SYSTEMS AND METHODS FOR BEHAVIOR-BASED AUTOMATED MALWARE ANALYSIS AND CLASSIFICATION
Abstract
Embodiments relate to systems and methods for behavior-based automated malware analysis and classification. Aspects relate to platforms and techniques which access a set of samples of malware, and extract or capture a set of low-level behavioral artifacts produced by those samples. The low-level artifacts can be used to organize or identify a set of features, based upon which the sample can be classified and/or clustered into different labels, groups, or categories. The artifacts and/or features can be analyzed by one or more selectable algorithms, whose accuracy, efficiency, and other characteristics can be compared to one another for purposes of performing a classification or clustering task. The algorithm(s) can be selected by a user to achieve desired run times, accuracy levels, and/or other effects.
Claims

The patent has 20 claims. The two independent claims, 1 and 11, are reproduced below; claims 2-10 depend from claim 1 and claims 12-20 depend from claim 11.

1. A method of analyzing a set of samples of malware, comprising:
accessing the set of samples;
extracting a set of artifacts from the set of samples;
accessing a set of algorithms to analyze a set of features derived from the set of artifacts for one sample in the set of samples;
selecting one of the set of algorithms based on one or more selection features or parameters; and
analyzing the set of features using the selected algorithm to at least one of classify or cluster samples in the set of samples.

11. A malware analysis system, comprising:
an interface to a data store storing a set of samples of malware; and
a processor, communicating with the data store via the interface, the processor being configured to:
access the set of samples,
extract a set of artifacts from the set of samples,
access a set of algorithms to analyze a set of features derived from the set of artifacts for one sample in the set of samples,
select one of the set of algorithms based on one or more selection features or parameters, and
analyze the set of features using the selected algorithm to at least one of classify or cluster samples in the set of samples.
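The pipeline the abstract and claim 1 describe (extract low-level artifacts, derive features, score a set of candidate algorithms, select one by a user-supplied parameter, then classify or cluster) as an added Python example. This is illustrative code written for this page, not code from the patent or its assignee. The artifact strings and family labels are constructed, the two candidate algorithms (1-nearest-neighbour and nearest-centroid over Jaccard similarity), the leave-one-out scoring, the comparison-count cost measure, the 0.5 rejection threshold and the single-linkage clustering are all my assumptions; the patent names none of them.

```python
"""Artifact -> feature -> selectable-algorithm pipeline for malware samples.

Added illustration of the abstract and claim 1; not the patent's own code.
Every artifact string, label and threshold below is constructed.
"""
from collections import Counter

# Constructed sandbox output: (sample id, known family, "<category>:<detail>" artifacts).
RAW_LABELED = [
    ("r1", "ransom", ["api:CryptEncrypt", "file:write:docx", "file:delete:vss", "reg:set:Run"]),
    ("r2", "ransom", ["api:CryptEncrypt", "file:write:xlsx", "file:delete:vss", "net:dns:pay.example"]),
    ("r3", "ransom", ["api:CryptEncrypt", "file:write:docx", "file:delete:vss", "net:dns:pay.example"]),
    ("b1", "banker", ["api:SetWindowsHookEx", "proc:inject:browser", "net:http:c2.example", "reg:set:Run"]),
    ("b2", "banker", ["api:SetWindowsHookEx", "proc:inject:browser", "net:http:c2.example", "file:write:appdata"]),
    ("b3", "banker", ["api:SetWindowsHookEx", "net:http:c2.example", "reg:set:Run", "file:write:appdata"]),
    ("m1", "miner", ["proc:spawn:xmrig", "net:tcp:pool.example", "api:SetThreadPriority"]),
    ("m2", "miner", ["proc:spawn:xmrig", "net:tcp:pool.example", "reg:set:Run"]),
    ("m3", "miner", ["proc:spawn:xmrig", "api:SetThreadPriority", "file:write:temp"]),
]
# Constructed unlabelled samples to classify and cluster.
RAW_UNLABELED = [
    ("u1", ["api:CryptEncrypt", "file:write:pdf", "file:delete:vss", "net:dns:pay.example"]),
    ("u2", ["api:CryptEncrypt", "file:write:pdf", "file:delete:vss", "reg:set:Run"]),
    ("u3", ["proc:spawn:xmrig", "net:tcp:pool.example", "api:SetThreadPriority", "file:write:temp"]),
    ("u4", ["api:GetProcAddress", "file:write:temp"]),
]


def extract_features(artifacts):
    """Feature set for one sample: each raw artifact plus its category prefix, so
    samples touching the same subsystems share features even when details differ."""
    feats = set()
    for a in artifacts:
        feats.add(a)
        feats.add("cat:" + a.split(":", 1)[0])
    return frozenset(feats)


def jaccard(a, b):
    """Set similarity in [0, 1]; defined as 0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def nn_classify(train, feats, min_sim=0.0):
    """Algorithm A: 1-nearest-neighbour. Returns (label, comparisons made).
    Accurate on small sets but cost grows linearly with the training set."""
    best_label, best_sim = "unknown", -1.0
    for _, label, tfeats in train:
        sim = jaccard(feats, tfeats)
        if sim > best_sim:
            best_label, best_sim = label, sim
    return (best_label if best_sim >= min_sim else "unknown"), len(train)


def centroid_classify(train, feats, min_sim=0.0):
    """Algorithm B: nearest-centroid. A family is summarised by the features a
    strict majority of its samples share; cost is one comparison per family.
    Centroids are rebuilt per call here for simplicity; cache them in practice."""
    by_label = {}
    for _, label, tfeats in train:
        by_label.setdefault(label, []).append(tfeats)
    centroids = {}
    for label, rows in by_label.items():
        counts = Counter(f for r in rows for f in r)
        centroids[label] = frozenset(f for f, c in counts.items() if 2 * c > len(rows))
    best_label, best_sim = "unknown", -1.0
    for label, cfeats in centroids.items():
        sim = jaccard(feats, cfeats)
        if sim > best_sim:
            best_label, best_sim = label, sim
    return (best_label if best_sim >= min_sim else "unknown"), len(centroids)


LABELED = [(sid, lab, extract_features(arts)) for sid, lab, arts in RAW_LABELED]
UNLABELED = [(sid, extract_features(arts)) for sid, arts in RAW_UNLABELED]
ALGORITHMS = {"nearest_neighbour": nn_classify, "centroid": centroid_classify}


def evaluate(algorithm, labeled):
    """Leave-one-out accuracy and total comparison cost of one algorithm."""
    correct = cost = 0
    for i, (_, label, feats) in enumerate(labeled):
        pred, n = algorithm(labeled[:i] + labeled[i + 1:], feats)
        correct += pred == label
        cost += n
    return correct / len(labeled), cost


def select_algorithm(algorithms, labeled, min_accuracy=0.0, objective="accuracy"):
    """Selection step: score every candidate, drop those under min_accuracy
    (falling back to all if none qualify), then pick by 'accuracy' or 'cost'."""
    report = {name: evaluate(alg, labeled) for name, alg in algorithms.items()}
    eligible = [n for n, (acc, _) in report.items() if acc >= min_accuracy] or list(report)
    if objective == "cost":
        return min(eligible, key=lambda n: report[n][1]), report
    return max(eligible, key=lambda n: report[n][0]), report


def classify_unlabeled(name, min_sim=0.5):
    """Classify every unlabelled sample with the chosen algorithm; a best match
    below min_sim is reported as 'unknown' rather than forced into a family."""
    alg = ALGORITHMS[name]
    return {sid: alg(LABELED, feats, min_sim)[0] for sid, feats in UNLABELED}


def cluster(samples, threshold=0.5):
    """Single-linkage clustering (union-find): samples whose Jaccard similarity
    reaches the threshold land in the same group. Returns sorted id lists."""
    parent = list(range(len(samples)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(samples)):
        for j in range(i + 1, len(samples)):
            if jaccard(samples[i][1], samples[j][1]) >= threshold:
                parent[find(i)] = find(j)
    groups = {}
    for i, (sid, _) in enumerate(samples):
        groups.setdefault(find(i), []).append(sid)
    return sorted(groups.values())


if __name__ == "__main__":
    chosen, report = select_algorithm(ALGORITHMS, LABELED, min_accuracy=0.9, objective="cost")
    print("scores:", report, "selected:", chosen)
    print("labels:", classify_unlabeled(chosen))
    print("clusters:", cluster(UNLABELED))
```

On this constructed set the nearest-centroid algorithm misclassifies one miner sample (it shares a persistence artifact with the banker family), so a 0.9 accuracy floor forces the more expensive nearest-neighbour choice, while a 0.8 floor with a cost objective picks the centroid method. The rejection threshold matters for the same reason the selection step does: u4 exhibits only generic loader behaviour, and without a floor on similarity a nearest-neighbour classifier will still assign it to whichever family happens to be least dissimilar.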
Specification