Method and product for providing a predictive security product and evaluating existing security products
First Claim
1. A malware evaluator system, comprising:
a non-transitory memory storing a first variant of a malware specimen and a second variant of the malware specimen; and
one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations comprising:
scanning the first variant and the second variant with one or more malware detectors to determine a first evasiveness characteristic of the first variant and a first maliciousness characteristic of the first variant and to determine a second evasiveness characteristic of the second variant and a second maliciousness characteristic of the second variant;
determining a first likelihood that the first variant meets one or more criteria based at least on the first evasiveness characteristic and the first maliciousness characteristic;
determining a second likelihood that the second variant meets the one or more criteria based at least on the second evasiveness characteristic and the second maliciousness characteristic;
based on determining that the first likelihood is greater than the second likelihood, selecting the first variant for mutation; and
mutating the first variant to generate one or more successive variants.
Abstract
A method, product and computer program product for evaluating a generation of malware variants, the method including the steps of: scanning, with one or more malware detectors, a variant of a malware specimen; determining an evasiveness characteristic of the variant and a maliciousness characteristic of the variant; determining a likelihood that the variant meets one or more criteria based at least on the evasiveness characteristic of the variant and the maliciousness characteristic of the variant; and based on the determined likelihood, selecting the variant for propagation.
18 Claims
8. A non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising:
scanning, with one or more malware detectors, a first variant of a malware specimen and a second variant of the malware specimen;
determining a first evasiveness characteristic corresponding to the first variant and a first maliciousness characteristic corresponding to the first variant;
determining a second evasiveness characteristic corresponding to the second variant and a second maliciousness characteristic corresponding to the second variant;
determining a first likelihood that the first variant meets one or more criteria based at least on the first evasiveness characteristic and the first maliciousness characteristic;
determining a second likelihood that the second variant meets one or more criteria based at least on the second evasiveness characteristic and the second maliciousness characteristic; and
based on determining that the first likelihood is greater than the second likelihood, selecting the first variant for mutation.
Dependent claims: 9, 10, 11, 12
13. A method for evaluating a generation of malware variants comprising:
scanning, with one or more malware detectors, a first variant of a malware specimen and a second variant of the malware specimen;
determining a first evasiveness characteristic of the first variant and a first maliciousness characteristic of the first variant;
determining a second evasiveness characteristic corresponding to the second variant and a second maliciousness characteristic corresponding to the second variant;
determining a first likelihood that the first variant meets one or more criteria based at least on the first evasiveness characteristic and the first maliciousness characteristic;
determining a second likelihood that the second variant meets one or more criteria based at least on the second evasiveness characteristic and the second maliciousness characteristic; and
based on determining that the first likelihood is greater than the second likelihood, selecting the first variant for mutation.
Dependent claims: 14, 15, 16, 17
18. A method for evaluating a generation of malware variants comprising:
scanning, with one or more malware detectors, two or more variants of a malware specimen;
determining an evasiveness characteristic and a maliciousness characteristic of each of the two or more variants;
determining a likelihood that each of the two or more variants meets one or more criteria based at least on the evasiveness characteristic and the maliciousness characteristic of each of the two or more variants;
selecting a first variant of the two or more variants based on a first determined likelihood of the first variant meeting the one or more criteria, the selecting further comprising:
comparing the first determined likelihood with a second determined likelihood of a second variant of the two or more variants meeting the one or more criteria; and
determining that the first determined likelihood is greater than the second determined likelihood; and
mutating the first variant to generate one or more successive variants.
Specification