Classifying malware by order of network behavior artifacts

US 9,489,514 B2
Filed: 10/06/2014
Issued: 11/08/2016
Est. Priority Date: 10/11/2013
Status: Active Grant

First Claim

Patent Images

1. A method of determining whether an executable file is malware by using network behavioral artifacts, the method comprising:

identifying a training corpus comprising plurality of benign executable files and a plurality of malware executable files;

associating, by an electronic hardware processor, each of a plurality of network behavioral artifacts with a respective character set;

assigning, by an electronic hardware processor, each executable file from the training corpus a respective string of character sets, wherein each string of character sets represents temporally ordered network behavior artifacts of a respective executable file from the training corpus, whereby a plurality of strings of character sets is obtained;

obtaining, by an electronic hardware processor, for each of the plurality of strings of character sets and for a fixed n>

1, a respective set of contiguous substrings of length n;

ordering, by an electronic hardware processor, a union of the respective sets of contiguous substrings of length n, whereby an ordered universe of contiguous substrings of length n is obtained;

forming, for each executable file from the training corpus and by an electronic hardware processor, a respective feature vector, wherein each respective feature vector comprises a tally list comprising counts of contiguous substrings of length n in the respective set of contiguous n-grams for the respective executable file from the training corpus, whereby a plurality of feature vectors is obtained;

classifying, by an electronic hardware processor, each respective feature vector of the plurality of feature vectors as associated with either a benign executable file or a malware executable file from the training corpus, whereby a set of classified feature vectors is obtained;

training a machine learning system with the set of classified feature vectors, wherein the machine learning system comprises an electronic hardware processor;

identifying an unknown executable file;

generating, by an electronic hardware processor, a feature vector for the unknown executable file;

submitting the feature vector for the unknown executable file to the machine learning system;

obtaining, by an electronic hardware processor, a classification of the unknown executable file as one of likely benign and likely malware; and

outputting, by an electronic hardware processor, the classification of the unknown executable file.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention generally relates to systems and methods for classifying executable files as likely malware or likely benign. The techniques utilize temporally-ordered network behavioral artifacts together with machine learning techniques to perform the classification. Because they rely on network behavioral artifacts, the disclosed techniques may be applied to executable files with obfuscated code.

22 Citations

View as Search Results

20 Claims

1. A method of determining whether an executable file is malware by using network behavioral artifacts, the method comprising:
- identifying a training corpus comprising plurality of benign executable files and a plurality of malware executable files;
  
  associating, by an electronic hardware processor, each of a plurality of network behavioral artifacts with a respective character set;
  
  assigning, by an electronic hardware processor, each executable file from the training corpus a respective string of character sets, wherein each string of character sets represents temporally ordered network behavior artifacts of a respective executable file from the training corpus, whereby a plurality of strings of character sets is obtained;
  
  obtaining, by an electronic hardware processor, for each of the plurality of strings of character sets and for a fixed n>
  
  1, a respective set of contiguous substrings of length n;
  
  ordering, by an electronic hardware processor, a union of the respective sets of contiguous substrings of length n, whereby an ordered universe of contiguous substrings of length n is obtained;
  
  forming, for each executable file from the training corpus and by an electronic hardware processor, a respective feature vector, wherein each respective feature vector comprises a tally list comprising counts of contiguous substrings of length n in the respective set of contiguous n-grams for the respective executable file from the training corpus, whereby a plurality of feature vectors is obtained;
  
  classifying, by an electronic hardware processor, each respective feature vector of the plurality of feature vectors as associated with either a benign executable file or a malware executable file from the training corpus, whereby a set of classified feature vectors is obtained;
  
  training a machine learning system with the set of classified feature vectors, wherein the machine learning system comprises an electronic hardware processor;
  
  identifying an unknown executable file;
  
  generating, by an electronic hardware processor, a feature vector for the unknown executable file;
  
  submitting the feature vector for the unknown executable file to the machine learning system;
  
  obtaining, by an electronic hardware processor, a classification of the unknown executable file as one of likely benign and likely malware; and
  
  outputting, by an electronic hardware processor, the classification of the unknown executable file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the plurality of network behavioral artifacts comprise artifacts of the following types:
    - traffic direction type, protocol type, port number type, size type, domain name system (DNS) record type, and hypertext transfer protocol (HTTP) method type.
  - 3. The method of claim 2, whereinthe traffic direction type comprises an inbound traffic artifact and an outbound traffic artifact;
    - the protocol type comprises a user datagram protocol (UDP) artifact and a transmission control protocol (TCP) artifact;
      
      the port number type comprises a port 53 artifact, a port 80 artifact, a port 442 artifact, a port 8080 artifact, and a port 8000 artifact;
      
      the size type comprises a first quartile artifact, a second quartile artifact, a third quartile artifact and a fourth quartile artifact;
      
      the DNS record type comprises an A record artifact, an MX record artifact, and an SDA record artifact; and
      
      the HTTP method type comprises a GET method artifact, a POST record artifact, and a HEAD record artifact.
  - 4. The method of claim 1, wherein the assigning comprises executing a respective executable file from the training corpus in a virtualized environment.
  - 5. The method of claim 1, wherein the assigning comprises observing network traffic.
  - 6. The method of claim 1, wherein the machine learning system comprises at least one of:
    - a support vector machine, a decision tree, and a k-nearest-neighbor classifier.
  - 7. The method of claim 1, wherein the outputting comprises at least one of:
    - displaying, storing in persistent storage, and providing to a software module.
  - 8. The method of claim 1, wherein the generating the feature vector for the unknown executable file comprises executing the unknown executable file in a virtualized environment.
  - 9. The method of claim 1, wherein the generating the feature vector for the unknown executable file comprises observing network traffic of the unknown executable file.
  - 10. The method of claim 1, wherein the obtaining a classification of the unknown executable file as one of likely benign and likely malware comprises obtaining a classification of the unknown executable file as likely malware, the method further comprising blocking network traffic from an entity associated with the unknown executable file.

11. A system for determining whether an executable file is malware by using network behavioral artifacts, the system comprising at least one hardware electronic processor configured to:
- identify a training corpus comprising plurality of benign executable files and a plurality of malware executable files;
  
  associate each of a plurality of network behavioral artifacts with a respective character set;
  
  assign each executable file from the training corpus a respective string of character sets, wherein each string of character sets represents temporally ordered network behavior artifacts of a respective executable file from the training corpus, whereby a plurality of strings of character sets is obtained;
  
  obtain for each of the plurality of strings of character sets and for a fixed n>
  
  1, a respective set of contiguous substrings of length n;
  
  order a union of the respective sets of contiguous substrings of length n, whereby an ordered universe of contiguous substrings of length n is obtained;
  
  form, for each executable file from the training corpus, a respective feature vector, wherein each respective feature vector comprises a tally list comprising counts of contiguous substrings of length n in the respective set of contiguous n-grams for the respective executable file from the training corpus, whereby a plurality of feature vectors is obtained;
  
  classify each respective feature vector of the plurality of feature vectors as associated with either a benign executable file or a malware executable file from the training corpus, whereby a set of classified feature vectors is obtained;
  
  train machine learning system with the set of classified feature vectors;
  
  identify an unknown executable file;
  
  generate a feature vector for the unknown executable file;
  
  submit the feature vector for the unknown executable file to the machine learning system;
  
  obtain a classification of the unknown executable file as one of likely benign and likely malware; and
  
  output the classification of the unknown executable file.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the plurality of network behavioral artifacts comprise artifacts of the following types:
    - traffic direction type, protocol type, port number type, size type, domain name system (DNS) record type, and hypertext transfer protocol (HTTP) method type.
  - 13. The system of claim 12, wherein the traffic direction type comprises an inbound traffic artifact and an outbound traffic artifact;
    - the protocol type comprises a user datagram protocol (UDP) artifact and a transmission control protocol (TCP) artifact;
      
      the port number type comprises a port 53 artifact, a port 80 artifact, a port 442 artifact, a port 8080 artifact, and a port 8000 artifact;
      
      the size type comprises a first quartile artifact, a second quartile artifact, a third quartile artifact and a fourth quartile artifact;
      
      the DNS record type comprises an A record artifact, an MX record artifact, and an SDA record artifact; and
      
      the HTTP method type comprises a GET method artifact, a POST record artifact, and a HEAD record artifact.
  - 14. The system of claim 11, wherein the at least one hardware electronic processor is further configured to assign each executable file from the training corpus a respective string of character sets by executing a respective executable file from the training corpus in a virtualized environment.
  - 15. The system of claim 11, wherein the at least one hardware electronic processor is further configured to assign each executable file from the training corpus a respective string of character sets by observing network traffic.
  - 16. The system of claim 11, wherein the machine learning system comprises at least one of:
    - a support vector machine, a decision tree, and a k-nearest-neighbor classifier.
  - 17. The system of claim 11, wherein the at least one processor configured to output is further configured to at least one of:
    - display, storing in persistent storage, and provide to a software module.
  - 18. The system of claim 11, wherein the at least one processor configured to generate the feature vector for the unknown executable file is further configured to execute the unknown executable file in a virtualized environment.
  - 19. The system of claim 11, wherein the at least one processor configured to generate the feature vector for the unknown executable file is further configured to observe network traffic of the unknown executable file.
  - 20. The system of claim 11, wherein the at least one processor configured to obtain a classification of the unknown executable file as one of likely benign and likely malware is further configured to block network traffic from an entity associated with the unknown executable file upon a classification as likely malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
Mankin, Allison, Mohaisen, Abedelaziz, Tonn, Trevor
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Getachew, Abiy

Application Number

US14/507,330
Publication Number

US 20150106931A1
Time in Patent Office

764 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

G06F 21/562   Static detection

G06F 2221/034   Test or assess a computer o...

G06N 20/00   Machine learning

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

Classifying malware by order of network behavior artifacts

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Classifying malware by order of network behavior artifacts

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others