Systems and methods for file classification

US 9,805,192 B1
Filed: 06/26/2015
Issued: 10/31/2017
Est. Priority Date: 06/26/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for file classification, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

identifying, by a computer security system, a cluster of files that co-occur with each other according to a statistical analysis that detects instances of application packages that install multiple files associated with an application on a single machine;

identifying ground truth files to which the computer security system has previously assigned a security score;

determining that a file in the cluster of files shares an item of file metadata with at least one other file in the ground truth files;

assigning a security score to the file in the cluster of files based at least in part on a security score of the other file in the ground truth files that shares the item of file metadata;

assigning an overall security score to the entire cluster of files based at least in part on the security score assigned to the file in the cluster;

checking, prior to determining that the file in the cluster of files shares the item of file metadata with the other file, a field of file metadata that corresponds to the item of file metadata for accuracy in detecting security threats by checking for a threshold level of at least one of false positives and false negatives; and

determining that the field of file metadata passes the checking for accuracy.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for file classification may include (1) identifying, by a computer security system, a cluster of files that co-occur with each other according to a statistical analysis, (2) identifying ground truth files to which the computer security system has previously assigned a security score, (3) determining that a file in the cluster of files shares an item of file metadata with another file in the ground truth files, (4) assigning a security score to the file in the cluster of files based on a security score of the other file in the ground truth files that shares the item of file metadata, and (5) assigning an overall security score to the entire cluster of files based on the security score assigned to the file in the cluster. Various other methods, systems, and computer-readable media are also disclosed.

19 Citations

View as Search Results

20 Claims

1. A computer-implemented method for file classification, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- identifying, by a computer security system, a cluster of files that co-occur with each other according to a statistical analysis that detects instances of application packages that install multiple files associated with an application on a single machine;
  
  identifying ground truth files to which the computer security system has previously assigned a security score;
  
  determining that a file in the cluster of files shares an item of file metadata with at least one other file in the ground truth files;
  
  assigning a security score to the file in the cluster of files based at least in part on a security score of the other file in the ground truth files that shares the item of file metadata;
  
  assigning an overall security score to the entire cluster of files based at least in part on the security score assigned to the file in the cluster;
  
  checking, prior to determining that the file in the cluster of files shares the item of file metadata with the other file, a field of file metadata that corresponds to the item of file metadata for accuracy in detecting security threats by checking for a threshold level of at least one of false positives and false negatives; and
  
  determining that the field of file metadata passes the checking for accuracy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the item of file metadata comprises at least one of:
    - an identity of an author of a digital signature;
      
      a file name; and
      
      a file path.
  - 3. The method of claim 1, wherein prior to assigning the security score to the file, the computer security system has not previously assigned a security score to any file in the cluster of files.
  - 4. The method of claim 1, wherein assigning the overall security score to the entire cluster of files comprises giving the file a vote in a vote on the overall security score for the entire cluster of files.
  - 5. The method of claim 1,wherein the threshold level comprises a threshold level of false positives.
  - 6. The method ofclaim 1, wherein the threshold level comprises a threshold level of false negatives.
  - 7. The method of claim 1, further comprising determining, prior to determining that the file in the cluster of files shares the item of file metadata with the other file, a ranking, in terms of detection accuracy, of the field of file metadata that corresponds to the item of file metadata in comparison to other fields of file metadata.
  - 8. The method of claim 1, wherein assigning the overall security score to the entire cluster of files comprises applying a machine learning model that is generated by inputting to a machine learning algorithm:
    - known security scores from a set of files in the ground truth files; and
      
      items of file metadata that the set of files shares with another set of files in the ground truth files.
  - 9. The method of claim 1, wherein assigning the security score to the file in the cluster of files comprises:
    - identifying a plurality of files in the ground truth files that share the item of file metadata with the file in the cluster; and
      
      assigning the security score to the file based on security scores assigned to the plurality of files in the ground truth files.
  - 10. The method of claim 1, wherein the security score comprises a classification as malicious.

11. A system for file classification, the system comprising:
- an identification module, stored in memory, that;
  
  identifies a cluster of files that co-occur with each other according to a statistical analysis that detects instances of application packages that install multiple files associated with an application on a single machine; and
  
  identifies ground truth files to which the system has previously assigned a security score;
  
  a determination module, stored in memory, that determines that a file in the cluster of files shares an item of file metadata with at least one other file in the ground truth files;
  
  an assignment module, stored in memory, that;
  
  assigns a security score to the file in the cluster of files based at least in part on a security score of the other file in the ground truth files that shares the item of file metadata; and
  
  assigns an overall security score to the entire cluster of files based at least in part on the security score assigned to the file in the cluster;
  
  wherein the determination module further;
  
  checks, prior to determining that the file in the cluster of files shares the item of file metadata with the other file, a field of file metadata that corresponds to the item of file metadata for accuracy in detecting security threats by checking for a threshold level of at least one of false positives and false negatives; and
  
  determines that the field of file metadata passes the checking for accuracy; and
  
  at least one physical processor configured to execute the identification module, the determination module, and the assignment module.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, wherein the item of file metadata comprises at least one of:
    - an identity of an author of a digital signature;
      
      a file name; and
      
      a file path.
  - 13. The system of claim 11, wherein prior to assigning the security score to the file, the system has not previously assigned a security score to any file in the cluster of files.
  - 14. The system of claim 11, wherein the assignment module assigns the overall security score to the entire cluster of files by giving the file a vote in a vote on the overall security score for the entire cluster of files.
  - 15. The system of claim 11,wherein the threshold level comprises a threshold level of false positives.
  - 16. The system ofclaim 11, wherein the threshold level comprises a threshold level of false negatives.
  - 17. The system of claim 11, wherein the determination module determines, prior to determining that the file in the cluster of files shares the item of file metadata with the other file, a ranking, in terms of detection accuracy, of the field of file metadata that corresponds to the item of file metadata in comparison to other fields of file metadata.
  - 18. The system of claim 11, wherein the assignment module assigns the overall security score to the entire cluster of files by applying a machine learning model that is generated by inputting to a machine learning algorithm:
    - known security scores from a set of files in the ground truth files; and
      
      items of file metadata that the set of files shares with another set of files in the ground truth files.
  - 19. The system of claim 11, wherein the assignment module assigns the security score to the file in the cluster of files by:
    - identifying a plurality of files in the ground truth files that share the item of file metadata with the file in the cluster; and
      
      assigning the security score to the file based on security scores assigned to the plurality of files in the ground truth files.

20. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify, by a computer security system, a cluster of files that co-occur with each other according to a statistical analysis that detects instances of application packages that install multiple files associated with an application on a single machine;
  
  identify ground truth files to which the computer security system has previously assigned a security score;
  
  determine that a file in the cluster of files shares an item of file metadata with at least one other file in the ground truth files;
  
  assign a security score to the file in the cluster of files based at least in part on a security score of the other file in the ground truth files that shares the item of file metadata;
  
  assign an overall security score to the entire cluster of files based at least in part on the security score assigned to the file in the cluster;
  
  check, prior to determining that the file in the cluster of files shares the item of file metadata with the other file, a field of file metadata that corresponds to the item of file metadata for accuracy in detecting security threats by checking for a threshold level of at least one of false positives and false negatives; and
  
  determine that the field of file metadata passes the checking for accuracy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Gates, Christopher, Roundy, Kevin
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Salehi, Helai

Application Number

US14/751,178
Time in Patent Office

858 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/562 Static detection

G06F 2221/034 Test or assess a computer o...

Systems and methods for file classification

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for file classification

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links