Systems and methods for improving forest-based malware detection within an organization

US 9,942,264 B1
Filed: 12/16/2016
Issued: 04/10/2018
Est. Priority Date: 12/16/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for improving forest-based malware detection within an organization, at least a portion of the method being performed by a backend computing system comprising at least one processor, the method comprising:

receiving, at the backend computing system, organization data from at least one organization computing device within an organization computer network;

adjusting, at the backend computing system, a general use forest model to generate an organization-specific forest model for detecting malicious computer files within the organization computer network, wherein adjusting the general use forest model comprises changing a weight of at least one leaf node of the general use forest model based on the organization data;

sending, from the backend computing system, the organization-specific forest model to the at least one organization computing device;

detecting, by the backend computing system the at least one organization computing device, using the organization-specific forest model, malware in a file received on the at least one organization computing device within the organization computer network; and

performing a security action with respect to the file to protect the backend computing system or the at least one organization computing device or both.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for improving forest-based malware detection within an organization may include (i) receiving, at a backend computing system, organization data from at least one organization computing device within an organization computer network, (ii) adjusting, at the backend computing system, a general use forest model based on the organization data to generate an organization-specific forest model for detecting malicious computer files within the organization computer network, and (iii) sending, from the backend computing system, the organization-specific forest model to the at least one organization computing device. Various other methods, systems, and computer-readable media are also disclosed.

19 Citations

View as Search Results

17 Claims

1. A computer-implemented method for improving forest-based malware detection within an organization, at least a portion of the method being performed by a backend computing system comprising at least one processor, the method comprising:
- receiving, at the backend computing system, organization data from at least one organization computing device within an organization computer network;
  
  adjusting, at the backend computing system, a general use forest model to generate an organization-specific forest model for detecting malicious computer files within the organization computer network, wherein adjusting the general use forest model comprises changing a weight of at least one leaf node of the general use forest model based on the organization data;
  
  sending, from the backend computing system, the organization-specific forest model to the at least one organization computing device;
  
  detecting, by the backend computing system the at least one organization computing device, using the organization-specific forest model, malware in a file received on the at least one organization computing device within the organization computer network; and
  
  performing a security action with respect to the file to protect the backend computing system or the at least one organization computing device or both.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-implemented method of claim 1, wherein adjusting the general use forest model further comprises changing a conviction threshold of the general use forest model, wherein changing the conviction threshold of the general use forest model comprises calculating a conviction threshold for the organization-specific forest model by:
    - running, at the backend computing system, the organization data through the general use forest model to determine true positive rates and false positive rates for each leaf node of the general use forest model with respect to the organization data;
      
      generating, at the backend computing system, a receiver operating characteristic curve based on the true positive rates and the false positive rates for each leaf node; and
      
      selecting, at the backend computing system, a position along the receiver operating characteristic curve, the position corresponding to the updated conviction threshold.
  - 3. The computer-implemented method of claim 1, wherein adjusting the general use forest model comprises training, at the backend computing system, the general use forest model using the organization data.
  - 4. The computer-implemented method of claim 1, further comprising:
    - receiving, at the backend computing system, additional organization data from the at least one organization computing device within the organization computer network; and
      
      evaluating, at the backend computing system, performance of the organization-specific forest model with respect to the additional organization data by running the additional organization data through the organization-specific forest model.
  - 5. The computer-implemented method of claim 1, wherein the organization data comprises file data of at least one computer file from the at least one organization computing device.
  - 6. The computer-implemented method of claim 5, further comprising categorizing, at the backend computing system, the file data of the at least one computer file.
  - 7. The computer-implemented method of claim 1, wherein the general use forest model comprises a forest model that was generated and trained using data from sources outside the organization computer network.
  - 8. The computer-implemented method of claim 1, wherein adjusting the general use forest model comprises adjusting, at the backend computing system, the general use forest model based on the organization data to generate an organization-specific forest model that exhibits at least one of higher true positive rates and lower false positive rates in comparison to the general use forest model when utilized to evaluate data within the organization computer network.
  - 9. The method of claim 1, further comprising determining that a computer file includes malware based on an analysis of the computer file using the organization-specific forest model.
  - 10. The method of claim 9, further comprising performing a security action to protect the at least one organization computing device when the computer file is determined to include malware.
  - 11. The method of claim 1, wherein the general use forest model and the organization-specific forest model are each random forests.
  - 12. The method of claim 1, further comprising categorizing, at the backend computing system, the organization data received from the at least one organization computing device.

13. A system for improving forest-based malware detection within an organization the system comprising:
- a receiving module, stored in memory, that receives, at a backend computing system, organization data from at least one organization computing device within an organization computer network;
  
  an adjusting module, stored in memory, that adjusts, at the backend computing system, a general use forest model to generate an organization-specific forest model for detecting malicious computer files within the organization computer network, wherein the adjusting module adjusts the general use forest model by changing a weight of at least one leaf node of the general use forest model based on the organization;
  
  a sending module, stored in memory, that sends, from the backend computing system, the organization-specific forest model to the at least one organization computing device;
  
  a security module, stored in memory, that;
  
  detects, from the backend computing system or the at least one organization computing device, using the organization-specific forest model, malware in a file received on the at least one organization computing device within the organization computer network; and
  
  performs a security action with respect to the file to protect the backend computing system or the at least one organization computing device or both; and
  
  at least one processor that executes the receiving module, the adjusting module, and the sending module.
- View Dependent Claims (14, 15)
- - 14. The system of claim 13, wherein the adjusting module adjusts the general use forest model by training, at the backend computing system, the general use forest model using the organization data to generate the organization-specific forest model.
  - 15. The system of claim 13, wherein the adjusting module further adjusts the general use forest model by changing a conviction threshold of the general use forest model, wherein changing the conviction threshold of the general use forest model comprises calculating a conviction threshold for the organization-specific forest model by:
    - running, at the backend computing system, the organization data through the general use forest model to determine true positive rates and false positive rates for each leaf node of the general use forest model with respect to the organization data;
      
      generating, at the backend computing system, a receiver operating characteristic curve based on the true positive rates and the false positive rates for each leaf node; and
      
      selecting, at the backend computing system, a position along the receiver operating characteristic curve, the position corresponding to the updated conviction threshold.

16. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a backend computing system, cause the backend computing system to:
- receive, at the backend computing system, organization data from at least one organization computing device within an organization computer network;
  
  adjust, at the backend computing system, a general use forest model to generate an organization-specific forest model for detecting malicious computer files within the organization computer network, wherein the general use forest model is adjusted by changing a weight of at least one leaf node of the general use forest model based on the organization datasend, from the backend computing system, the organization-specific forest model to the at least one organization computing device;
  
  detect, by the backend computing system or the at least one organization computing device, using the organization-specific forest model, malware in a file received on the at least one organization computing device within the organization computer network; and
  
  perform a security action with respect to the file to protect the backend computing system or the at least one organization computing device or both.
- View Dependent Claims (17)
- - 17. The non-transitory computer-readable medium of claim 16, wherein the one or more computer readable instructions further cause the backend computing system to adjust the general use forest model by changing a conviction threshold of the general use forest model, wherein changing the conviction threshold of the general use forest model comprises calculating a conviction threshold for the organization-specific forest model by:
    - running, at the backend computing system, the organization data through the general use forest model to determine true positive rates and false positive rates for each leaf node of the general use forest model with respect to the organization data;
      
      generating, at the backend computing system, a receiver operating characteristic curve based on the true positive rates and the false positive rates for each leaf node; and
      
      selecting, at the backend computing system, a position along the receiver operating characteristic curve, the position corresponding to the updated conviction threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Kennedy, Mark, Viljoen, Pieter
Primary Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US15/381,140
Time in Patent Office

480 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/145 the attack involving the pr...

Systems and methods for improving forest-based malware detection within an organization

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for improving forest-based malware detection within an organization

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links