Automatic Inline Detection based on Static Data

US 20180013772A1
Filed: 07/05/2016
Published: 01/11/2018
Est. Priority Date: 07/05/2016
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

at least one processor; and

memory coupled to the at least one processor, the memory comprising computer executable instructions that, when executed by the at least one processor, performs a method for automatic inline detection based on static data, the method comprising;

receiving input corresponding to a downloading executable file;

determining a format for the executable file;

based on the determined format, parsing the received input to identify static data;

extracting the static data;

creating one or more feature vectors using the extracted static data;

determining one or more scores from the one or more feature vectors; and

based on the one or more scores, determining whether to terminate the download of the executable file.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Examples of the present disclosure describe systems and methods of automatic inline detection based on static data. In aspects, a file being received by a recipient device may be analyzed using an inline parser. The inline parser may identify sections of the file and feature vectors may be created for the identified sections. The feature vectors may be used to calculate a score corresponding to the malicious status of the file as the information is being analyzed. If a score is determined to exceed a predetermined threshold, the file download process may be terminated. In aspects, the received files, file fragments, feature vectors and/or additional data may be collected and analyzed to build a probabilistic model used to identify potentially malicious files.

Citations

20 Claims

1. A system comprising:
- at least one processor; and
  
  memory coupled to the at least one processor, the memory comprising computer executable instructions that, when executed by the at least one processor, performs a method for automatic inline detection based on static data, the method comprising;
  
  receiving input corresponding to a downloading executable file;
  
  determining a format for the executable file;
  
  based on the determined format, parsing the received input to identify static data;
  
  extracting the static data;
  
  creating one or more feature vectors using the extracted static data;
  
  determining one or more scores from the one or more feature vectors; and
  
  based on the one or more scores, determining whether to terminate the download of the executable file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the executable file is a portable executable format type.
  - 3. The system of claim 1, wherein parsing the received input comprises identifying state information related to the progress of the parsing operation, the state information corresponding to at least one of a position in the file and a time value.
  - 4. The system of claim 1, wherein creating one or more feature vectors comprises at least one of:
    - grouping static data fields, labeling identified anomalies, converting data into hex representations, building n-grams and encapsulating special characters.
  - 5. The system of claim 1, wherein the one or more scores represent at least one of:
    - a similarity between at least one of the one or more feature vectors and a predefined feature vector, whether the feature vector exceeds a threshold, the degree of similarity between the feature vector and known malicious content, the probability that the feature vector includes potentially unwanted content, an identified threat as a percentage of the analyzed file, and unexpected content.
  - 6. The system of claim 1, wherein determining the one or more scores comprises providing the one or more feature vectors as input to a machine learning mechanism, wherein the machine learning mechanism uses the one or more feature vectors to train one or more predictive models.
  - 7. The system of claim 6, wherein the machine learning mechanism is at least one of:
    - a support vector machine (SVM), a restricted Boltzmann machine and a decision tree algorithm.
  - 8. The system of claim 6, wherein the one or more predictive models generate scores using at least one of:
    - a rule set, fuzzy logic, a machine-learned model and a weighting algorithm.
  - 9. The system of claim 1, wherein determining whether to terminate the download comprises comparing the one or more scores to a threshold value, wherein, when the one or more scores exceed the threshold value, the download is terminated.
  - 10. The system of claim 9, wherein terminating the download comprises:
    - preventing a portion of the input from being transmitted to an intended recipient;
      
      downloading a remainder of the input to the computing device; and
      
      transmitting the downloaded input from the computing device to a secure environment.
  - 11. The system of claim 10, wherein comparing the one or more scores to a threshold value comprises determining whether the executable file is at least one of:
    - malicious, potentially unwanted and benign.

12. A method for automatic inline detection based on static data, the method comprising:
- receiving, by a computing device, a set of labeled data, wherein the set of labeled data is associated with one or more executable files comprising one or more security determinations;
  
  training one or more predictive models to determine the one or more security determinations using at least a portion of the set of labeled data;
  
  receiving, by the computing device, input, the input corresponding to a downloading executable file;
  
  determining a format for the executable file;
  
  based on the determined format, parsing the received input to identify static data;
  
  extracting the static data;
  
  creating one or more feature vectors using the extracted static data;
  
  using the one or more trained predictive models to determine one or more scores from the one or more feature vectors;
  
  based on the one or more scores, generating a security determination from the downloading executable file; and
  
  based on the security determination, determining whether to terminate the download of the downloading executable file.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method of claim 12, wherein the one or more security determinations were labeled by at least one of a subject matter expert, an application developer, a member of a crowdsourcing community, and a judge.
  - 14. The method of claim 12, wherein training one or more predictive models comprises:
    - making the one or more scores from the one or more feature vectors accessible to a user,receiving feedback from the user; and
      
      using the feedback to modify at least one of the one or more predictive models and the one or more scores.
  - 15. The method of claim 12, wherein the extracted static data is subdivided into a set of families and a predictive model is trained for each family in the set of families.
  - 16. The method of claim 15, wherein at least two of the trained predictive models each generate a classification score, wherein the classification scores are combined into a final classification score indicating whether the executable file is malicious.

17. A computer-readable media storing computer executable instructions that when executed cause a computing system to perform a method for automatic inline detection based on static data, the method comprising:
- receiving a set of labeled data, wherein the set of labeled data is associated with one or more executable files comprising one or more security determinations;
  
  training one or more predictive models to determine the one or more security determinations using at least a portion of the set of labeled data;
  
  receiving input, the input corresponding to a downloading executable file;
  
  determining a format for the executable file;
  
  based on the determined format, parsing the received input to identify static data;
  
  extracting the static data;
  
  creating one or more feature vectors using the extracted static data;
  
  using the one or more trained predictive models to determine one or more scores from the one or more feature vectors; and
  
  based on the one or more scores, determining a security determination of the executable file.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable media of claim 17, wherein the executable file is a portable executable format type, and wherein parsing the received input comprises analyzing a data stream of the executable file.
  - 19. The method of claim 17, wherein training one or more predictive models comprises:
    - making the one or more scores from the one or more feature vectors accessible to a user,receiving, from the user, feedback related to the one or more scores; and
      
      using the feedback to modify at least one of the one or more predictive models and the one or more scores.
  - 20. The computer-readable media of claim 17, wherein determining whether the security status comprises comparing the one or more scores to one or more threshold values, the one or more threshold values corresponding to at least one security status in the group consisting of:
    - malicious, potentially unwanted and benign.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Carbonite LLC (Open Text Corporation)
Original Assignee
Webroot Inc. (Open Text Corporation)
Inventors
Schmidtler, Mauritius, Yoosoofmiya, Reza M., Theroux, Kristina

Granted Patent

US 10,972,482 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 67/06   specially adapted for file ...

Automatic Inline Detection based on Static Data

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic Inline Detection based on Static Data

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links