Deployment of machine learning models for discernment of threats

US 10,372,913 B2
Filed: 06/06/2017
Issued: 08/06/2019
Est. Priority Date: 06/08/2016
Status: Active Grant

First Claim

Patent Images

1. A method for implementation by one or more data processors forming part of at least one computing device, the method comprising:

detecting, by at least one data processor, a mismatch between model-based classifications produced by a first version of a computer-implemented machine learning threat discernment model and a second version of a computer-implemented machine learning threat discernment model for a file;

analyzing, by at least one data processor, the mismatch to determine appropriate handling for the file, the analyzing comprising comparing a human-generated classification for a file, a first model version status that reflects classification by the first version of the computer-implemented machine learning threat discernment model, and a second model version status that reflects classification by the second version of the computer-implemented machine learning threat discernment model, the analyzing further comprising allowing the human-generated classification to dominate when it is available; and

taking, by at least one data processor, an action based on the analyzing, the action comprising;

presenting, by at least one data processor, the file via user interface functionality of an administrative interface with a choice of creating a new human-generated classification of the file as safe or allowing the second model version classification to govern when the file is deemed safe by the first model version but unsafe by the second model version, and when the human-generated classification is unavailable for the file;

quarantining, by at least one data processor, a file deemed unsafe by the first version of the computer-implemented machine learning threat discernment model but safe by the second version of the computer-implemented machine learning threat discernment model when the human-generated classification is unavailable for the file; and

presenting, by at least one data processor, the file via the user interface functionality of the administrative interface with a second choice of designating the file for local analysis and/or allowing the second model version classification to continue to block use of the file until the human-generated classification becomes available when the file is deemed unsafe by the second model version and the human human-generated classification is unavailable and when the first model version has not previously classified the file.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mismatch between model-based classifications produced by a first version of a machine learning threat discernment model and a second version of a machine learning threat discernment model for a file is detected. The mismatch is analyzed to determine appropriate handling for the file, and taking an action based on the analyzing. The analyzing includes comparing a human-generated classification status for a file, a first model version status that reflects classification by the first version of the machine learning threat discernment model, and a second model version status that reflects classification by the second version of the machine learning threat discernment model. The analyzing can also include allowing the human-generated classification status to dominate when it is available.

Citations

27 Claims

1. A method for implementation by one or more data processors forming part of at least one computing device, the method comprising:
- detecting, by at least one data processor, a mismatch between model-based classifications produced by a first version of a computer-implemented machine learning threat discernment model and a second version of a computer-implemented machine learning threat discernment model for a file;
  
  analyzing, by at least one data processor, the mismatch to determine appropriate handling for the file, the analyzing comprising comparing a human-generated classification for a file, a first model version status that reflects classification by the first version of the computer-implemented machine learning threat discernment model, and a second model version status that reflects classification by the second version of the computer-implemented machine learning threat discernment model, the analyzing further comprising allowing the human-generated classification to dominate when it is available; and
  
  taking, by at least one data processor, an action based on the analyzing, the action comprising;
  
  presenting, by at least one data processor, the file via user interface functionality of an administrative interface with a choice of creating a new human-generated classification of the file as safe or allowing the second model version classification to govern when the file is deemed safe by the first model version but unsafe by the second model version, and when the human-generated classification is unavailable for the file;
  
  quarantining, by at least one data processor, a file deemed unsafe by the first version of the computer-implemented machine learning threat discernment model but safe by the second version of the computer-implemented machine learning threat discernment model when the human-generated classification is unavailable for the file; and
  
  presenting, by at least one data processor, the file via the user interface functionality of the administrative interface with a second choice of designating the file for local analysis and/or allowing the second model version classification to continue to block use of the file until the human-generated classification becomes available when the file is deemed unsafe by the second model version and the human human-generated classification is unavailable and when the first model version has not previously classified the file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein each of the first version of the computer-implemented machine learning threat discernment model and the second version of the computer-implemented machine learning threat discernment model for a file output a respective threat score, wherein the mismatch is based on differences between the threat scores.
  - 3. The method of claim 1, wherein the action comprises:
    - executing or otherwise accessing code that generated the respective threat scores without quarantining.
  - 4. The method of claim 1, wherein the first version of the computer-implemented machine learning threat discernment model and the second version of the computer-implemented machine learning threat discernment model for the file are on different and remote computing systems.
  - 5. The method of claim 1, wherein the first version of the computer-implemented machine learning threat discernment model and the second version of the computer-implemented machine learning threat discernment model for the file are on the same computing system.
  - 6. The method of claim 1, wherein the computer-implemented machine learning threat discernment model identifies at least one of:
    - malware, viruses, unauthorized access of files, unauthorized access of data, unauthorized execution of files, or unauthorized execution of data.
  - 7. The method of claim 1 further comprising:
    - collecting features characterizing the file and/or an environment in which the file is being executed or is to be executed; and
      
      passing at least a portion of the collected features to both of the first version of the computer-implemented machine learning threat discernment model and the second version of the computer-implemented machine learning threat discernment model.
  - 8. The method of claim 1, wherein the computer-implemented machine learning threat discernment model incorporates at least one of:
    - neural networks, support vector machines, logistic regressions, scorecard models, Bayesian algorithms, or decision trees.
  - 9. The method of claim 1 further comprising:
    - displaying classification information derived from a third version of the computer-implemented machine learning threat discernment model in the administrative interface.

10. A computer program product comprising a non-transitory machine-readable medium storing instructions that, when executed by at least one data processor forming part of at least one computing device, cause the at least one data processor to perform operations comprising:
- detecting a mismatch between model-based classifications produced by a first version of a computer-implemented machine learning threat discernment model and a second version of a computer-implemented machine learning threat discernment model for a file;
  
  analyzing the mismatch to determine appropriate handling for the file, the analyzing comprising comparing a human-generated classification for a file, a first model version status that reflects classification by the first version of the computer-implemented machine learning threat discernment model, and a second model version status that reflects classification by the second version of the computer-implemented machine learning threat discernment model, the analyzing further comprising allowing the human-generated classification to dominate when it is available; and
  
  taking an action based on the analyzing, the action comprising;
  
  presenting the file via user interface functionality of an administrative interface with a choice of creating a new human-generated classification of the file as safe or allowing the second model version classification to govern when the file is deemed safe by the first model version but unsafe by the second model version, and when the human-generated classification is unavailable for the file;
  
  quarantining a file deemed unsafe by the first version of the computer-implemented machine learning threat discernment model but safe by the second version of the computer-implemented machine learning threat discernment model when the human-generated classification is unavailable for the file; and
  
  presenting the file via the user interface functionality of the administrative interface with a second choice of designating the file for local analysis and/or allowing the second model version classification to continue to block use of the file until the human-generated classification becomes available when the file is deemed unsafe by the second model version and the human human-generated classification is unavailable and when the first model version has not previously classified the file.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer program product of claim 10, wherein each of the first version of the computer-implemented machine learning threat discernment model and the second version of the computer-implemented machine learning threat discernment model for a file output a respective threat score, wherein the mismatch is based on differences between the threat scores.
  - 12. The computer program product of claim 10, wherein the action comprises:
    - executing or otherwise accessing code that generated the respective threat scores without quarantining if a difference in the threat scores is below a pre-defined threshold.
  - 13. The computer program product of claim 10, wherein the first version of the computer-implemented machine learning threat discernment model and the second version of the computer-implemented machine learning threat discernment model for the file are on different and remote computing systems.
  - 14. The computer program product of claim 10, wherein the first version of the computer-implemented machine learning threat discernment model and the second version of the computer-implemented machine learning threat discernment model for the file are on the same computing system.
  - 15. The computer program product of claim 10, wherein the computer-implemented machine learning threat discernment model identifies at least one of:
    - malware, viruses, unauthorized access of files, unauthorized access of data, unauthorized execution of files, or unauthorized execution of data.
  - 16. The computer program product of claim 10, wherein the operations further comprise:
    - collecting features characterizing the file and/or an environment in which the file is being executed or is to be executed; and
      
      passing at least a portion of the collected features to both of the first version of the computer-implemented machine learning threat discernment model and the second version of the computer-implemented machine learning threat discernment model.
  - 17. The computer program product of claim 10, wherein the computer-implemented machine learning threat discernment model incorporates at least one of:
    - neural networks, support vector machines, logistic regressions, scorecard models, Bayesian algorithms, or decision trees.
  - 18. The computer program product of claim 10, wherein the operations further comprise:
    - displaying classification information derived from a third version of the computer-implemented machine learning threat discernment model in the administrative interface.

19. A system comprising:
- at least one data processor; and
  
  memory storing instructions which, when executed by the at least one data processor, result in operations comprising;
  
  detecting a mismatch between model-based classifications produced by a first version of a computer-implemented machine learning threat discernment model and a second version of a computer-implemented machine learning threat discernment model for a file;
  
  analyzing the mismatch to determine appropriate handling for the file, the analyzing comprising comparing a human-generated classification for a file, a first model version status that reflects classification by the first version of the computer-implemented machine learning threat discernment model, and a second model version status that reflects classification by the second version of the computer-implemented machine learning threat discernment model, the analyzing further comprising allowing the human-generated classification to dominate when it is available; and
  
  taking an action based on the analyzing, the action comprising;
  
  presenting the file via user interface functionality of an administrative interface with a choice of creating a new human-generated classification of the file as safe or allowing the second model version classification to govern when the file is deemed safe by the first model version but unsafe by the second model version, and when the human-generated classification is unavailable for the file;
  
  quarantining a file deemed unsafe by the first version of the computer-implemented machine learning threat discernment model but safe by the second version of the computer-implemented machine learning threat discernment model when the human-generated classification is unavailable for the file; and
  
  presenting the file via the user interface functionality of the administrative interface with a second choice of designating the file for local analysis and/or allowing the second model version classification to continue to block use of the file until the human-generated classification becomes available when the file is deemed unsafe by the second model version and the human human-generated classification is unavailable and when the first model version has not previously classified the file.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The system of claim 19, wherein the first version of the computer-implemented machine learning threat discernment model and the second version of the computer-implemented machine learning threat discernment model for the file are on the same computing system.
  - 21. The system of claim 19, wherein each of the first version of the computer-implemented machine learning threat discernment model and the second version of the computer-implemented machine learning threat discernment model for a file output a respective threat score, wherein the mismatch is based on differences between the threat scores.
  - 22. The system of claim 19, wherein the action comprises:
    - executing or otherwise accessing code that generated the respective threat scores without quarantining.
  - 23. The system of claim 19, wherein the first version of the computer-implemented machine learning threat discernment model and the second version of the computer-implemented machine learning threat discernment model for the file are on different and remote computing systems.
  - 24. The system of claim 19, wherein the computer-implemented machine learning threat discernment model identifies at least one of:
    - malware, viruses, unauthorized access of files, unauthorized access of data, unauthorized execution of files, or unauthorized execution of data.
  - 25. The system of claim 19, wherein the operations further comprise:
    - collecting features characterizing the file and/or an environment in which the file is being executed or is to be executed; and
      
      passing at least a portion of the collected features to both of the first version of the computer-implemented machine learning threat discernment model and the second version of the computer-implemented machine learning threat discernment model.
  - 26. The system of claim 19, wherein the computer-implemented machine learning threat discernment model incorporates at least one of:
    - neural networks, support vector machines, logistic regressions, scorecard models, Bayesian algorithms, or decision trees.
  - 27. The system of claim 19, wherein the operations further comprise:
    - displaying classification information derived from a third version of the computer-implemented machine learning threat discernment model in the administrative interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cylance Inc. (Blackberry Limited)
Original Assignee
Cylance Inc. (Blackberry Limited)
Inventors
Harms, Kristopher William, Song, Renee, Rajamani, Raj, Rusell, Braden, Sohn, Yoojin, Ipsen, Kiefer
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Murphy, J. Brant

Application Number

US15/615,609
Publication Number

US 20170357807A1
Time in Patent Office

791 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

G06F 2221/033   Test or assess software

G06F 3/048   Interaction techniques base...

G06N 20/00   Machine learning

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Deployment of machine learning models for discernment of threats

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Deployment of machine learning models for discernment of threats

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links