Recurrent neural networks for malware analysis

US 10,691,799 B2
Filed: 04/15/2016
Issued: 06/23/2020
Est. Priority Date: 04/16/2015
Status: Active Grant


Abstract

Using a recurrent neural network (RNN) that has been trained to a satisfactory level of performance, highly discriminative features can be extracted by running a sample through the RNN, and then extracting a final hidden state h_i where i is the number of instructions of the sample. This resulting feature vector may then be concatenated with the other hand-engineered features, and a larger classifier may then be trained on hand-engineered as well as automatically determined features. Related apparatus, systems, techniques and articles are also described.
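The feature-extraction step described in the abstract can be sketched as follows. This is a minimal illustration, not the patented implementation: it assumes a plain Elman-style recurrence with a tanh activation, uses random placeholder weights where trained parameters would go, and invents the names `elman_final_state`, `random_matrix`, and the two hand-engineered feature values purely for the example.

```python
import math
import random


def elman_final_state(inputs, w_in, w_rec, bias):
    """Run an Elman-style RNN over `inputs` and return the last hidden state."""
    hidden = [0.0] * len(bias)
    for x in inputs:
        # New state depends on the current input and the previous state.
        hidden = [
            math.tanh(
                sum(w * xi for w, xi in zip(w_in[j], x))
                + sum(w * hk for w, hk in zip(w_rec[j], hidden))
                + bias[j]
            )
            for j in range(len(bias))
        ]
    return hidden


def random_matrix(rows, cols, rng, scale=0.1):
    """Placeholder weights; a real system would load trained parameters."""
    return [[rng.uniform(-scale, scale) for _ in range(cols)] for _ in range(rows)]


rng = random.Random(0)
INPUT_SIZE, HIDDEN_SIZE = 4, 3  # assumed sizes for the illustration
w_in = random_matrix(HIDDEN_SIZE, INPUT_SIZE, rng)
w_rec = random_matrix(HIDDEN_SIZE, HIDDEN_SIZE, rng)
bias = [0.0] * HIDDEN_SIZE

# Hypothetical trace: three instructions, each as 4 bytes scaled to [0, 1].
raw_trace = [[0x55, 0x00, 0x00, 0x00], [0x89, 0xE5, 0x00, 0x00], [0xC3, 0x00, 0x00, 0x00]]
trace = [[b / 255.0 for b in ins] for ins in raw_trace]

h_final = elman_final_state(trace, w_in, w_rec, bias)

# Hypothetical hand-engineered features (for example, a size and a flag).
hand_engineered = [7.2, 1.0]

# Concatenation: learned features first, hand-engineered features appended.
combined = h_final + hand_engineered
```

Here `combined` is the vector that a separate, larger classifier would consume; its length is the hidden size plus the number of hand-engineered features.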

20 Claims

1. A computer-implemented method comprising:
- receiving or accessing executable code comprising instructions;
- disassembling the executable code to generate a trace of the instructions;
- applying a recurrent neural network (RNN) to the trace to generate a hidden state corresponding to each instruction to form a feature vector;
- generating a concatenation of the feature vector with hand-engineered features extracted from the executable code;
- determining, using a classifier and the concatenation, a likelihood that the executable code comprises malicious code; and
- disallowing, based on the determining, the code from executing;
- wherein the classifier is different from the RNN.

2. The method of claim 1, wherein the applying further comprises:
- dividing the trace into a plurality of regions;
- determining an entropy of each of the plurality of regions; and
- ignoring each region with a low entropy.

3. The method of claim 1, wherein the disassembling further comprises:
- determining an entry point of the executable code; and
- generating a time-based trace of the instructions based on the entry point.

4. The method of claim 1, wherein an input to the RNN is set to a fixed length of 4 or 8 bytes per instruction.

5. The method of claim 1, wherein an instruction set of the executable code comprises an x86 instruction set.

6. The method of claim 1, wherein the RNN is at least one of an Elman network, a long short-term memory network, a clockwork RNN, or an echo-state network.

7. The method of claim 1, wherein applying the recurrent neural network further comprises applying backpropagation through time (BPTT).

8. The method of claim 1, wherein applying the recurrent neural network further comprises deobfuscating or decompressing the trace.
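The entropy filter in claim 2 can be illustrated with a short sketch. The claim does not say which entropy measure, region size, or cutoff is used, so everything here is an assumption: byte-level Shannon entropy, fixed-size regions, and a hypothetical `min_entropy` threshold. The function names are invented for the example.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def split_regions(trace: bytes, region_size: int):
    """Divide the trace into consecutive fixed-size regions (last may be shorter)."""
    return [trace[i:i + region_size] for i in range(0, len(trace), region_size)]


def keep_informative_regions(trace: bytes, region_size: int = 16, min_entropy: float = 1.0):
    """Ignore regions whose entropy falls below the assumed threshold."""
    return [r for r in split_regions(trace, region_size) if shannon_entropy(r) >= min_entropy]


padding = bytes(16)        # sixteen zero bytes: a single repeated value
varied = bytes(range(16))  # sixteen distinct byte values
kept = keep_informative_regions(padding + varied)
```

In this example the zero-filled region is dropped and only the varied region reaches the RNN, which is the effect the claim describes for low-entropy regions such as padding.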

9. A system comprising:
- one or more data processors having memory storing instructions, which when executed result in operations comprising;
- receiving or accessing executable code comprising instructions;
- disassembling the executable code to generate a trace of the instructions;
- applying a recurrent neural network (RNN) to the trace to generate a hidden state corresponding to each instruction to form a feature vector;
- generating a concatenation of the feature vector with hand-engineered features extracted from the executable code;
- determining, using a classifier and the concatenation, a likelihood that the executable code comprises malicious code; and
- disallowing, based on the determining, the code from executing;
- wherein the classifier is different from the RNN.

10. The system of claim 9, wherein the applying further comprises:
- dividing the trace into a plurality of regions;
- determining an entropy of each of the plurality of regions; and
- ignoring each region with a low entropy.

11. The system of claim 9, wherein the disassembling further comprises:
- determining an entry point of the executable code; and
- generating a time-based trace of the instructions based on the entry point.

12. The system of claim 9, wherein an input to the RNN is set to a fixed length of 4 or 8 bytes per instruction.

13. The system of claim 9, wherein an instruction set of the executable code comprises an x86 instruction set.

14. The system of claim 9, wherein the RNN is at least one of an Elman network, a long short-term memory network, a clockwork RNN, or an echo-state network.

15. The system of claim 9, wherein applying the recurrent neural network further comprises applying backpropagation through time (BPTT).

16. The system of claim 9, wherein applying the recurrent neural network further comprises deobfuscating or decompressing the trace.
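Claims 4 and 12 fix the RNN input at 4 or 8 bytes per instruction, while x86 instructions (claims 5 and 13) vary in length. The claims do not state how instructions are fitted to that width, so the sketch below assumes one possible policy: truncate longer encodings and zero-pad shorter ones. The helper names and the scaling to [0, 1] are likewise assumptions made for illustration.

```python
def to_fixed_width(instruction: bytes, width: int = 4) -> bytes:
    """Truncate or zero-pad one instruction encoding to `width` bytes."""
    if width not in (4, 8):
        raise ValueError("width must be 4 or 8")
    return instruction[:width].ljust(width, b"\x00")


def encode_trace(instructions, width: int = 4):
    """Turn a list of raw instruction encodings into equal-length float rows."""
    return [[b / 255.0 for b in to_fixed_width(ins, width)] for ins in instructions]


# A few x86 encodings of differing lengths.
instructions = [
    b"\x55",                  # push ebp (1 byte)
    b"\x89\xe5",              # mov ebp, esp (2 bytes)
    b"\x83\xec\x10",          # sub esp, 0x10 (3 bytes)
    b"\xb8\x78\x56\x34\x12",  # mov eax, 0x12345678 (5 bytes)
]

rows_4 = encode_trace(instructions, width=4)
rows_8 = encode_trace(instructions, width=8)
```

With a width of 4, the 5-byte `mov` loses its last immediate byte; with a width of 8, every instruction in this sample fits and is padded. That trade-off is one reason a design might offer both widths.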

17. A non-transitory computer readable storage medium storing one or more programs configured to be executed by one or more data processors, the one or more programs comprising instructions, the instructions comprising:
- receiving executable code;
- disassembling the executable code;
- generating a hidden state for each of a plurality of instructions by applying a recurrent neural network (RNN) to the disassembled executable code to generate a feature vector; and
- determining, using a classifier, a likelihood that the executable code comprises malicious code based on the feature vector;
- wherein the classifier is different from the RNN.

18. The non-transitory computer readable storage medium of claim 17, wherein the applying further comprises:
- dividing the trace into a plurality of regions;
- determining an entropy of each of the plurality of regions; and
- ignoring each region with a low entropy.

19. The non-transitory computer readable storage medium of claim 17, wherein the disassembling further comprises:
- determining an entry point of the executable code; and
- generating a time-based trace of the instructions based on the entry point.

20. The non-transitory computer readable storage medium of claim 17, wherein applying the recurrent neural network further comprises deobfuscating or decompressing the trace.
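Each independent claim requires a classifier that is distinct from the RNN and that outputs a likelihood of maliciousness. The claims do not name a classifier type, so the sketch below assumes a logistic-regression scorer as a stand-in; the weights, the bias, the 0.5 threshold, and the function names are all hypothetical. The `should_block` helper illustrates the blocking decision recited in claims 1 and 9.

```python
import math


def malicious_likelihood(features, weights, bias):
    """Logistic score in (0, 1) computed from a feature vector."""
    score = sum(w * f for w, f in zip(weights, features)) + bias
    return 1.0 / (1.0 + math.exp(-score))


def should_block(likelihood: float, threshold: float = 0.5) -> bool:
    """Disallow execution when the likelihood reaches the assumed threshold."""
    return likelihood >= threshold


# Hypothetical feature vector (for example, RNN-derived features) and
# hypothetical classifier parameters; real values would come from training.
features = [0.2, -0.1, 0.4]
weights = [1.5, -2.0, 3.0]
bias = -0.5

likelihood = malicious_likelihood(features, weights, bias)
blocked = should_block(likelihood)
```

Keeping the scorer separate from the recurrent network means it can be retrained or swapped for another model without touching the feature extractor.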


Current Assignee: Cylance Inc. (Blackberry Limited)
Original Assignee: Cylance Inc. (Blackberry Limited)
Inventors: Davis, Andrew; Wolff, Matthew; Soeder, Derek A.; Chisholm, Glenn
Primary Examiner(s): Pyzocha, Michael
Assistant Examiner(s): Tafaghodi, Zoha Piyadehghibi
Application Number: US15/566,687
Publication Number: US 20180101681A1
Time in Patent Office: 1,530 Days
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06N 3/04   Architecture, e.g. intercon...

G06N 3/044   Recurrent networks, e.g. Ho...

G06N 3/08   Learning methods

G06N 3/084   Backpropagation, e.g. using...
