Advanced malware classification

US 10,360,380 B2
Filed: 01/19/2017
Issued: 07/23/2019
Est. Priority Date: 01/19/2017
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

at least one processor; and

at least one memory including program code which when executed by the at least one processor provides operations comprising;

providing, to a display, contextual information associated with a file to at least enable a classification of the file and an estimated amount of time required to classify the file, when a malware classifier is unable to classify the file, the estimated amount of time being determined by a machine learning model trained based on training data comprising previously classified files and corresponding timestamps for when each such file was first encountered and when each such file was classified;

receiving, in response to the providing of the contextual information, the classification of the file; and

updating, based at least on the received classification of the file, the malware classifier to enable the malware classifier to classify the file.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one respect, there is provided a system for classifying malware. The system may include a data processor and a memory. The memory may include program code that provides operations when executed by the processor. The operations may include: providing, to a display, contextual information associated with a file to at least enable a classification of the file, when a malware classifier is unable to classify the file; receiving, in response to the providing of the contextual information, the classification of the file; and updating, based at least on the received classification of the file, the malware classifier to enable the malware classifier to classify the file. Methods and articles of manufacture, including computer program products, are also provided.

7 Citations

View as Search Results

32 Claims

1. A system, comprising:
- at least one processor; and
  
  at least one memory including program code which when executed by the at least one processor provides operations comprising;
  
  providing, to a display, contextual information associated with a file to at least enable a classification of the file and an estimated amount of time required to classify the file, when a malware classifier is unable to classify the file, the estimated amount of time being determined by a machine learning model trained based on training data comprising previously classified files and corresponding timestamps for when each such file was first encountered and when each such file was classified;
  
  receiving, in response to the providing of the contextual information, the classification of the file; and
  
  updating, based at least on the received classification of the file, the malware classifier to enable the malware classifier to classify the file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1, wherein the classification of the file indicates that the file is a malicious file or a benign file.
  - 3. The system of claim 1, wherein the malware classifier comprises a machine learning model.
  - 4. The system of claim 3, wherein the updating of the malware classifier comprises training, based at least on the file and the classification of the file, the machine learning model.
  - 5. The system of claim 1, wherein the malware classifier is updated, based at least on the received classification of the file, to further enable the malware classifier to classify at least one other file that is identical or similar to the file.
  - 6. The system of claim 1, wherein the contextual information includes a taxonomical classification of the file.
  - 7. The system of claim 6, wherein the taxonomical classification comprises a type of malware, a type of potentially unwanted program, and/or a type of trusted application.
  - 8. The system of claim 1, wherein the contextual information includes one or more other files that are similar to the file, wherein the one or more other files being identified based at least on a distance between the file and one or more clusters, and the one or more clusters being generated by at least clustering the one or more other files.
  - 9. The system of claim 8, wherein the one or more other files are clustered based at least on one or more features associated with the one or more other files, the one or more features including a filepath, an instruction sequence, a string of characters, a string of binary digits, file size, file metadata, and/or file type.
  - 10. The system of claim 1, wherein the contextual information includes one or more features of the file that contribute to a classification of the file.
  - 11. The system of claim 10, wherein the one or more features include an anomalous behavior, a deceptive behavior, a data loss capability, a data collection capability, and/or a destructive behavior exhibited by the file.
  - 12. The system of claim 1, wherein the contextual information includes a measure of a prevalence of the file.
  - 13. The system of claim 12, wherein the prevalence of the file corresponds to a frequency with which the malware classifier has encountered files having a same hash value as the file.
  - 14. The system of claim 1, wherein the contextual information includes a measure of a prevalence of a feature present in the file.
  - 15. The system of claim 14, wherein the prevalence of the feature corresponds to a frequency with which the malware classifier has encountered a same feature as the feature present in the file.

16. A method, comprising:
- providing, to a display, contextual information associated with a file to at least enable a classification of the file and an estimated amount of time required to classify the file, when a malware classifier is unable to classify the file, the estimated amount of time being determined by a machine learning model trained based on training data comprising previously classified files and corresponding timestamps for when each such file was first encountered and when each such file was classified;
  
  receiving, in response to the providing of the contextual information, the classification of the file; and
  
  updating, based at least on the received classification of the file, the malware classifier to enable the malware classifier to classify the file.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The method of claim 16, wherein the classification of the file indicates that the file is a malicious file or a benign file.
  - 18. The method of claim 16, wherein the malware classifier comprises a machine learning model.
  - 19. The method of claim 18, wherein the updating of the malware classifier comprises training, based at least on the file and the classification of the file, the machine learning model.
  - 20. The method of claim 16, wherein the malware classifier is updated, based at least on the received classification of the file, to further enable the malware classifier to classify at least one other file that is identical or similar to the file.
  - 21. The method of claim 16 wherein the contextual information includes a taxonomical classification of the file.
  - 22. The method of claim 21, wherein the taxonomical classification comprises a type of malware, a type of potentially unwanted program, and/or a type of trusted application.
  - 23. The method of claim 16, wherein the contextual information includes one or more other files that are similar to the file, the one or more other files being identified based at least on a distance between the file and one or more clusters, and the one or more clusters being generated by at least clustering the one or more other files.
  - 24. The method of claim 23, wherein the one or more other files are clustered based at least on one or more features associated with the one or more other files, the one or more features including a filepath, an instruction sequence, a string of characters, a string of binary digits, file size, file metadata, and/or file type.
  - 25. The method of claim 16, wherein the contextual information includes one or more features of the file that contribute to a classification of the file.
  - 26. The method of claim 25, wherein the one or more features include an anomalous behavior, a deceptive behavior, a data loss capability, a data collection capability, and/or a destructive behavior exhibited by the file.
  - 27. The method of claim 16, wherein the contextual information includes a measure of a prevalence of the file.
  - 28. The method of claim 27, wherein the prevalence of the file corresponds to a frequency with which the malware classifier has encountered files having a same hash value as the file.
  - 29. The method of claim 16, wherein the contextual information includes a measure of a prevalence of a feature present in the file.
  - 30. The method of claim 29, wherein the prevalence of the feature corresponds to a frequency with which the malware classifier has encountered a same feature as the feature present in the file.

31. A non-transitory computer-readable storage medium including program code which when executed by at least one processor causes operations comprising:
- providing, to a display, contextual information associated with a file to at least enable a classification of the file and an estimated amount of time required to classify the file, when a malware classifier is unable to classify the file, the estimated amount of time being determined by a machine learning model trained based on training data comprising previously classified files and corresponding timestamps for when each such file was first encountered and when each such file was classified;
  
  receiving, in response to the providing of the contextual information, the classification of the file; and
  
  updating, based at least on the received classification of the file, the malware classifier to enable the malware classifier to classify the file.

32. An apparatus, comprising:
- means for providing, to a display, contextual information associated with a file to at least enable a classification of the file and an estimated amount of time required to classify the file, when a malware classifier is unable to classify the file, the estimated amount of time being determined by a machine learning model trained based on training data comprising previously classified files and corresponding timestamps for when each such file was first encountered and when each such file was classified;
  
  means for receiving, in response to the providing of the contextual information, the classification of the file; and
  
  means for updating, based at least on the received classification of the file, the malware classifier to enable the malware classifier to classify the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cylance Inc. (Blackberry Limited)
Original Assignee
Cylance Inc. (Blackberry Limited)
Inventors
Maisel, Matthew, Permeh, Ryan, Wolff, Matthew, Acevedo, Gabriel, Davis, Andrew, Brock, John, Strong, Homer, Wojnowicz, Michael, Beets, Kevin
Primary Examiner(s)
Gee, Jason K

Application Number

US15/410,599
Publication Number

US 20180203998A1
Time in Patent Office

915 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/563   by source code analysis

G06F 21/565   by checking file integrity

G06F 2221/033   Test or assess software

G06N 20/00   Machine learning

G06N 7/01   Probabilistic graphical mod...

Advanced malware classification

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

7 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Advanced malware classification

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

7 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links