Malware determination device, malware determination system, malware determination method, and program
First Claim
1. A malware determination device comprising:

- a memory that stores a feature selection database including an attribute table and an attribute value table;
- processing circuitry configured to:
  - prior to receiving input of an executable file, upon input of an attribute name of an attribute, register an attribute having the input attribute name in the attribute table as an attribute to be extracted, and upon input of an attribute value of an attribute, register the input attribute value in the attribute value table as an attribute value to be deleted or as an attribute value not to be deleted;
  - upon input of the executable file, extract a first attribute value of an attribute registered as an attribute to be extracted in the attribute table from the executable file to generate a feature vector including the extracted first attribute value as a feature;
  - perform deletion of a second attribute value registered as an attribute value to be deleted or deletion of an attribute value other than attribute values registered as attribute values not to be deleted in the attribute value table from the generated feature vector, to reconstruct the feature vector;
  - when the processing circuitry reconstructs a feature vector of an executable file to be learned, perform machine learning of the executable file to be learned based on the feature vector and information indicating whether the feature vector of the executable file to be learned is malware, and, when the processing circuitry reconstructs a feature vector of an executable file to be determined, calculate a score of the likelihood of malware for the executable file to be determined based on a result of the machine learning and the feature vector; and
  - determine whether the executable file to be determined is malware based on the calculated score of the executable file to be determined.
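As an added example that is not part of the patent, the following Python models the claimed pipeline end to end on constructed data: feature-selection settings registered before any file is input, feature extraction over registered attributes only, reconstruction of the feature vector by the two deletion modes (values registered for deletion, and values other than those registered as not to be deleted), then learning, scoring and determination. It assumes that parsed attributes arrive as a dict, that the keep-list applies per attribute, and that a Bernoulli naive Bayes learner stands in for the unspecified machine learning; the names `FeatureSelectionDB`, `extract_features`, `select_features`, `NaiveBayes` and `determine` are mine.

```python
import math
from collections import Counter

class FeatureSelectionDB:
    """Attribute table (attributes to extract) and attribute value table (values to delete, and per-attribute values not to delete; per-attribute keep-lists are an assumption)."""
    def __init__(self):
        self.attribute_table, self.to_delete, self.to_keep = set(), set(), {}
    def register_attribute(self, name):
        self.attribute_table.add(name)
    def register_value(self, attr, value, delete=True):
        if delete: self.to_delete.add((attr, value))
        else: self.to_keep.setdefault(attr, set()).add(value)
def extract_features(db, exe):
    """One binary feature per (attribute, value) of a registered attribute; `exe` is a dict of already-parsed attributes (real PE parsing is out of scope here)."""
    return {(a, v) for a in db.attribute_table for v in exe.get(a, ())}
def select_features(db, vec):
    """Drop values registered for deletion; for an attribute with a keep-list, drop every other value."""
    return {(a, v) for a, v in vec
            if (a, v) not in db.to_delete and (a not in db.to_keep or v in db.to_keep[a])}
class NaiveBayes:
    """Bernoulli naive Bayes over binary features (the claims leave the learner unspecified)."""
    def __init__(self):
        self.n, self.cnt = {True: 0, False: 0}, {True: Counter(), False: Counter()}
    def learn(self, vec, is_malware):
        self.n[is_malware] += 1
        self.cnt[is_malware].update(vec)
    def score(self, vec):
        logit = math.log((self.n[True] + 1) / (self.n[False] + 1))
        for f in set(self.cnt[True]) | set(self.cnt[False]):
            p_m = (self.cnt[True][f] + 1) / (self.n[True] + 2)   # Laplace-smoothed
            p_b = (self.cnt[False][f] + 1) / (self.n[False] + 2)
            logit += math.log(p_m / p_b) if f in vec else math.log((1 - p_m) / (1 - p_b))
        return 1 / (1 + math.exp(-logit))   # likelihood-of-malware score in (0, 1)

DB = FeatureSelectionDB()                       # settings made before any file is input
for a in ("imports", "sections"):
    DB.register_attribute(a)
DB.register_value("imports", "LoadLibraryA")    # imported by nearly every file: noise, delete it
for s in (".text", ".data", ".rsrc"):           # keep-list bounds the section-name vocabulary
    DB.register_value("sections", s, delete=False)
TRAINING = [  # constructed labelled samples: (parsed attributes, is_malware)
    ({"imports": ["LoadLibraryA", "CreateFileW"], "sections": [".text", ".data"]}, False),
    ({"imports": ["LoadLibraryA", "RegOpenKeyW"], "sections": [".text", ".rsrc"]}, False),
    ({"imports": ["LoadLibraryA", "WriteProcessMemory"], "sections": [".text", "UPX1"]}, True),
    ({"imports": ["LoadLibraryA", "WriteProcessMemory", "CreateRemoteThread"], "sections": [".text", "UPX0"]}, True)]

def determine(exe, db=DB, training=TRAINING, threshold=0.5):
    clf = NaiveBayes()                          # learn on reconstructed vectors, then score and decide
    for sample, label in training:
        clf.learn(select_features(db, extract_features(db, sample)), label)
    s = clf.score(select_features(db, extract_features(db, exe)))
    return s, s >= threshold
```

Note that the packer section names UPX0/UPX1 never reach the learner because they are not on the keep-list, which is the kind of effect a registered setting has before any file is seen.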
Abstract
A malware determination device, in which, upon input of an attribute name and an attribute value of an attribute of an executable file, a feature-selection setting unit registers the attribute with the attribute name in an attribute table as an attribute to be extracted, and registers the attribute value as an attribute value to be deleted in an attribute value table. Upon input of an executable file to be learned or to be determined, a feature extraction unit extracts an attribute value of an attribute registered as an attribute to be extracted in the attribute table from the executable file, to generate a feature vector including the extracted attribute value as a feature. A feature selection unit performs deletion of an attribute value registered as an attribute value to be deleted in the attribute value table from the feature vector.
7 Claims
1. A malware determination device comprising: (independent claim; text as given under First Claim above). Claims 2, 3, 4 and 5 are dependent claims and are not shown.
6. A malware determination method performed by a malware determination device, the malware determination method comprising:

- a feature-selection setting step at which, prior to receiving input of an executable file, upon input of an attribute name of an attribute, the attribute with the input attribute name is registered in an attribute table as an attribute to be extracted, and upon input of an attribute value of an attribute, the input attribute value is registered in an attribute value table as an attribute value to be deleted or as an attribute value not to be deleted;
- a feature extraction step at which, upon input of the executable file, a first attribute value of an attribute registered as an attribute to be extracted in the attribute table is extracted from the executable file and a feature vector including the extracted first attribute value as a feature is generated;
- a feature selection step of performing deletion of a second attribute value registered as an attribute value to be deleted or deletion of an attribute value other than attribute values registered as attribute values not to be deleted in the attribute value table from the feature vector generated at the feature extraction step, to reconstruct the feature vector;
- a classification step at which, when a feature vector of an executable file to be learned is reconstructed at the feature selection step, machine learning of the executable file to be learned is performed based on the feature vector and information indicating whether the feature vector of the executable file to be learned is malware, and at which, when a feature vector of an executable file to be determined is reconstructed at the feature selection step, a score of likelihood of malware is calculated for the executable file to be determined based on a result of the machine learning and the feature vector; and
- a determination step of determining whether the executable file to be determined is malware based on the score of the executable file to be determined calculated at the classification step.
7. A non-transitory computer-readable recording medium having stored a program that causes a malware detection device to perform a method comprising:

- a feature-selection setting step at which, prior to receiving input of an executable file, upon input of an attribute name of an attribute, the attribute with the input attribute name is registered in an attribute table as an attribute to be extracted, and upon input of an attribute value of an attribute, the input attribute value is registered in an attribute value table as an attribute value to be deleted or as an attribute value not to be deleted;
- a feature extraction step at which, upon input of the executable file, a first attribute value of an attribute registered as an attribute to be extracted in the attribute table is extracted from the executable file and a feature vector including the extracted first attribute value as a feature is generated;
- a feature selection step of performing deletion of a second attribute value registered as an attribute value to be deleted or deletion of an attribute value other than attribute values registered as attribute values not to be deleted in the attribute value table from the feature vector generated at the feature extraction step, to reconstruct the feature vector;
- a classification step at which, when a feature vector of an executable file to be learned is reconstructed at the feature selection step, machine learning of the executable file to be learned is performed based on the feature vector and information indicating whether the feature vector of the executable file to be learned is malware, and at which, when a feature vector of an executable file to be determined is reconstructed at the feature selection step, a score of likelihood of malware is calculated for the executable file to be determined based on a result of the machine learning and the feature vector; and
- a determination step of determining whether the executable file to be determined is malware based on the score of the executable file to be determined calculated at the classification step.
Specification