Recurrent neural networks for malware analysis

US 10,558,804 B2
Filed: 08/12/2016
Issued: 02/11/2020
Est. Priority Date: 04/16/2015
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

computer hardware configured to perform operations comprising;

feeding data encapsulating a sample of at least a portion of one or more files into a recurrent neural network trained using historical data;

extracting, by the RNN, a plurality of final hidden states in a hidden layer of the recurrent neural network; and

determining, using the recurrent neural network and the plurality of final hidden states, whether at least a portion of the sample comprises malicious code;

wherein;

the recurrent neural network comprises an Elman network that parameterizes a function ƒ

(x, ht−

1) as ht=g(W1x+Rht−

1);

where the hidden state h_tcomprises a time-dependent function of the input x as well as a previous hidden state ht−

1, W₁is a matrix defining input-to-hidden connections, R is a matrix defining the recurrent connections, and g(⋅

) is a differentiable nonlinearity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Using a recurrent neural network (RNN) that has been trained to a satisfactory level of performance, highly discriminative features can be extracted by running a sample through the RNN, and then extracting a final hidden state h_i, where i is the number of instructions of the sample. This resulting feature vector may then be concatenated with the other hand-engineered features, and a larger classifier may then be trained on hand-engineered as well as automatically determined features. Related apparatus, systems, techniques and articles are also described.

45 Citations

View as Search Results

20 Claims

1. A system comprising:
- computer hardware configured to perform operations comprising;
  
  feeding data encapsulating a sample of at least a portion of one or more files into a recurrent neural network trained using historical data;
  
  extracting, by the RNN, a plurality of final hidden states in a hidden layer of the recurrent neural network; and
  
  determining, using the recurrent neural network and the plurality of final hidden states, whether at least a portion of the sample comprises malicious code;
  
  wherein;
  
  the recurrent neural network comprises an Elman network that parameterizes a function ƒ
  
  (x, ht−
  
  1) as ht=g(W1x+Rht−
  
  1);
  
  where the hidden state h_tcomprises a time-dependent function of the input x as well as a previous hidden state ht−
  
  1, W₁is a matrix defining input-to-hidden connections, R is a matrix defining the recurrent connections, and g(⋅
  
  ) is a differentiable nonlinearity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the operations further comprise:
    - receiving and/or accessing the data as at least part of a data stream.
  - 3. The system of claim 1, wherein the sample comprises a series of fixed-length encoded words.
  - 4. The system of claim 1, wherein the sample comprises a series of instructions.
  - 5. The system of claim 1, wherein a hidden state at a time t(h_t) is defined by:
    - ht=ƒ
      
      (x,ht−
      
      1), and wherein the hidden state ht comprises a time-dependent function of an input x as well as a previous hidden state ht−
      
      1.
  - 6. The system of claim 1, wherein the Elman network comprises deep transition or decoding functions.
  - 7. The system of claim 1, wherein the operations further comprise:
    - adding an output layer on top of at least one hidden layer of the plurality of hidden layers such that σ
      
      t=σ
      
      (W2ht) where o_tis an output, W₂defines a linear transformation of hidden activations, and a σ
      
      (⋅
      
      ) is a logistic function.
  - 8. The system of claim 7, wherein the operations further comprise:
    - applying backpropagation through time by which W₂, W₁, and R are iteratively refined to drive the output of to a desired value as portions of the sample are passed through the RNN.
  - 9. The system of claim 1, wherein the operations further comprise:
    - providing a characterization of the sample as malicious or not malicious based at least in part on the determining.
  - 10. The system of claim 1, wherein the providing of the characterization comprises at least one of:
    - transmitting the data to a remote computing system, loading the data into memory, or storing the data.
  - 11. The system of claim 1, wherein the one or more files comprise binary files and/or executable files.
  - 12. The system of claim 1, wherein the computer hardware comprises a programmable data processor and a memory storing instructions that when executed by the at least one programmable data processor, result in at least some of the operations.

13. A method for implementation by at least one computing device comprising:
- feeding data encapsulating a sample of at least a portion of one or more files into a recurrent neural network trained using historical data;
  
  extracting, by the RNN, a plurality of final hidden states in a hidden layer of the recurrent neural network; and
  
  determining, using the recurrent neural network and the plurality of final hidden states, whether at least a portion of the sample to comprises malicious code;
  
  wherein;
  
  the recurrent neural network comprises an Elman network that parameterizes a function ƒ
  
  (x, ht−
  
  1) as ht=g(W1x+Rht−
  
  1);
  
  where the hidden state h_tcomprises a time-dependent function of the input x as well as a previous hidden state ht−
  
  1, W₁is a matrix defining input-to-hidden connections, R is a matrix defining the recurrent connections, and g(⋅
  
  ) is a differentiable nonlinearity.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13 further comprising:
    - receiving and/or accessing the data as at least part of a data stream.
  - 15. The method of claim 13, wherein the sample comprises a series of fixed-length encoded words and/or a series of instructions.
  - 16. The method of claim 13, wherein a hidden state at a time t(h_t) is defined by:
    - ht=ƒ
      
      (x, ht−
      
      1), and wherein the hidden state ht comprises a time-dependent function of an input x as well as a previous hidden state ht−
      
      1.
  - 17. The method of claim 13, wherein the Elman network comprises deep transition or decoding functions.
  - 18. The method of claim 13 further comprising:
    - adding an output layer on top of at least one hidden layer of the plurality of hidden layers such that σ
      
      t=σ
      
      (W2ht) where of is an output, W₂defines a linear transformation of hidden activations, and a σ
      
      (⋅
      
      ) is a logistic function; and
      
      applying backpropagation through time by which W₂, W₁, and R are iteratively refined to drive the output of to a desired value as portions of the sample are passed through the RNN.
  - 19. The method of claim 13 further comprising:
    - providing a characterization of the sample as malicious or not malicious based at least in part on the determining;
      
      wherein the providing of the characterization comprises at least one of;
      
      transmitting the data to a remote computing system, loading the data into memory, or storing the data;
      
      wherein the one or more files comprise binary files and/or executable files.

20. A non-transitory computer program product storing instructions which, when executed by at least one programmable data processor forming part of at least one computing device, result in operations comprising:
- feeding data encapsulating a sample of at least a portion of one or more files into a recurrent neural network trained using historical data;
  
  extracting, by the RNN, a plurality of final hidden states in a hidden layer of the recurrent neural network; and
  
  determining, using the recurrent neural network and the plurality of final hidden states, whether at least a portion of the sample is comprises malicious code;
  
  wherein;
  
  the recurrent neural network comprises an Elman network that parameterizes a function ƒ
  
  (x, ht−
  
  1) as ht=g(W1x+Rht−
  
  1);
  
  where the hidden state h_tcomprises a time-dependent function of the input x as well as a previous hidden state ht−
  
  1, W₁is a matrix defining input-to-hidden connections, R is a matrix defining the recurrent connections, and g(⋅
  
  ) is a differentiable nonlinearity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cylance Inc. (Blackberry Limited)
Original Assignee
Cylance Inc. (Blackberry Limited)
Inventors
Davis, Andrew, Wolff, Matthew, Soeder, Derek A., Chisholm, Glenn, Permeh, Ryan
Primary Examiner(s)
Chen, Alan

Application Number

US15/236,289
Publication Number

US 20160350532A1
Time in Patent Office

1,278 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06N 3/04   Architecture, e.g. intercon...

G06N 3/044   Recurrent networks, e.g. Ho...

G06N 3/08   Learning methods

G06N 3/084   Backpropagation, e.g. using...

Recurrent neural networks for malware analysis

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

45 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Recurrent neural networks for malware analysis

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links