Recurrent neural networks for malware analysis

US 9,495,633 B2
Filed: 07/01/2015
Issued: 11/15/2016
Est. Priority Date: 04/16/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving or accessing data encapsulating a sample of at least a portion of one or more files;

feeding at least a portion of the received or accessed data as a time-based sequence into a recurrent neural network (RNN) trained using historical data;

extracting, by the RNN, a final hidden state h_iin a hidden layer of the RNN in which i is a number of elements of the sample; and

determining, using the RNN and the final hidden state, whether at least a portion of the sample is likely to comprise malicious code.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Using a recurrent neural network (RNN) that has been trained to a satisfactory level of performance, highly discriminative features can be extracted by running a sample through the RNN, and then extracting a final hidden state h_i, where i is the number of instructions of the sample. This resulting feature vector may then be concatenated with the other hand-engineered features, and a larger classifier may then be trained on hand-engineered as well as automatically determined features. Related apparatus, systems, techniques and articles are also described.

Citations

20 Claims

1. A method comprising:
- receiving or accessing data encapsulating a sample of at least a portion of one or more files;
  
  feeding at least a portion of the received or accessed data as a time-based sequence into a recurrent neural network (RNN) trained using historical data;
  
  extracting, by the RNN, a final hidden state h_iin a hidden layer of the RNN in which i is a number of elements of the sample; and
  
  determining, using the RNN and the final hidden state, whether at least a portion of the sample is likely to comprise malicious code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the received or accessed data forms at least part of a data stream.
  - 3. The method of claim 1, wherein the at least a portion of the received or accessed data comprises a series of fixed-length encoded words.
  - 4. The method of claim 1, wherein the elements comprises a series of instructions.
  - 5. The method of claim 1, wherein the hidden state is defined by:
    - h_t=f (x, h_t-1), wherein hidden state h_tis a time-dependent function of input x as well as a previous hidden state h_t-1.
  - 6. The method of claim 1, wherein the RNN is an Elman network.
  - 7. The method of claim 6, wherein the Elman network has deep transition or decoding functions.
  - 8. The method of claim 6, wherein the Elman network parameterizes f (x, h_t-1) as h_t=g (W_1X+Rh_t-1);
    - where hidden state h_tis a time-dependent function of input x as well as previous hidden state h_t-1, W₁is a matrix defining input-to-hidden connections, R is a matrix defining the recurrent connections, and g (•
      
      ) is a differentiable nonlinearity.
  - 9. The method of claim 8 further comprising:
    - adding an output layer on top of the hidden layer, such that o_t=a (W₂h_t) where o_tis output, W₂defines a linear transformation of hidden activations, and σ
      
      (•
      
      ) is a logistic function.
  - 10. The method of claim 9 further comprising:
    - applying backpropagation through time by which parameters of network W₂, W₁, and R are iteratively refined to drive the output o_tto a desired value as portions of the received or accessed data are passed through the RNN.
  - 11. The method of claim 1, wherein the RNN is a long short term memory network.
  - 12. The method of claim 1, wherein the RNN is a clockwork RNN.
  - 13. The method of claim 1, wherein the RNN is a deep transition function.
  - 14. The method of claim 1, wherein the RNN is an echo-state network.
  - 15. The method of claim 1 further comprising:
    - providing data characterizing the determination.
  - 16. The method of claim 15, wherein providing data comprises at least one of:
    - transmitting the data to a remote computing system, loading the data into memory, or storing the data.
  - 17. The method of claim 1, wherein the files are binary files.
  - 18. The method of claim 1, wherein the files are executable files.

19. A system comprising:
- at least one programmable data processor; and
  
  memory storing instructions which, when executed by the at least one programmable data processor, result in operations comprising;
  
  receiving or accessing data encapsulating a sample of at least a portion of one or more files;
  
  feeding at least a portion of the received or accessed data as a time-based sequence into a recurrent neural network (RNN) trained using historical data;
  
  extracting, by the RNN, a final hidden state h_iin a hidden layer of the RNN in which i is a number of elements of the sample; and
  
  determining, using the RNN and the final hidden state, whether at least a portion of the sample is likely to comprise malicious code.

20. A non-transitory computer program product storing instructions which, when executed by at least one programmable data processor forming part of at least one computing device, result in operations comprising:
- receiving or accessing data encapsulating a sample of at least a portion of one or more files;
  
  feeding at least a portion of the received or accessed data as a time-based sequence into a recurrent neural network (RNN) trained using historical data;
  
  extracting, by the RNN, a final hidden state h_iin a hidden layer of the RNN in which i is a number of elements of the sample; and
  
  determining, using the RNN and the final hidden state, whether at least a portion of the sample is likely to comprise malicious code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cylance Inc. (Blackberry Limited)
Original Assignee
Cylance Inc. (Blackberry Limited)
Inventors
Davis, Andrew, Wolff, Matthew, Soeder, Derek A., Chisholm, Glenn, Permeh, Ryan
Primary Examiner(s)
CHEN, ALAN S

Application Number

US14/789,914
Publication Number

US 20160307094A1
Time in Patent Office

503 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06N 3/04   Architecture, e.g. intercon...

G06N 3/044   Recurrent networks, e.g. Ho...

G06N 3/08   Learning methods

G06N 3/084   Backpropagation, e.g. using...

Recurrent neural networks for malware analysis

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Recurrent neural networks for malware analysis

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links