Using sequencing and timing information of behavior events in machine learning to detect malware

US 8,401,982 B1
Filed: 01/14/2010
Issued: 03/19/2013
Est. Priority Date: 01/14/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for constructing a classifier for classifying computer files that takes into account behavior sequencing and timing information of the computer files, comprising:

monitoring runtime behavior of a training file of a known classification;

detecting a plurality of behavior events exhibited by the training file, the plurality of behavior events detected at ones of a plurality of points in time;

responsive to detecting the plurality of behavior events at ones of the plurality of points in time, identifying (1) an event sequence exhibited by the training file reflecting the runtime behavior at the ones of the plurality of points in time and (2) timing information indicating, for each of the plurality of behavior events, a time gap between a process launch of the training file and a point in time when the associated behavior event is detected;

generating, for each of the plurality of behavior events, a feature vector encoded with information related to the training file at the point in time the associated behavior event is detected, the related information comprising values of a predetermined set of file attributes, an exhibited event sequence, and timing information;

constructing a classifier based on the feature vectors and the known classification of the training file; and

storing the classifier.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A decision tree for classifying computer files is constructed. A set of training files known to be legitimate or malicious are executed and their runtime behaviors are monitored. When a behavior event is detected for one of the training file at a point in time, a feature vector is generated for that training file. Behavior sequencing and timing information for the training file at that point in time is identified and encoded in the feature vector. Feature vectors for each of the training files at various points in time are fed into a decision tree induction algorithm to construct a decision tree that takes into account of the sequencing and timing information.

Citations

19 Claims

1. A computer-implemented method for constructing a classifier for classifying computer files that takes into account behavior sequencing and timing information of the computer files, comprising:
- monitoring runtime behavior of a training file of a known classification;
  
  detecting a plurality of behavior events exhibited by the training file, the plurality of behavior events detected at ones of a plurality of points in time;
  
  responsive to detecting the plurality of behavior events at ones of the plurality of points in time, identifying (1) an event sequence exhibited by the training file reflecting the runtime behavior at the ones of the plurality of points in time and (2) timing information indicating, for each of the plurality of behavior events, a time gap between a process launch of the training file and a point in time when the associated behavior event is detected;
  
  generating, for each of the plurality of behavior events, a feature vector encoded with information related to the training file at the point in time the associated behavior event is detected, the related information comprising values of a predetermined set of file attributes, an exhibited event sequence, and timing information;
  
  constructing a classifier based on the feature vectors and the known classification of the training file; and
  
  storing the classifier.
- View Dependent Claims (2, 3, 4, 5, 6, 18, 19)
- - 2. The method of claim 1, wherein each of the plurality of behavior events belongs to one of a plurality of event types, and wherein the feature vector associated with a behavior event comprises a feature for each of the plurality of event types, and wherein the value of a feature associated with an event type comprises the event type of a behavior event the training file exhibited before a behavior event of the associated event type.
  - 3. The method of claim 2, wherein the plurality of event types comprise at least two of the following:
    - file create, file write, file delete, registry modify, registry delete, process launch, process terminate, thread create, and thread terminate.
  - 4. The method of claim 1, wherein each of the plurality of behavior events belongs to one of a plurality of event types, and wherein the feature vector associated with a behavior event comprises a feature for each of the plurality of event types, and wherein the value of a feature associated with a event type comprises a sequencing number of a behavior event of the associated event type.
  - 5. The method of claim 1, wherein the training file comprises a plurality of threads, and wherein generating a feature vector comprises:
    - generating, for each behavior event of each of the plurality of threads, a feature vector encoded with information related to the thread at a point in time the associated behavior event is detected, the related information comprising an event sequence exhibited by the thread and a time gap between a thread creation and the point in time.
  - 6. The method of claim 1, wherein the known classification of the training files comprises legitimate file and malware, and wherein the classifier is a decision tree used by a client system to classify a file residing on the client system as legitimate or malware.
  - 18. The computer-implemented method of claim 1, wherein the timing information further indicating a time gap between detection of at least one of the plurality of behavior events and of another one of the plurality of behavior events, the another one of the plurality of behavior events adjacent to the at least one of the plurality of behavior events.
  - 19. The computer-implemented method of claim 1, further comprising:
    - monitoring runtime behavior of a file of unknown classification;
      
      identifying an event sequence and timing information for the file of unknown classification; and
      
      using the classifier, classifying the file of unknown classification as legitimate or malicious based on the identified event sequence and timing information for the file.

7. A computer system for constructing a classifier for classifying computer files that takes into account behavior sequencing and timing information of the computer files, comprising:
- a non-transitory computer-readable storage medium storing executable computer program code comprising;
  
  a feature determination module for monitoring runtime behavior of a training file of a known classification, detecting a plurality of behavior events exhibited by the training file, the plurality of behavior events detected at ones of a plurality of points in time, identifying (1) an event sequence exhibited by the training file reflecting the runtime behavior at the ones of the plurality of points in time and (2) timing information indicating, for each of the plurality of behavior events, a time gap between a process launch of the training file and a point in time when the associated behavior event is detected in response to detecting the plurality of behavior events at ones of the plurality of points in time, and generating, for each of the plurality of behavior events, a feature vector encoded with information related to the training file at the point in time the associated behavior event is detected, the related information comprising values of a predetermined set of file attributes, an exhibited event sequence, and timing information,a machine learning engine for constructing a classifier based on the feature vectors and the known classification of the training file, anda data store for storing the classifier; and
  
  a processor for executing the computer program code.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer system of claim 7, wherein each of the plurality of behavior events belongs to one of a plurality of event types, and wherein the feature vector associated with a behavior event comprises a feature for each of the plurality of event types, and wherein the value of a feature associated with an event type comprises the event type of a behavior event the training file exhibited before a behavior event of the associated event type.
  - 9. The computer system of claim 8, wherein the plurality of event types comprise at least two of the following:
    - file create, file write, file delete, registry modify, registry delete, process launch, process terminate, thread create, and thread terminate.
  - 10. The computer system of claim 7, wherein each of the plurality of behavior events belongs to one of a plurality of event types, and wherein the feature vector associated with a behavior event comprises a feature for each of the plurality of event types, and wherein the value of a feature associated with a event type comprises a sequencing number of a behavior event of the associated event type.
  - 11. The computer system of claim 7, wherein the training file comprises a plurality of threads, and wherein the feature determination module is further configured for generating, for each behavior event of each of the plurality of threads, a feature vector encoded with information related to the thread at a point in time the associated behavior event is detected, the related information comprising an event sequence exhibited by the thread and a time gap between a thread creation and the point in time.
  - 12. The computer system of claim 7, wherein the known classification of the training files comprises legitimate file and malware, and wherein the classifier is a decision tree used by a client system to classify a file residing on the client system as legitimate or malware.

13. A non-transitory computer-readable storage medium encoded with executable computer program code for constructing a classifier for classifying computer files that takes into account behavior sequencing and timing information of the computer files, the computer program code comprising program code for:
- monitoring runtime behavior of a training file of a known classification;
  
  detecting a plurality of behavior events exhibited by the training file, the plurality of behavior events detected at ones of a plurality of points in time;
  
  responsive to detecting the plurality of behavior events at ones of the plurality of points in time, identifying (1) an event sequence exhibited by the training file reflecting the runtime behavior at the one of the plurality of points in time and (2) timing information indicating, for each of the plurality of behavior events, a time gap between a process launch of the training file and a point in time when the associated behavior event is detected;
  
  generating, for each of the plurality of behavior events, a feature vector encoded with information related to the training file at the point in time the associated behavior event is detected, the related information comprising values of a predetermined set of file attributes, an exhibited event sequence, and timing information;
  
  constructing a classifier based on the feature vectors and the known classification of the training file; and
  
  storing the classifier.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein each of the plurality of behavior events belongs to one of a plurality of event types, and wherein the feature vector associated with a behavior event comprises a feature for each of the plurality of event types, and wherein the value of a feature associated with the event type comprises the event type of a behavior event the training file exhibited before a behavior event of the associated event type.
  - 15. The non-transitory computer-readable storage medium of claim 14, wherein the plurality of event types comprise at least two of the following:
    - file create, file write, file delete, registry modify, registry delete, process launch, process terminate, thread create, and thread terminate.
  - 16. The non-transitory computer-readable storage medium of claim 13, wherein each of the plurality of behavior events belongs to one of a plurality of event types, and wherein the feature vector associated with a behavior event comprises a feature for each of the plurality of event types, and wherein the value of a feature associated with a event type comprises a sequencing number of a behavior event of the associated event type.
  - 17. The non-transitory computer-readable storage medium of claim 13, wherein the known classification of the training files comprises legitimate file and malware, and wherein the classifier is a decision tree used by a client system to classify a file residing on the client system as legitimate or malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Satish, Sourabh, Ramzan, Zulfikar
Primary Examiner(s)
CHEN, ALAN S

Application Number

US12/687,767
Time in Patent Office

1,160 Days
Field of Search

None
US Class Current

706/20
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

G06N 20/00 Machine learning

Using sequencing and timing information of behavior events in machine learning to detect malware

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Using sequencing and timing information of behavior events in machine learning to detect malware

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links