METHOD AND APPARATUS FOR DETECTING MALICIOUS SOFTWARE THROUGH CONTEXTUAL CONVICTIONS, GENERIC SIGNATURES AND MACHINE LEARNING TECHNIQUES
Abstract
Novel methods, components, and systems that enhance traditional techniques for detecting malicious software are presented. More specifically, methods, components, and systems that use important contextual information from a client system (such as recent history of events on that system), machine learning techniques, the automated deployment of generic signatures, and combinations thereof, to detect malicious software. The disclosed invention provides a significant improvement with regard to automation compared to previous approaches.
50 Claims
1-46. (canceled)

47. A computer implemented method for determining whether a software application is malicious, comprising:
  a) performing two or more of the following steps;
     (i) extracting a feature vector from said software application;
     (ii) extracting metadata about the application and gather contextual information about a system on which the application may be installed;
     (iii) computing a generic fingerprint for the application;
  b) transmitting information related to data obtained as a result of step (a) to a server application;
  c) receiving information from said server application relating to a determination as to whether the application is benign or malicious based, at least in part, on the information transmitted in step (b); and
  d) taking an action with respect to the application based on the information received from the server component.

48. A computer implemented method for determining whether a software application is malicious, comprising:
  a) receiving at a server application information from a client application concerning two or more of the following;
     (i) a feature vector from said software application;
     (ii) metadata about the application and contextual information about a system on which the application may be installed;
     (iii) a generic fingerprint for the application;
  b) applying a machine-learning derived classification algorithm to a feature vector, if feature vector information is received from the client application;
  c) examining metadata concerning the software application and contextual information about the client system, if metadata and contextual information are received from the client system;
  d) determining whether the generic signature should be deemed malicious, if a generic signature for the software application is received from the client;
  e) making a determination as to whether the software application should be deemed malicious with regard to the client application; and
  f) transmitting information concerning the determination as to whether the software application should be deemed malicious to the client application.

49. Computer readable medium containing instructions for making a determination concerning whether a software application is malicious, said instructions comprising instructions for:
  a) performing two or more of the following steps;
     (i) extracting a feature vector from said software application;
     (ii) extracting metadata about the application and gather contextual information about a system on which the application may be installed;
     (iii) computing a generic fingerprint for the application;
  b) transmitting information related to data obtained as a result of step (a) to a server application;
  c) receiving information from said server application relating to a determination as to whether the application is benign or malicious based, at least in part, on the information transmitted in step (b); and
  d) taking an action with respect to the application based on the information received from the server component.

50. Computer readable medium containing instructions for making a determination concerning whether a software application is malicious, said instructions comprising instructions for:
  a) receiving at a server application information from a client application concerning two or more of the following;
     (i) a feature vector from said software application;
     (ii) metadata about the application and contextual information about a system on which the application may be installed;
     (iii) a generic fingerprint for the application;
  b) applying a machine-learning derived classification algorithm to a feature vector, if feature vector information is received from the client application;
  c) examining metadata concerning the software application and contextual information about the client system, if metadata and contextual information are received from the client system;
  d) determining whether the generic signature should be deemed malicious, if a generic signature for the software application is received from the client;
  e) making a determination as to whether the software application should be deemed malicious with regard to the client application; and
  f) transmitting information concerning the determination as to whether the software application should be deemed malicious to the client application.
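
The client/server flow recited in claims 47 and 48, sketched as an added example that is not code from the patent or its assignee. The linear weights, the fingerprint list, the context rule (unsigned file on a system with recent detections) and the "any check convicts" combination rule are all assumptions made for illustration; the claims do not specify them.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data; none of these values come from the patent.
MALICIOUS_FINGERPRINTS = {"gf-0001"}      # hypothetical generic-signature list
WEIGHTS, BIAS = [0.8, 1.5, -0.6], -1.0    # hypothetical linear classifier

@dataclass
class Report:
    """What the client transmits: any two or more of the three items."""
    feature_vector: Optional[list] = None
    context: Optional[dict] = None        # metadata plus contextual information
    fingerprint: Optional[str] = None

def classify_features(fv):
    # Stand-in for the machine-learning derived classifier.
    return sum(w * x for w, x in zip(WEIGHTS, fv)) + BIAS > 0

def examine_context(ctx):
    # Assumed rule: unsigned file on a system with recent detections.
    return not ctx.get("signed", False) and ctx.get("recent_detections", 0) > 0

def server_determine(report):
    """Run only the checks whose input was received."""
    checks = {}
    if report.feature_vector is not None:
        checks["ml"] = classify_features(report.feature_vector)
    if report.context is not None:
        checks["context"] = examine_context(report.context)
    if report.fingerprint is not None:
        checks["fingerprint"] = report.fingerprint in MALICIOUS_FINGERPRINTS
    if len(checks) < 2:
        raise ValueError("need two or more of: feature vector, context, fingerprint")
    # Assumed combination rule: any single convicting check is enough.
    verdict = "malicious" if any(checks.values()) else "benign"
    return {"verdict": verdict, "checks": checks}

def client_action(response):
    """Act on the server's determination."""
    return "quarantine" if response["verdict"] == "malicious" else "allow"

if __name__ == "__main__":
    r = Report(feature_vector=[0.2, 0.1, 1.0], fingerprint="gf-0001")
    resp = server_determine(r)
    print(resp, client_action(resp))
```
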
Specification