Decision tree induction that is sensitive to attribute computational complexity

US 8,495,096 B1
Filed: 04/18/2012
Issued: 07/23/2013
Est. Priority Date: 09/15/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for constructing a decision tree for classifying computer files based on the computational complexities of attributes of the files, comprising:

creating a plurality of attribute vectors for a plurality of training files, each training file classified as legitimate or malware, and each attribute vector comprising values of a predetermined set of attributes for an associated training file;

determining a computational complexity score for each attribute in the predetermined set of attributes, the computational complexity score measuring a cost associated with determining a value of an associated attribute for a training file;

recursively growing the decision tree based on the plurality of attribute vectors and the computational complexity scores; and

providing the recursively grown decision tree to a client system, the client system adapted to traverse the decision tree to classify a target file at the client system as legitimate or malware.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A decision tree for classifying computer files is constructed. Computational complexities of a set of candidate attributes are determined. A set of attribute vectors are created for a set of training files with known classification. A node is created to represent the set. A weighted impurity reduction score is calculated for each candidate attribute based on the computational complexity of the attribute. If a stopping criterion is satisfied then the node is set as a leaf node. Otherwise the node is set as a branch node and the attribute with the highest weighted impurity reduction score is selected as the splitting attribute for the branch node. The set of attribute vectors are split into subsets based on their attribute values of the splitting attribute. The above process is repeated for each subset. The tree is then pruned based on the computational complexities of the splitting attributes.

Citations

20 Claims

1. A computer-implemented method for constructing a decision tree for classifying computer files based on the computational complexities of attributes of the files, comprising:
- creating a plurality of attribute vectors for a plurality of training files, each training file classified as legitimate or malware, and each attribute vector comprising values of a predetermined set of attributes for an associated training file;
  
  determining a computational complexity score for each attribute in the predetermined set of attributes, the computational complexity score measuring a cost associated with determining a value of an associated attribute for a training file;
  
  recursively growing the decision tree based on the plurality of attribute vectors and the computational complexity scores; and
  
  providing the recursively grown decision tree to a client system, the client system adapted to traverse the decision tree to classify a target file at the client system as legitimate or malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein recursively growing the decision tree comprises:
    - recursively applying a decision tree induction procedure based on the computational complexity scores of the attributes and how well the attributes separate the plurality of attribute vectors according to the associated training files'"'"' classifications.
  - 3. The computer-implemented method of claim 1, wherein recursively growing the decision tree comprises:
    - determining a weighted impurity reduction score for at least one attribute of the predetermined set of attributes based on the computational complexity score of the at least one attribute, the weighted impurity reduction score quantifying a cost-benefit tradeoff for the at least one attribute in separating the plurality of attribute vectors according to the associated training files'"'"' classifications.
  - 4. The computer-implemented method of claim 3, wherein determining the weighted impurity reduction score comprises:
    - determining an impurity reduction score for the at least one attribute, wherein the impurity reduction score for the at least one attribute measures how well the at least one attribute separates the plurality of attribute vectors according to the associated training files'"'"' classifications and the weighted impurity reduction score for the at least one attribute is determined based on the impurity reduction score and the complexity score of the at least one attribute.
  - 5. The computer-implemented method of claim 1, further comprising:
    - pruning the decision tree based on a plurality of examining files.
  - 6. The computer-implemented method of claim 1, wherein recursively growing the decision tree comprises:
    - (1) setting the plurality of attribute vectors as a current set;
      
      (2) determining a weighted impurity reduction score for at least one attribute of the predetermined set of attributes based on the complexity score of the attribute, the weighted impurity reduction score quantifying a cost-benefit tradeoff for an associated attribute in classifying the current set;
      
      (3) selecting a splitting attribute from the at least one attribute of the predetermined set of attributes;
      
      (4) splitting the current set into subsets using the splitting attribute; and
      
      (5) repeating steps (2) through (4) for each of the subsets as the current set.
  - 7. The computer-implemented method of claim 1, further comprising:
    - receiving a request from a security module of the client system for the decision tree; and
      
      providing the decision tree to the security module responsive to the request.

8. A computer system for constructing a decision tree for classifying computer files that takes into account computational complexities of attributes of the files, comprising:
- a computer-readable storage medium storing executable computer program code; and
  
  a processor for executing the executable computer program code, wherein the computer program code is executable to perform steps comprising;
  
  creating a plurality of attribute vectors for a plurality of training files, each training file classified as legitimate or malware, and each attribute vector comprising values of a predetermined set of attributes for an associated training file;
  
  determining a computational complexity score for each attribute in the predetermined set of attributes, the computational complexity score measuring a cost associated with determining a value of an associated attribute for a training file;
  
  recursively growing the decision tree based on the plurality of attribute vectors and the computational complexity scores; and
  
  providing the recursively grown decision tree to a client system, the client system adapted to traverse the decision tree to classify a target file at the client system as legitimate or malware.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer system of claim 8, wherein recursively growing the decision tree comprises:
    - recursively applying a decision tree induction procedure based on the computational complexity scores of the attributes and how well the attributes separate the plurality of attribute vectors according to the associated training files'"'"' classifications.
  - 10. The computer system of claim 8, wherein recursively growing the decision tree comprises:
    - determining a weighted impurity reduction score for at least one attribute of the predetermined set of attributes based on the computational complexity score of the at least one attribute, the weighted impurity reduction score quantifying a cost-benefit tradeoff for the at least one attribute in separating the plurality of attribute vectors according to the associated training files'"'"' classifications.
  - 11. The computer system of claim 10, wherein determining the weighted impurity reduction score comprises:
    - determining an impurity reduction score for the at least one attribute, wherein the impurity reduction score for the at least one attribute measures how well the at least one attribute separates the plurality of attribute vectors according to the associated training files'"'"' classifications and the weighted impurity reduction score for the at least one attribute is determined based on the impurity reduction score and the complexity score of the at least one attribute.
  - 12. The computer system of claim 8, wherein the code is further executable to perform steps comprising:
    - pruning the decision tree based on a plurality of examining files.
  - 13. The computer system of claim 8, wherein recursively growing the decision tree comprises:
    - (1) setting the plurality of attribute vectors as a current set;
      
      (2) determining a weighted impurity reduction score for at least one attribute of the predetermined set of attributes based on the complexity score of the attribute, the weighted impurity reduction score quantifying a cost-benefit tradeoff for an associated attribute in classifying the current set;
      
      (3) selecting a splitting attribute from the at least one attribute of the predetermined set of attributes;
      
      (4) splitting the current set into subsets using the splitting attribute; and
      
      (5) repeating steps (2) through (4) for each of the subsets as the current set.
  - 14. The computer system of claim 8, wherein the code is further executable to perform steps comprising:
    - receiving a request from a security module of the client system for the decision tree; and
      
      providing the decision tree to the security module responsive to the request.

15. A computer-implemented method of detecting malware at a client, comprising:
- receiving, at the client, a decision tree from a remote security system via a network, the decision tree constructed using steps comprising;
  
  creating a plurality of attribute vectors for a plurality of training files, each training file classified as legitimate or malware, and each attribute vector comprising values of a predetermined set of attributes for an associated training file;
  
  determining a computational complexity score for each attribute in the predetermined set of attributes, the computational complexity score measuring a cost associated with determining a value of an associated attribute for a training file; and
  
  recursively growing a decision tree based on the plurality of attribute vectors and the computational complexity scores, traversal of the grown decision tree indicating whether a target file is legitimate or malware;
  
  identifying a target file at the client; and
  
  classifying, using the decision tree, the identified target file as legitimate or malware.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-implemented method of claim 15, wherein classifying the target file as legitimate or malware comprises:
    - traversing nodes of the decision tree based on attribute values of the target file to reach a leaf node having an associated classification; and
      
      classifying the target file as legitimate or malware responsive to the classification associated with the leaf node.
  - 17. The computer-implemented method of claim 15, wherein recursively growing the decision tree comprises:
    - recursively applying a decision tree induction procedure based on the computational complexity scores of the attributes and how well the attributes separate the plurality of attribute vectors according to the associated training files'"'"' classifications.
  - 18. The computer-implemented method of claim 15, wherein recursively growing the decision tree comprises:
    - determining a weighted impurity reduction score for at least one attribute of the predetermined set of attributes based on the computational complexity score of the at least one attribute, the weighted impurity reduction score quantifying a cost-benefit tradeoff for the at least one attribute in separating the plurality of attribute vectors according to the associated training files'"'"' classifications.
  - 19. The computer-implemented method of claim 15, further comprising:
    - pruning the decision tree based on a plurality of examining files.
  - 20. The computer-implemented method of claim 15, wherein recursively growing the decision tree comprises:
    - (1) setting the plurality of attribute vectors as a current set;
      
      (2) determining a weighted impurity reduction score for at least one attribute of the predetermined set of attributes based on the complexity score of the attribute, the weighted impurity reduction score quantifying a cost-benefit tradeoff for an associated attribute in classifying the current set;
      
      (3) selecting a splitting attribute from the at least one attribute of the predetermined set of attributes;
      
      (4) splitting the current set into subsets using the splitting attribute; and
      
      (5) repeating steps (2) through (4) for each of the subsets as the current set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Pereira, Shane, Ramzan, Zulfikar, Satish, Sourabh
Primary Examiner(s)
Corrielus, Jean M

Application Number

US13/450,390
Time in Patent Office

461 Days
Field of Search

707/792, 707/749, 707/780, 706/20, 706/48, 706/52, 706/12, 726/22, 726/23, 726/24, 726/26, 713/188, 713/502
US Class Current

707/792
CPC Class Codes

G06F 21/562 Static detection

G06F 21/566 Dynamic detection, i.e. det...

Decision tree induction that is sensitive to attribute computational complexity

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Decision tree induction that is sensitive to attribute computational complexity

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links