Malware determination device, malware determination system, malware determination method, and program

US 10,268,820 B2
Filed: 06/08/2015
Issued: 04/23/2019
Est. Priority Date: 06/11/2014
Status: Active Grant

First Claim

Patent Images

1. A malware determination device comprising:

a memory that stores a feature selection database including an attribute table and an attribute value table;

processing circuitry configured toprior to receiving input of an executable file, upon input of an attribute name of an attribute, register an attribute having the input attribute name in the attribute table as an attribute to be extracted, and upon input of an attribute value of an attribute, register the input attribute value in the attribute value table as an attribute value to be deleted or as an attribute value not to be deleted;

upon input of the executable file, extract a first attribute value of an attribute registered as an attribute to be extracted in the attribute table from the executable file to generate a feature vector including the extracted first attribute value as a feature;

perform deletion of a second attribute value registered as an attribute value to be deleted or deletion of an attribute value other than attribute values registered as attribute values not to be deleted in the attribute value table from the generated feature vector, to reconstruct the feature vector;

when the processing circuitry reconstructs a feature vector of an executable file to be learned, perform machine learning of the executable file to be learned based on the feature vector and information indicating whether the feature vector of the executable file to be learned is malware, and that, when the processing circuitry reconstructs a feature vector of an executable file to be determined, calculate a score of the likelihood of malware for the executable file to be determined based on a result of the machine learning and the feature vector; and

determine whether the executable file to be determined is malware based on the calculated score of the executable file to be determined.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A malware determination device, in which, upon input of an attribute name and an attribute value of an attribute of an executable file, a feature-selection setting unit registers the attribute with the attribute name in an attribute table as an attribute to be extracted, and registers the attribute value as an attribute value to be deleted in an attribute value table. Upon input of an executable file to be learned or to be determined, a feature extraction unit extracts an attribute value of an attribute registered as an attribute to be extracted in the attribute table from the executable file, to generate a feature vector including the extracted attribute value as a feature. A feature selection unit performs deletion of an attribute value registered as an attribute value to be deleted in the attribute value table from the feature vector.

10 Citations

View as Search Results

7 Claims

1. A malware determination device comprising:
- a memory that stores a feature selection database including an attribute table and an attribute value table;
  
  processing circuitry configured toprior to receiving input of an executable file, upon input of an attribute name of an attribute, register an attribute having the input attribute name in the attribute table as an attribute to be extracted, and upon input of an attribute value of an attribute, register the input attribute value in the attribute value table as an attribute value to be deleted or as an attribute value not to be deleted;
  
  upon input of the executable file, extract a first attribute value of an attribute registered as an attribute to be extracted in the attribute table from the executable file to generate a feature vector including the extracted first attribute value as a feature;
  
  perform deletion of a second attribute value registered as an attribute value to be deleted or deletion of an attribute value other than attribute values registered as attribute values not to be deleted in the attribute value table from the generated feature vector, to reconstruct the feature vector;
  
  when the processing circuitry reconstructs a feature vector of an executable file to be learned, perform machine learning of the executable file to be learned based on the feature vector and information indicating whether the feature vector of the executable file to be learned is malware, and that, when the processing circuitry reconstructs a feature vector of an executable file to be determined, calculate a score of the likelihood of malware for the executable file to be determined based on a result of the machine learning and the feature vector; and
  
  determine whether the executable file to be determined is malware based on the calculated score of the executable file to be determined.
- View Dependent Claims (2, 3, 4, 5)
- - 2. A malware determination system comprising the malware determination device according to claim 1, and further comprising a feature-selection trial device, whereinthe feature-selection trial device includesprocessing circuitry configured torepeat a process of selecting one set from sets obtained by combining one or more sets of features including an attribute name and an attribute value of an attribute of an executable file and inputting the selected set to the malware determination device,that each time the malware detection device inputs the set, repeat a process of inputting an executable file to be determined after inputting an executable file to be learned to the malware determination device, andeach time the malware detection device inputs the set, acquire a determination result including a score of the executable file to be determined and information indicating whether the executable file to be determined has been determined to be malware, for each of executable files to be determined that have been input repeatedly to the processing circuitry, from the malware determination device, to calculate an index indicating a degree of determination accuracy of the malware determination device based on the determination result, andselect a set having a highest calculated index from the sets input to the malware detection device and input the selected set to the malware detection device.
  - 3. The malware determination system according to claim 2, wherein the processing circuitry of the feature-selection trial device calculates the index by using a detection rate, which is a rate of determining an executable file to be determined that is malware to be malware correctly, or an erroneous detection rate, which is a rate of erroneously determining an executable file to be determined that is not malware to be malware.
  - 4. A malware determination system comprising the malware determination device according to claim 1, and further comprising a user interface, whereinthe user interface is configured toacquire an attribute name and an attribute value of an attribute of an executable file, anddisplay a setting screen including a list of attribute names and attribute values acquired by the user interface ,display attribute names on the setting screen together with a first check box, and regarding an attribute name of an attribute registered as an attribute to be extracted in the attribute table, checks the first check box,display attribute values on the setting screen together with a second check box, and regarding an attribute value other than attribute values registered as attribute values to be deleted or an attribute value registered as an attribute value not to be deleted in the attribute value table, checks the second check box, andwhen a checked state of the first check box or the second check box is manually changed, input an attribute name checked in the first check box after the change to the malware determination device, and input an attribute value not checked in the second check box or a checked attribute value after the change to the malware determination device.
  - 5. The malware determination system according to claim 4, wherein the user interface displays an attribute value on the setting screen together with number of appearances, which is number of executable files in which the attribute value appears, and total number of executable files.

6. A malware determination method performed by a malware determination device, the malware determination method comprising:
- a feature-selection setting step at which, prior to receiving input of an executable file, upon input of an attribute name of an attribute, the attribute with the input attribute name is registered in an attribute table as an attribute to be extracted, and upon input of an attribute value of an attribute, the input attribute value is registered in an attribute value table as an attribute value to be deleted or as an attribute value not to be deleted,a feature extraction step at which, upon input of the executable file, a first attribute value of an attribute registered as an attribute to be extracted in the attribute table is extracted from the executable file and a feature vector including the extracted first attribute value as a feature is generated,a feature selection step of performing deletion of a second attribute value registered as an attribute value to be deleted or deletion of an attribute value other than attribute values registered as attribute values not to be deleted in the attribute value table from the feature vector generated at the feature extraction step, to reconstruct the feature vector,a classification step at which, when a feature vector of an executable file to be learned is reconstructed at the feature selection step, machine learning of the executable file to be learned is performed based on the feature vector and information indicating whether the feature vector of the executable file to be learned is malware, and at which, when a feature vector of an executable file to be determined is reconstructed at the feature selection step, a score of likelihood of malware is calculated for the executable file to be determined based on a result of the machine learning and the feature vector, anda determination step of determining whether the executable file to be determined is malware based on the score of the executable file to be determined calculated at the classification step.

7. A non-transitory computer-readable recording medium having stored a program that causes a malware detection device to perform a method comprising:
- a feature-selection setting step at which, prior to receiving input of an executable file, upon input of an attribute name of an attribute, the attribute with the input attribute name is registered in an attribute table as an attribute to be extracted, and upon input of an attribute value of an attribute, the input attribute value is registered in an attribute value table as an attribute value to be deleted or as an attribute value not to be deleted,a feature extraction step at which, upon input of the executable file, a first attribute value of an attribute registered as an attribute to be extracted in the attribute table is extracted from the executable file and a feature vector including the extracted first attribute value as a feature is generated,a feature selection step of performing deletion of a second attribute value registered as an attribute value to be deleted or deletion of an attribute value other than attribute values registered as attribute values not to be deleted in the attribute value table from the feature vector generated at the feature extraction step, to reconstruct the feature vector,a classification step at which, when a feature vector of an executable file to be learned is reconstructed at the feature selection step, machine learning of the executable file to be learned is performed based on the feature vector and information indicating whether the feature vector of the executable file to be learned is malware, and at which, when a feature vector of an executable file to be determined is reconstructed at the feature selection step, a score of likelihood of malware is calculated for the executable file to be determined based on a result of the machine learning and the feature vector, anda determination step of determining whether the executable file to be determined is malware based on the score of the executable file to be determined calculated at the classification step.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nippon Telegraph and Telephone Corporation
Original Assignee
Nippon Telegraph and Telephone Corporation
Inventors
Okano, Yasushi, Orihara, Shingo, Abe, Tetsuya, Asakura, Hiroshi, Kumagai, Atsutoshi
Primary Examiner(s)
Rahman, Shawnchoy

Application Number

US15/315,903
Publication Number

US 20170098074A1
Time in Patent Office

1,415 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/567   using dedicated hardware

G06N 20/00   Machine learning

H04L 63/1433   Vulnerability analysis

Malware determination device, malware determination system, malware determination method, and program

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

7 Claims

Specification

Use Cases

Quick Links

Others

Malware determination device, malware determination system, malware determination method, and program

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

7 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others