DISTRIBUTED TRAFFIC PATTERN ANALYSIS AND ENTROPY PREDICTION FOR DETECTING MALWARE IN A NETWORK ENVIRONMENT
First Claim
1. At least one machine readable storage medium having instructions stored thereon to detect malware, the instructions when executed by at least one processor cause the processor to:
receive an entropy rate of a potentially affected system;
compare the received entropy rate to an average entropy rate; and
determine a probability that the potentially affected system is infected with malware, the probability based, at least in part, on a result of the comparison.
2 Assignments
0 Petitions
Abstract
Technologies are provided in embodiments to detect malware. The embodiments are configured to receive an entropy rate of a potentially affected system. The embodiments are further configured to compare the entropy rate to an average entropy rate, and to determine a probability that the potentially affected system is infected with malware. The probability is based, at least in part, on a result of the comparison. More specific embodiments can include the received entropy rate being generated, at least in part, by a genetic program. Additional embodiments can include a configuration to provide the potentially affected system with a specified time-span associated with the genetic program. The specified time-span indicates an amount of time to observe context information on the potentially affected system. In at least some embodiments, the result of the comparison includes an indicator of whether the entropy rate correlates to an infected system or a healthy system.
151 Citations
25 Claims
1. At least one machine readable storage medium having instructions stored thereon to detect malware, the instructions when executed by at least one processor cause the processor to:
receive an entropy rate of a potentially affected system; compare the received entropy rate to an average entropy rate; and determine a probability that the potentially affected system is infected with malware, the probability based, at least in part, on a result of the comparison.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15

16. A system to detect malware, the apparatus comprising:
at least one processor; at least one memory element; and an entropy rate comparison module configured to: receive an entropy rate of a potentially affected system in a network environment; compare the received entropy rate to an average entropy rate; and determine a probability that the potentially affected system is infected with malware, the probability based, at least in part, on a result of the comparison.
Dependent claims: 17

18. A method for detecting malware, the method comprising:
receiving an entropy rate of a potentially affected system; comparing the received entropy rate to an average entropy rate; and determining a probability that the potentially affected system is infected with malware, the probability based, at least in part, on a result of the comparison.
Dependent claims: 19

20. A system comprising:
at least one processor; at least one memory element; and an agent configured to: generate one or more streams of context information of the system for one or more events; execute a genetic program to produce an output stream of manipulated context information based, at least in part, on the one or more streams; apply entropy encoding to the output stream to generate an entropy rate; and communicate the entropy rate to a backend system to determine whether the system is an infected system.
Dependent claims: 21, 22, 23, 24

25. At least one machine readable storage medium having instructions stored thereon to detect malware, the instructions when executed by at least one processor cause the processor to:
generate one or more streams of context information of a potentially affected system for one or more events; execute a genetic program to produce an output stream of manipulated context information based, at least in part, on the one or more streams; apply entropy encoding to the output stream to generate an entropy rate; and communicate the entropy rate to a backend system to determine whether the system is an infected system.
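As an added, runnable illustration of the pipeline described in the abstract and in claims 20 and 25 (example code written for this page, not the patent's or any assignee's implementation): an agent reduces raw context events to a symbol stream, estimates its entropy rate, and a backend compares that rate with the average rate of known-healthy streams to produce an infection probability and a healthy/infected indicator. Three pieces are stand-ins, not anything the page specifies: the genetic program is replaced by a fixed category transform (manipulate), the entropy encoding step by an order-1 conditional-entropy estimate in bits per symbol, and the mapping from deviation to probability, 1 - exp(-z^2/2), is one plausible choice. The event streams and IP addresses are constructed samples.

```python
import math
from collections import Counter
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample context streams (not from the page). Each event is
# "category:detail" as an agent might record it: a process start, a file
# access or a network connection. Two streams from a host known to be healthy,
# one from a host under assessment.
HEALTHY_STREAMS: List[List[str]] = [
    # regular maintenance loop: process, file, process, file, network, ...
    ["proc:cron", "file:/var/log/syslog", "proc:logrotate",
     "file:/var/log/syslog.1", "net:10.0.0.5:514"] * 2,
    # same host on another day, slightly different ordering
    ["proc:cron", "file:/var/log/syslog", "proc:logrotate",
     "file:/var/log/syslog.1", "net:10.0.0.5:514", "proc:cron",
     "file:/var/log/syslog", "net:10.0.0.5:514", "proc:logrotate",
     "file:/var/log/syslog.1"],
]

SUSPECT_STREAM: List[str] = [
    "proc:sh", "net:203.0.113.7:4444", "file:/tmp/.x", "net:203.0.113.7:4444",
    "proc:curl", "file:/tmp/.y", "net:198.51.100.9:8080", "proc:bash",
    "file:/dev/shm/.z", "net:203.0.113.7:4444",
]


def manipulate(events: Sequence[str]) -> List[str]:
    """Stand-in for the claims' genetic program (assumption): reduce each raw
    event to its category so the stream becomes a sequence over a small alphabet."""
    return [e.split(":", 1)[0] for e in events]


def entropy_rate(symbols: Sequence[str]) -> float:
    """Estimate the entropy rate in bits per symbol as the order-1 conditional
    entropy H(X_n | X_{n-1}) computed from pair counts. This replaces the
    claims' entropy-encoding step (assumption): a source that an entropy coder
    can compress well has a low rate, an irregular one a high rate."""
    if len(symbols) < 2:
        return 0.0
    pairs = Counter(zip(symbols, symbols[1:]))
    prev = Counter(symbols[:-1])
    n = len(symbols) - 1
    h = 0.0
    for (a, b), c in pairs.items():
        # p(a,b) * log2 p(b|a), summed and negated
        h -= (c / n) * math.log2(c / prev[a])
    return h


def average_entropy_rate(streams: Sequence[Sequence[str]]) -> Tuple[float, float]:
    """Backend baseline: mean and standard deviation of the entropy rates of
    streams from systems known to be healthy."""
    rates = [entropy_rate(manipulate(s)) for s in streams]
    mean = sum(rates) / len(rates)
    std = math.sqrt(sum((r - mean) ** 2 for r in rates) / len(rates))
    return mean, std


def infection_probability(rate: float, mean: float, std: float) -> float:
    """Map the deviation of the observed rate from the baseline to [0, 1].
    Two-sided, because an infected host may be either more or less regular
    than the baseline. The mapping 1 - exp(-z^2/2) is an assumption."""
    z = abs(rate - mean) / max(std, 1e-9)
    return 1.0 - math.exp(-0.5 * z * z)


def assess(events: Sequence[str], baseline_streams: Sequence[Sequence[str]],
           window: Optional[int] = None) -> Dict[str, object]:
    """Observe at most `window` events (the claims' specified time-span, here
    expressed as an event count), compute the entropy rate, compare it with the
    baseline and return the comparison result with an infected/healthy indicator."""
    observed = events[:window] if window else events
    rate = entropy_rate(manipulate(observed))
    mean, std = average_entropy_rate(baseline_streams)
    p = infection_probability(rate, mean, std)
    return {"entropy_rate": rate, "average": mean, "std": std,
            "probability": p, "indicator": "infected" if p >= 0.5 else "healthy"}


if __name__ == "__main__":
    for name, stream in (("suspect", SUSPECT_STREAM), ("healthy-like", HEALTHY_STREAMS[0])):
        print(name, assess(stream, HEALTHY_STREAMS))
```

With these constructed inputs the suspect stream's rate sits several baseline standard deviations above the average and is flagged, while a stream shaped like the baseline is not. Ten events and two baseline streams are far too few for a real deployment: the order-1 estimator needs windows long enough for pair counts to stabilise, and the baseline should be built per host role, since a build server and a laptop have very different healthy rates.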