Techniques for classifying non-process threats
Abstract
Techniques for classifying non-process threats are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for classifying non-process threats comprising generating trace data of at least one observable event associated with execution of a process, representing a first feature of the at least one observable event of the trace data, calculating, using a computer processor, a similarity between the first feature and at least one sample feature, and classifying the process based on the similarity.
16 Claims
1. A computer-implemented method for improving classification of non-process threats to computers comprising:
- generating, using a trace component operating within a non-process threat classification component module stored in computer memory, trace data of at least one observable event during execution of a process by an interpreter, wherein generating trace data comprises using context information to identify execution information associated with the at least one observable event;
- identifying, using at least one computer processor, a script file associated with the process executed by the interpreter, wherein the script file is identified using command line arguments provided during the execution of the process;
- associating the trace data with the script file;
- representing, using a feature representation component operating within the non-process threat classification component module, a first feature of the at least one observable event of the trace data;
- calculating, using a similarity evaluation component operating within the non-process threat classification component module, a similarity between the first feature and at least one sample feature of a known non-process threat; and
- classifying, using the similarity evaluation component, the script file as a non-process threat based on the similarity.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14.
15. An article of manufacture for improving classification of non-process threats to computers, the article of manufacture comprising:
- at least one non-transitory processor readable medium; and
- instructions stored on the at least one medium;
wherein the instructions are configured to be readable from the at least one medium by at least one computer processor and thereby cause the at least one computer processor to operate so as to:
- generate, using a trace component operating within a non-process threat classification component module stored in computer memory, trace data of at least one observable event during execution of a process by an interpreter, wherein generating trace data comprises using context information to identify execution information associated with the at least one observable event;
- identify a script file associated with the process executed by the interpreter, wherein the script file is identified using command line arguments provided during the execution of the process;
- associate the trace data with the script file;
- represent, using a feature representation component operating within the non-process threat classification component module, a first feature of the at least one observable event of the trace data;
- calculate, using a similarity evaluation component operating within the non-process threat classification component module, a similarity between the first feature and at least one sample feature of a known non-process threat; and
- classify, using the similarity evaluation component, the script file as a non-process threat based on the similarity.
16. A system for improving classification of non-process threats to computers comprising:
- a computer memory; and
- one or more computer processors communicatively coupled to a network;
wherein the one or more computer processors are configured to:
- generate, using a trace component operating within a non-process threat classification component module stored in the computer memory, trace data of at least one observable event during execution of a process by an interpreter, wherein generating trace data comprises using context information to identify execution information associated with the at least one observable event;
- identify a script file associated with the process executed by the interpreter, wherein the script file is identified using command line arguments provided during the execution of the process;
- associate the trace data with the script file;
- represent, using a feature representation component operating within the non-process threat classification component module, a first feature of the at least one observable event of the trace data;
- calculate, using a similarity evaluation component operating within the non-process threat classification component module, a similarity between the first feature and at least one sample feature of a known non-process threat; and
- classify, using the similarity evaluation component, the script file as a non-process threat based on the similarity.
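Claims 1, 15 and 16 describe one pipeline: trace the observable events of an interpreter process, identify the script file from the command line arguments, associate the trace with that script, represent the events as features, compute a similarity against sample features of a known non-process threat, and classify. The following is an added illustration of that pipeline, not code from the patent or its assignee; the interpreter list, the event normalization rules, Jaccard similarity, the 0.5 threshold, and every trace and sample feature below are constructed assumptions.

```python
import re, shlex

INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "python.exe"}
SCRIPT_EXT = (".vbs", ".js", ".ps1", ".py")
THRESHOLD = 0.5  # assumed cut-off on the similarity score (not given by the patent)

def script_from_cmdline(cmdline):
    """Identify the script file from the interpreter's command line arguments."""
    argv = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    exe = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower() if argv else ""
    if exe not in INTERPRETERS:
        return None  # not an interpreter process, so there is no script to classify
    return next((a for a in argv[1:] if a.lower().endswith(SCRIPT_EXT)), None)

def feature(op, target):
    """Represent one observable event by its context (directory, key, port), not the raw value."""
    t = re.sub(r"c:\\users\\[^\\]+", r"c:\\users\\*", target.lower())  # drop the user name
    if op in ("file_write", "reg_set"):
        t = t.rsplit("\\", 1)[0]            # parent directory / registry key only
    elif op == "proc_create":
        t = t.rsplit("\\", 1)[-1]           # executable name only
    elif op == "net_connect":
        t = "port=" + t.rsplit(":", 1)[-1]  # destination port only
    return f"{op}:{t}"

def jaccard(a, b):
    return len(a & b) / len(a | b) if a or b else 0.0

def classify(cmdline, trace, known):
    """Associate a trace with its script, compare with known samples, and classify."""
    script = script_from_cmdline(cmdline)
    if script is None:
        return None
    feats = {feature(op, tgt) for op, tgt in trace}
    name, score = max(((n, jaccard(feats, f)) for n, f in known.items()), key=lambda x: x[1])
    verdict = "non-process threat" if score >= THRESHOLD else "benign"
    return {"script": script, "closest": name, "similarity": round(score, 2), "verdict": verdict}

# Constructed sample features of a hypothetical known script-based threat family.
KNOWN = {"vbs-dropper-family": {feature(op, t) for op, t in [
    ("file_write", r"C:\Users\alice\AppData\Roaming\svc.exe"),
    ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    ("net_connect", "203.0.113.10:443"),
    ("proc_create", r"C:\Users\alice\AppData\Roaming\svc.exe")]}}

# Constructed traces: one suspicious wscript process and one routine PowerShell backup job.
SUSPECT_CMD = r'"C:\Windows\System32\wscript.exe" //B "C:\Users\bob\Downloads\invoice.vbs"'
SUSPECT_TRACE = [("file_write", r"C:\Users\bob\AppData\Roaming\upd.exe"), ("net_connect", "198.51.100.7:443"),
                 ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
                 ("proc_create", r"C:\Users\bob\AppData\Roaming\upd.exe")]
BENIGN_CMD = r'powershell.exe -File "C:\Scripts\backup.ps1"'
BENIGN_TRACE = [("file_write", r"D:\Backup\2024-01-01.zip"), ("net_connect", "192.0.2.20:445")]
```

The suspect trace shares three of five generalized features with the known sample (the dropped executable's name differs), so it scores 0.6 and is classified as a non-process threat attributed to invoice.vbs; the backup job shares none and is benign.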