Malware detection system attack prevention

US 10,333,961 B2
Filed: 06/27/2017
Issued: 06/25/2019
Est. Priority Date: 06/27/2017
Status: Active Grant

First Claim

Patent Images

1. A method for preventing attacks on a malware detection system, the method comprising:

modeling a time series of directed graphs using incoming binary files during training of a machine learning system to detect malware attacks;

detecting, during a time-window of the time series, an anomaly based on a directed graph of the time series of directed graphs; and

providing an alert that the anomaly has corrupted the machine learning system; and

wherein vertices of the directed graph are functions corresponding to the incoming binary files and an edge of the directed graph is a call relationship between functions of respective vertices connected by the edge.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods may be used to prevent attacks on a malware detection system. A method may include modeling a time series of directed graphs using incoming binary files during training of a machine learning system and detecting, during a time-window of the dine series, an anomaly based on a directed graph of the time series of directed graphs. The method may include providing an alert that the anomaly has corrupted the machine learning system. The method may include preventing or remedying corruption of the machine learning system.

Citations

22 Claims

1. A method for preventing attacks on a malware detection system, the method comprising:
- modeling a time series of directed graphs using incoming binary files during training of a machine learning system to detect malware attacks;
  
  detecting, during a time-window of the time series, an anomaly based on a directed graph of the time series of directed graphs; and
  
  providing an alert that the anomaly has corrupted the machine learning system; and
  
  wherein vertices of the directed graph are functions corresponding to the incoming binary files and an edge of the directed graph is a call relationship between functions of respective vertices connected by the edge.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the directed graph corresponds to the time-window.
  - 3. The method of claim 1, wherein the directed graph corresponds to a previous time-window that occurred before the time-window.
  - 4. The method of claim 1, wherein detecting the anomaly includes:
    - deriving scan statistics for a plurality of subgraphs of the directed graph, the plurality of subgraphs including respective vertices a number of connected edges away from a particular vertex in the directed graph; and
      
      detecting a change-point of the scan statistics within the time-window, the change-point representing the anomaly and corresponding to a value of a scan statistic of the scan statistics that is above a threshold.
  - 5. The method of claim 4, wherein the scan statistic includes a count of a maximum of the number of connected edges of a subgraph of the plurality of subgraphs over the time-window, and wherein the number of connected edges away from a particular vertex of the subgraph includes a set of k-nearest neighbors vertices from the particular vertex.
  - 6. The method of claim 4, wherein the scan statistic includes a count of a maximum of the number of connected edges of a subgraph of the plurality of subgraphs over a previous time-window.
  - 7. The method of claim 4, wherein the scan statistic includes a weighted geometric average of locality statistics derived over the time-window and a scan statistic derived over a previous time-window.
  - 8. The method of claim 4, wherein deriving the scan statistics includes performing temporal normalization on the scan statistics to smooth the scan statistics over the time-window.
  - 9. The method of claim 1, wherein the directed graphs are call graphs.
  - 10. The method of claim 1, further comprising preventing at least one of the binary files from reaching the machine learning system.
  - 11. The method of claim 1, further comprising blocking an IP address of a source of at least one of the binary files.
  - 12. The method of claim 1, further comprising causing the machine learning system to perform a roll back to a previous state before a first detected anomaly.

13. A malware detection system for preventing poison attacks, the malware detection system comprising:
- a processor of an anomaly detection system; and
  
  memory, the memory including instructions, which when executed by the processor, cause the processor to;
  
  model a time series of directed graphs using incoming binary files during training of a machine learning system to detect malware attacks;
  
  detect, during a time-window of the time series, an anomaly based on a directed graph of the time series of directed graphs; and
  
  provide an alert that the anomaly has corrupted the machine learning system; and
  
  wherein vertices of the directed graph are functions corresponding to the incoming binary files and an edge of the directed graph is a call relationship between functions of respective vertices connected by the edge.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The malware detection system of claim 13, wherein the directed graph corresponds to the time-window.
  - 15. The malware detection system of claim 13, wherein the directed graph corresponds to a previous time-window that occurred before the time-window.
  - 16. The malware detection system of claim 13, wherein to detect the anomaly, the anomaly detection system is to:
    - derive scan statistics for a plurality of subgraphs of the directed graph, the plurality of subgraphs including respective vertices a number of connected edges away from a particular vertex in the directed graph; and
      
      detect a change-point of the scan statistics within the time-window, the change-point representing the anomaly and corresponding to a value of a scan statistic of the scan statistics that is above a threshold.
  - 17. The malware detection system of claim 16, wherein the scan statistic includes a count of a maximum of the number of connected edges of a subgraph of the plurality of subgraphs over the time-window, and wherein the number of connected edges away from a particular vertex of the subgraph includes a set of k-nearest neighbors vertices from the particular vertex.

18. At least one non-transitory machine-readable medium including instructions for preventing attacks on a malware detection system, which when executed by a machine, cause the machine to:
- model a time series of directed graphs using incoming binary files during training of a machine learning system to detect malware attacks;
  
  detect, during a time-window of the time series, an anomaly based on a directed graph of the time series of directed graphs; and
  
  provide an alert that the anomaly has corrupted the machine learning system; and
  
  wherein vertices of the directed graph are functions corresponding to the incoming binary files and an edge of the directed graph is a call relationship between functions of respective vertices connected by the edge.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The at least one machine-readable medium of claim 18, wherein the directed graph corresponds to the time-window.
  - 20. The at least one machine-readable medium of claim 18, wherein the directed graph corresponds to a previous time-window that occurred before the time-window.
  - 21. The at least one machine-readable medium of claim 18, wherein detecting the anomaly includes:
    - deriving scan statistics for a plurality of subgraphs of the directed graph, the plurality of subgraphs including respective vertices a number of connected edges away from a particular vertex in the directed graph; and
      
      detecting a change-point of the scan statistics within the time-window, the change-point representing the anomaly and corresponding to a value of a scan statistic of the scan statistics that is above a threshold.
  - 22. The at least one machine-readable medium of claim 21, wherein the scan statistic includes a count of a maximum of the number of connected edges of a subgraph of the plurality of subgraphs over a previous time-window.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Chen, Li
Primary Examiner(s)
Dada, Beemnet W

Application Number

US15/634,685
Publication Number

US 20180375885A1
Time in Patent Office

728 Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

G06N 5/01   Dynamic search techniques; ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Malware detection system attack prevention

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Malware detection system attack prevention

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links