Framework for classifying an object as malicious with machine learning for deploying updated predictive models
Abstract
According to one embodiment, an apparatus comprises a first analysis engine and a second analysis engine. The first analysis engine analyzes an object to determine if the object is malicious. The second analysis engine is configured to (i) receive results of the analysis of the object from the first analysis engine and (ii) analyze, based at least in part on the analysis by the first analysis engine, whether the object is malicious in accordance with a predictive model. Responsive to the first analysis engine and the second analysis engine differing in determinations as to whether the object is malicious, information associated with an analysis of the object by at least one of the first analysis engine and the second analysis engine is uploaded for determining whether an update of the predictive model is to occur. An update of the predictive model is subsequently received by the classification engine.
25 Claims
1. An apparatus comprising:
one or more processors; and
a non-transitory storage medium communicatively coupled to the one or more processors, the non-transitory storage medium comprises
a first analysis engine that, during execution by the one or more processors, analyzes an object to determine if one or more features of the object indicate that the object is malicious, and
a second analysis engine that, during execution by the one or more processors, receives results of the analysis of the object conducted by the first analysis engine, and analyzes, based at least in part on the results from the first analysis engine, whether the object is malicious in accordance with a predictive model,
wherein, in response to the first analysis engine and the second analysis engine differing in a determination as to whether the object is classified as malicious, uploading information associated with an analysis of the object by at least one of the first analysis engine and the second analysis engine for determining whether an update of the predictive model is to occur, the update of the predictive model being trained using one or more features of the object.
Dependent claims 2 to 13 (not shown).

14. An apparatus comprising:
one or more processors; and
a memory coupled to the one or more processors, the memory comprises
a detection engine that, when executed by the one or more processors, analyzes an object to determine whether the object includes one or more features that indicate the object is malicious; and
a classification engine that, when executed by the one or more processors, analyzes whether the object is malicious in accordance with a predictive model maintained at a cloud computing service based at least in part on results from the detection engine,
wherein, in response to the detection engine and the classification engine differing in a determination as to whether the object is malicious, uploading information associated with at least a portion of results from the analysis of the object by at least one of the detection engine and the classification engine for determining whether an update of the predictive model is to occur, the update of the predictive model being received from the cloud computing device by the classification engine.
Dependent claims 15 to 20 (not shown).

21. An apparatus comprising:
a detection engine including circuitry that analyzes an object to determine if one or more features of the object indicate that the object is malicious; and
a classification engine communicatively coupled to the detection engine, the classification engine being configured to (i) receive results of the analysis of the object conducted by the detection engine, (ii) determine, based at least in part on the results from the detection engine and in accordance with values assigned to different parameters of a predictive model to identify features of the object that tend to be associated with malware and a confidence score associated with the object, the confidence score corresponds to a probability of the object being malicious,
wherein, in response to the detection engine and the classification engine differing in a determination as to whether the object is classified as malicious, uploading information including at least the features of the object and the confidence score to cloud computing services for training a reference model to be returned to the classification engine upon determining that an update of values associated with one or more parameters of the predictive model is needed.
Dependent claims 22 to 25 (not shown).
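As an added illustration (not code from the patent or its assignee), the Python sketch below models the arrangement described in the abstract and claim 21: a rule-based detection engine, a classification engine whose predictive model is a logistic function over weighted features that yields a confidence score, and a disagreement hook that stages the features and score for a model update, which later arrives as new parameter values. The feature names, weights, threshold and sample object are all constructed for this example.

```python
import math

# Constructed feature set; each feature is 0 or 1 for the analyzed object.
FEATURES = ("packed", "writes_autorun", "spawns_shell", "signed")
# Constructed initial parameter values of the predictive model (weight per feature, bias).
WEIGHTS = {"packed": 1.0, "writes_autorun": 0.5, "spawns_shell": 0.5, "signed": -2.0}
BIAS = -1.0
# Constructed sample object: behaviours observed for one analyzed file.
SAMPLE_A = {"packed": True, "writes_autorun": True, "signed": True}

def extract_features(obj):
    """Reduce an analyzed object to its indicator features."""
    return {f: int(bool(obj.get(f, False))) for f in FEATURES}

def detection_engine(features):
    """Detection engine: any hard behavioural indicator marks the object malicious."""
    return any(features[f] for f in ("writes_autorun", "spawns_shell"))

class ClassificationEngine:
    """Classification engine whose predictive-model parameter values can be updated."""
    def __init__(self, weights, bias, threshold=0.5):
        self.weights, self.bias, self.threshold = dict(weights), bias, threshold
        self.pending_uploads = []  # records staged for the cloud training service

    def confidence(self, features):
        """Confidence score: model probability that the object is malicious."""
        z = self.bias + sum(self.weights[f] * features[f] for f in FEATURES)
        return 1.0 / (1.0 + math.exp(-z))

    def classify(self, obj):
        """Run both engines; on disagreement stage features and score for upload."""
        features = extract_features(obj)
        detected = detection_engine(features)
        score = self.confidence(features)
        classified = score >= self.threshold
        if detected != classified:
            self.pending_uploads.append({"features": features, "confidence": score})
        return {"detection": detected, "classification": classified, "confidence": round(score, 3)}

    def apply_update(self, new_weights, new_bias):
        """Receive updated parameter values returned by the cloud service."""
        self.weights.update(new_weights)
        self.bias = new_bias

if __name__ == "__main__":
    engine = ClassificationEngine(WEIGHTS, BIAS)
    print(engine.classify(SAMPLE_A))   # engines disagree: one upload record staged
    engine.apply_update({"writes_autorun": 2.5}, BIAS)  # updated model values arrive
    print(engine.classify(SAMPLE_A))   # engines now agree: malicious
```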