METHOD, APPARATUS AND TERMINAL FOR DETECTING A MALWARE FILE

US 20170004306A1
Filed: 12/31/2015
Published: 01/05/2017
Est. Priority Date: 06/30/2015
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a malware file, comprising:

acquiring a file to be inspected;

determining an entropy vector of the file; and

inspecting, using a trained inspection model, the determined entropy vector of the file to ascertain whether the file is a malware file, wherein a file type of the file is identical to a model file type corresponding to the inspection model.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present application discloses a method, an apparatus and a terminal for detecting a malware file. One embodiment of the method comprises: obtaining a file to be inspected; determining an entropy vector of the file; and inspecting the entropy vector of the file using a trained inspection model to determine if the file is a malware file, wherein a file type of the file is identical to the file type corresponding to the inspection model. This embodiment extracts the entropy vector of the file and determines if the file is a malware file based on the entropy vector of the file. Therefore, the technical problems existed in the art, such as a low speed, a poor capacity and a low efficiency of detecting and destroying the malware file, are addressed and the efficiency of detecting and destroying the malware file is enhanced.

27 Citations

View as Search Results

15 Claims

1. A method for detecting a malware file, comprising:
- acquiring a file to be inspected;
  
  determining an entropy vector of the file; and
  
  inspecting, using a trained inspection model, the determined entropy vector of the file to ascertain whether the file is a malware file, wherein a file type of the file is identical to a model file type corresponding to the inspection model.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the inspection model is obtained by:
    - acquiring a plurality of files with an identical file type and known security categories as training files, wherein the security categories include malware file categories and non-malware file categories;
      
      labeling the acquired training files with security category labels according to the known security categories;
      
      determining the entropy vectors of the training files; and
      
      training and outputting an inspection model based on the determined entropy vectors and the security category labels of the training files.
  - 3. The method of claim 2, wherein the training and outputting the inspection model comprises:
    - obtaining an initial inspection model based on the entropy vectors and the security category labels of the training files;
      
      determining if a misjudgment rate of the initial inspection model is below a predetermined threshold value;
      
      if the misjudgment rate is not below the predetermined threshold value, repeating a step of correcting the present inspection model and a step of determining if the misjudgment rate of the corrected inspection model is below the predetermined threshold value; and
      
      stopping the repeating, and outputting the corrected inspection model when the misjudgment rate of the corrected inspection model is below the predetermined threshold value.
  - 4. The method of claim 3, wherein the obtaining an initial inspection model comprises:
    - obtaining a subset of files from the training files as first files;
      
      performing a feature classification to the entropy vectors of the first files, resulting in a classification outcome; and
      
      obtaining the initial inspection model by a learning operation based on the classification outcome and the security category labels of the first files.
  - 5. The method of claim 4, wherein the determining if the misjudgment rate of the inspection model is below the predetermined threshold value comprises:
    - obtaining a second subset of files from the training files as second files;
      
      inspecting entropy vectors of the second files using an inspection model to be tested;
      
      determining the misjudgment rate based on the inspected entropy vectors and the security category labels of the second files; and
      
      comparing the determined misjudgment rate with the predetermined threshold value to determine if the misjudgment rate is below the predetermined threshold value,wherein the second files and the first files are mutually exclusive.
  - 6. The method of claim 5, wherein the correcting the present inspection model comprises at least one of:
    - increasing a number of the first files and obtaining the inspection model by a further learning operation; and
      
      adjusting a dimension of the entropy vectors and obtaining the inspection model by a further learning operation.
  - 7. The method of claim 1, wherein the determining the entropy vector of the file comprises:
    - dividing the file into a predetermined number of segments;
      
      obtaining an entropy value for each of the segments; and
      
      setting the number of the segments as a dimension of the entropy vector, wherein each of the segments corresponds to one direction of the entropy vector, and the entropy vector of the file is determined based on the entropy value of each of the segments.

8. An apparatus for detecting a malware file, the apparatus comprising:
- a processor;
  
  a memory storing computer-readable instructions;
  
  wherein, when the computer-readable instructions are executed by the processor, the processor is operable to;
  
  acquire a file to be inspected;
  
  determine an entropy vector of the file; and
  
  inspect, using a trained inspection model, the determined entropy vector of the file to ascertain whether the file is a malware file, wherein a file type of the file is identical to a model file type corresponding to the inspection model.
- View Dependent Claims (9, 10, 15)
- - 9. The apparatus of claim 8, wherein the inspection model is obtained by:
    - acquiring a plurality of files with an identical file type and known security categories as training files, wherein the security categories comprise malware file categories and non-malware file categories;
      
      labeling the acquired training files with security category labels according to the known security categories;
      
      determining the entropy vectors of the training files; and
      
      training and outputting an inspection model based on the determined entropy vectors and the security category labels of the training files.
  - 10. The apparatus of claim 8, wherein the determination module is adapted to:
    - divide the file into a predetermined number of segments;
      
      obtain an entropy value for each of the segments; and
      
      set the number of the segments as a dimension of the entropy vector, wherein each of the segments corresponds to one direction of the entropy vector, and the entropy vector of the file is determined based on the entropy value of each of the segments.
  - 15. The apparatus of claim 9, wherein the determination module is adapted to:
    - divide the file into a predetermined number of segments;
      
      obtain an entropy value for each of the segments; and
      
      set the number of the segments as a dimension of the entropy vector, wherein each of the segments corresponds to one direction of the entropy vector, and the entropy vector of the file is determined based on the entropy value of each of the segments.

11. A computer storage medium storing computer-readable instructions, wherein, when the computer-readable instructions are executed by a processor, the processor is operable to:
- obtain a file to be inspected, determine an entropy vector of the file; and
  
  inspect, using a trained inspection model, the determined entropy vector of the file to ascertain whether the file is a malware file, wherein a file type of the file is identical to a model file type corresponding to the inspection model.
- View Dependent Claims (12, 13, 14)
- - 12. The computer storage medium of claim 11, wherein the inspection model is obtained by:
    - acquiring a plurality of files with an identical file type and known security categories as training files, wherein the security categories include malware file categories and non-malware file categories;
      
      labeling the acquired training files with security category labels according to the known security categories;
      
      determining the entropy vectors of the training files; and
      
      training and outputting an inspection model based on the determined entropy vectors and the security category labels of the training files.
  - 13. The computer storage medium of claim 11, wherein the processor is further operable to:
    - divide the file into a predetermined number of segments;
      
      obtain an entropy value for each of the segments; and
      
      set the number of the segments as a dimension of the entropy vector, wherein each of the segments corresponds to one direction of the entropy vector, and the entropy vector of the file is determined based on the entropy value of each of the segments.
  - 14. The computer storage medium of claim 12, wherein the processor is further operable to:
    - divide the file into a predetermined number of segments;
      
      obtain an entropy value for each of the segments; and
      
      set the number of the segments as a dimension of the entropy vector, wherein each of the segments corresponds to one direction of the entropy vector, and the entropy vector of the file is determined based on the entropy value of each of the segments.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Beijing Baidu Netcom Science and Technology Company Limited (Baidu Incorporated)
Original Assignee
Iyuntian Co., Ltd.
Inventors
ZHANG, Zhuang, ZHAO, Changkun, DONG, Zhiqiang, CAO, Liang

Granted Patent

US 10,176,323 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06N 20/00   Machine learning

G06N 99/00   Subject matter not provided...

G10L 2019/0014   Selection criteria for dist...

H04L 63/1416   Event detection, e.g. attac...

METHOD, APPARATUS AND TERMINAL FOR DETECTING A MALWARE FILE

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD, APPARATUS AND TERMINAL FOR DETECTING A MALWARE FILE

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links