System and method to extract and utilize disassembly features to classify software intent

US 10,713,358 B2
Filed: 04/19/2013
Issued: 07/14/2020
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A method to extract and utilize disassembly features to classify an intent of a software program, the method comprising:

generating a model based, at least in part, on features associated with at least (i) one or more samples from labeled malicious software, and (ii) one or more samples from labeled benign software extracted from training files, the model to maintain statistics associated with each particular type of sample; and

classifying an unknown sample being a software program in accordance with the model being utilized by a classifier, the classifying of the software program comprisesdisassembling the unknown sample being a software program selectable via a user interface, the disassembling includes parsing the software program, identifying machine code instructions within the parsed software program, and analyzing a structure of the software program by identifying at least one of code blocks, function boundaries, and stack frames, wherein at least one or more of the identified code blocks, function boundaries or stack frames corresponding to at least one feature of the unknown sample;

analyzing the at least one feature by a machine-learning algorithm operating in accordance with the model by comparing the at least one feature to features contained in the model, the machine-learning algorithm being executed by a hardware processor; and

classifying the software program based on a result yielded from the analyzing of the at least one feature.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method operable to identify malicious software by extracting one or more features disassembled from software suspected to be malicious software and employing one or more of those features in a machine-learning algorithm to classify such software.

Citations

21 Claims

1. A method to extract and utilize disassembly features to classify an intent of a software program, the method comprising:
- generating a model based, at least in part, on features associated with at least (i) one or more samples from labeled malicious software, and (ii) one or more samples from labeled benign software extracted from training files, the model to maintain statistics associated with each particular type of sample; and
  
  classifying an unknown sample being a software program in accordance with the model being utilized by a classifier, the classifying of the software program comprisesdisassembling the unknown sample being a software program selectable via a user interface, the disassembling includes parsing the software program, identifying machine code instructions within the parsed software program, and analyzing a structure of the software program by identifying at least one of code blocks, function boundaries, and stack frames, wherein at least one or more of the identified code blocks, function boundaries or stack frames corresponding to at least one feature of the unknown sample;
  
  analyzing the at least one feature by a machine-learning algorithm operating in accordance with the model by comparing the at least one feature to features contained in the model, the machine-learning algorithm being executed by a hardware processor; and
  
  classifying the software program based on a result yielded from the analyzing of the at least one feature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method according to claim 1, wherein the stack frame corresponds to a collection of information on a software stack pertaining to the software program.
  - 3. The method according to claim 1, wherein a sample, being a first sample from the labeled malicious software or a second sample from the labeled benign software, includes at least a communication path to the first sample or the second sample.
  - 4. The method according to claim 1, wherein the analyzing of the at least one feature includes utilizing the model created by labeling at least one of known malicious software and known benign software, wherein the model is generated before the analyzing of the at least one feature.
  - 5. The method according to claim 4, wherein the at least one of the known malicious software and the known benign software is contained in a memory accessible by the hardware processor.
  - 6. The method according to claim 1, wherein the classifying of the unknown samples includes extracting the statistics associated with the software program, the statistics include at least a count or ratio associated with particular instructions.
  - 7. The method according to claim 1, wherein the machine-learning algorithm is at least partially automatically created using pre-labeled malicious software.
  - 8. The method according to claim 1, wherein each of the one or more samples of the labeled malicious software and the one or more samples of the labeled benign software is a plug-in including a name of a plug-in and a path to the plug-in.
  - 9. The method according to claim 1, wherein the one or more samples from labeled malicious software includes at least one feature of the labeled malicious software.
  - 10. The method according to claim 1, wherein the parsing of the software program includes parsing a file format of the software program.
  - 11. The method according to claim 1, further comprising:
    - executing a search to identify one or more plug-ins of the at least partially disassembled software program, wherein, the at least one feature is extracted from the one or more plug-ins of the at least partially disassembled software program.
  - 12. The method according to claim 1, wherein the labeled malicious software and one or more samples from the labeled benign software are samples from one or more plug-ins.

13. A system operable to extract and utilize disassembly features to classify software intent of a software program, the system comprising:
- a model generation tool operable to generate a model based, at least in part, on features associated with at least (i) one or more samples from labeled malicious software, and (ii) one or more samples from labeled benign software extracted from training files, the model to maintain statistics associated with each particular type of sample;
  
  a disassembly tool operable to (i) at least partially disassemble an unknown sample being a software program selectable via a user interface, the disassembling includes parsing the software program, identifying machine code instructions within the parsed software program, and analyzing a structure of the software program by at least identifying one or more of code blocks, function boundaries or stack frames, wherein one or more of the identified code blocks, function boundaries or stack frames corresponds to at least one feature of the unknown sample;
  
  an extractor operable to extract the at least one feature by at least extracting the statistics associated with the software program, the statistics include at least a count or ratio associated with particular instructions;
  
  a processor operable to process the at least one feature using a machine-learning algorithm operating in accordance with the model by comparing the at least one feature to features contained in the model, the machine-learning algorithm being executed by the processor; and
  
  a classifier operable to classify, in accordance with the model, the software program based on a result yielded from the processing of the at least one feature.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The system according to claim 13, wherein the processing utilizes the model that is generated by labeling at least one of known malicious software and known benign software before the processor processes the at least one feature.
  - 15. The system according to claim 14, wherein at least one of the labeled malicious software and the labeled benign software is contained in a memory of the system.
  - 16. The system according to claim 13, wherein the statistics include at least a count or ratio associated with the particular instructions being instructions used to detect or identify when executable code is executing in a virtual environment.
  - 17. The system according to claim 13, wherein the machine-learning algorithm is at least partially automatically created using pre-labeled malicious software.
  - 18. The system according to claim 13, wherein the processor is configured to generate the model using the at least one feature.
  - 19. The system according to claim 13, wherein the disassembly tool to parse the software program includes analyzing the structure of the at least partially disassembled software program by at least one of identifying blocks, identifying function boundaries, and identifying stack frames.
  - 20. The system according to claim 13, wherein one or more plug-ins of the at least partially disassembled software program are identified via a search for the one or more plug-ins, and the at least one feature is extracted from the one or more plug-ins of the at least partially disassembled software program.

21. A method to extract and utilize disassembly features to classify an intent of a software program, the method comprising:
- generating a model based, at least in part, on features associated with at least (i) one or more samples from labeled malicious software, and (ii) one or more samples from labeled benign software extracted from training files;
  
  classifying an unknown sample being a software program in accordance with the model being utilized by a classifier, the classifying of the software program comprisesdisassembling the unknown sample being a software program, the disassembling includes parsing the software program, identifying machine code instructions within the parsed software program, and analyzing a structure of the software program by identifying at least one of code blocks, function boundaries and stack frames, wherein at least one or more of the identified code blocks, function boundaries or stack frames corresponding to at least one feature of the unknown sample;
  
  disassembling, at least partially using a disassembly tool, the unknown sample being a software program selectable via a user interface, the disassembling includes parsing the software program, identifying machine code instructions within the parsed software program, and analyzing a structure of the software program by identifying at least one of code blocks, function boundaries and stack frames, wherein at least one or more of the identified code blocks, function boundaries or stack frames corresponding to at least one feature of the unknown sampleanalyzing the at least one feature by a machine-learning algorithm operating in accordance with the model by comparing the at least one feature to features contained in the model, the machine-learning algorithm being executed by a hardware processor; and
  
  classifying the software program based on a result yielded from the analyzing of the at least one feature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Sikorski, Michael, Ballenthin, William
Primary Examiner(s)
Bayou, Yonas A

Application Number

US13/866,645
Publication Number

US 20140283037A1
Time in Patent Office

2,643 Days
Field of Search

726 22
US Class Current
CPC Class Codes

G06F 21/563   by source code analysis

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

System and method to extract and utilize disassembly features to classify software intent

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method to extract and utilize disassembly features to classify software intent

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links