, wherein each of the plurality of clean profiles comprises a profile of user behaviors that occurred at an associated clean computing system that is known to be free of malware;

ora plurality of unlabeled profiles, wherein each of the plurality of unlabeled profiles comprises a profile of user behaviors that occurred at an associated computing system that is not known to have encountered malware and not known to be free of malware;

training, using features and labels of the plurality of user-behavior profiles, a decision tree to distinguish infected profiles from clean profiles by;

determining, at each internal node in the decision tree, whether there are any infected profiles, clean profiles, or unlabeled profiles at the internal node; and

selecting, from a plurality of splitting rules based on whether there are any infected profiles, clean profiles, or unlabeled profiles at the internal node, a suitable splitting rule to apply at the internal node; and

using the decision tree to predict at least one of;

a likelihood that a computing system of a user will become infected based at least in part on a profile of user behaviors of the user;

ora likelihood that a user behavior in the plurality of user-behavior profiles will result in a computing-system infection.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for evaluating infection risks based on profiled user behaviors may include (1) collecting user-behavior profiles that may include labeled profiles (e.g., infected profiles and/or clean profiles) and/or unlabeled profiles, (2) training a classification model to distinguish infected profiles from clean profiles using features and labels of the user-behavior profiles, and (3) using the classification model to predict (a) a likelihood that a computing system of a user will become infected based on a profile of user behaviors of the user and/or (b) a likelihood that a user behavior in the user-behavior profiles will result in a computing-system infection. Various other methods, systems, and computer-readable media are also disclosed.

60 Citations

View as Search Results

19 Claims

1. A computer-implemented method for evaluating infection risks based on profiled user behaviors, at least a portion of the method being performed by a computing device comprising at least one hardware processor, the method comprising:
- collecting, by the computing device comprising the at least one hardware processor, a plurality of user-behavior profiles that comprises at least one of;
  
  a plurality of labeled profiles that comprises at least one of;
  
  a plurality of infected profiles, wherein each of the plurality of infected profiles comprises a profile of user behaviors that occurred at an associated infected computing system that is known to have encountered malware;
  
  ora plurality of clean profiles, wherein each of the plurality of clean profiles comprises a profile of user behaviors that occurred at an associated clean computing system that is known to be free of malware;
  
  ora plurality of unlabeled profiles, wherein each of the plurality of unlabeled profiles comprises a profile of user behaviors that occurred at an associated computing system that is not known to have encountered malware and not known to be free of malware;
  
  training, using features and labels of the plurality of user-behavior profiles, a decision tree to distinguish infected profiles from clean profiles by;
  
  determining, at each internal node in the decision tree, whether there are any infected profiles, clean profiles, or unlabeled profiles at the internal node; and
  
  selecting, from a plurality of splitting rules based on whether there are any infected profiles, clean profiles, or unlabeled profiles at the internal node, a suitable splitting rule to apply at the internal node; and
  
  using the decision tree to predict at least one of;
  
  a likelihood that a computing system of a user will become infected based at least in part on a profile of user behaviors of the user;
  
  ora likelihood that a user behavior in the plurality of user-behavior profiles will result in a computing-system infection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented method of claim 1, further comprising assigning, before training the decision tree, a pseudo label to each of the plurality of unlabeled profiles by labeling a first group of the plurality of unlabeled profiles as infected profiles and a second group of the plurality of unlabeled profiles as clean profiles.
  - 3. The computer-implemented method of claim 2, wherein assigning the pseudo label to each of the plurality of unlabeled profiles comprises:
    - calculating a similarity between the unlabeled profile and at least one labeled profile in the plurality of labeled profiles;
      
      calculating a soft risk score for the unlabeled profile based at least in part on the similarity and a risk score of the labeled profile;
      
      labeling the unlabeled profile as either an infected profile or a clean profile based at least in part on the soft risk score.
  - 4. The computer-implemented method of claim 3, wherein training the decision tree comprises using the soft risk score as a weighting factor of the pseudo label of the unlabeled profile.
  - 5. The computer-implemented method of claim 2, wherein assigning the pseudo label to each of the plurality of unlabeled profiles comprises:
    - mapping each of the plurality of unlabeled profiles to a feature space;
      
      splitting the feature space into a first region and a second region along a lowest-density region of the feature space;
      
      labeling unlabeled profiles in the first region as infected profiles;
      
      labeling unlabeled profiles in the second region as clean profiles.
  - 6. The computer-implemented method of claim 2, wherein:
    - assigning the pseudo label to each of the plurality of unlabeled profiles comprises using the decision tree to reassign pseudo labels to the plurality of unlabeled profiles;
      
      training the decision tree comprises retraining, after reassigning pseudo labels, the decision tree until the pseudo labels of the plurality of unlabeled profiles converge.
  - 7. The computer-implemented method of claim 1, wherein the plurality of splitting rules comprises a splitting rule that best:
    - minimizes a classification error of any labeled profiles at an internal node; and
      
      splits a feature space to which any unlabeled profiles at the internal node are mapped along a low-density region of the feature space.
  - 8. The computer-implemented method of claim 1, wherein the plurality of splitting rules comprises a splitting rule that maximizes mutual information.
  - 9. The computer-implemented method of claim 1, wherein the plurality of splitting rules comprises a splitting rule that splits user-behavior profiles at an internal node into two subsets in a way that maximizes a divergence between the two subsets.
  - 10. The computer-implemented method of claim 1, wherein using the decision tree comprises using the decision tree to predict the likelihood that the computing system of the user will become infected.
  - 11. The computer-implemented method of claim 1, wherein using the decision tree comprises using the decision tree to predict the likelihood that the user behavior will result in a computing-system infection.

12. A system for evaluating infection risks based on profiled user behaviors, the system comprising:
- a hardware processor;
  
  a collecting module, with instructions stored in memory and executed by the hardware processor, that collects a plurality of user-behavior profiles that comprises at least one of;
  
  a plurality of labeled profiles that comprises at least one of;
  
  a plurality of infected profiles, wherein each of the plurality of infected profiles comprises a profile of user behaviors that occurred at an associated infected computing system that is known to have encountered malware;
  
  ora plurality of clean profiles, wherein each of the plurality of clean profiles comprises a profile of user behaviors that occurred at an associated clean computing system that is known to be free of malware;
  
  ora plurality of unlabeled profiles, wherein each of the plurality of unlabeled profiles comprises a profile of user behaviors that occurred at an associated computing system that is not known to have encountered malware and not known to be free of malware;
  
  a training module, with instructions stored in memory and executed by the hardware processor, that trains, using features and labels of the plurality of user-behavior profiles, a decision tree to distinguish infected profiles from clean profiles by;
  
  determining, at each internal node in the decision tree, whether there are any infected profiles, clean profiles, or unlabeled profiles at the internal node; and
  
  selecting, from a plurality of splitting rules based on whether there are any infected profiles, clean profiles, or unlabeled profiles at the internal node, a suitable splitting rule to apply at the internal node; and
  
  a risk-evaluating module, with instructions stored in memory and executed by the hardware processor, that uses the decision tree to predict at least one of;
  
  a likelihood that a computing system of a user will become infected based at least in part on a profile of user behaviors of the user;
  
  ora likelihood that a user behavior in the plurality of user-behavior profiles will result in a computing-system infection.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The system of claim 12, further comprising a labeling module, with instructions stored in memory and executed by the hardware processor, that assigns, before the decision tree is trained, a pseudo label to each of the plurality of unlabeled profiles by labeling a first group of the plurality of unlabeled profiles as infected profiles and a second group of the plurality of unlabeled profiles as clean profiles.
  - 14. The system of claim 13, wherein the labeling module assigns the pseudo label to each of the plurality of unlabeled profiles by:
    - calculating a similarity between the unlabeled profile and at least one labeled profile in the plurality of labeled profiles;
      
      calculating a soft risk score for the unlabeled profile based at least in part on the similarity and a risk score of the labeled profile;
      
      labeling the unlabeled profile as either an infected profile or a clean profile based at least in part on the soft risk score.
  - 15. The system of claim 13, wherein the labeling module assigns the pseudo label to each of the plurality of unlabeled profiles by:
    - mapping each of the plurality of unlabeled profiles to a feature space;
      
      splitting the feature space into a first region and a second region along a lowest-density region of the feature space;
      
      labeling unlabeled profiles in the first region as infected profiles;
      
      labeling unlabeled profiles in the second region as clean profiles.
  - 16. The system of claim 13, wherein:
    - the labeling module assigns the pseudo label to each of the plurality of unlabeled profiles by using the decision tree to assign pseudo labels to the plurality of unlabeled profiles;
      
      the training module trains the decision tree by retraining the decision tree until the pseudo labels of the plurality of unlabeled profiles converge.
  - 17. The system of claim 12, wherein the risk-evaluating module uses the decision tree by using the decision tree to predict the likelihood that the computing system of the user will become infected.
  - 18. The system of claim 12, wherein the risk-evaluating module uses the decision tree by using the decision tree to predict the likelihood that the user behavior will result in a computing-system infection.

19. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one hardware processor of a computing device, cause the computing device to:
- collect a plurality of user-behavior profiles that comprises at least one of;
  
  a plurality of labeled profiles that comprises at least one of;
  
  a plurality of infected profiles, wherein each of the plurality of infected profiles comprises a profile of user behaviors that occurred at an associated infected computing system that is known to have encountered malware;
  
  ora plurality of clean profiles, wherein each of the plurality of clean profiles comprises a profile of user behaviors that occurred at an associated clean computing system that is known to be free of malware;
  
  ora plurality of unlabeled profiles, wherein each of the plurality of unlabeled profiles comprises a profile of user behaviors that occurred at an associated computing system that is not known to have encountered malware and not known to be free of malware;
  
  train, using features and labels of the plurality of user-behavior profiles, a decision tree to distinguish infected profiles from clean profiles by;
  
  determining, at each internal node in the decision tree, whether there are any infected profiles, clean profiles, or unlabeled profiles at the internal node; and
  
  selecting, from a plurality of splitting rules based on whether there are any infected profiles, clean profiles, or unlabeled profiles at the internal node, a suitable splitting rule to apply at the internal node; and
  
  use the decision tree to predict at least one of;
  
  a likelihood that a computing system of a user will become infected based at least in part on a profile of user behaviors of the user;
  
  ora likelihood that a user behavior in the plurality of user-behavior profiles will result in a computing-system infection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Han, Yufei, Yumer, Leylya, Vervier, Pierre-Antoine, Dell'Amico, Matteo
Primary Examiner(s)
Holder, Bradley

Application Number

US15/188,956
Time in Patent Office

861 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/9027   Trees

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1433   Vulnerability analysis

Systems and methods for evaluating infection risks based on profiled user behaviors

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for evaluating infection risks based on profiled user behaviors

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links