Malware Modeling Detection System And Method for Mobile Platforms
First Claim
1. A method of developing a probability model for a plurality of malware, said method comprising:
- extracting a feature set from a plurality of executables, said feature set comprising one or more feature elements;
- heuristically training one or more rules using a plurality of predetermined malware-free and malware-infected executables, wherein said rules describe a malicious probability relationship of said feature elements in said feature set; and
- creating the probability model from said rules and said feature set.
15 Assignments
0 Petitions
Abstract
A system and method for detecting malware by modeling the behavior of malware and comparing a suspect executable with the model. The system and method extracts feature elements from malware-infected applications, groups the feature elements into feature sets, and develops rules describing a malicious probability relationship between the feature elements. Using malware-free and malware-infected applications as training data, the system and method heuristically trains the rules and creates a probability model for identifying malware. To detect malware, the system and method scans the suspect executable for feature sets and applies the results to the probability model to determine the probability that the suspect executable is malware-infected.
40 Claims

1. A method of developing a probability model for a plurality of malware, said method comprising:
- extracting a feature set from a plurality of executables, said feature set comprising one or more feature elements;
- heuristically training one or more rules using a plurality of predetermined malware-free and malware-infected executables, wherein said rules describe a malicious probability relationship of said feature elements in said feature set; and
- creating the probability model from said rules and said feature set.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12

13. A method of detecting malware, comprising:
- selecting a probability model, each of said probability models comprising one or more rules and one or more feature sets, said feature sets each comprising a set of feature elements, and each of said rules describing a malicious probability relationship of said feature elements in one of said feature sets;
- scanning a target executable to determine a presence of one or more feature elements of a feature set to determine a set of present feature elements; and
- applying said present feature elements to said probability model to calculate a probability of malware in said target executable.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21

22. A system for developing a probability model for a plurality of malware comprising:
- an extracting means for extracting a feature set from a plurality of executables, said feature set comprising one or more feature elements;
- a training means for heuristically training one or more rules using a plurality of predetermined malware-free and malware-infected executables, wherein said rules describe a malicious probability relationship of said feature elements in said feature set; and
- a modeling means for creating the probability model from said rules and said feature set.
Dependent claims: 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33

34. A system for detecting malware, comprising:
- one or more probability models, each of said probability models comprising one or more rules and one or more feature sets, said feature sets each comprising a set of feature elements, and each of said rules describing a malicious probability relationship of said feature elements in one of said feature sets;
- a selecting means for selecting a probability model from said one or more probability models;
- a scanning means for scanning a target executable to determine a presence of one or more feature elements of a feature set associated with said probability model to determine a set of present feature elements; and
- a computing means for applying said present feature elements to said probability model to calculate a probability of malware in said target executable.
Dependent claims: 35, 36, 37, 38, 39, 40
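The train-then-score procedure of claims 1 and 13, worked as an added example that is not the patent's own code: each rule is the pair P(element present | malware), P(element present | clean), and the model is applied to a scanned target as a Bernoulli naive Bayes classifier. The feature element names and the labelled training corpus are constructed for illustration.

```python
import math

# Constructed corpus (illustration only, not from the patent): each executable is
# the set of feature elements its scan produced; True = malware-infected, False = clean.
TRAINING = [
    ({"SEND_SMS", "READ_CONTACTS", "HTTP", "DEVICE_ID"}, True),
    ({"SEND_SMS", "DEVICE_ID", "HTTP"}, True),
    ({"SEND_SMS", "READ_CONTACTS", "INSTALL_PACKAGES"}, True),
    ({"DEVICE_ID", "READ_CONTACTS", "HTTP", "INSTALL_PACKAGES"}, True),
    ({"HTTP", "INTERNET", "CAMERA"}, False),
    ({"HTTP", "READ_CONTACTS"}, False),
    ({"CAMERA", "INTERNET"}, False),
    ({"HTTP", "INTERNET", "DEVICE_ID"}, False),
]

def extract_feature_set(executables):
    """Claim 1, step 1: the feature set is every element seen in any executable."""
    return frozenset().union(*(elements for elements, _ in executables))

def train_rules(feature_set, executables, alpha=1.0):
    """Claim 1, step 2: one rule per element, (P(present | malware), P(present | clean)).
    Add-alpha smoothing keeps an element unseen in one class from forcing 0 or 1."""
    mal = [e for e, infected in executables if infected]
    clean = [e for e, infected in executables if not infected]
    rules = {}
    for element in feature_set:
        p_mal = (sum(element in e for e in mal) + alpha) / (len(mal) + 2 * alpha)
        p_clean = (sum(element in e for e in clean) + alpha) / (len(clean) + 2 * alpha)
        rules[element] = (p_mal, p_clean)
    return rules

def build_model(executables):
    """Claim 1, step 3: the model is the rules, the feature set and the class prior."""
    feature_set = extract_feature_set(executables)
    prior = sum(1 for _, infected in executables if infected) / len(executables)
    return {"feature_set": feature_set, "rules": train_rules(feature_set, executables), "prior": prior}

def scan(target_elements, model):
    """Claim 13, scanning step: keep only the elements the model's feature set knows."""
    return model["feature_set"] & set(target_elements)

def probability_of_malware(model, present):
    """Claim 13, applying step: every element contributes a likelihood ratio, present or
    absent; sum in log space to avoid underflow, then map the log-odds to P(malware)."""
    log_odds = math.log(model["prior"] / (1 - model["prior"]))
    for element, (p_mal, p_clean) in model["rules"].items():
        if element in present:
            log_odds += math.log(p_mal / p_clean)
        else:
            log_odds += math.log((1 - p_mal) / (1 - p_clean))
    return 1 / (1 + math.exp(-log_odds))
```

Elements the target exposes that never appeared in training (a permission the corpus lacks) are dropped by `scan`, so only the trained rules contribute; with the corpus above a suspect exposing SEND_SMS, READ_CONTACTS, DEVICE_ID and HTTP scores 40/41, while one exposing only HTTP, INTERNET and CAMERA scores 1/201.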