Generic and static detection of malware installation packages

US 10,621,343 B1
Filed: 11/30/2017
Issued: 04/14/2020
Est. Priority Date: 11/30/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a computing device, an executable application or a part thereof;

extracting, by the computing device, a package name associated with the received application;

classifying, by the computing device, the received executable application as being malicious or non-malicious based on evaluation of the package name using a language model; and

when the received executable application is classified as being non-malicious by the language model, performing, by the computing device, a further classification process on the received executable application by;

extracting one or more icons associated with the received executable application; and

evaluating a set of icons from the one or more icons using a deep neural network (DNN) model.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for generic and static detection of malware using machine learning are provided. According to one embodiment, a computing device receives an executable application or a part thereof. A package name associated with the received application is extracted. The received executable application is classified as being malicious or non-malicious based on evaluation of the package name using a language model. When the received executable application is classified as being non-malicious by the language model, then a further classification process is performed on the received executable application by extracting one or more icons associated with the received executable application. A set of icons of the one or more icons is evaluated using a deep neural network (DNN) model.

Citations

29 Claims

1. A method comprising:
- receiving, by a computing device, an executable application or a part thereof;
  
  extracting, by the computing device, a package name associated with the received application;
  
  classifying, by the computing device, the received executable application as being malicious or non-malicious based on evaluation of the package name using a language model; and
  
  when the received executable application is classified as being non-malicious by the language model, performing, by the computing device, a further classification process on the received executable application by;
  
  extracting one or more icons associated with the received executable application; and
  
  evaluating a set of icons from the one or more icons using a deep neural network (DNN) model.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the DNN model is trained based on a corpus of icons, wherein the corpus of icons are collected by crawling for icons of legitimate applications and wherein the corpus of icons are labeled and grouped into a plurality of classes.
  - 3. The method of claim 2, wherein each class of the plurality of classes corresponds to one application.
  - 4. The method of claim 1, wherein the DNN model incorporates machine learning.
  - 5. The method of claim 1, wherein the DNN model is based on an inception-v4 architecture.
  - 6. The method of claim 1, wherein the DNN model is developed based on normalization of icons, and training of a neural network underlying the DNN model for n steps.
  - 7. The method of claim 6, wherein said training of the neural network for n steps is performed using Root Mean Square Propagation (RMSprop) optimizer.
  - 8. The method of claim 1, wherein the language model is developed by:
    - building of a corpus of any or a combination of words, domain names, and package names;
      
      training an N-gram for the corpus, wherein N is a customizable length parameter of the N-gram; and
      
      labeling elements of said corpus as malicious or non-malicious, said elements being any or a combination of the words, the domain names, and the package names.
  - 9. The method of claim 1, wherein the language model is trained in multiple natural languages.
  - 10. The method of claim 1, wherein said classifying, by the computing device, the received executable application as being malicious or non-malicious based on evaluation of the package name using a language model comprises classifying the received executable using the language model based solely on the package name.
  - 11. The method of claim 1, wherein the received executable application employs a social engineering technique to lull an end user of the computing device to invoke or install the received executable application.
  - 12. The method of claim 11, wherein the social engineering technique comprises use of the one or more icons, including an icon that resembles an icon associated with a well-known legitimate application.
  - 13. The method of claim 1, wherein the computing device comprises a mobile device.
  - 14. The method of claim 13, wherein the mobile device comprises a mobile phone.

15. A system comprising:
- a non-transitory storage device having embodied therein one or more routines operable to detect malicious executable application; and
  
  one or more processors coupled to the non-transitory storage device and operable to execute the one or more routines, wherein the one or more routines include;
  
  an executable application receiving module, which when executed by the one or more processors, receives an executable application or a part thereof;
  
  a package name extraction module, which when executed by the one or more processors, extracts a package name associated with the received executable application;
  
  a package name based classification module, which when executed by the one or more processors, classifies the application as being malicious or non-malicious based on evaluation of the package name using a language model; and
  
  an icon-based classification module, which when executed by the one or more processors, performs a further classification process on the received executable application when the received executable application is classified as being non-malicious by the language model by;
  
  extracting one or more icons associated with the received executable application; and
  
  evaluating a set of icons from the one or more icons using a deep neural network (DNN) model.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The system of claim 15, wherein the DNN model is trained based on a corpus of icons, wherein the corpus of icons are collected by crawling for icons of legitimate applications and wherein the corpus of icons are labeled and grouped into a plurality of classes.
  - 17. The system of claim 16, wherein each class of the plurality of classes corresponds to one application.
  - 18. The system of claim 15, wherein the DNN model incorporates machine learning.
  - 19. The system of claim 15, wherein the DNN model is based on an inception-v4 architecture.
  - 20. The system of claim 15, wherein the DNN model is developed based on normalization of icons, and training of a neural network underlying the DNN model for n steps.
  - 21. The system of claim 20, wherein said training of the neural network for n steps is performed using Root Mean Square Propagation (RMSprop) optimizer.
  - 22. The system of claim 15, wherein the language model is developed by:
    - building of a corpus of any or a combination of words, domain names, and package names;
      
      training an N-gram for the corpus, wherein N is a customizable length parameter of the N-gram; and
      
      labeling elements of said corpus as malicious or non-malicious, said elements being any or a combination of the words, the domain names, and the package names.
  - 23. The system of claim 15, wherein the language model is trained in multiple natural languages.
  - 24. The system of claim 15, wherein package name based classification module classifies the application using the language model based solely on the package name.
  - 25. The system of claim 15, wherein the received executable application employs a social engineering technique to lull an end user of the computing device to invoke or install the received executable application.
  - 26. The system of claim 25, wherein the social engineering technique comprises use of the one or more icons, including an icon that resembles an icon associated with a well-known legitimate application.
  - 27. The system of claim 15, wherein the system comprises a mobile device.
  - 28. The system of claim 27, wherein the mobile device comprises a mobile phone.

29. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a mobile device, causes the one or more processors to perform a method comprising:
- receiving an executable application or a part thereof;
  
  extracting a package name associated with the received application;
  
  classifying the received executable application as being malicious or non-malicious based on evaluation of the package name using a language model, wherein the language model detects, among other indications of malware, whether the package name is suggestive of the package name being programmatically generated; and
  
  when the received executable application is classified as being non-malicious by the language model, performing a further classification process on the received executable application by;
  
  extracting one or more icons associated with the received executable application; and
  
  detecting use of a social engineering technique by the received executable application involving exploitation of an icon resembling that of a well-known legitimate application or company by the received executable application by evaluating a set of icons from the one or more icons using a deep neural network (DNN) model.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Maciejak, David, Tran, Minh
Primary Examiner(s)
Li, Meng
Assistant Examiner(s)
Wade, Shaqueal D

Application Number

US15/826,969
Time in Patent Office

866 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 2221/034   Test or assess a computer o...

G06N 3/04   Architecture, e.g. intercon...

G06N 3/045   Combinations of networks

G06N 3/08   Learning methods

G06N 3/084   Backpropagation, e.g. using...

Generic and static detection of malware installation packages

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Generic and static detection of malware installation packages

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links