System and Method to Extract and Utilize Disassembly Features to Classify Software Intent

US 20140283037A1
Filed: 04/19/2013
Published: 09/18/2014
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A method to extract and utilize disassembly features to classify an intent of a software program, the method comprising the steps of:

disassembling, at least partially, a software program;

extracting at least one feature from the at least partially disassembled software program;

processing the at least one feature using an algorithm; and

classifying the software program based on a result yielded from processing the at least one feature using the algorithm.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method operable to identify malicious software by extracting one or more features disassembled from software suspected to be malicious software and employing one or more of those features in a machine-learning algorithm to classify such software.

215 Citations

18 Claims

1. A method to extract and utilize disassembly features to classify an intent of a software program, the method comprising the steps of:
- disassembling, at least partially, a software program;
  
  extracting at least one feature from the at least partially disassembled software program;
  
  processing the at least one feature using an algorithm; and
  
  classifying the software program based on a result yielded from processing the at least one feature using the algorithm.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, wherein the algorithm is a machine-learning algorithm.
  - 3. The method according to claim 1, wherein the algorithm is an unsupervised machine-learning algorithm that does not require explicitly labeled input.
  - 4. The method according to claim 1, wherein the algorithm utilizes a model created by labeling at least one of known malicious software and known benign software performed before the step of processing the at least one feature using the algorithm.
  - 5. The method according to claim 4, wherein the at least one of a malicious software and a benign software is contained in a memory of the system.
  - 6. The method according to claim 1, wherein the algorithm is at least partially manually created by a user.
  - 7. The method according to claim 1, wherein the algorithm is at least partially automatically created using pre-labeled malicious software.
  - 8. The method according to claim 1, wherein the algorithm is unsupervised and produces clustered results.
  - 9. The method according to claim 1, wherein the processing step using the algorithm includes the step of creating a model using one or more features extracted using one or more plug-ins.
  - 10. The method according to claim 1, wherein the at least one feature from the at least partially disassembled software program is one or more plug-ins.

11. A system operable to extract and utilize disassembly features to classify software intent of a software program, the system comprising:
- a disassembly tool operable to at least partially disassemble a software program;
  
  an extractor operable to extract at least one feature from the at least partially disassembled software program;
  
  a processor operable to process the at least one feature using an algorithm; and
  
  a classifier operable to classify the software program based on a result yielded from processing the at least one feature using the algorithm.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The system according to claim 11, wherein the algorithm is a machine-learning algorithm.
  - 13. The system according to claim 11, wherein the algorithm utilizes a model that is created by labeling at least one of known malicious software and known benign software before processing the at least one feature using the algorithm.
  - 14. The system according to claim 13, wherein at least one of a malicious software and a benign software is contained in a memory of the system.
  - 15. The system according to claim 11, wherein the algorithm is at least partially manually created by a user.
  - 16. The system according to claim 11, wherein the algorithm is at least partially automatically created using pre-labeled malicious software.
  - 17. The system according to claim 11, wherein the processor is configured to create a model using one or more plug-ins.
  - 18. The system according to claim 11, wherein the at least one feature from the at least partially disassembled software program is one or more plug-ins.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
FireEye, Inc.
Inventors
Sikorski, Michael, Ballenthin, William

Granted Patent

US 10,713,358 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/563   by source code analysis

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

System and Method to Extract and Utilize Disassembly Features to Classify Software Intent

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

215 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method to Extract and Utilize Disassembly Features to Classify Software Intent

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

215 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links