Detecting malicious code in sections of computer files

US 10,169,581 B2
Filed: 08/29/2016
Issued: 01/01/2019
Est. Priority Date: 08/29/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of evaluating a file for malicious code, the method comprising:

receiving a plurality of normal files and a plurality of malicious files;

dividing each of the normal files and each of the malicious files into a plurality of file sections;

labeling each file section of the normal files as a normal file section;

labeling each file section of the malicious files as a malicious file section;

generating a machine learning model using a machine learning training data set comprising the labeled file sections of the normal files and the malicious files; and

using the machine learning model to identify which particular section of a target file contains malicious code.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A training data set for training a machine learning module is prepared by dividing normal files and malicious files into sections. Each section of a normal file is labeled as normal. Each section of a malicious file is labeled as malicious regardless of whether or not the section is malicious. The sections of the normal files and malicious files are used to train the machine learning module. The trained machine learning module is packaged as a machine learning model, which is provided to an endpoint computer. In the endpoint computer, an unknown file is divided into sections, which are input to the machine learning model to identify a malicious section of the unknown file, if any is present in the unknown file.

39 Citations

View as Search Results

17 Claims

1. A computer-implemented method of evaluating a file for malicious code, the method comprising:
- receiving a plurality of normal files and a plurality of malicious files;
  
  dividing each of the normal files and each of the malicious files into a plurality of file sections;
  
  labeling each file section of the normal files as a normal file section;
  
  labeling each file section of the malicious files as a malicious file section;
  
  generating a machine learning model using a machine learning training data set comprising the labeled file sections of the normal files and the malicious files; and
  
  using the machine learning model to identify which particular section of a target file contains malicious code.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein using the machine learning model to identify which particular section of the target fie contains malicious code comprises:
    - dividing the target file into a plurality of sections; and
      
      using the machine learning model to classify each of the sections of the target file.
  - 3. The computer-implemented method of claim 1, wherein the machine learning model is generated by training a Support Vector Machine using the training data set.
  - 4. The computer-implemented method of claim 1, further comprising:
    - providing the machine learning model to an endpoint computer system over a computer network,wherein the endpoint computer system receives the target file over the computer network and classifies individual sections of the target file using the machine learning model.
  - 5. The computer-implemented method of claim 1, wherein the normal files, the malicious files, and the target file are executable files.
  - 6. The computer-implemented method of claim 1, wherein the normal files, the malicious files, and the target file are in Portable Executable format.

7. A system for evaluating files for malicious code, the system comprising:
- a backend computer system that is configured to divide each of a plurality of normal files into file sections, divide each of a plurality of malicious files into file sections, label each file section of the normal files as a normal file section, label each file section of the malicious files as a malicious file section, and generate a machine learning model using a machine learning training data set comprising labeled file sections of the normal files and the malicious files; and
  
  an endpoint computer that is configured to receive the machine learning model over a computer network, receive a target file, and use the machine learning model to identify which particular section of the target file contains malicious code.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the endpoint computer divides the target file into a plurality of sections and inputs the sections of the target file into the machine learning model.
  - 9. The system of claim 7, wherein the backend computer system generates the machine learning model by training a Support Vector Machine using the training data set.
  - 10. The system of claim 7, wherein the normal files, the malicious files, and the target file are executable files.
  - 11. The system of claim 7, wherein the normal files, the malicious files, and the target file are in Portable Executable format.
  - 12. The system of claim 7, wherein the endpoint computer divides the target file into a plurality of sections and inputs the sections of the target file into the machine learning model.

13. A non-transitory computer-readable medium comprising instructions stored thereon, that when executed by a processor, perform the steps of:
- dividing each of a plurality of normal files and each of a plurality of malicious files into a plurality of file sections;
  
  labeling each file section of the normal files as a normal file section;
  
  labeling each file section of the malicious files as a malicious file section;
  
  generating a machine learning model using a machine learning training data set comprising labeled file sections of the normal files and the malicious files; and
  
  providing the machine learning model to an endpoint computer system to detect malicious files in the endpoint computer system.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The non-transitory computer-readable medium of claim 13, wherein the machine learning model is generated by training a Support Vector Machine using the training data set.
  - 15. The non-transitory computer-readable medium of claim 13, wherein the normal files and the malicious files are executable files.
  - 16. The non-transitory computer-readable medium of claim 13, wherein the normal files and the malicious files are in Portable Executable format.
  - 17. The non-transitory computer-readable medium of claim 13, wherein the machine learning model is provided to the endpoint computer system over the Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Tsao, Wen-Kwang, Wu, PingHuan, Liu, Wei-Zhi
Primary Examiner(s)
Dinh, Minh

Application Number

US15/249,702
Publication Number

US 20180060576A1
Time in Patent Office

855 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 2221/034   Test or assess a computer o...

G06N 20/00   Machine learning

G06N 20/10   using kernel methods, e.g. ...

Detecting malicious code in sections of computer files

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

39 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Detecting malicious code in sections of computer files

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others