MACHINE LEARNING MODEL FOR MALWARE DYNAMIC ANALYSIS

US 20180322287A1
Filed: 05/05/2017
Published: 11/08/2018
Est. Priority Date: 05/05/2016
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

at least one processor; and

at least one memory including program code which when executed by the at least one processor causes operations comprising;

analyzing a series of events contained in received data, the series of events comprising events that occur during the execution of a data object, and the series of events being analyzed to at least extract, from the series of events, one or more subsequences of events;

determining, by a machine learning model, a classification for the received data, the machine learning model classifying the received data based at least on whether the one or more subsequences of events are malicious; and

providing the classification indicative of whether the received data is malicious.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some implementations there may be provided a system. The system may include a processor and a memory. The memory may include program code which causes operations when executed by the processor. The operations may include analyzing a series of events contained in received data. The series of events may include events that occur during the execution of a data object. The series of events may be analyzed to at least extract, from the series of events, subsequences of events. A machine learning model may determine a classification for the received data. The machine learning model may classify the received data based at least on whether the subsequences of events are malicious. The classification indicative of whether the received data is malicious may be provided. Related methods and articles of manufacture, including computer program products, are also disclosed.

18 Citations

View as Search Results

32 Claims

1. A system comprising:
- at least one processor; and
  
  at least one memory including program code which when executed by the at least one processor causes operations comprising;
  
  analyzing a series of events contained in received data, the series of events comprising events that occur during the execution of a data object, and the series of events being analyzed to at least extract, from the series of events, one or more subsequences of events;
  
  determining, by a machine learning model, a classification for the received data, the machine learning model classifying the received data based at least on whether the one or more subsequences of events are malicious; and
  
  providing the classification indicative of whether the received data is malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system according to claim 1, wherein the one or more subsequences of events are extracted by at least:
    - determining a plurality of subsequences in the series of events;
      
      identifying a plurality of most frequent subsequences in the plurality of subsequences; and
      
      selecting, from the plurality of the most frequent subsequences, the one or more subsequences of events.
  - 3. The system according to claim 2, wherein the selecting of the one or more subsequence of events is based on a frequency of occurrence of the plurality of most frequent subsequences exceeding a predetermined threshold.
  - 4. The system according to claim 2, wherein the plurality of the most frequent subsequences are identified by at least applying an Apriori algorithm.
  - 5. The system according to claim 4, wherein the Apriori algorithm is configured to at least:
    - identify a most frequent event; and
      
      identify, based at least on the most frequent event, a most frequent subsequence of events, the most frequent subsequence of events including the most frequent event and at least one other event.
  - 6. The system according to claim 1, wherein the machine learning model comprises a recurrent neural network.
  - 7. The system according to claim 6, wherein the recurrent neural network comprises a long short term memory network.
  - 8. The system according to claim 7, wherein the long short term memory network comprises a memory cell, the memory cell being configured maintain a value, the memory cell being further configured to determine, based at least on an event, whether to update, output, discard, and/or continue to maintain the value.
  - 9. The system according to claim 1, wherein the machine learning model determines the classification for the received data by at least:
    - generating a representation the one or more subsequences of events;
      
      determining an average representation of the one or more subsequences of events over a plurality of time steps associated with the series of events;
      
      determining a logistic regression of an average representation of the one or more subsequences of events; and
      
      determining, based on the logistic regression, the classification for the received data.
  - 10. The system according to claim 1, further comprising:
    - determining whether the series of events includes at least one malicious event; and
      
      classifying the received data based at least on a presence of the at least one malicious event in the series of events.
  - 11. The system according to claim 10, further comprising:
    - determining that an event is malicious based at least on a filename and/or a filepath associated with the event.
  - 12. The system according to claim 11, wherein the filename and/or the filepath associated with the event is analyzed based at least on a pattern associated with one or more filenames and/or filepaths that are known to be non-malicious.
  - 13. The system according to claim 12, wherein the pattern associated with the one or more non-malicious filenames and/or filepaths is modeled using a Markov chain.
  - 14. The system according to claim 11, wherein the data object comprises a file, a function, and/or a software program.
  - 15. The system according to claim 1, wherein the one or more subsequence of events comprise consecutive and/or non-consecutive events from the series of events.

16. A computer-implemented method, comprising:
- analyzing a series of events contained in received data, the series of events comprising events that occur during the execution of a data object, and the series of events being analyzed to at least extract, from the series of events, one or more subsequences of events;
  
  determining, by a machine learning model, a classification for the received data, the machine learning model classifying the received data based at least on whether the one or more subsequences of events are malicious; and
  
  providing the classification indicative of whether the received data is malicious.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The computer-implemented method according to claim 16, wherein the one or more subsequences of events are extracted by at least:
    - determining a plurality of subsequences in the series of events;
      
      identifying a plurality of most frequent subsequences in the plurality of subsequences; and
      
      selecting, from the plurality of the most frequent subsequences, the one or more subsequences of events.
  - 18. The computer-implemented method according to claim 17, wherein the selecting of the one or more subsequence of events is based on a frequency of occurrence of the plurality of most frequent subsequences exceeding a predetermined threshold.
  - 19. The computer-implemented method according to claim 17, wherein the plurality of the most frequent subsequences are identified by at least applying an Apriori algorithm.
  - 20. The computer-implemented method according to claim 19, wherein the Apriori algorithm is configured to at least:
    - identify a most frequent event; and
      
      identify, based at least on the most frequent event, a most frequent subsequence of events, the most frequent subsequence of events including the most frequent event and at least one other event.
  - 21. The computer-implemented method according to claim 16, wherein the machine learning model comprises a recurrent neural network.
  - 22. The computer-implemented method according to claim 21, wherein the recurrent neural network comprises a long short term memory network.
  - 23. The computer-implemented method according to claim 22, wherein the long short term memory network comprises a memory cell, the memory cell being configured maintain a value, the memory cell being further configured to determine, based at least on an event, whether to update, output, discard, and/or continue to maintain the value.
  - 24. The computer-implemented method according to claim 16, wherein the machine learning model determines the classification for the received data by at least:
    - generating a representation the one or more subsequences of events;
      
      determining an average representation of the one or more subsequences of events over a plurality of time steps associated with the series of events;
      
      determining a logistic regression of an average representation of the one or more subsequences of events; and
      
      determining, based on the logistic regression, the classification for the received data.
  - 25. The computer-implemented method according to claim 16, further comprising:
    - determining whether the series of events includes at least one malicious event; and
      
      classifying the received data based at least on a presence of the at least one malicious event in the series of events.
  - 26. The computer-implemented method according to claim 25, further comprising:
    - determining that an event is malicious based at least on a filename and/or a filepath associated with the event.
  - 27. The computer-implemented method according to claim 26, wherein the filename and/or the filepath associated with the event is analyzed based at least on a pattern associated with one or more filenames and/or filepaths that are known to be non-malicious.
  - 28. The computer-implemented method according to claim 27, wherein the pattern associated with the one or more non-malicious filenames and/or filepaths is modeled using a Markov chain.
  - 29. The computer-implemented method of claim 26, wherein the data object comprises a file, a function, and/or a software program.
  - 30. The computer-implemented method according to claim 16, wherein the one or more subsequence of events comprise consecutive and/or non-consecutive events from the series of events.

31. A non-transitory computer-readable storage medium including program code, which when executed by at least one data processor, cause operations comprising:
- analyzing a series of events contained in received data, the series of events comprising events that occur during the execution of a data object, and the series of events being analyzed to at least extract, from the series of events, one or more subsequences of events;
  
  determining, by a machine learning model, a classification for the received data, the machine learning model classifying the received data based at least on whether the one or more subsequences of events are malicious; and
  
  providing the classification indicative of whether the received data is malicious.

32. An apparatus, comprising:
- means for analyzing a series of events contained in received data, the series of events comprising events that occur during the execution of a data object, and the series of events being analyzed to at least extract, from the series of events, one or more subsequences of events;
  
  means for determining, by a machine learning model, a classification for the received data, the machine learning model classifying the received data based at least on whether the one or more subsequences of events are malicious; and
  
  means for providing the classification indicative of whether the received is malicious.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cylance Inc. (Blackberry Limited)
Original Assignee
Cylance Inc. (Blackberry Limited)
Inventors
Zhao, Xuan, Kapoor, Aditya, Wolff, Matthew, Davis, Andrew, Soeder, Derek, Permeh, Ryan

Granted Patent

US 10,685,112 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 3/048   Interaction techniques base...

G06N 20/00   Machine learning

G06N 20/10   using kernel methods, e.g. ...

G06N 20/20   Ensemble learning

G06N 3/044   Recurrent networks, e.g. Ho...

G06N 3/08   Learning methods

G06N 5/01   Dynamic search techniques; ...

G06N 5/025   Extracting rules from data

G06N 7/01   Probabilistic graphical mod...

H04L 63/145   the attack involving the pr...

MACHINE LEARNING MODEL FOR MALWARE DYNAMIC ANALYSIS

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

18 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

MACHINE LEARNING MODEL FOR MALWARE DYNAMIC ANALYSIS

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links