Modeling goodware characteristics to reduce false positive malware signatures

US 8,028,338 B1
Filed: 09/30/2008
Issued: 09/27/2011
Est. Priority Date: 09/30/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of generating a model that specifies a likelihood of observing a characteristic in a set of goodware entities, the method comprising:

using a computer to perform steps comprising;

determining a set of likelihood values associated with a set of characteristics associated with the set of goodware entities, each likelihood value specifying a likelihood of observing a characteristic of the set of characteristics in the set of goodware entities, wherein determining the set of likelihood values comprises identifying a set of enumeration values indicating numbers of times characteristics of the set of characteristics are observed in the set of goodware entities, and the likelihood values are based on the set of enumeration values;

storing the set of characteristics in association with the set of likelihood values as a model;

generating a set of relative information gain values associated with the characteristics of the set of characteristics, wherein a relative information gain value describes an amount of information an associated characteristic adds to the model;

removing one or more characteristics from the model responsive to the relative information gain values associated with the one or more characteristics to produce a revised model; and

storing the revised model.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A set of likelihood values associated with a set of characteristics associated with the set of goodware entities is determined. The set of characteristics is stored in association with the set of likelihood values as a model. A set of relative information gain values associated with the characteristics of the set of characteristics is generated. One or more characteristics are removed from the model responsive to the relative information gain values associated with the one or more characteristics to produce a revised model.

Citations

17 Claims

1. A computer-implemented method of generating a model that specifies a likelihood of observing a characteristic in a set of goodware entities, the method comprising:
- using a computer to perform steps comprising;
  
  determining a set of likelihood values associated with a set of characteristics associated with the set of goodware entities, each likelihood value specifying a likelihood of observing a characteristic of the set of characteristics in the set of goodware entities, wherein determining the set of likelihood values comprises identifying a set of enumeration values indicating numbers of times characteristics of the set of characteristics are observed in the set of goodware entities, and the likelihood values are based on the set of enumeration values;
  
  storing the set of characteristics in association with the set of likelihood values as a model;
  
  generating a set of relative information gain values associated with the characteristics of the set of characteristics, wherein a relative information gain value describes an amount of information an associated characteristic adds to the model;
  
  removing one or more characteristics from the model responsive to the relative information gain values associated with the one or more characteristics to produce a revised model; and
  
  storing the revised model.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein a characteristic in the set of characteristics comprises a sequence derived from a goodware entity.
  - 3. The method of claim 2, wherein the model comprises a trie data structure that represents the sequence.
  - 4. The method of claim 1, wherein a characteristic in the set of characteristics comprises a sequence derived from a goodware entity and storing the set of characteristics in association with the set of likelihood values as a model comprises:
    - determining a likelihood value associated with a prefix of the sequence;
      
      determining that the likelihood value associated with the prefix is greater than a specified value; and
      
      storing the sequence in the model in association with the likelihood value associated with the prefix responsive to determining that the likelihood value is greater than the specified value.
  - 5. The method of claim 1, wherein a characteristic in the set of characteristics comprises a sequence derived from a goodware entity and generating the set of relative information gain values associated with the set of characteristics comprises:
    - determining a likelihood value associated with a suffix of the sequence; and
      
      generating a relative information gain value associated with the sequence based on a likelihood value associated with the sequence and the likelihood value associated with the suffix of the sequence.
  - 6. The method of claim 1, further comprising:
    - identifying a malware characteristic associated with a malware entity;
      
      identifying a malware likelihood value associated with the malware characteristic based on the model, wherein the malware likelihood value specifies a likelihood of observing the malware characteristic in a goodware entity; and
      
      determining whether to include the malware characteristic in a malware signature for detecting the malware responsive to the identified malware likelihood value.
  - 7. The method of claim 1, wherein a goodware entity is an entity that does not contain malware.

8. A non-transitory computer-readable storage medium comprising program code for generating a model that specifies a likelihood of observing a characteristic in a set of goodware entities, the program code comprising program code for:
- determining a set of likelihood values associated with a set of characteristics associated with the set of goodware entities, each likelihood value specifying a likelihood of observing a characteristic of the set of characteristics in the set of goodware entities, wherein determining the set of likelihood values comprises identifying a set of enumeration values indicating numbers of times characteristics of the set of characteristics are observed in the set of goodware entities, and the likelihood values are based on the set of enumeration values;
  
  storing the set of characteristics in association with the set of likelihood values as a model;
  
  generating a set of relative information gain values associated with the characteristics of the set of characteristics, wherein a relative information gain value describes an amount of information an associated characteristic adds to the model;
  
  removing one or more characteristics from the model responsive to the relative information gain values associated with the one or more characteristics to produce a revised model; and
  
  storing the revised model.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The medium of claim 8, wherein a characteristic in the set of characteristics comprises a sequence derived from a goodware entity.
  - 10. The medium of claim 9, wherein the model comprises a trie data structure that represents the sequence.
  - 11. The medium of claim 8, wherein a characteristic in the set of characteristics comprises a sequence derived from a goodware entity and program code for storing the set of characteristics in association with the set of likelihood values as a model comprises program code for:
    - determining a likelihood value associated with a prefix of the sequence;
      
      determining that the likelihood value associated with the prefix is greater than a specified value; and
      
      storing the sequence in the model in association with the likelihood value associated with the prefix responsive to determining that the likelihood value is greater than the specified value.
  - 12. The medium of claim 8, wherein a characteristic in the set of characteristics comprises a sequence derived from a goodware entity and program code for generating the set of relative information gain values associated with the set of characteristics comprises program code for:
    - determining a likelihood value associated with a suffix of the sequence; and
      
      generating a relative information gain value associated with the sequence based on a likelihood value associated with the sequence and the likelihood value associated with the suffix of the sequence.
  - 13. The medium of claim 8, further comprising program code for:
    - identifying a malware characteristic associated with a malware entity;
      
      identifying a malware likelihood value associated with the malware characteristic based on the model, wherein the malware likelihood value specifies a likelihood of observing the malware characteristic in a goodware entity; and
      
      determining whether to include the malware characteristic in a malware signature for detecting the malware responsive to the identified likelihood value associated with the malware characteristic.
  - 14. The medium of claim 8, wherein a goodware entity is an entity that does not contain malware.

15. A computer system for generating a malware signature for detecting a malware entity, the system comprising:
- a memory;
  
  a processor;
  
  a goodware model engine stored in the memory and executable by the processor to generate a model that specifies a likelihood of observing a characteristic in a goodware dataset comprising a set of goodware entities; and
  
  a malware signature engine stored in the memory and executable by the processor to use the model to determine a likelihood that a characteristic derived from the malware entity is found in the goodware dataset and to generate a malware signature using the characteristic responsive to the likelihood that the characteristic derived from the malware entity is found in the goodware dataset being below a threshold.
- View Dependent Claims (16, 17)
- - 16. The system of claim 15, wherein the goodware model engine is further executable by the processor to:
    - determine set of likelihood values associated with a set of characteristics associated with the set of goodware entities, each likelihood value specifying a likelihood of observing an associated characteristic of the set of characteristics in the set of goodware entities;
      
      store the set of characteristics in association with the set of likelihood values as a model;
      
      generate a set of relative information gain values associated with the characteristics of the set of characteristics, wherein a relative information gain value describes an amount of information an associated characteristic adds to the model; and
      
      remove one or more characteristics from the model responsive to the relative information gain values associated with the one or more characteristics to produce a revised model; and
      
      store the revised model.
  - 17. The system of claim 15, wherein the characteristic derived from the malware entity comprises a sequence of computer program instructions found within the malware entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Griffin, Kent, Schneider, Scott
Primary Examiner(s)
LaForgia; Christian

Application Number

US12/241,852
Time in Patent Office

1,092 Days
Field of Search

726 22- 24, 713/188
US Class Current

726/24
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

G06F 2221/2145   Inheriting rights or proper...

Modeling goodware characteristics to reduce false positive malware signatures

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Modeling goodware characteristics to reduce false positive malware signatures

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links