System and method for malware detection learning
First Claim
1. A method, comprising:
- monitoring, by a network interface, a protected computer network that is protected from malicious software by a processor, the protected computer network comprising one or more infected computers, and an infected computer network that is known to be infected with malicious software and is not protected from malicious software by the processor, wherein the protected computer network and the infected computer network are different networks;
extracting, by the processor, from both the protected computer network and the infected computer network, first communication transactions that are known to be malicious;
extracting, by the processor, only from the protected computer network, second communication transactions that are not known to be malicious;
identifying, by the processor, one or more malicious communication transactions exchanged with the protected computer network, by processing the first and second communication transactions;
wherein identifying the malicious communication transactions comprises creating, by the processor, based on the extracted first and second communication transactions, one or more models that distinguish the malicious communication transactions from innocent communication transactions, and detecting the malicious communication transactions using the models.
3 Assignments
0 Petitions
Accused Products
Abstract
Malware detection techniques that detect malware by identifying the C&C communication between the malware and the remote host, and distinguish between communication transactions that carry C&C communication and transactions of innocent traffic. The system distinguishes between malware transactions and innocent transactions using malware identification models, which it adapts using machine learning algorithms. However, the number and variety of malicious transactions that can be obtained from the protected network are often too limited for effectively training the machine learning algorithms. Therefore, the system obtains additional malicious transactions from another computer network that is known to be relatively rich in malicious activity. The system is thus able to adapt the malware identification models based on a large number of positive examples—The malicious transactions obtained from both the protected network and the infected network. As a result, the malware identification models are adapted with high speed and accuracy.
76 Citations
20 Claims
-
1. A method, comprising:
-
monitoring, by a network interface, a protected computer network that is protected from malicious software by a processor, the protected computer network comprising one or more infected computers, and an infected computer network that is known to be infected with malicious software and is not protected from malicious software by the processor, wherein the protected computer network and the infected computer network are different networks; extracting, by the processor, from both the protected computer network and the infected computer network, first communication transactions that are known to be malicious; extracting, by the processor, only from the protected computer network, second communication transactions that are not known to be malicious; identifying, by the processor, one or more malicious communication transactions exchanged with the protected computer network, by processing the first and second communication transactions; wherein identifying the malicious communication transactions comprises creating, by the processor, based on the extracted first and second communication transactions, one or more models that distinguish the malicious communication transactions from innocent communication transactions, and detecting the malicious communication transactions using the models. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A system, comprising:
-
a network interface, which is configured to monitor a protected computer network that is to be protected from malicious software by a processor, the protected computer network comprising one or more infected computers, and an infected computer network that is known to be infected with malicious software and is not to be protected from malicious software by the processor, wherein the protected computer network and the infected computer network are different networks; and a hardware computer system comprising the processor, which is configured to extract, from both the protected computer network and the infected computer network, first communication transactions that are known to be malicious, to extract, only from the protected computer network, second communication transactions that are not known to be malicious, and to identify one or more malicious communication transactions exchanged with the protected computer network, by processing the first and second communication transactions; wherein the processor is configured to create, based on the extracted first and second communication transactions, one or more models that distinguish the malicious communication transactions from innocent communication transactions, and to detect the malicious communication transactions using the models. - View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
-
-
17. A non-transitory computer-readable medium having stored thereon a sequence of instructions that when executed by a computing system causes, the computing system to perform the steps comprising:
-
monitoring a protected computer network that is to be protected from malicious software by the computing system, the protected computer network comprising one or more infected computers, and an infected computer network that is known to be infected with malicious software and is not to be protected from malicious software by the computing system, wherein the protected computer network and the infected computer network are different networks; extracting from both the protected computer network and the infected computer network, first communication transactions that are known to be malicious; extracting only from the protected computer network, second communication transactions that are not known to be malicious; and identifying one or more malicious communication transactions exchanged with the protected computer network, by processing the first and second communication transactions; wherein identifying the malicious communication transactions comprises creating, by the processor, based on the extracted first and second communication transactions, one or more models that distinguish the malicious communication transactions from innocent communication transactions, and detecting the malicious communication transactions using the models. - View Dependent Claims (18, 19, 20)
-
Specification