Method and apparatus for identifying malicious software

US 10,635,812 B2
Filed: 12/07/2017
Issued: 04/28/2020
Est. Priority Date: 11/18/2015
Status: Active Grant

First Claim

Patent Images

1. A method for identifying malicious software implemented by a server, the method comprising:

obtaining, according to a source code of a software detected on a terminal, a function call diagram of the software;

generating a feature sequence of the software according to the function call diagram, the feature sequence comprising an eigenvalue of at least one feature of the software, wherein the at least one feature is a function included in a preset function library, and wherein the eigenvalue of the at least one feature is a quantity of times the function is called by the software; and

determining whether the software is malicious software according to the feature sequence and a random forest, the random forest comprising at least one decision tree comprising reference eigenvalues of multiple features of the software.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus are disclosed for identifying malicious software in the technical field of computers. The method includes: obtaining, according to a source code of to-be-detected software, a function call diagram of the software; generating a feature sequence of the software according to the function call diagram, the feature sequence including an eigenvalue of at least one feature, the feature being a function in a preset function library, and the eigenvalue of the feature being a quantity of times of calling of the function by the software; and identifying whether the software is malicious software according to the feature sequence and a random forest, the random forest including at least one decision tree, and the decision tree including reference eigenvalues of multiple features. The apparatus includes: an obtaining module, a generation module, and an identification module. The present disclosure may improve identification accuracy.

13 Citations

20 Claims

1. A method for identifying malicious software implemented by a server, the method comprising:
- obtaining, according to a source code of a software detected on a terminal, a function call diagram of the software;
  
  generating a feature sequence of the software according to the function call diagram, the feature sequence comprising an eigenvalue of at least one feature of the software, wherein the at least one feature is a function included in a preset function library, and wherein the eigenvalue of the at least one feature is a quantity of times the function is called by the software; and
  
  determining whether the software is malicious software according to the feature sequence and a random forest, the random forest comprising at least one decision tree comprising reference eigenvalues of multiple features of the software.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1, wherein the obtaining, according to the source code of the software, the function call diagram of the software comprises:
    - decompiling the source code of the software;
      
      obtaining a decompilation code of the software based on the decompiling;
      
      parsing the decompilation code; and
      
      obtaining the function call diagram based on the parsing of the decompiliation code.
  - 3. The method according to claim 1, wherein generating the feature sequence of the software according to the function call diagram comprises:
    - obtaining a quantity of times each function in the preset function library is called by the software in the preset function library according to the function call diagram; and
      
      composing the quantity of times each function is called into the feature sequence of the software.
  - 4. The method according to claim 3, wherein the at least one feature further comprises rights in a preset right library, and the eigenvalue of the at least one feature is used for indicating whether the right is an eigenvalue accessed by the software;
    - wherein before composing the quantity of times each function is called into the feature sequence of the software, the method further comprising;
      
      obtaining an access right of being requested to access by the software and a non-access right of not being requested to access by the software in the preset right library according to a right of the software for requesting access; and
      
      setting an eigenvalue of the access right to a first value and setting an eigenvalue of the non-access right to a second value; and
      
      wherein composing the quantity of times each function is called into the feature sequence of the software further comprises;
      
      including an eigenvalue of each right in the preset right library into the feature sequence of the software.
  - 5. The method according to claim 1, wherein identifying whether the software is malicious software according to the feature sequence and a random forest comprises:
    - determining whether the software is malicious software according to each decision tree comprised in the random forest and the feature sequence, to obtain an identification result corresponding to each decision tree;
      
      collecting, according to the identification result of each decision tree, statistics on a quantity of first results that the identification result is that the software is malicious software and statistics on a quantity of second results that the software is non-malicious software; and
      
      determining, according to a comparison result of the quantity of first results and the quantity of second results, whether the software is malicious software.
  - 6. The method according to claim 5, wherein the decision tree in the random forest comprises multiple feature paths, each of the multiple feature paths comprises multiple reference eigenvalues, and each feature path corresponds to an identification result;
    - wherein determining whether the software is malicious software according to each decision tree comprised in the random forest and the feature sequence, to obtain the identification result corresponding to each decision tree, comprises;
      
      obtaining a feature path matching the feature sequence from multiple feature paths comprised in a first decision tree according to the feature sequence, wherein the first decision tree is any decision tree in the random forest; and
      
      using an identification result corresponding to the obtained feature path as an identification result of the first decision tree.
  - 7. The method according to claim 1, further comprising:
    - determining, according to a sample feature sequence set, a location in the decision tree of a feature in the sample feature sequence set and a reference eigenvalue of the feature, wherein the sample feature sequence set comprises a sample feature sequence of at least one piece of malicious software and a sample feature sequence of at least one piece of non-malicious software; and
      
      composing the reference eigenvalue of the feature into the decision tree according to the location in the decision tree of the feature.

8. An apparatus for identifying malicious software, the apparatus comprising:
- a processing circuitry; and
  
  a non-transitory storage medium configured to store executable instructions that, when executed, cause the processing circuitry to;
  
  execute an obtaining module to obtain, according to a source code of a software, a function call diagram of the software;
  
  execute a generation module to generate a feature sequence of the software according to the function call diagram, the feature sequence comprising an eigenvalue of at least one feature of the software, wherein the at least one feature is a function in a preset function library, and wherein the eigenvalue of the at least one feature is a quantity of times of calling of the function by the software; and
  
  execute an identification module to determine whether the software is malicious software according to the feature sequence and a random forest, the random forest comprising at least one decision tree comprising reference eigenvalues of multiple features.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus according to claim 8, wherein the non-transitory storage medium is configured to further store executable instructions that, when executed, cause the processing circuitry to:
    - execute the obtaining module to decompile the source code of the to-be-detected software, and obtain a decompilation code of the software based on the decompiled source code; and
      
      execute the obtaining module to parse the decompilation code, and obtain the function call diagram of the software based on the parsing of the decompilation code.
  - 10. The apparatus according to claim 8, wherein the non-transitory storage medium is configured to further store executable instructions that, when executed, cause the processing circuitry to:
    - execute the generation module to obtain a quantity of times each function is called by the software in the preset function library according to the function call diagram; and
      
      execute the generation module to compose the quantity of times each function is called into the feature sequence of the software.
  - 11. The apparatus according to claim 10, wherein the feature further comprises rights in a preset right library, and the eigenvalue of the at least one feature is used for indicating whether the right is an eigenvalue accessed by the software;
    - wherein the non-transitory storage medium is configured to further store executable instructions that, when executed, cause the processing circuitry to;
      
      execute the generation module to obtain an access right of being requested to access by the software and a non-access right of not being requested to access by the software in the preset right library according to a right of the software for requesting access; and
      
      execute the generation module to set an eigenvalue of the access right to a first value and set an eigenvalue of the non-access right to a second value; and
      
      execute the generation module to include an eigenvalue of each right in the preset right library into the feature sequence of the software.
  - 12. The apparatus according to claim 8, wherein the non-transitory storage medium is configured to further store executable instructions that, when executed, cause the processing circuitry to:
    - execute the identification module to determine whether the software is malicious software according to each decision tree comprised in the random forest and the feature sequence, to obtain an identification result corresponding to each decision tree;
      
      execute the identification module to collect, according to the identification result of each decision tree, statistics on a quantity of first results that the identification result is that the software is malicious software and statistics on a quantity of second results that the software is non-malicious software; and
      
      execute the identification module to determine, according to a comparison result of the quantity of first results and the quantity of second results, whether the software is malicious software.
  - 13. The apparatus according to claim 12, wherein the decision tree in the random forest comprises multiple feature paths, each of the multiple feature paths comprises multiple reference eigenvalues, and each feature path corresponds to an identification result;
    - wherein the non-transitory storage medium is configured to further store executable instructions that, when executed, cause the processing circuitry to;
      
      execute the identification module to obtain a feature path matching the feature sequence from multiple feature paths comprised in a first decision tree according to the feature sequence, wherein the first decision tree is any decision tree in the random forest; and
      
      execute the identification module to use an identification result corresponding to the obtained feature path as an identification result of the first decision tree.
  - 14. The apparatus according to claim 8, non-transitory storage medium is configured to further store executable instructions that, when executed, cause the processing circuitry to:
    - execute a determining module to determine, according to a sample feature sequence set, a location in the decision tree of a feature in the sample feature sequence set and a reference eigenvalue of each feature, wherein the sample feature sequence set comprises a sample feature sequence of at least one piece of malicious software and a sample feature sequence of at least one piece of non-malicious software; and
      
      execute a composition module to compose the reference eigenvalue of the feature into the decision tree according to the location in the decision tree of the feature.

15. An apparatus for identifying malicious software, comprising one or more processors and a non-transitory storage medium storing operation instructions, wherein executing the operation instructions causes the processors to:
- obtain, according to a source code of a software detected on a terminal, a function call diagram of the software;
  
  generate a feature sequence of the software according to the function call diagram, the feature sequence comprising an eigenvalue of at least one feature of the software, wherein the at least one feature is a function included in a preset function library, and wherein the eigenvalue of the at least one feature is a quantity of times the function is called by the software; and
  
  determine whether the software is malicious software according to the feature sequence and a random forest, the random forest comprising at least one decision tree comprising reference eigenvalues of multiple features of the software.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The apparatus according to claim 15, wherein executing the operation instructions causes the processors to further:
    - decompile the source code of the software;
      
      obtain a decompilation code of the software based on the decompiling;
      
      parse the decompilation code; and
      
      obtain the function call diagram based on the parsing of the decompiliation code.
  - 17. The apparatus according to claim 15, wherein executing the operation instructions causes the processors to generate the feature sequence of the software according to the function call diagram by:
    - obtaining a quantity of times each function in the preset function library is called by the software in the preset function library according to the function call diagram; and
      
      composing the quantity of times each function is called into the feature sequence of the software.
  - 18. The apparatus according to claim 17, wherein the at least one feature further comprises rights in a preset right library, and the eigenvalue of the at least one feature is used for indicating whether the right is an eigenvalue accessed by the software;
    - wherein before composing the quantity of times of calling of each function into the feature sequence of the software, the processors are further configured to;
      
      obtain an access right of being requested to access by the software and a non-access right of not being requested to access by the software in the preset right library according to a right of the software for requesting access; and
      
      set an eigenvalue of the access right to a first value and set an eigenvalue of the non-access right to a second value; and
      
      wherein the processors are configured to compose the quantity of times each function is called into the feature sequence of the software by further including an eigenvalue of each right in the preset right library into the feature sequence of the software.
  - 19. The apparatus according to claim 15, wherein executing the operation instructions causes the processors to identify whether the software is malicious software according to the feature sequence and a random forest by:
    - determining whether the software is malicious software according to each decision tree comprised in the random forest and the feature sequence, to obtain an identification result corresponding to each decision tree;
      
      collecting, according to the identification result of each decision tree, statistics on a quantity of first results that the identification result is that the software is malicious software and statistics on a quantity of second results that the software is non-malicious software; and
      
      determining, according to a comparison result of the quantity of first results and the quantity of second results, whether the software is malicious software.
  - 20. The apparatus according to claim 19, wherein the decision tree in the random forest comprises multiple feature paths, each of the multiple feature paths comprises multiple reference eigenvalues, and each feature path corresponds to an identification result;
    - wherein the processors are further configured to;
      
      obtain a feature path matching the feature sequence from multiple feature paths comprised in a first decision tree according to the feature sequence, wherein the first decision tree is any decision tree in the random forest; and
      
      use an identification result corresponding to the obtained feature path as an identification result of the first decision tree.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tencent Technology Company Limited (Tencent Holdings Limited)
Original Assignee
Tencent Technology Company Limited (Tencent Holdings Limited)
Inventors
Hao, Xu, Yi, Yang, Tao, Yu, Xin, Li Lu
Primary Examiner(s)
Mehedi, Morshed

Application Number

US15/834,985
Publication Number

US 20180096146A1
Time in Patent Office

873 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/563   by source code analysis

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/62   Protecting access to data v...

G06F 8/10   Requirements analysis; Spec...

G06F 8/20   Software design

G06F 8/427   Parsing

G06F 8/53   Decompilation; Disassembly

G06F 8/61   Installation

G06F 8/75   Structural analysis for pro...

G06N 20/20   Ensemble learning

G06N 5/01   Dynamic search techniques; ...

G06N 5/04   Inference or reasoning models

Method and apparatus for identifying malicious software

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

13 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for identifying malicious software

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links