INTEGRATING MULTIPLE DATA SOURCES FOR MALWARE CLASSIFICATION

US 20130326625A1
Filed: 06/04/2013
Published: 12/05/2013
Est. Priority Date: 06/05/2012
Status: Active Grant

First Claim

Patent Images

1. A method, implemented at least in part by one or more computing devices, the method comprising:

generating at least one graph representation of at least one dynamic data source of at least one program;

generating at least one graph representation of at least one static data source of the at least one program; and

at least using the at least one graph representation of the at least one dynamic data source and the at least one graph representation of the at least one static data source, classifying the at least one program.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein are representative embodiments of tools and techniques for classifying programs. According to one exemplary technique, at least one graph representation of at least one dynamic data source of at least one program is generated. Also, at least one graph representation of at least one static data source of the at least one program is generated. Additionally, at least using the at least one graph representation of the at least one dynamic data source and the at least one graph representation of the at least one static data source, the at least one program is classified.

170 Citations

20 Claims

1. A method, implemented at least in part by one or more computing devices, the method comprising:
- generating at least one graph representation of at least one dynamic data source of at least one program;
  
  generating at least one graph representation of at least one static data source of the at least one program; and
  
  at least using the at least one graph representation of the at least one dynamic data source and the at least one graph representation of the at least one static data source, classifying the at least one program.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 3. The method of claim 1, wherein the classifying the program comprises classifying the program as malware or non-malware.
  - 4. The method of claim 1, wherein the at least one graph representation of the at least one dynamic data source or the at least one graph representation of the at least one static data source is based on a Markov chain graph.
  - 5. The method of claim 4, wherein the at least one graph representation of the at least one dynamic data source or the at least one graph representation of the at least one static data source comprises an adjacency matrix that represents the Markov chain graph.
  - 6. The method of claim 1, wherein the at least one static data source comprises a binary file of the at least one program, a disassembled binary of the at least one program, or a control flow graph of the at least one program.
  - 7. The method of claim 6, wherein the at least one static data source comprises a control flow graph of the at least one program;
    - andthe at least one graph representation of the control flow graph comprises the control flow graph of the program; and
      
      wherein at least using the control flow graph comprises generating at least one normalized probability vector.
  - 8. The method of claim 1, wherein the at least one dynamic data source comprises a dynamic instruction trace or a dynamic system call trace.
  - 9. The method of claim 1, further comprising:
    - generating at least one feature vector representation of at least one file information data source of the at least one program; and
      
      classifying the at least one program further based at least on the at least one feature vector representation of the at least one file information data source.
  - 10. The method of claim 9, wherein the at least one file information data source is based on one or more selected from the group consisting of:
    - an entropy of a binary file, a size of the binary file, a packed status, a number of instructions in a disassembled binary, a number of edges in a control flow graph, a number of vertices in the control flow graph, a number of dynamic instructions, and a number of dynamic system calls.
  - 11. The method of claim 1, wherein classifying the at least one program comprises generating at least one kernel.
  - 12. The method of claim 11, wherein the at least one kernel comprises a graph kernel, a squared exponential kernel, a graphlet kernel, a random walk kernel, a shortest paths kernel, a spectral kernel, or a combination of two or more kernels.
  - 13. The method of claim 11, further comprising determining a weight of the at least one kernel.
  - 14. The method of claim 11, wherein classifying the program further comprises training a classifier using the at least one kernel.
  - 15. The method of claim 1, wherein the classifying the at least one program comprises using a kernel-based classification algorithm.
  - 16. The method of claim 15, wherein the kernel-based classification algorithm comprises a support vector machine or a Gaussian process.
  - 17. The method of claim 1, wherein the generating the at least one graph representation of at least one dynamic data source comprises grouping system calls into categories;
    - andusing the categories as vertices in a Markov chain graph.

2. One or more computer readable storage media storing computer-executable instructions which when executed cause a computing device to perform a method, the method comprising:
- generating at least one graph representation of at least one dynamic data source of at least one program;
  
  generating at least one graph representation of at least one static data source of the at least one program; and
  
  at least using the at least one graph representation of the at least one dynamic data source and the at least one graph representation of the at least one static data source, classifying the at least one program.

18. A computing system comprising one or more processors and one or more computer-readable media storing computer executable instructions that cause the computing system to perform a method, the method comprising:
- generating at least one graph representation of at least one dynamic data source of at least one program;
  
  generating at least one graph representation of at least one static data source of the at least one program; and
  
  at least using the at least one graph representation of the at least one dynamic data source and the at least one graph representation of the at least one static data source, classifying the at least one program.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, wherein the at least one graph representation of the at least one dynamic data source or the at least one graph representation of the at least one static data source is based on a Markov chain graph.
  - 20. The method of claim 18, wherein the at least one static data source comprises a binary file of the at least one program, a disassembled binary of the at least one program, or a control flow graph of the at least one program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
TRIAD National Security, LLC
Original Assignee
Los Alamos National Security LLC (Government of the United States of America)
Inventors
Anderson, Blake Harrell, Storlie, Curtis B., Lane, Terran

Granted Patent

US 9,021,589 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/566 Dynamic detection, i.e. det...

INTEGRATING MULTIPLE DATA SOURCES FOR MALWARE CLASSIFICATION

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

170 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

INTEGRATING MULTIPLE DATA SOURCES FOR MALWARE CLASSIFICATION

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

170 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links