Generic and static detection of malware installation packages
First Claim
1. A method comprising:
receiving, by a computing device, an executable application or a part thereof;
extracting, by the computing device, a package name associated with the received application;
classifying, by the computing device, the received executable application as being malicious or non-malicious based on evaluation of the package name using a language model; and
when the received executable application is classified as being non-malicious by the language model, performing, by the computing device, a further classification process on the received executable application by:
extracting one or more icons associated with the received executable application; and
evaluating a set of icons from the one or more icons using a deep neural network (DNN) model.
Abstract
Systems and methods for generic and static detection of malware using machine learning are provided. According to one embodiment, a computing device receives an executable application or a part thereof. A package name associated with the received application is extracted. The received executable application is classified as being malicious or non-malicious based on evaluation of the package name using a language model. When the received executable application is classified as being non-malicious by the language model, then a further classification process is performed on the received executable application by extracting one or more icons associated with the received executable application. A set of icons of the one or more icons is evaluated using a deep neural network (DNN) model.
29 Claims
1. A method comprising:
receiving, by a computing device, an executable application or a part thereof;
extracting, by the computing device, a package name associated with the received application;
classifying, by the computing device, the received executable application as being malicious or non-malicious based on evaluation of the package name using a language model; and
when the received executable application is classified as being non-malicious by the language model, performing, by the computing device, a further classification process on the received executable application by:
extracting one or more icons associated with the received executable application; and
evaluating a set of icons from the one or more icons using a deep neural network (DNN) model.
Dependent claims: 2 to 14.
15. A system comprising:
a non-transitory storage device having embodied therein one or more routines operable to detect a malicious executable application; and
one or more processors coupled to the non-transitory storage device and operable to execute the one or more routines, wherein the one or more routines include:
an executable application receiving module, which when executed by the one or more processors, receives an executable application or a part thereof;
a package name extraction module, which when executed by the one or more processors, extracts a package name associated with the received executable application;
a package name based classification module, which when executed by the one or more processors, classifies the application as being malicious or non-malicious based on evaluation of the package name using a language model; and
an icon-based classification module, which when executed by the one or more processors, performs a further classification process on the received executable application when the received executable application is classified as being non-malicious by the language model by:
extracting one or more icons associated with the received executable application; and
evaluating a set of icons from the one or more icons using a deep neural network (DNN) model.
Dependent claims: 16 to 28.
29. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a mobile device, causes the one or more processors to perform a method comprising:
receiving an executable application or a part thereof;
extracting a package name associated with the received application;
classifying the received executable application as being malicious or non-malicious based on evaluation of the package name using a language model, wherein the language model detects, among other indications of malware, whether the package name is suggestive of the package name being programmatically generated; and
when the received executable application is classified as being non-malicious by the language model, performing a further classification process on the received executable application by:
extracting one or more icons associated with the received executable application; and
detecting use of a social engineering technique by the received executable application involving exploitation of an icon resembling that of a well-known legitimate application or company by the received executable application by evaluating a set of icons from the one or more icons using a deep neural network (DNN) model.
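The following is an added worked example of the two-stage pipeline the abstract and claim 29 describe: a package-name language model runs first, and the icon check runs only for names it passes. It is not the patent's code or any assignee's implementation. Everything in it is an assumption or constructed for illustration: the corpus of legitimate package names, the add-one smoothed character bigram model and its threshold standing in for the claimed "language model", the 64-bit average hash standing in for the claimed DNN, the 8x8 "examplebank" reference icon, and the sample names and icons it is run on. The stand-ins are chosen to show the gating and the two indicators (programmatically generated names, brand look-alike icons), not to reach production accuracy; the threshold in particular is tuned to the tiny corpus and would need refitting on real data.

```python
"""Two-stage static triage of an app package: a package-name language model
gates a costlier icon look-alike check. Constructed example; the models are
tiny stand-ins for the claimed language model and DNN."""
import math
from collections import Counter

# Constructed corpus of legitimate package names used to fit the name model.
LEGIT_PACKAGE_NAMES = [
    "com.google.android.gms", "com.android.chrome", "org.mozilla.firefox",
    "com.whatsapp", "com.facebook.katana", "com.spotify.music",
    "com.instagram.android", "com.twitter.android", "com.dropbox.android",
    "com.microsoft.office.outlook", "com.adobe.reader",
    "com.amazon.mShop.android", "net.openvpn.openvpn",
    "org.telegram.messenger", "com.skype.raider",
]
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789_"
BOS, EOS = "^", "$"           # segment boundary markers
VOCAB = len(ALPHABET) + 2     # denominator term for add-one smoothing
GENERATED_THRESHOLD = -3.1    # mean log-prob per char; assumed, tuned on the corpus above


class PackageNameModel:
    """Add-one smoothed character bigram model over dot-separated name segments.
    Human-chosen names reuse common letter pairs; generated ones mostly do not."""

    def __init__(self, names):
        self.bigrams = Counter()
        self.contexts = Counter()
        for a, b in (p for n in names for p in self._pairs(n)):
            self.bigrams[(a, b)] += 1
            self.contexts[a] += 1

    @staticmethod
    def _pairs(name):
        for segment in name.lower().split("."):
            s = BOS + segment + EOS
            yield from zip(s, s[1:])

    def score(self, name):
        """Mean log P(next char | previous char); random strings score low."""
        logp = [math.log((self.bigrams[p] + 1) / (self.contexts[p[0]] + VOCAB))
                for p in self._pairs(name)]
        return sum(logp) / len(logp)

    def looks_generated(self, name):
        return self.score(name) < GENERATED_THRESHOLD


# Stage 2: icon look-alike check. A 64-bit average hash stands in for the DNN.
def average_hash(pixels):
    """Hash of an 8x8 grayscale icon: bit i is set where pixel i >= the mean."""
    flat = [v for row in pixels for v in row]
    mean = sum(flat) / len(flat)
    return sum(1 << i for i, v in enumerate(flat) if v >= mean)


def hamming(a, b):
    return bin(a ^ b).count("1")


# Constructed 8x8 "brand" icon: a bright diagonal band on a dark background.
REFERENCE_ICONS = {
    "examplebank": [[255 if abs(r - c) <= 1 else 20 for c in range(8)] for r in range(8)],
}
LOOKALIKE_MAX_DISTANCE = 6    # differing hash bits tolerated; assumed


def icon_lookalike(icon):
    """Return the reference brand whose icon this one imitates, or None."""
    h = average_hash(icon)
    for brand, ref in REFERENCE_ICONS.items():
        if hamming(h, average_hash(ref)) <= LOOKALIKE_MAX_DISTANCE:
            return brand
    return None


def triage(package_name, icons, model):
    """Gate: the icon check runs only if the name model calls the app non-malicious."""
    if model.looks_generated(package_name):
        return {"verdict": "malicious", "stage": 1,
                "reason": "package name looks programmatically generated"}
    for icon in icons:
        brand = icon_lookalike(icon)
        if brand is not None:
            return {"verdict": "malicious", "stage": 2, "reason": f"icon imitates {brand}"}
    return {"verdict": "non-malicious", "stage": 2, "reason": "no indicator found"}


# Constructed sample icons: the brand icon with two pixels moved, and stripes.
LOOKALIKE_ICON = [row[:] for row in REFERENCE_ICONS["examplebank"]]
LOOKALIKE_ICON[0][0], LOOKALIKE_ICON[0][7] = 20, 255
UNRELATED_ICON = [[255 if c % 2 == 0 else 20 for c in range(8)] for r in range(8)]
MODEL = PackageNameModel(LEGIT_PACKAGE_NAMES)

if __name__ == "__main__":
    # Constructed inputs: a known-good name, a random-looking name, and a
    # plausible name whose icon imitates the reference brand.
    for name, icons in [("com.google.android.gms", [UNRELATED_ICON]),
                        ("com.qzxkvj.wjqxzv.vkqjzw", [UNRELATED_ICON]),
                        ("com.android.settings", [LOOKALIKE_ICON])]:
        print(name, round(MODEL.score(name), 2), triage(name, icons, MODEL))
```

The point of the gating is cost: scoring a string against a bigram table is microseconds, while the icon stage needs the archive opened and images decoded, so the second stage only pays for apps the first stage lets through. The same structure also shows the pipeline's blind spot, which the claims do not address: a name that passes the language model and an icon that imitates nothing yields non-malicious without any look at the code.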
Specification