Decision forest compilation

US 10,296,742 B2
Filed: 10/31/2015
Issued: 05/21/2019
Est. Priority Date: 10/31/2015
Status: Active Grant

First Claim

Patent Images

1. A computer program product tangibly embodied on non-transient computer readable media, the computer program product comprising instructions operable when executed to:

receive a file from a network location;

extract, by an extraction module implemented at least partially in hardware, a plurality of features of a file;

categorize, by a categorization module implemented at least partially in hardware, each of the plurality of features to define a plurality of categories of features, wherein features unrelated to one another are categorized into a same category to define a category of unrelated features;

build, by a tree generator module implemented at least partially in hardware, a first decision tree based on a first category from the plurality of categories, the first category comprising a set of related features of the file;

build, by the tree generator module, a second decision tree based on a second category from the plurality of categories, the second category comprising a set of unrelated features of the file;

execute, by an execution module implemented at least partially in hardware, the first decision tree to generate a first decision result;

execute, by the execution module, the second decision tree to generate a second decision result; and

determine, by a classification module implemented at least partially in hardware, whether the file has malware based on the first decision result and the second decision result.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present disclosure include methods, devices, and computer program products for detecting malware in a file. Embodiments include identifying a plurality of features of the file, categorizing each of the plurality of features to define a plurality of categories of features, building a first decision tree based on a first category from the plurality of categories, the first category comprising a first set of features of the file, and building a second decision tree based on a second category from the plurality of categories, the second decision tree comprising a second set of features of the file, the second set different from the first set. Some embodiments include comparing results from each decision tree to determine the presence or absence of malware.

11 Citations

20 Claims

1. A computer program product tangibly embodied on non-transient computer readable media, the computer program product comprising instructions operable when executed to:
- receive a file from a network location;
  
  extract, by an extraction module implemented at least partially in hardware, a plurality of features of a file;
  
  categorize, by a categorization module implemented at least partially in hardware, each of the plurality of features to define a plurality of categories of features, wherein features unrelated to one another are categorized into a same category to define a category of unrelated features;
  
  build, by a tree generator module implemented at least partially in hardware, a first decision tree based on a first category from the plurality of categories, the first category comprising a set of related features of the file;
  
  build, by the tree generator module, a second decision tree based on a second category from the plurality of categories, the second category comprising a set of unrelated features of the file;
  
  execute, by an execution module implemented at least partially in hardware, the first decision tree to generate a first decision result;
  
  execute, by the execution module, the second decision tree to generate a second decision result; and
  
  determine, by a classification module implemented at least partially in hardware, whether the file has malware based on the first decision result and the second decision result.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer program product of claim 1, wherein categorizing each of the plurality of features comprises:
    - identifying a relationship between each feature of the file; and
      
      identifying one or more categories for the features based on the relationship between each feature.
  - 3. The computer program product of claim 2, wherein identifying one or more categories for the features based on the relationship between each feature comprises categorizing related features into a same category to define a category of related features.
  - 4. The computer program product of claim 1, wherein categorizing each of the plurality of features to define a plurality of categories of features comprises associating each feature of the plurality of features of the file with one or more category.
  - 5. The computer program product of claim 4, wherein categorizing each of the plurality of features to define the plurality of categories of features comprises determining a degree of relation between two of more features of the plurality of features based on a number of overlapping categories associated with each of the two of more features, andthe instructions are further operable to augment, by the tree generator module, the first decision tree with a feature associated with a third category based on the degree of relation between the first category and the third category.
  - 6. The computer program product of claim 1, the instructions further operable to augment, by the tree generator module, the first decision tree with a feature that is not related to a feature in the set of related features based on the category of unrelated features.
  - 7. The computer program product of claim 1, the instructions further operable to augment, by the categorization module, one or more predefined categories with one or more features of the file.

8. A computer implemented method for assessing a file for malware, the method comprising:
- receiving the file from a network location;
  
  extracting, by extraction logic implemented at least partially in hardware, a plurality of features of the file;
  
  categorizing, by categorization logic implemented at least partially in hardware, each of the plurality of features to define a plurality of categories of features, wherein features unrelated to one another are categorized into a same category to define a category of unrelated features;
  
  building, by tree generator logic implemented at least partially in hardware, a first decision tree based on a first category from the plurality of categories, the first category comprising a set of related features of the file;
  
  building, by the tree generator logic implemented at least partially in hardware, a second decision tree based on a second category from the plurality of categories, the second category comprising a set of unrelated features of the fileexecuting, by execution logic implemented at least partially in hardware, the first decision tree to generate a first decision result;
  
  executing, by the execution logic implemented at least partially in hardware, the second decision tree to generate a second decision result; and
  
  determining, by classification logic implemented at least partially in hardware, whether the file has malware based on the first decision result and the second decision result.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer implemented method of claim 8, wherein categorizing each of the plurality of features comprises:
    - identifying a relationship between each feature of the file; and
      
      identifying one or more categories for the features based on the relationship between each feature.
  - 10. The computer implemented method of claim 9, wherein identifying one or more categories for the features based on the relationship between each feature comprises categorizing related features into a same category to define a category of related features.
  - 11. The computer implemented method of claim 8, wherein categorizing each of the plurality of features to define a plurality of categories of features comprises associating each feature of the plurality of features of the file with one or more category.
  - 12. The computer implemented method of claim 11, wherein categorizing each of the plurality of features to define the plurality of categories of features comprises determining a degree of relation between two of more features of the plurality of features based on a number of overlapping categories associated with each of the two of more features, andthe instructions are further operable to augment, by the tree generator module, the first decision tree with a feature associated with a third category based on the degree of relation between the first category and the third category.
  - 13. The computer implemented method of claim 8, further comprising augmenting, by the tree generator logic, the first decision tree with a feature that is not related to a feature in the set of related features based on the category of unrelated features.
  - 14. The computer implemented method of claim 8, further comprising augmenting, by the tree generator logic, one or more predefined categories with one or more features of the file.

15. A computing device comprising:
- extraction logic implemented at least partially in hardware to extract one or more features from a file;
  
  categorization logic implemented at least partially in hardware to categorize each of the plurality of features to define a plurality of categories of features, wherein features unrelated to one another are categorized into a same category to define a category of unrelated features; and
  
  tree generator logic implemented at least partially in hardware to;
  
  generate a first decision tree based on a first category from the plurality of categories, the first category comprising a set of related features of the file, andgenerate a second decision tree based on a second category from the plurality of categories, the second category comprising a set of unrelated features of the file;
  
  execution logic implemented at least partially in hardware to;
  
  execute the first decision tree to generate a first decision result, andexecute the second decision tree to generate a second decision result; and
  
  classification logic implemented at least partially in hardware to determine whether the file has malware based on the first decision result and the second decision result.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computing device of claim 15, wherein the categorization logic is further operable to:
    - identify a relationship between each of the one or more features of the file; and
      
      identify one or more categories for each of the one or more features based on the relationship between each feature.
  - 17. The computing device of claim 16, wherein identifying one or more categories for each of the one or more features based on the relationship between each feature comprises categorizing related features into a same category to define a category of related features.
  - 18. The computing device of claim 15, wherein categorizing each of the plurality of features to define a plurality of categories of features comprises associating each feature of the plurality of features of the file with one or more category.
  - 19. The computing device of claim 15, wherein the tree generator logic is further operable to augment the first decision tree with a feature that is not related to a feature in the set of related features based on the category of unrelated features.
  - 20. The computing device of claim 15, wherein categorizing each of the plurality of features to define the plurality of categories of features comprises determining a degree of relation between two or more features of the plurality of features based on a number of overlapping categories associated with each of the two or more features, andwherein the tree generator logic is further operable to augment the first decision tree with a feature from a third category based on the degree of relation between the first category and the third category.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Alme, Christoph, Gehweiler, Joachim, Marquardt, Oliver Helge
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Nguy, Chi D

Application Number

US14/929,267
Publication Number

US 20170124325A1
Time in Patent Office

1,298 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/2246   Trees, e.g. B+trees

G06F 16/285   Clustering or classification

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

Decision forest compilation

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Decision forest compilation

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others