Wavelet decomposition of software entropy to identify malware

US 9,946,876 B2
Filed: 08/12/2016
Issued: 04/17/2018
Est. Priority Date: 03/30/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

analyzing, by at least one data processor, a data file to obtain characters contained in the data file, the characters split into a plurality of data file chunks;

representing, by the at least one data processor, the data file as a plurality of entropy values reflective of an amount of entropy across the plurality of file chunks;

applying, by the at least one data processor, a wavelet transform to the plurality of entropy values to generate a wavelet energy spectrum that represents an amount of entropic energy at multiple levels of resolution;

determining, by the at least one data processor and using at least one predictive model, which levels of resolution of the multiple levels of resolution exert the strongest influences on a probability of the data file being malicious and whether the entropic energy at such levels of resolution make a likelihood of the data file being malicious larger or smaller;

calculating, by the at least one data processor, a suspiciously structured entropy score based on the wavelet energy spectrum and the determination, wherein the suspiciously structured entropy score represents a probability of whether or not the data file is likely to be malicious; and

incorporating, by the at least one data processor, the suspiciously structured entropy score within an existing malware model.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A plurality of data files is received. Thereafter, each file is represented as an entropy time series that reflects an amount of entropy across locations in code for such file. A wavelet transform is applied, for each file, to the corresponding entropy time series to generate an energy spectrum characterizing, for the file, an amount of entropic energy at multiple scales of code resolution. It can then be determined, for each file, whether or not the file is likely to be malicious based on the energy spectrum. Related apparatus, systems, techniques and articles are also described.

72 Citations

View as Search Results

30 Claims

1. A method comprising:
- analyzing, by at least one data processor, a data file to obtain characters contained in the data file, the characters split into a plurality of data file chunks;
  
  representing, by the at least one data processor, the data file as a plurality of entropy values reflective of an amount of entropy across the plurality of file chunks;
  
  applying, by the at least one data processor, a wavelet transform to the plurality of entropy values to generate a wavelet energy spectrum that represents an amount of entropic energy at multiple levels of resolution;
  
  determining, by the at least one data processor and using at least one predictive model, which levels of resolution of the multiple levels of resolution exert the strongest influences on a probability of the data file being malicious and whether the entropic energy at such levels of resolution make a likelihood of the data file being malicious larger or smaller;
  
  calculating, by the at least one data processor, a suspiciously structured entropy score based on the wavelet energy spectrum and the determination, wherein the suspiciously structured entropy score represents a probability of whether or not the data file is likely to be malicious; and
  
  incorporating, by the at least one data processor, the suspiciously structured entropy score within an existing malware model.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the plurality of file chunks are non-overlapping.
  - 3. The method of claim 1, wherein the plurality of file chunks have fixed length.
  - 4. The method of claim 1, wherein the wavelet transform is applied based on at least a coefficient representing a difference of mean entropy levels between adjacent file chunks.
  - 5. The method of claim 1, wherein the data file comprises encrypted segments concealing malicious commands.
  - 6. The method of claim 1, wherein the data file comprises compressed segments concealing malicious commands.
  - 7. The method of claim 1, wherein the at least one predictive model is trained using data sets comprising files known to contain malware.
  - 8. The method of claim 6, wherein the at least one predictive model comprises a logistic regression model.
  - 9. The method of claim 6, wherein the at least one predictive model comprises a neural network model and/or a support vector machine.
  - 10. The method of claim 1, wherein the wavelet transform is a Haar wavelet transform.

11. A system comprising:
- at least one data processor; and
  
  at least one memory storing instructions which, when executed by the at least one data processor, causes operations comprising;
  
  analyzing, by at least one data processor, a data file to obtain characters contained in the data file, the characters split into a plurality of file chunks;
  
  representing, by the at least one data processor, the data file as a plurality of entropy values reflective of an amount of entropy across the plurality of file chunks;
  
  applying, by the at least one data processor, a wavelet transform to the plurality of entropy values to generate a wavelet energy spectrum that represents an amount of entropic energy at multiple levels of resolution;
  
  determining, by the at least one data processor and using at least one predictive model, which levels of resolution of the multiple levels of resolution exert the strongest influences on a probability of the data file being malicious and whether the entropic energy at such levels of resolution make a likelihood of the data file being malicious larger or smaller;
  
  calculating, by the at least one data processor, a suspiciously structured entropy score based on the wavelet energy spectrum and the determination, wherein the suspiciously structured entropy score represents a probability of whether or not the data file is likely to be malicious; and
  
  incorporating, by the at least one data processor, the suspiciously structured entropy score within an existing malware model.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the plurality of file chunks are non-overlapping.
  - 13. The system of claim 11, wherein the plurality of file chunks have fixed length.
  - 14. The system of claim 11, wherein the wavelet transform is applied based on at least a coefficient representing a difference of mean entropy levels between adjacent file chunks.
  - 15. The system of claim 11, wherein the data file comprises encrypted segments concealing malicious commands.
  - 16. The system of claim 11, wherein the data file comprises compressed segments concealing malicious commands.
  - 17. The system of claim 11, wherein the at least one predictive model is trained using data sets comprising files known to contain malware.
  - 18. The system of claim 17, wherein the at least one predictive model comprises a logistic regression model.
  - 19. The system of claim 17, wherein the at least one predictive model comprises a neural network model and/or a support vector machine.
  - 20. The system of claim 11, wherein the wavelet transform is a Haar wavelet transform.

21. A non-transitory computer program product storing instructions which, when executed by at least one data processor forming part of at least one computing system, result in operations comprising:
- analyzing, by at least one data processor, a data file to obtain characters contained in the data file, the characters split into a plurality of file chunks;
  
  representing, by the at least one data processor, the data file as a plurality of entropy values reflective of an amount of entropy across the plurality of file chunks;
  
  applying, by the at least one data processor, a wavelet transform to the plurality of entropy values to generate a wavelet energy spectrum that represents an amount of entropic energy at multiple levels of resolution;
  
  determining, by the at least one data processor and using at least one predictive model, which levels of resolution of the multiple levels of resolution exert the strongest influences on a probability of the data file being malicious and whether the entropic energy at such levels of resolution make a likelihood of the data file being malicious larger or smaller;
  
  calculating a suspiciously structured entropy score based on the wavelet energy spectrum and the determination, wherein the suspiciously structured entropy score represents a probability of whether or not the data file is likely to be malicious; and
  
  incorporating, by the at least one data processor, the suspiciously structured entropy score within an existing malware model.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The non-transitory computer program product of claim 21, wherein the plurality of file chunks are non-overlapping.
  - 23. The non-transitory computer program product of claim 21, wherein the plurality of file chunks have fixed length.
  - 24. The non-transitory computer program product of claim 21, wherein the wavelet transform is applied based on at least a coefficient representing a difference of mean entropy levels between adjacent file chunks.
  - 25. The non-transitory computer program product of claim 21, wherein the data file comprises encrypted segments concealing malicious commands.
  - 26. The non-transitory computer program product of claim 21, wherein the data file comprises compressed segments concealing malicious commands.
  - 27. The non-transitory computer program product of claim 21, wherein the at least one predictive model is trained using data sets comprising files known to contain malware.
  - 28. The non-transitory computer program product of claim 27, wherein the at least one predictive model comprises a logistic regression model.
  - 29. The non-transitory computer program product of claim 27, wherein the at least one predictive model comprises a neural network model and/or a support vector machine.
  - 30. The non-transitory computer program product of claim 21, wherein the wavelet transform is a Haar wavelet transform.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cylance Inc. (Blackberry Limited)
Original Assignee
Cylance Inc. (Blackberry Limited)
Inventors
Wojnowicz, Michael, Chisholm, Glenn, Wolff, Matthew, Soeder, Derek A., Zhao, Xuan
Primary Examiner(s)
POTRATZ, DANIEL B

Application Number

US15/236,316
Publication Number

US 20160378984A1
Time in Patent Office

613 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/565   by checking file integrity

G06F 2221/034   Test or assess a computer o...

G06N 3/08   Learning methods

Wavelet decomposition of software entropy to identify malware

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

72 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Wavelet decomposition of software entropy to identify malware

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

72 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links