Static feature extraction from structured files
Abstract
Data is received or accessed that includes a structured file encapsulating data required by an execution environment to manage executable code wrapped within the structured file. Thereafter, code and data regions are iteratively identified in the structured file. Such identification is analyzed so that at least one feature can be extracted from the structured file. Related apparatus, systems, techniques and articles are also described.
59 Citations
42 Claims
1. A computer-implemented method comprising:
receiving and accessing a plurality of structured files;
parsing each structured file to discover corresponding code and data regions and to extract a plurality of corresponding code start points;
extracting, for each structured file, at least one feature from such structured file by disassembling the code in the structured file using each of the plurality of corresponding code start points as a respective disassembly starting point and analyzing one or more code and data regions identified within the structured file, the extracting occurring statically while the structured file is not being executed, the features being at least one of (i) a first-order feature indicating whether a collection of import names is ordered lexicographically and being able to be derived into a higher-order feature, (ii) a checksum feature for a string of elements in the file compared to a checksum stored in a field in the file, or (iii) a Boolean feature that characterizes a set of timestamp fields from the file to represent whether or not the file relies upon various functionalities that did not exist at the time represented by the most recent time stamp;
providing the extracted features from each of the plurality of structured files to a machine learning model, to determine classification of the features and place them into a malicious or benign category, wherein the provision of the extracted features from one of the plurality of structured files reduces subsequent misclassification of extracted features from the next one of the plurality of structured files by the machine learning model.
15. A system comprising:
at least one processor; and
at least one memory including instructions which, when executed by the at least one processor, result in the at least one processor performing operations comprising:
receiving and accessing a plurality of structured files;
parsing each structured file to discover corresponding code and data regions and to extract a plurality of corresponding code start points;
extracting, for each structured file, at least one feature from such structured file by disassembling the code in the structured file using each of the plurality of corresponding code start points as a respective disassembly starting point and analyzing one or more code and data regions identified within the structured file, the extracting occurring statically while the structured file is not being executed, the features being at least one of (i) a first-order feature indicating whether a collection of import names is ordered lexicographically and being able to be derived into a higher-order feature, (ii) a checksum feature for a string of elements in the file compared to a checksum stored in a field in the file, or (iii) a Boolean feature that characterizes a set of timestamp fields from the file to represent whether or not the file relies upon various functionalities that did not exist at the time represented by the most recent time stamp;
providing the extracted features from each of the plurality of structured files to a machine learning model, to determine classification of the features and place them into a malicious or benign category, wherein the provision of the extracted features from one of the plurality of structured files reduces subsequent misclassification of extracted features from the next one of the plurality of structured files by the machine learning model.
29. A non-transitory computer-readable storage medium including instructions which, when executed by at least one processor, cause the at least one processor to perform operations comprising:
receiving and accessing a plurality of structured files;
parsing each structured file to discover corresponding code and data regions and to extract a plurality of corresponding code start points;
extracting, for each structured file, at least one feature from such structured file by disassembling the code in the structured file using each of the plurality of corresponding code start points as a respective disassembly starting point and analyzing one or more code and data regions identified within the structured file, the extracting occurring statically while the structured file is not being executed, the features being at least one of (i) a first-order feature indicating whether a collection of import names is ordered lexicographically and being able to be derived into a higher-order feature, (ii) a checksum feature for a string of elements in the file compared to a checksum stored in a field in the file, or (iii) a Boolean feature that characterizes a set of timestamp fields from the file to represent whether or not the file relies upon various functionalities that did not exist at the time represented by the most recent timestamp;
providing the extracted features from each of the plurality of structured files to a machine learning model, to determine classification of the features and place them into a malicious or benign category, wherein the provision of the extracted features from one of the plurality of structured files reduces subsequent misclassification of extracted features from the next one of the plurality of structured files by the machine learning model.
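The three feature families named in the independent claims, written out as an added example (this is not the patent's or its assignee's code). It assumes the raw PE image bytes are available for the checksum, that the import names and timestamp fields have already been pulled out by a separate PE parser, and that the table mapping functionality to its introduction date is a constructed, hypothetical lookup.

```python
import struct
from typing import Iterable, Mapping, Sequence


def imports_lexicographically_ordered(names: Sequence[str]) -> bool:
    # Feature (i): are the import names in sorted order? Standard linkers
    # usually emit sorted import tables; hand-built ones often do not.
    return all(a <= b for a, b in zip(names, names[1:]))


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    # Standard PE checksum: sum the image as little-endian dwords with
    # end-around carry, skipping the CheckSum field itself, then fold to
    # 16 bits and add the unpadded length. Offset assumed 4-byte aligned.
    remainder = len(data) % 4
    padded = data + b"\0" * ((4 - remainder) % 4)
    checksum = 0
    for i in range(len(padded) // 4):
        if i == checksum_offset // 4:
            continue
        checksum += struct.unpack_from("<I", padded, i * 4)[0]
        if checksum >= 1 << 32:
            checksum = (checksum & 0xFFFFFFFF) + (checksum >> 32)
    checksum = (checksum & 0xFFFF) + (checksum >> 16)
    checksum += checksum >> 16
    return (checksum & 0xFFFF) + len(data)


def checksum_matches(data: bytes, checksum_offset: int) -> bool:
    # Feature (ii): does the stored CheckSum equal the one recomputed over
    # the file's bytes? A mismatch is a cheap signal of post-link tampering.
    stored = struct.unpack_from("<I", data, checksum_offset)[0]
    return stored == pe_checksum(data, checksum_offset)


def relies_on_future_functionality(timestamps: Iterable[int], used: Iterable[str],
                                   introduced: Mapping[str, int]) -> bool:
    # Feature (iii): True when the file uses functionality that first shipped
    # after the newest of its own timestamp fields (all values epoch seconds).
    latest = max(timestamps, default=0)
    return any(introduced.get(name, 0) > latest for name in used)


# Constructed sample input, not a real binary: an 8-byte "image" whose
# CheckSum field is at offset 4 and holds the correct value 9.
SAMPLE_IMAGE = b"\x01\x00\x00\x00" + struct.pack("<I", 9)
SAMPLE_IMPORTS = ["CloseHandle", "CreateFileW", "ReadFile"]
# Hypothetical lookup: API name -> epoch seconds when it first shipped.
INTRODUCED = {"NewApiW": 1_600_000_000}
```

Each function returns one Boolean or integer feature that can be fed to the classifier as-is, or combined into the higher-order features the claims mention.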