REALTIME MULTIPLE ENGINE SELECTION AND COMBINING

US 20120084859A1
Filed: 09/30/2010
Published: 04/05/2012
Est. Priority Date: 09/30/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented engine selection system having computer readable media that store executable instructions executed by a processor, comprising:

an engine component that includes multiple different classification engines for processing of unknown entities;

an inspection component that inspects an unknown entity for entity properties; and

a selection component that makes a selection of one or more candidate classification engines of the different classification engines to process the unknown entity, the selection based at least in part on the entity properties.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Architecture that selects a classification engine based on the expertise of the engine to process a given entity (e.g., a file). Selection of an engine is based on a probability that the engine will detect an unknown entity classification using properties of the entity. One or more of the highest ranked engines are activated in order to achieve the desired performance. A statistical, performance-light module is employed to skip or select several performance-demanding processes. Methods and algorithms are utilized for learning based on matching the best classification engine(s) to detect the entity class based on the entity properties. A user selection option is provided for specifying a maximum number of ranked, classification engines to consider for each state of the machine. A user can also select the minimum probability of detection for a specific entity (e.g., unknown file). The best classifications are re-evaluated over time as the classification engines are updated.

362 Citations

20 Claims

1. A computer-implemented engine selection system having computer readable media that store executable instructions executed by a processor, comprising:
- an engine component that includes multiple different classification engines for processing of unknown entities;
  
  an inspection component that inspects an unknown entity for entity properties; and
  
  a selection component that makes a selection of one or more candidate classification engines of the different classification engines to process the unknown entity, the selection based at least in part on the entity properties.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the one or more candidate classification engines process the unknown entity and each candidate classification engine outputs classification information that is used to detect the unknown entity.
  - 3. The system of claim 2, wherein the one or more candidate classification engines are selected based on expertise of each candidate engine to identify an entity class.
  - 4. The system of claim 2, wherein the classification information is re-evaluated over time based on updates to the multiple different classification engines.
  - 5. The system of claim 1, wherein at least one of the multiple different classification engines or the one or more candidate classification engines are ranked.
  - 6. The system of claim 1, wherein the candidate classification engines are selected based on a probability that the candidate engines will detect an unknown entity of a specific class.
  - 7. The system of claim 1, wherein the entity includes an unknown file and the classification engines are malware engines that are applied in realtime to determine if the unknown file is malware.
  - 8. The system of claim 1, further comprising a learning component that learns which of the different classification engines is applied to a class of the entities.
  - 9. The system of claim 1, further comprising a configuration component for specifying a number of ranked candidate engines for each state of a machine and a probability of detection threshold.

10. A computer-implemented engine selection system having computer readable media that store executable instructions executed by a processor, comprising:
- an engine component that includes multiple different anti-malware classification engines for processing of unknown files;
  
  an inspection component that receives and inspects an unknown file for file properties;
  
  a selection component that makes a selection of one or more candidate anti-malware classification engines from the different anti-malware classification engines to process the unknown file, the selection based at least in part on the file properties input to a given candidate classification engine; and
  
  a learning component that learns the candidate anti-malware classification engines based on successful matching of the candidate anti-malware classification engines to the unknown file.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein the one or more candidate anti-malware classification engines process the unknown file in realtime and each outputs classification information as to a type of the unknown file, the one or more candidate anti-malware classification engines selected based on a likelihood that each candidate engine will correctly identify a type of malware file.
  - 12. The system of claim 10, wherein the one or more candidate anti-malware classification engines process the unknown file in realtime and each associated candidate classification engine outputs classification information as a predicted accuracy as to type of the unknown file, the predicted accuracy of each anti-malware classification engine is based in part on at least one of false positives, false negatives, or errors in a training model used to train a given engine.
  - 13. The system of claim 12, wherein the selection component employs one or more selection classifiers that compute the predicted accuracy of the unknown file for each of the anti-malware classification engines.
  - 14. The system of claim 10, wherein two or more candidate anti-malware classification engines are selected based in part on a voting process or a ranking process and associated outputs are combined to output an overall detection output.
  - 15. The system of claim 10, wherein the input to a candidate anti-malware classification engine includes at least one of a program file or a source location of the program file.

16. A computer-implemented engine selection method executed by a processor, comprising:
- inspecting file properties of an unknown file;
  
  selecting one or more candidate anti-malware classification engines from a set of classification engines based on the file properties;
  
  processing the unknown file using the one or more candidate anti-malware classification engines to output classification information for each of the candidate anti-malware classification engines; and
  
  classifying the unknown file based on a single output or multiple outputs of the one or more of the candidate anti-malware classification engines.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, further comprising selecting the one or more candidate anti-malware classification engines based on expertise or probability that the candidate engine will detect the unknown file as malware.
  - 18. The method of claim 16, further comprising activating the one or more candidate anti-malware classification engines based on a ranking process or a voting process.
  - 19. The method of claim 16, further comprising applying a probabilistic mechanism to skip or select a performance-demanding process.
  - 20. The method of claim 16, further comprising re-evaluating the one or more candidate anti-malware classification engines over time based on updates to the engines.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Varshavsky, Roy, Stokes, Jack W., Holostov, Vladimir, Radinsky, Kira, Schaefer, Edward

Granted Patent

US 8,869,277 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/563   by source code analysis

G06Q 10/06   Resources, workflows, human...

G06Q 30/00   Commerce

REALTIME MULTIPLE ENGINE SELECTION AND COMBINING

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

362 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

REALTIME MULTIPLE ENGINE SELECTION AND COMBINING

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

362 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links