Generation and use of trained file classifiers for malware detection
First Claim
1. A computing device comprising:
a memory configured to store instructions to execute a file classifier; and
a processor configured to execute the instructions from the memory to perform operations comprising:
receiving, via a network from a remote computing device, a feature vector representing a file stored in a memory of the remote computing device, the feature vector including an entropy indicator n-gram vector, the entropy indicator n-gram vector including data indicating occurrences of a plurality of n-grams in a sequence of entropy indicators representing the file, a first entropy indicator of the sequence of entropy indicators corresponding to a first bin name associated with a first range of entropy values, and a second entropy indicator of the sequence of entropy indicators corresponding to a second bin name associated with a second range of entropy values;
generating, based on the feature vector, output including classification data associated with the file, the classification data indicating whether the file includes malware; and
transmitting the classification data to the remote computing device via the network, wherein access to the file or execution of the file at the remote computing device is restricted responsive to the classification data indicating that the file includes malware.
2 Assignments
0 Petitions
Abstract
A method includes receiving one or more n-gram vectors for a file as input to a file classifier, where the one or more n-gram vectors indicate occurrences of groups of entropy indicators in a sequence of entropy indicators representing the file. The method also includes generating, based on the one or more n-gram vectors, output including classification data associated with the file, the classification data indicating whether the file includes malware.
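The abstract and the claims describe the feature without fixing any of its parameters. The following added example (not code from the patent or its assignee) shows one concrete way to build the entropy indicator n-gram vector: the file is cut into fixed-size chunks, the Shannon entropy of each chunk is mapped to a named bin, and the occurrences of every possible n-gram of bin names are counted in a fixed order so that every file produces a vector of the same length, which is what a trained classifier would consume. The chunk size, the four bin ranges and names, and n = 2 are assumptions, as are the two sample inputs.

```python
"""
Added example, not the patent's own code: builds the entropy-indicator
n-gram feature vector described in the abstract and claims.

Assumed design choices (the page does not fix them): the chunk size,
the number, boundaries and names of the entropy bins, and n = 2.
"""
import math
from collections import Counter
from itertools import product

CHUNK_SIZE = 256  # assumption: bytes per entropy window

# assumption: four named bins covering the 0..8 bits-per-byte entropy range;
# lower bound inclusive, upper bound exclusive (8.0 exactly goes to the top bin)
ENTROPY_BINS = [
    ("low", 0.0, 2.0),
    ("mid", 2.0, 5.0),
    ("high", 5.0, 7.0),
    ("max", 7.0, 8.0),
]
BIN_NAMES = [name for name, _, _ in ENTROPY_BINS]


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not chunk:
        return 0.0
    counts = Counter(chunk)
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def bin_name(entropy: float) -> str:
    """Map an entropy value to the name of the bin whose range contains it."""
    for name, lo, hi in ENTROPY_BINS:
        if lo <= entropy < hi:
            return name
    return ENTROPY_BINS[-1][0]  # entropy == 8.0 falls in the top bin


def entropy_indicators(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[str]:
    """Sequence of entropy indicators (bin names), one per chunk of the file.
    The final chunk may be shorter than chunk_size; its entropy is still binned."""
    return [bin_name(shannon_entropy(data[i:i + chunk_size]))
            for i in range(0, len(data), chunk_size)]


def ngram_vector(indicators: list[str], n: int = 2) -> list[int]:
    """Occurrence counts of every possible n-gram of bin names, enumerated in a
    fixed order so the vector always has len(BIN_NAMES) ** n entries."""
    counts = Counter(tuple(indicators[i:i + n])
                     for i in range(len(indicators) - n + 1))
    return [counts[gram] for gram in product(BIN_NAMES, repeat=n)]


def feature_vector(data: bytes, n: int = 2) -> list[int]:
    """End-to-end: raw file bytes -> entropy indicators -> n-gram count vector."""
    return ngram_vector(entropy_indicators(data), n)


if __name__ == "__main__":
    import random

    rng = random.Random(0)
    # constructed samples: a file of readable text and a file whose body is
    # pseudo-random (the shape a packed or encrypted payload tends to have)
    text_like = b"header then readable strings and more strings. " * 48
    packed_like = b"MZ" + b"\x00" * 254 + rng.randbytes(2048)
    for label, blob in (("text-like", text_like), ("packed-like", packed_like)):
        print(label, entropy_indicators(blob), feature_vector(blob))
```

The fixed enumeration order in `ngram_vector` matters for the classifier side: position k of every vector must always mean the same n-gram, so the vector layout is part of the model contract between the remote device that extracts features and the server that classifies them.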
97 Citations
20 Claims
1. A computing device comprising:
(the full text of claim 1 is reproduced under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. A method comprising:
receiving, via a network from a remote computing device, a feature vector representing a file stored in a memory of the remote computing device, the feature vector including an entropy indicator n-gram vector, the entropy indicator n-gram vector including data indicating occurrences of a plurality of n-grams in a sequence of entropy indicators representing the file, a first entropy indicator of the sequence of entropy indicators corresponding to a first bin name associated with a first range of entropy values, and a second entropy indicator of the sequence of entropy indicators corresponding to a second bin name associated with a second range of entropy values;
generating, based on the feature vector, output including classification data associated with the file, the classification data indicating whether the file includes malware; and
transmitting the classification data to the remote computing device via the network, wherein access to the file or execution of the file at the remote computing device is restricted responsive to the classification data indicating that the file includes malware.
Dependent claims: 10, 11, 12, 13, 14

15. A computer-readable storage device storing instructions that, when executed, cause a computer to perform operations comprising:
receiving, via a network from a remote computing device, a feature vector representing a file stored in a memory of the remote computing device, the feature vector including an entropy indicator n-gram vector, the entropy indicator n-gram vector including data indicating occurrences of a plurality of n-grams in a sequence of entropy indicators representing the file, a first entropy indicator of the sequence of entropy indicators corresponding to a first bin name associated with a first range of entropy values, and a second entropy indicator of the sequence of entropy indicators corresponding to a second bin name associated with a second range of entropy values;
generating, based on the feature vector, output including classification data associated with the file, the classification data indicating whether the file includes malware; and
transmitting the classification data to the remote computing device via the network, wherein access to the file or execution of the file at the remote computing device is restricted responsive to the classification data indicating that the file includes malware.
Dependent claims: 16, 17, 18, 19, 20
Specification