Malware detection using pattern classification

US 8,161,548 B1
Filed: 08/15/2005
Issued: 04/17/2012
Est. Priority Date: 08/15/2005
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A method of training a malware classifier, said method comprising:

determining a classification label that represents a type of malware, said type of malware not including benign software;

determining a classification label that represents a second type of malware;

creating a feature definition file that includes first features relevant to the classification of said type of malware and that includes second features relevant to the classification of said second type of malware, wherein said first and second features are combined into one feature set in said feature definition file, wherein said features include characteristics of said type of malware, DLL names and function names executed by said type of malware, and alphanumeric strings used by said type of malware;

selecting software training data including software of the same type as said type of malware and software that is benign;

executing a training application on a computer associated with said malware classifier and inputting said feature definition file and said software training data into said training application; and

outputting a training model associated with said malware classifier on said computer, whereby said training model is arranged to assist in the identification of said type of malware and said second type of malware.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Accused Products

Abstract

A malware classifier uses features of suspect software to classify the software as malicious or not. The classifier uses a pattern classification algorithm to statistically analyze computer software. The classifier takes a feature representation of the software and maps it to the classification label with the use of a trained model. The feature representation of the input computer software includes the relevant features and the values of each feature. These features include the categories of: applicable software characteristics of a particular type of malware; dynamic link library (DLL) and function name strings typically occurring in the body of the malware; and other alphanumeric strings commonly found in malware. By providing these features and their values to the classifier, the classifier is better able to identify a particular type of malware.

210 Citations

22 Claims

1. A method of training a malware classifier, said method comprising:
- determining a classification label that represents a type of malware, said type of malware not including benign software;
  
  determining a classification label that represents a second type of malware;
  
  creating a feature definition file that includes first features relevant to the classification of said type of malware and that includes second features relevant to the classification of said second type of malware, wherein said first and second features are combined into one feature set in said feature definition file, wherein said features include characteristics of said type of malware, DLL names and function names executed by said type of malware, and alphanumeric strings used by said type of malware;
  
  selecting software training data including software of the same type as said type of malware and software that is benign;
  
  executing a training application on a computer associated with said malware classifier and inputting said feature definition file and said software training data into said training application; and
  
  outputting a training model associated with said malware classifier on said computer, whereby said training model is arranged to assist in the identification of said type of malware and said second type of malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 15)
- - 2. A method as recited in claim 1 wherein said type of malware is a virus, a worm, a Trojan horse, a dropper, a wabbit, a fork bomb, spyware, adware, a backdoor, ratware, an exploit, a root kit, key logger software, a dialer or URL injection software.
  - 3. A method as recited in claim 1 wherein said type of malware is a worm, spyware or a dialer.
  - 4. A method as recited in claim 1 wherein said characteristics of said type of malware include header fields.
  - 5. A method as recited in claim 4 wherein header fields include a packed field, a number of sections field, a code size field, an import table size field, and a resource table size field, all of a portable executable format.
  - 6. A method as recited in claim 1 wherein said malware classifier is based on the support vector machine (SVM) algorithm.
  - 7. A method as recited in claim 1 further comprising:
    - validating said training model by using as input into said malware classifier a previously un-used software program of said type of malware, said software program not being included in said software training data; and
      
      outputting said classification label for said previously un-used input software program indicating said type of malware.
  - 8. A method as recited in claim 1 wherein executing a training application further comprises:
    - using a first parameter that controls a trade-off between a margin and one or more misclassified samples and a second parameter for selecting a kernel function.
  - 15. A method as recited in claim 8 further comprising:
    - performing said steps of claim 8 using a malware classifier, wherein said malware classifier is integrated into an anti-spyware software product; and
      
      inputting said subset of features into said classification algorithm when said software program is accessed.

9. A method of classifying a suspect software program, said method comprising:
- selecting a group of features relevant to the identification of a particular type of malware, wherein said particular type of malware does not include benign software and wherein said group of features include characteristics of said type of malware, DLL names and function names executed by said type of malware, and alphanumeric strings used by said type of malware;
  
  selecting a second group of features relevant to the identification of a second particular type of malware;
  
  combining said first and second groups of features into one selected feature set;
  
  selecting a trained model, said trained model being trained to identify said particular type of malware and said second particular type of malware;
  
  extracting a subset of said first and second features and their corresponding values from said suspect software program utilizing said selected feature set;
  
  executing a classification algorithm on a computer and inputting said subset of features, said corresponding values, and said trained model, wherein said classification algorithm combines logic of classification functions for detecting said type of malware and said second type of malware; and
  
  outputting a classification label using said computer for said suspect software program that identifies said type of malware or said second type of malware.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. A method as recited in claim 9 wherein said type of malware is a virus, a worm, a Trojan horse, a dropper, a wabbit, a fork bomb, spyware, adware, a backdoor, ratware, an exploit, a root kit, key logger software, a dialer or URL injection software.
  - 11. A method as recited in claim 9 wherein said type of malware is a worm, spyware or a dialer.
  - 12. A method as recited in claim 9 wherein said characteristics of said type of malware include header fields.
  - 13. A method as recited in claim 12 wherein header fields include a packed field, a number of sections field, a code size field, an import table size field, and a resource table size field, all of a portable executable format.
  - 14. A method as recited in claim 9 wherein said classification algorithm is based on the support vector machine (SVM) algorithm.

16. A malware classifier apparatus implemented on a computer for classifying suspect software, said malware classifier comprising:
- a feature definition file including first features relevant to the identification of a type of malware and second features relevant to the identification of a second particular type of malware, wherein said first and second features are combined into one feature set in said feature definition file, said type of malware not including benign software and, wherein said features include characteristics of said type of malware, DLL names and function names executed by said type of malware, and alphanumeric strings used by said type of malware;
  
  a trained model, said model being trained to identify said type of malware and said second particular type of malware;
  
  a feature extraction module arranged to accept as input computer software and said feature definition file and to extract a subset of said first and second features and their values from said computer software using a computer;
  
  a pattern classification algorithm that accepts said subset of features and their values and uses said trained model to output a classification label using said computer for said input computer software that identifies said type of malware or said second type of malware, wherein said pattern classification algorithm combines logic of classification functions for detecting said type of malware and said second type of malware.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The malware classifier apparatus as recited in claim 16 wherein said type of malware is a virus, a worm, a Trojan horse, a dropper, a wabbit, a fork bomb, spyware, adware, a backdoor, ratware, an exploit, a root kit, key logger software, a dialer or URL injection software.
  - 18. The malware classifier apparatus as recited in claim 16 wherein said type of malware is a worm, spyware or a dialer.
  - 19. The malware classifier apparatus as recited in claim 16 wherein said characteristics of said type of malware include header fields.
  - 20. The malware classifier apparatus as recited in claim 19 wherein header fields include a packed field, a number of sections field, a code size field, an import table size field, and a resource table size field, all of a portable executable format.
  - 21. The malware classifier apparatus as recited in claim 16 wherein said pattern classification algorithm is based on the support vector machine (SVM) algorithm.
  - 22. The malware classifier apparatus as recited in claim 16 wherein said malware classifier apparatus is integrated into an anti-spyware software product, and wherein said computer software is input when said computer software is accessed.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Incorporated Trend M
Original Assignee
Trend Micro Inc.
Inventors
Wan, Justin
Primary Examiner(s)
Srivastava, Vivek
Assistant Examiner(s)
TRUONG, THONG P

Application Number

US11/204,567
Time in Patent Office

2,437 Days
Field of Search

709/206, 726 22- 25, 713/188, 706/20
US Class Current

726/22
CPC Class Codes

G06F 18/211   Selection of the most signi...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

Malware detection using pattern classification

First Claim

2 Assignments

Litigations

0 Petitions

Accused Products

Abstract

210 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Malware detection using pattern classification

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

210 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links