Inferring file and website reputations by belief propagation leveraging machine reputation
First Claim
1. A computer-implemented method for detecting malicious computer files, comprising:
- generating a graph comprising nodes representing a plurality of clients and computer files residing thereon, wherein distinct clients and distinct computer files are represented by distinct nodes in the graph, wherein a node representing a client is connected to nodes representing computer files residing on that client through edges;
- determining priors for nodes in the graph and edge potentials for edges in the graph based on domain knowledge, wherein a prior for a node representing a client comprises an assessment of a likelihood of the client getting infected by malware based on the domain knowledge, a prior for a node representing a computer file comprises an assessment of a likelihood of the computer file being malware based on the domain knowledge, and an edge potential reflects a relationship between nodes connected by an associated edge based on the domain knowledge;
- iteratively propagating a probability of a computer file being legitimate among the nodes by transmitting messages along the edges in the graph, wherein a message transmitted by a node is generated based on a prior of the node and messages received by the node during any previous iterations; and
- determining whether a computer file is classified as malicious based on a probability associated with a corresponding node in the graph.
2 Assignments
0 Petitions
Abstract
The probability of a computer file being malware is inferred by iteratively propagating domain knowledge among computer files, related clients, and/or related source domains. A graph is generated to include machine nodes representing clients, file nodes representing files residing on the clients, and optionally domain nodes representing source domains hosting the files. The graph also includes edges connecting the machine nodes with the related file nodes, and optionally edges connecting the domain nodes with the related file nodes. Priors and edge potentials are set for the nodes and the edges based on related domain knowledge. The domain knowledge is iteratively propagated and aggregated among the connected nodes through exchanging messages among the connected nodes. The iteration process ends when a stopping criterion is met. The classification and associated marginal probability for each file node are calculated based on the priors, the received messages, and the edge potentials associated with the edges through which the messages were received.
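The abstract describes sum-product belief propagation over a bipartite machine/file graph: priors on nodes, a potential on each edge, messages exchanged until a stopping criterion is met, and a marginal for each file node. The following is an added, self-contained Python illustration written for this page; it is not code from the patent or its assignee. The node names, the prior values, the edge potential matrix and the convergence tolerance are all assumptions chosen for the example. The sample graph is a tree so that the marginals are exact; the same code also runs on graphs with cycles (loopy belief propagation), which is where the tolerance and iteration cap matter.

```python
from collections import defaultdict

GOOD, BAD = 0, 1  # state index used for every node

# Edge potential psi[x_i][x_j], assumed for this example: neighbours tend to
# share a state, so an infected machine is more likely to hold malware and a
# clean machine to hold legitimate files.
EDGE_POTENTIAL = [
    [0.8, 0.2],  # sender GOOD: neighbour GOOD with 0.8, BAD with 0.2
    [0.2, 0.8],  # sender BAD:  neighbour GOOD with 0.2, BAD with 0.8
]


def build_graph(edges):
    """Undirected adjacency map from (machine, file) pairs; each distinct
    machine or file name becomes exactly one node."""
    adj = defaultdict(set)
    for machine, file_ in edges:
        adj[machine].add(file_)
        adj[file_].add(machine)
    return adj


def belief_propagation(adj, priors, psi=EDGE_POTENTIAL, max_iters=100, tol=1e-6):
    """Sum-product belief propagation.

    priors[node] is (P(GOOD), P(BAD)) taken from domain knowledge. Returns
    ({node: marginal P(BAD)}, iterations_used). Stops when the largest
    message change falls below tol or after max_iters rounds.
    """
    # messages[(i, j)]: what node i tells neighbour j about j's state; start uniform
    messages = {(i, j): [0.5, 0.5] for i in adj for j in adj[i]}
    iters = 0
    for iters in range(1, max_iters + 1):
        new_messages = {}
        for i in adj:
            for j in adj[i]:
                # message i -> j: sum over i's state of (prior of i) x
                # (messages i received from all neighbours except j) x psi
                msg = [0.0, 0.0]
                for xj in (GOOD, BAD):
                    for xi in (GOOD, BAD):
                        weight = priors[i][xi]
                        for k in adj[i]:
                            if k != j:
                                weight *= messages[(k, i)][xi]
                        msg[xj] += weight * psi[xi][xj]
                z = msg[GOOD] + msg[BAD]
                new_messages[(i, j)] = [msg[GOOD] / z, msg[BAD] / z]
        delta = max(abs(new_messages[key][s] - messages[key][s])
                    for key in messages for s in (GOOD, BAD))
        messages = new_messages
        if delta < tol:  # stopping criterion: messages have stabilised
            break
    # marginal of each node: its prior times every message it received
    marginals = {}
    for i in adj:
        belief = list(priors[i])
        for k in adj[i]:
            for s in (GOOD, BAD):
                belief[s] *= messages[(k, i)][s]
        marginals[i] = belief[BAD] / (belief[GOOD] + belief[BAD])
    return marginals, iters


def classify(marginals, file_nodes, threshold=0.5):
    """Label each file node from its marginal probability of being malware."""
    return {f: ("malicious" if marginals[f] > threshold else "legitimate")
            for f in file_nodes}


# Constructed sample graph: three machines, four files (all names are assumptions).
SAMPLE_EDGES = [
    ("m1", "f_known_bad"), ("m1", "f_unknown_on_infected"),
    ("m2", "f_unknown_on_infected"), ("m2", "f_known_good"),
    ("m3", "f_known_good"), ("m3", "f_unknown_on_clean"),
]
FILE_NODES = {f for _, f in SAMPLE_EDGES}
SAMPLE_PRIORS = {
    "m1": (0.1, 0.9),   # machine with a history of infections
    "m2": (0.5, 0.5),   # nothing known about this machine
    "m3": (0.9, 0.1),   # well-maintained machine
    "f_known_bad": (0.05, 0.95),
    "f_known_good": (0.95, 0.05),
    "f_unknown_on_infected": (0.5, 0.5),
    "f_unknown_on_clean": (0.5, 0.5),
}


def run_example():
    return belief_propagation(build_graph(SAMPLE_EDGES), SAMPLE_PRIORS)


if __name__ == "__main__":
    marginals, iters = run_example()
    for node, label in classify(marginals, FILE_NODES).items():
        print(f"{node}: P(malware)={marginals[node]:.3f} -> {label}")
    print(f"converged after {iters} iterations")
```

The two files with uninformative priors end up on opposite sides of the threshold purely through their neighbours: the one sitting on the infection-prone machine inherits a high malware probability, the one on the clean machine a low one. The optional domain nodes of the abstract need no code change: a hosting domain is added to the adjacency map as one more node with its own prior and edges to the files it serves.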
180 Citations
20 Claims
- 1. A computer-implemented method for detecting malicious computer files, comprising the steps reproduced above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16.
- 17. A computer system for detecting malicious computer files, comprising:
  a non-transitory computer-readable storage medium storing executable computer program code, the computer program code comprising program code for:
  - generating a graph comprising nodes representing a plurality of clients and computer files residing thereon, wherein distinct clients and distinct computer files are represented by distinct nodes in the graph, wherein a node representing a client is connected to nodes representing computer files residing on that client through edges;
  - determining priors for nodes in the graph and edge potentials for edges in the graph based on domain knowledge, wherein a prior for a node representing a client comprises an assessment of a likelihood of the client getting infected by malware based on the domain knowledge, a prior for a node representing a computer file comprises an assessment of a likelihood of the computer file being malware based on the domain knowledge, and an edge potential reflects a relationship between nodes connected by an associated edge based on the domain knowledge;
  - iteratively propagating a probability of a computer file being legitimate among the nodes by transmitting messages along the edges in the graph, wherein a message transmitted by a node is generated based on a prior of the node and messages received by the node during any previous iterations; and
  - determining whether a computer file is classified as malicious based on a probability associated with a corresponding node in the graph.
  Dependent claims: 18.
- 19. A non-transitory computer-readable storage medium encoded with executable computer program code for detecting malicious computer files, the computer program code comprising program code for:
  - generating a graph comprising nodes representing a plurality of clients and computer files residing thereon, wherein distinct clients and distinct computer files are represented by distinct nodes in the graph, wherein a node representing a client is connected to nodes representing computer files residing on that client through edges;
  - determining priors for nodes in the graph and edge potentials for edges in the graph based on domain knowledge, wherein a prior for a node representing a client comprises an assessment of a likelihood of the client getting infected by malware based on the domain knowledge, a prior for a node representing a computer file comprises an assessment of a likelihood of the computer file being malware based on the domain knowledge, and an edge potential reflects a relationship between nodes connected by an associated edge based on the domain knowledge;
  - iteratively propagating a probability of a computer file being legitimate among the nodes by transmitting messages along the edges in the graph, wherein a message transmitted by a node is generated based on a prior of the node and messages received by the node during any previous iterations; and
  - determining whether a computer file is classified as malicious based on a probability associated with a corresponding node in the graph.
  Dependent claims: 20.
Specification