Framework for classifying an object as malicious with machine learning for deploying updated predictive models

US 10,366,231 B1
Filed: 06/26/2017
Issued: 07/30/2019
Est. Priority Date: 12/22/2014
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

one or more processors; and

a non-transitory storage medium communicatively coupled to the one or more processors, the non-transitory storage medium comprisesa first analysis engine that, during execution by the one or more processors, analyzes an object to determine if one or more features of the object indicate that the object is malicious, anda second analysis engine that, during execution by the one or more processors, receives results of the analysis of the object conducted by the first analysis engine, and analyzes, based at least in part on the results from the first analysis engine, whether the object is malicious in accordance with a predictive model,wherein, in response to the first analysis engine and the second analysis engine differing in a determination as to whether the object is classified as malicious, uploading information associated with an analysis of the object by at least one of the first analysis engine and the second analysis engine for determining whether an update of the predictive model is to occur, the update of the predictive model being trained using one or more features of the object.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, an apparatus comprises a first analysis engine and a second analysis engine. The first analysis engine analyzes an object to determine if the object is malicious. The second analysis engine is configured to (i) receive results of the analysis of the object from the first analysis engine and (ii) analyze, based at least in part on the analysis by the first analysis engine, whether the object is malicious in accordance with a predictive model. Responsive to the first analysis engine and the second analysis engine differing in determinations as to whether the object is malicious, information associated with an analysis of the object by at least one of the first analysis engine and the second analysis engine is uploaded for determining whether an update of the predictive model is to occur. An update of the predictive model is subsequently received by the classification engine.

Citations

25 Claims

1. An apparatus comprising:
- one or more processors; and
  
  a non-transitory storage medium communicatively coupled to the one or more processors, the non-transitory storage medium comprisesa first analysis engine that, during execution by the one or more processors, analyzes an object to determine if one or more features of the object indicate that the object is malicious, anda second analysis engine that, during execution by the one or more processors, receives results of the analysis of the object conducted by the first analysis engine, and analyzes, based at least in part on the results from the first analysis engine, whether the object is malicious in accordance with a predictive model,wherein, in response to the first analysis engine and the second analysis engine differing in a determination as to whether the object is classified as malicious, uploading information associated with an analysis of the object by at least one of the first analysis engine and the second analysis engine for determining whether an update of the predictive model is to occur, the update of the predictive model being trained using one or more features of the object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The apparatus of claim 1, wherein the second analysis engine further receives the update of the predictive model in response to the first analysis engine determining that the object is malicious while the second analysis engine determining that the object is non-malicious.
  - 3. The apparatus of claim 1, wherein the second analysis engine further receives the update of the predictive model in response to (i) a confirmation that the apparatus subscribes to a service that automatically updates predictive models used by the second analysis engine and (ii) the first analysis engine determines that the object is malicious while the second analysis engine determines that the object is non-malicious.
  - 4. The apparatus of claim 1, wherein the first analysis engine and the second analysis engine are part of a static analysis engine that performs pattern checking operations on the object including heuristic or determinative rule-based analysis.
  - 5. The apparatus of claim 4, wherein the one or more features includes information associated with the object obtained from at least the first analysis engine.
  - 6. The apparatus of claim 5, wherein the first analysis engine is part of a static analysis engine.
  - 7. The apparatus of claim 1, wherein the first analysis engine is part of a static analysis engine and the second analysis engine is part of a dynamic analysis engine, the dynamic analysis engine includes one or more virtual machines that process the object and are configured in accordance with one or more software configurations.
  - 8. The apparatus of claim 1, wherein the uploaded information is transmitted to a cloud computing service and comprises (1) an identifier of the object, and (2) the one or more features of the object for use by the predictive model to classify the object as malicious or non-malicious.
  - 9. The apparatus of claim 8, wherein the uploaded information further comprises (3) results from a preliminary classification of the object by the second analysis engine.
  - 10. The apparatus of claim 8, wherein the identifier of the object is a hash value of the object.
  - 11. The apparatus of claim 8, wherein the uploaded information further comprises (3) the results from a preliminary classification of the object by the first analysis engine.
  - 12. The apparatus of claim 1, wherein the first analysis engine and the second analysis engine differing in the determination as to whether the object is classified as malicious when the detection engine determines that the object is associated with a first level of maliciousness and the classification engine determines that the object is associated with a second level of maliciousness, the second level of maliciousness differing from the first level of maliciousness by at least a prescribed threshold.
  - 13. The system of claim 1, wherein the one or more features includes information associated with the object obtained from static analysis of the object.

14. An apparatus comprising:
- one or more processors; and
  
  a memory coupled to the one or more processors, the memory comprisesa detection engine that, when executed by the one or more processors, analyzes an object to determine whether the object includes one or more features that indicate the object is malicious; and
  
  a classification engine that, when executed by the one or more processors, analyzes whether the object is malicious in accordance with a predictive model maintained at a cloud computing service based at least in part on results from the detection engine,wherein, in response to the detection engine and the classification engine differing in a determination as to whether the object is malicious, uploading information associated with at least a portion of results from the analysis of the object by at least one of the detection engine and the classification engine for determining whether an update of the predictive model is to occur, the update of the predictive model being received from the cloud computing device by the classification engine.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The apparatus of claim 14, wherein the classification engine to receive the update of the predictive model subsequent and in response to the detection engine determining that the object is malicious and the classification engine determining that the object is non-malicious.
  - 16. The apparatus of claim 14, wherein the classification engine to receive the update of the predictive model subsequent and in response to (i) the apparatus subscribing to a service that automatically updates predictive models used by the classification engine and (ii) the detection engine determining that the object is malicious and the classification engine determining that the object is non-malicious.
  - 17. The apparatus of claim 14, wherein the detection engine is part of a static analysis engine and the classification engine is part of a dynamic analysis engine, the dynamic analysis engine includes one or more virtual machines that process the object and are configured in accordance with one or more software configurations.
  - 18. The apparatus of claim 14, wherein the uploaded information comprises (1) an identifier of the object, and (2) one or more features of the object that can be used by the predictive model to classify the object as malicious.
  - 19. The apparatus of claim 18, wherein the uploaded information further comprises (3) the results from a preliminary classification of the object by the classification engine that include a confidence score that identifies a likelihood of the object being malicious.
  - 20. The apparatus of claim 14, wherein the detection engine and the classification engine differing in the determination as to whether the object is malicious when the detection engine determines that the object is associated with a first level of maliciousness and the classification engine determines that the object is associated with a second level of maliciousness, the second level of maliciousness differing from the first level of maliciousness by at least a prescribed threshold.

21. An apparatus comprising:
- a detection engine including circuitry that analyzes an object to determine if one or more features of the object indicate that the object is malicious; and
  
  a classification engine communicatively coupled to the detection engine, the classification engine being configured to (i) receive results of the analysis of the object conducted by the detection engine, (ii) determine, based at least in part on the results from the detection engine and in accordance with values assigned to different parameters of a predictive model to identify features of the object that tend to be associated with malware and a confidence score associated with the object, the confidence score corresponds to a probability of the object being malicious,wherein, in response to the detection engine and the classification engine differing in a determination as to whether the object is classified as malicious, uploading information including at least the features of the object and the confidence score to cloud computing services for training a reference model to be returned to the classification engine upon determining that an update of values associated with one or more parameters of the predictive model is needed.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The apparatus of claim 21, wherein the classification engine to receive the update of the values associated with the one or more parameters of the predictive model subsequent and in response to the detection engine determining that the object is malicious and the classification engine determining that the object is non-malicious.
  - 23. The apparatus of claim 21, wherein the detection engine and the classification engine differing in the determination as to whether the object is classified as malicious when the detection engine determining that the object is associated with a first level of maliciousness and the classification engine determining that the object is associated with a second level of maliciousness, the second level of maliciousness differing from the first level of maliciousness by at least a prescribed threshold.
  - 24. The apparatus of claim 21, wherein the classification engine to receive the update of the values associated with the one or more parameters of the predictive model subsequent and in response to (i) the apparatus subscribing to a service that automatically updates predictive models used by the classification engine and (ii) the detection engine determining that the object is malicious and the classification engine determining that the object is non-malicious.
  - 25. The apparatus of claim 21, wherein the detection engine is part of a static analysis engine and the classification engine is part of a dynamic analysis engine, the dynamic analysis engine includes one or more virtual machines that process the object and are configured in accordance with one or more software configurations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Singh, Abhishek, Mesdaq, Ali, Das, Anirban, Jain, Varun
Primary Examiner(s)
Pearson, David J

Application Number

US15/633,072
Time in Patent Office

764 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06N 5/02   Knowledge representation; S...

G06N 5/025   Extracting rules from data

G06N 5/045   Explanation of inference; E...

H04L 63/1425   Traffic logging, e.g. anoma...

Framework for classifying an object as malicious with machine learning for deploying updated predictive models

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Framework for classifying an object as malicious with machine learning for deploying updated predictive models

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links