Multi-Channel Change-Point Malware Detection
Abstract
A malware detection system and method detects changes in host behavior indicative of malware execution. The system uses linear discriminant analysis (LDA) for feature extraction, multi-channel change-point detection algorithms to infer malware execution, and a data fusion center (DFC) to combine local decisions into a host-wide diagnosis. The malware detection system includes sensors that monitor the status of a host computer being monitored for malware, a feature extractor that extracts data from the sensors corresponding to predetermined features, local detectors that perform malware detection on each stream of feature data from the feature extractor independently, and a data fusion center that uses the decisions from the local detectors to infer whether the host computer is infected by malware.
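The pipeline the abstract describes (independent local detectors per feature stream, then a data fusion center combining their decisions), as an added illustration that is not the patent's own code. The page names neither the change-point statistic nor the fusion rule, so a one-sided CUSUM per channel and a k-of-n vote are assumptions made here, and the feature names, detector parameters and sample streams are constructed.

```python
from dataclasses import dataclass

@dataclass
class CusumDetector:
    """Local detector for one feature stream: one-sided CUSUM for an upward shift
    (assumed here; the patent does not name its change-point statistic)."""
    mean0: float        # nominal mean of the feature on a clean host
    allowance: float    # per-sample excess absorbed as noise before it accumulates
    threshold: float    # accumulated excess above which a change is declared
    stat: float = 0.0
    alarmed: bool = False  # latched: once a change-point is found it persists

    def update(self, x: float) -> bool:
        self.stat = max(0.0, self.stat + (x - self.mean0) - self.allowance)
        if self.stat > self.threshold:
            self.alarmed = True
        return self.alarmed

def fusion_decision(samples, detectors, k):
    """Data fusion center (k-of-n vote, an assumed rule): return the index of the
    first sample at which at least k local detectors report a change, else None."""
    for t, sample in enumerate(samples):
        votes = sum(detectors[name].update(x) for name, x in sample.items())
        if votes >= k:
            return t
    return None

def make_detectors():
    # One local detector per host-local feature channel (constructed parameters).
    return {
        "cpu_pct": CusumDetector(mean0=20.0, allowance=5.0, threshold=30.0),
        "syscalls_per_s": CusumDetector(mean0=100.0, allowance=20.0, threshold=120.0),
        "disk_writes_per_s": CusumDetector(mean0=5.0, allowance=2.0, threshold=10.0),
    }

# Constructed feature streams: ten clean samples, then from t=10 malware raises
# CPU use and syscall rate while disk writes stay at baseline.
SAMPLES = [{"cpu_pct": 18 + 4 * (t % 2), "syscalls_per_s": 95 + 10 * (t % 2),
            "disk_writes_per_s": 4 + 2 * (t % 2)} for t in range(10)]
SAMPLES += [{"cpu_pct": 40.0, "syscalls_per_s": 150.0,
             "disk_writes_per_s": 4 + 2 * (t % 2)} for t in range(10, 20)]

def first_alarm(k):
    return fusion_decision(SAMPLES, make_detectors(), k)

if __name__ == "__main__":
    for k in (1, 2, 3):  # k=1 fires at t=12, k=2 waits for corroboration (t=14), k=3 never
        print(f"k={k}: infected at t={first_alarm(k)}")
```

Raising k trades detection delay for corroboration: a single channel's change is not enough to declare the host infected, and requiring every channel misses malware that leaves some channels untouched.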
25 Claims
1. A malware detection system comprising:
   sensors that monitor the status of a host computer being monitored for malware, including malware that do not propagate through a network;
   a feature extractor that extracts data from the sensors corresponding to predetermined features;
   local detectors that perform malware detection on each stream of feature data from the feature extractor independently; and
   a data fusion center that uses the decisions from the local detectors to infer whether the host computer is infected by malware.
   Dependent claims: 2 through 14, and 25.

15. A method for detecting malware that has infected a host computer, comprising the steps of:
   monitoring the status of the host computer being monitored for malware, including malware that do not propagate through a network;
   extracting feature data produced in said monitoring step that corresponds to predetermined features;
   detecting malware in each stream of feature data independently; and
   using detection decisions from the malware detecting step to infer whether the host computer is infected by malware.
   Dependent claims: 16 through 24.
Specification