Method and Apparatus for Modeling Computer Program Behaviour for Behavioural Detection of Malicious Program
Abstract
A method and apparatus for modeling a behavior of a computer program that is executed in a computer system is described. The method and apparatus for modeling a behavior of a computer program may be used to detect a malicious program based on the behavior of the computer program. A method includes collecting system use information about resources of the computer system the computer program uses; extracting a behavior signature of the computer program from the collected system use information; and encoding the extracted behavior signature to generate a behavior vector. As a result, behaviors of a particular computer program may be modeled to enable a malicious program detection program and to determine whether the computer program is either normal or malicious.
58 Citations
29 Claims
1. A method of modeling a behavior of a computer program that is executed in a computer system, the method comprising:
- collecting system use information about resources of the computer system that the computer program uses;
- extracting a behavior signature of the computer program from the collected system use information; and
- encoding the extracted behavior signature to generate a behavior vector.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13

14. An apparatus to model a behavior of a computer program that is executed in a computer system, the apparatus comprising:
- a collector to collect system use information about resources of the computer system the computer program uses;
- an extractor to extract a behavior signature of the computer program from the collected system use information; and
- an encoder to encode the extracted behavior signature to generate a behavior vector.

Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27

28. A computer-readable recording medium storing a program for implementing a method of modeling a behavior of a computer program that is executed in a computer system, the program including instructions to cause a computer to:
- collect system use information about resources of the computer system the computer program uses;
- extract a behavior signature of the computer program from the collected system use information; and
- encode the extracted behavior signature to generate a behavior vector.

29. A computer-readable recording medium storing data for access by a computer program being executed by a computer system, the data comprising:
- a data frame stored in the computer medium, the data frame including:
  - a frequency storage region to store an execution frequency of a plurality of operational functions with respect to the computer program; and
  - a precedence relation storage region which stores a temporal relation between the plurality of operational functions generated based on a correlation between a plurality of system use information about resources of the computer system that the computer program uses.
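The collect, extract, encode steps of claim 1 and the two-region data frame of claim 29, sketched as an added illustration that is not code from the patent. The function vocabulary, the trace format and the definition of precedence (one function first observed before another) are assumptions, since the claims do not specify them.

```python
from collections import Counter
from itertools import permutations

# Assumed vocabulary of "operational functions"; the claims do not enumerate them.
FUNCTIONS = ("file_open", "file_write", "net_connect", "proc_create", "reg_set")

# Constructed sample of collected system use information: (time, function, resource).
TRACE = [
    (0.10, "file_open", "/home/a/report.doc"),
    (0.12, "net_connect", "198.51.100.7:443"),
    (0.30, "file_write", "/home/a/report.doc"),
    (0.31, "file_write", "/home/a/notes.txt"),
    (0.90, "proc_create", "helper"),
]

def extract_signature(trace):
    """Reduce raw events to a signature: per-function counts and first-seen times."""
    freq = Counter()
    first_seen = {}
    for ts, func, _resource in sorted(trace):
        if func not in FUNCTIONS:
            continue  # ignore events outside the modeled vocabulary
        freq[func] += 1
        first_seen.setdefault(func, ts)
    return freq, first_seen

def encode_vector(freq, first_seen):
    """Encode as a fixed-length list: frequency region, then precedence region."""
    frequency_region = [freq.get(f, 0) for f in FUNCTIONS]
    # One bit per ordered pair (a, b): 1 if a was first observed before b (assumed rule).
    precedence_region = [
        int(a in first_seen and b in first_seen and first_seen[a] < first_seen[b])
        for a, b in permutations(FUNCTIONS, 2)
    ]
    return frequency_region + precedence_region

def behavior_vector(trace):
    """Full pipeline: collected events -> signature -> behavior vector."""
    return encode_vector(*extract_signature(trace))

if __name__ == "__main__":
    vec = behavior_vector(TRACE)
    n = len(FUNCTIONS)
    print("frequency region :", vec[:n])
    print("precedence region:", vec[n:])
```

Because the vector has a fixed length for a given vocabulary, vectors from different programs can be compared position by position by whatever detection stage consumes them.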
Specification