METHODS AND SYSTEMS FOR ENCODING COMPUTER PROCESSES FOR MALWARE DETECTION
First Claim
1. In a managed network of computers, a method for encoding computer processes for malicious program detection, comprising the steps of:
(a) randomly sampling a trace of system calls collected over an observation interval, each system call including context information and memory addresses for the function being monitored;
(b) computing system address differences from the trace of system calls and retaining the computed values;
(c) forming a group of n-grams (words) of retained differences of system addresses from the trace of system calls;
(d) forming a series of process snippets, each process snippet including context information and the retained differences of system addresses;
(e) transforming each process snippet to form a compact representation (process dot) comprising a pair of elements c, a, wherein c includes the context information and a is a sparse vector that encodes information derived from the group of n-grams;
(f) forming clusters of compact representations;
(g) obtaining clusters of compact representations from one or more malicious program-free computers; and
(h) comparing the clusters formed in step (f) to those obtained in step (g) and determining the presence of malicious program from the comparison.
1 Assignment
0 Petitions
Abstract
A method for encoding computer processes for malicious program detection. The method includes the steps of (a) randomly sampling a trace of system calls collected over a predetermined interval, each system call including context information and memory addresses for the function being monitored; (b) computing system address differences from the trace of system calls and retaining the computed values; (c) forming a group of n-grams (words) of retained differences of system addresses from the trace of system calls; (d) forming a series of process snippets, each process snippet including context information and the retained differences of system addresses; (e) transforming each process snippet to form a compact representation (process dot) comprising a pair of elements c, a, wherein c includes the context information and a is a sparse vector that encodes information derived from the group of n-grams; (f) forming clusters of compact representations; (g) obtaining clusters of compact representations from one or more malicious program-free computers; and (h) comparing the clusters formed in step (f) to those obtained in step (g) and determining the presence of malicious program from the comparison.
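The abstract describes the encoding pipeline only in words. The following Python sketch is an added illustration written for this page, not code from the patent or its assignee; it walks steps (a) through (h) on a small constructed system-call trace. Everything concrete in it is an assumption on my part: the trace record layout (process name, syscall name, function address), the hashing trick that maps each n-gram into a fixed sparse feature space (FEATURE_DIM), the greedy cosine-similarity clustering used for step (f), and the similarity threshold below which an observed cluster is reported as having no counterpart in the clean baseline (step (h)).

```python
"""Toy implementation of the patent's process-encoding steps (a)-(h).

Added example, not the patent's own code. Data layout, hashing, clustering
method and thresholds are all assumptions made for illustration.
"""
import hashlib
import math
import random
from collections import Counter

FEATURE_DIM = 2 ** 20  # assumed size of the sparse feature space


def sample_trace(trace, k, seed=0):
    """Step (a): keep k randomly chosen calls, preserving chronological order."""
    rng = random.Random(seed)
    keep = sorted(rng.sample(range(len(trace)), k))
    return [trace[i] for i in keep]


def address_deltas(trace):
    """Step (b): differences between successive monitored function addresses."""
    addrs = [call["addr"] for call in trace]
    return [b - a for a, b in zip(addrs, addrs[1:])]


def ngrams(deltas, n=2):
    """Step (c): n-grams ("words") over the retained address differences."""
    return [tuple(deltas[i:i + n]) for i in range(len(deltas) - n + 1)]


def feature_index(gram):
    """Hashing trick: map an n-gram to a stable index in [0, FEATURE_DIM)."""
    digest = hashlib.blake2b(repr(gram).encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big") % FEATURE_DIM


def process_dot(context, deltas, n=2):
    """Steps (d)+(e): snippet (context, deltas) -> process dot (c, a).

    c is the context (here just the process name); a is a sparse vector
    stored as {feature_index: count}.
    """
    a = Counter(feature_index(g) for g in ngrams(deltas, n))
    return (context, dict(a))


def cosine(u, v):
    """Cosine similarity of two sparse vectors given as dicts."""
    dot = sum(x * v.get(i, 0) for i, x in u.items())
    nu = math.sqrt(sum(x * x for x in u.values()))
    nv = math.sqrt(sum(x * x for x in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


def cluster_dots(dots, threshold=0.8):
    """Step (f): greedy single-pass clustering on cosine similarity (assumed)."""
    clusters = []  # each: {"centroid": Counter, "members": [context, ...]}
    for context, a in dots:
        for cl in clusters:
            if cosine(a, cl["centroid"]) >= threshold:
                cl["centroid"].update(a)
                cl["members"].append(context)
                break
        else:
            clusters.append({"centroid": Counter(a), "members": [context]})
    return clusters


def compare_clusters(observed, baseline, threshold=0.8):
    """Step (h): report observed clusters with no near neighbour in the baseline."""
    flagged = []
    for cl in observed:
        best = max((cosine(cl["centroid"], b["centroid"]) for b in baseline),
                   default=0.0)
        if best < threshold:
            flagged.append((cl["members"], round(best, 3)))
    return flagged


def encode_host(trace, sample_size, n=2, seed=0):
    """Run (a)-(f) for one host: sample, split per process, encode, cluster."""
    by_proc = {}
    for call in sample_trace(trace, sample_size, seed):
        by_proc.setdefault(call["proc"], []).append(call)
    dots = [process_dot(proc, address_deltas(calls), n)
            for proc, calls in by_proc.items()]
    return cluster_dots(dots)


def make_trace(proc, base, deltas, count):
    """Constructed sample trace: addresses advance by a repeating delta pattern."""
    addr, trace = base, []
    for i in range(count):
        trace.append({"proc": proc, "syscall": "read" if i % 2 == 0 else "write",
                      "addr": addr})
        addr += deltas[i % len(deltas)]
    return trace


# Constructed data: a clean host runs "svc"; the observed host runs the same
# "svc" plus a process whose address pattern looks nothing like the baseline.
CLEAN_TRACE = make_trace("svc", 0x7F0000, [0x10, 0x20], 12)
OBSERVED_TRACE = (make_trace("svc", 0x7F0000, [0x10, 0x20], 12)
                  + make_trace("dropper", 0x400000, [0x1000, -0x800], 12))

if __name__ == "__main__":
    baseline = encode_host(CLEAN_TRACE, len(CLEAN_TRACE))        # step (g)
    observed = encode_host(OBSERVED_TRACE, len(OBSERVED_TRACE))  # steps (a)-(f)
    print(compare_clusters(observed, baseline))                  # step (h)
```

Run as a script, it prints the observed cluster whose members have no baseline counterpart (the constructed "dropper" process) together with its best similarity to any clean cluster. Sampling with k equal to the trace length keeps every call, which makes the demo deterministic; on a real trace a smaller k would be used, and the n-gram width, feature dimension and thresholds would have to be tuned against clean hosts first.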
41 Claims
1. In a managed network of computers, a method for encoding computer processes for malicious program detection, comprising the steps of:
(a) randomly sampling a trace of system calls collected over an observation interval, each system call including context information and memory addresses for the function being monitored;
(b) computing system address differences from the trace of system calls and retaining the computed values;
(c) forming a group of n-grams (words) of retained differences of system addresses from the trace of system calls;
(d) forming a series of process snippets, each process snippet including context information and the retained differences of system addresses;
(e) transforming each process snippet to form a compact representation (process dot) comprising a pair of elements c, a, wherein c includes the context information and a is a sparse vector that encodes information derived from the group of n-grams;
(f) forming clusters of compact representations;
(g) obtaining clusters of compact representations from one or more malicious program-free computers; and
(h) comparing the clusters formed in step (f) to those obtained in step (g) and determining the presence of malicious program from the comparison.
Dependent claims: 2 to 12.
13. A method for encoding computer processes for malicious program detection, comprising the steps of:
(a) randomly sampling a trace of system calls collected over a predetermined interval, each system call including context information and memory addresses for the function being monitored;
(b) computing system address differences from the trace of system calls and retaining the computed values;
(c) forming a group of n-grams (words) of retained differences of system addresses from the trace of system calls;
(d) forming a series of process snippets, each process snippet including context information and the retained differences of system addresses;
(e) transforming each process snippet to form a compact representation (process dot) comprising a pair of elements c, a, wherein c includes the context information and a is a sparse vector that encodes information derived from the group of n-grams;
(f) forming clusters of compact representations; and
(g) comparing the clusters formed in step (f) to a library of malicious programs samples.
Dependent claims: 14 to 26.
27. A system for detecting malicious program on at least one computer, comprising:
a sensor installed on the at least one computer, the sensor structured and arranged to collect information on the at least one computer's resource utilization; and
a machine learning daemon structured and arranged to receive bundles of information from the sensor and determine the probability that the computer is infected with malicious programs.
Dependent claims: 28 to 41.