Recurrent neural networks for malware analysis
1 Assignment
0 Petitions
Abstract
Using a recurrent neural network (RNN) that has been trained to a satisfactory level of performance, highly discriminative features can be extracted by running a sample through the RNN and then extracting a final hidden state $h_i$, where $i$ is the number of instructions in the sample. This resulting feature vector may then be concatenated with other hand-engineered features, and a larger classifier may then be trained on hand-engineered as well as automatically determined features. Related apparatus, systems, techniques and articles are also described.
45 Citations
20 Claims
1. A system comprising:

computer hardware configured to perform operations comprising: feeding data encapsulating a sample of at least a portion of one or more files into a recurrent neural network trained using historical data; extracting, by the RNN, a plurality of final hidden states in a hidden layer of the recurrent neural network; and determining, using the recurrent neural network and the plurality of final hidden states, whether at least a portion of the sample comprises malicious code; wherein: the recurrent neural network comprises an Elman network that parameterizes a function $f(x, h_{t-1})$ as $h_t = g(W_1 x + R h_{t-1})$, where the hidden state $h_t$ comprises a time-dependent function of the input $x$ as well as a previous hidden state $h_{t-1}$, $W_1$ is a matrix defining input-to-hidden connections, $R$ is a matrix defining the recurrent connections, and $g(\cdot)$ is a differentiable nonlinearity.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12

13. A method for implementation by at least one computing device comprising:

feeding data encapsulating a sample of at least a portion of one or more files into a recurrent neural network trained using historical data; extracting, by the RNN, a plurality of final hidden states in a hidden layer of the recurrent neural network; and determining, using the recurrent neural network and the plurality of final hidden states, whether at least a portion of the sample comprises malicious code; wherein: the recurrent neural network comprises an Elman network that parameterizes a function $f(x, h_{t-1})$ as $h_t = g(W_1 x + R h_{t-1})$, where the hidden state $h_t$ comprises a time-dependent function of the input $x$ as well as a previous hidden state $h_{t-1}$, $W_1$ is a matrix defining input-to-hidden connections, $R$ is a matrix defining the recurrent connections, and $g(\cdot)$ is a differentiable nonlinearity.

Dependent claims: 14, 15, 16, 17, 18, 19

20. A non-transitory computer program product storing instructions which, when executed by at least one programmable data processor forming part of at least one computing device, result in operations comprising:

feeding data encapsulating a sample of at least a portion of one or more files into a recurrent neural network trained using historical data; extracting, by the RNN, a plurality of final hidden states in a hidden layer of the recurrent neural network; and determining, using the recurrent neural network and the plurality of final hidden states, whether at least a portion of the sample comprises malicious code; wherein: the recurrent neural network comprises an Elman network that parameterizes a function $f(x, h_{t-1})$ as $h_t = g(W_1 x + R h_{t-1})$, where the hidden state $h_t$ comprises a time-dependent function of the input $x$ as well as a previous hidden state $h_{t-1}$, $W_1$ is a matrix defining input-to-hidden connections, $R$ is a matrix defining the recurrent connections, and $g(\cdot)$ is a differentiable nonlinearity.
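The Elman recurrence in the claims and the feature-extraction step in the abstract, as an added example that is not the patent's or the assignee's code: a minimal pure-Python forward pass runs $h_t = g(W_1 x + R h_{t-1})$ over a constructed sequence of instruction mnemonics, returns the final hidden state $h_i$, and concatenates it with hand-engineered features. The vocabulary, the hidden-layer size and the randomly initialised weights are assumptions standing in for a network trained on historical data.

```python
import math
import random

# Constructed toy vocabulary of instruction mnemonics; a real system would
# feed the disassembled instructions of the sample (assumption).
VOCAB = ["push", "mov", "call", "xor", "jmp", "ret"]
HIDDEN = 8  # hidden-layer size, chosen for this example


def make_weights(seed=0, hidden=HIDDEN, n_in=len(VOCAB)):
    """Random W1 (hidden x n_in) and R (hidden x hidden). These stand in for
    the trained parameters; the page does not give the training procedure."""
    rng = random.Random(seed)
    W1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(hidden)]
    R = [[rng.uniform(-0.5, 0.5) for _ in range(hidden)] for _ in range(hidden)]
    return W1, R


def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def one_hot(token):
    x = [0.0] * len(VOCAB)
    x[VOCAB.index(token)] = 1.0
    return x


def elman_final_state(tokens, W1, R, g=math.tanh):
    """h_t = g(W1 x_t + R h_{t-1}) with h_0 = 0; returns h_i, i = len(tokens).
    The result has a fixed size regardless of how many instructions are fed."""
    h = [0.0] * len(R)
    for tok in tokens:
        pre = [a + b for a, b in zip(matvec(W1, one_hot(tok)), matvec(R, h))]
        h = [g(p) for p in pre]
    return h


def feature_vector(tokens, hand_features, W1, R):
    """Learned final state concatenated with hand-engineered features, the
    combined vector a downstream classifier would be trained on."""
    return elman_final_state(tokens, W1, R) + [float(f) for f in hand_features]


if __name__ == "__main__":
    W1, R = make_weights()
    sample = ["push", "mov", "xor", "call", "ret"]  # constructed sample
    hand = [len(sample), 1]  # e.g. instruction count and a has-call flag
    print(feature_vector(sample, hand, W1, R))
```

Because the state is recurrent, reordering the same instructions changes $h_i$, which is what lets the feature capture sequence rather than just opcode counts.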
Specification