MALWARE DETERMINATION DEVICE, MALWARE DETERMINATION SYSTEM, MALWARE DETERMINATION METHOD, AND PROGRAM

US 20170098074A1
Filed: 06/08/2015
Published: 04/06/2017
Est. Priority Date: 06/11/2014
Status: Active Application

First Claim

Patent Images

1. :

A malware determination device comprising;

a feature selection database including an attribute table and an attribute value table;

a feature-selection setting unit that, upon input of an attribute name of an attribute of an executable file, registers an attribute having the input attribute name in the attribute table as an attribute to be extracted, and upon input of an attribute value of an attribute of an executable file, registers the input attribute value in the attribute value table as an attribute value to be deleted or as an attribute value not to be deleted;

a feature extraction unit that, upon input of an executable file, extracts an attribute value of an attribute registered as an attribute to be extracted in the attribute table from the executable file to generate a feature vector including the extracted attribute value as a feature;

a feature selection unit that performs deletion of an attribute value registered as an attribute value to be deleted or deletion of an attribute value other than attribute values registered as attribute values not to be deleted in the attribute value table from the feature vector generated by the feature extraction unit, to reconstruct the feature vector;

a classifier that, when the feature selection unit reconstructs a feature vector of an executable file to be learned, performs machine learning of the executable file to be learned based on the feature vector and information indicating whether the feature vector of the executable file to be learned is malware, and that, when the feature selection unit reconstructs a feature vector of an executable file to be determined, calculates a score of the likelihood of malware for the executable file to be determined based on a result of the machine learning and the feature vector; and

a determination unit that determines whether the executable file to be determined is malware based on the score of the executable file to be determined calculated by the classifier.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A malware determination device, in which, upon input of an attribute name and an attribute value of an attribute of an executable file, a feature-selection setting unit registers the attribute with the attribute name in an attribute table as an attribute to be extracted, and registers the attribute value as an attribute value to be deleted in an attribute value table. Upon input of an executable file to be learned or to be determined, a feature extraction unit extracts an attribute value of an attribute registered as an attribute to be extracted in the attribute table from the executable file, to generate a feature vector including the extracted attribute value as a feature. A feature selection unit performs deletion of an attribute value registered as an attribute value to be deleted in the attribute value table from the feature vector.

15 Citations

View as Search Results

7 Claims

1. :
- A malware determination device comprising;
  
  a feature selection database including an attribute table and an attribute value table;
  
  a feature-selection setting unit that, upon input of an attribute name of an attribute of an executable file, registers an attribute having the input attribute name in the attribute table as an attribute to be extracted, and upon input of an attribute value of an attribute of an executable file, registers the input attribute value in the attribute value table as an attribute value to be deleted or as an attribute value not to be deleted;
  
  a feature extraction unit that, upon input of an executable file, extracts an attribute value of an attribute registered as an attribute to be extracted in the attribute table from the executable file to generate a feature vector including the extracted attribute value as a feature;
  
  a feature selection unit that performs deletion of an attribute value registered as an attribute value to be deleted or deletion of an attribute value other than attribute values registered as attribute values not to be deleted in the attribute value table from the feature vector generated by the feature extraction unit, to reconstruct the feature vector;
  
  a classifier that, when the feature selection unit reconstructs a feature vector of an executable file to be learned, performs machine learning of the executable file to be learned based on the feature vector and information indicating whether the feature vector of the executable file to be learned is malware, and that, when the feature selection unit reconstructs a feature vector of an executable file to be determined, calculates a score of the likelihood of malware for the executable file to be determined based on a result of the machine learning and the feature vector; and
  
  a determination unit that determines whether the executable file to be determined is malware based on the score of the executable file to be determined calculated by the classifier.
- View Dependent Claims (2, 3, 4, 5)
- - 2. :
    - A malware determination system comprising the malware determination device according to claim 1, and further comprising a feature-selection trial device, whereinthe feature-selection trial device includesa feature-selection instruction unit that repeats a process of selecting one set from sets obtained by combining one or more sets of features including an attribute name and an attribute value of an attribute of an executable file and inputting the selected set to the feature-selection setting unit of the malware determination device,a validation unit that each time the feature-selection instruction unit inputs the set to the feature-selection setting unit, repeats a process of inputting an executable file to be determined after inputting an executable file to be learned to the feature extraction unit of the malware determination device, andan index calculation unit that each time the feature-selection instruction unit inputs the set to the feature-selection setting unit, acquires a determination result including a score of the executable file to be determined and information indicating whether the executable file to be determined has been determined to be malware, for each of executable files to be determined that have been input repeatedly to the feature extraction unit by the validation unit, from the determination unit of the malware determination device, to calculate an index indicating a degree of determination accuracy of the determination unit based on the determination result, andthe feature-selection instruction unit selects a set having a highest index calculated by the index calculation unit from the sets input to the feature-selection setting unit and inputs the selected set to the feature-selection setting unit.
  - 3. :
    - The malware determination system according to claim 2, wherein the index calculation unit calculates the index by using a detection rate, which is a rate of determining an executable file to be determined that is malware to be malware correctly, or an erroneous detection rate, which is a rate of erroneously determining an executable file to be determined that is not malware to be malware.
  - 4. :
    - A malware determination system comprising the malware determination device according to claim 1, and further comprising a user interface, whereinthe user interface includesa feature-list acquisition unit that acquires an attribute name and an attribute value of an attribute of an executable file, anda feature-selection input unit that displays a setting screen including a list of attribute names and attribute values acquired by the feature-list acquisition unit, andthe feature-selection input unitdisplays attribute names on the setting screen together with a first check box, and regarding an attribute name of an attribute registered as an attribute to be extracted in the attribute table, checks the first check box,displays attribute values on the setting screen together with a second check box, and regarding an attribute value other than attribute values registered as attribute values to be deleted or an attribute value registered as an attribute value not to be deleted in the attribute value table, checks the second check box, andwhen a checked state of the first check box or the second check box is manually changed, inputs an attribute name checked in the first check box after the change to the feature-selection setting unit of the malware determination device, and inputs an attribute value not checked in the second check box or a checked attribute value after the change to the feature-selection setting unit of the malware determination device.
  - 5. :
    - The malware determination system according to claim 4, wherein the feature-selection input unit displays an attribute value on the setting screen together with number of appearances, which is number of executable files in which the attribute value appears, and total number of executable files.

6. :
- A malware determination method performed by a malware determination device, the malware determination method comprising;
  
  a feature-selection setting step at which, upon input of an attribute name of an attribute of an executable file, the attribute with the input attribute name is registered in an attribute table as an attribute to be extracted, and upon input of an attribute value of an attribute of an executable file, the input attribute value is registered in an attribute value table as an attribute value to be deleted or as an attribute value not to be deleted,a feature extraction step at which, upon input of an executable file, an attribute value of an attribute registered as an attribute to be extracted in the attribute table is extracted from the executable file and a feature vector including the extracted attribute value as a feature is generated,a feature selection step of performing deletion of an attribute value registered as an attribute value to be deleted or deletion of an attribute value other than attribute values registered as attribute values not to be deleted in the attribute value table from the feature vector generated at the feature extraction step, to reconstruct the feature vector,a classification step at which, when a feature vector of an executable file to be learned is reconstructed at the feature selection step, machine learning of the executable file to be learned is performed based on the feature vector and information indicating whether the feature vector of the executable file to be learned is malware, and at which, when a feature vector of an executable file to be determined is reconstructed at the feature selection step, a score of likelihood of malware is calculated for the executable file to be determined based on a result of the machine learning and the feature vector, anda determination step of determining whether the executable file to be determined is malware based on the score of the executable file to be determined calculated at the classification step.

7. :
- A non-transitory computer-readable recording medium having stored a program that causes a computer to function as;
  
  a storage unit including an attribute table and an attribute value table;
  
  a feature-selection setting unit that, upon input of an attribute name of an attribute of an executable file, registers an attribute with the input attribute name in the attribute table as an attribute to be extracted, and upon input of an attribute value of an attribute of an executable file, registers the input attribute value in the attribute value table as an attribute value to be deleted or as an attribute value not to be deleted;
  
  a feature extraction unit that, upon input of an executable file, extracts an attribute value of an attribute registered as an attribute to be extracted in the attribute table from the executable file, to generate a feature vector including the extracted attribute value as a feature;
  
  a feature selection unit that performs deletion of an attribute value registered as an attribute value to be deleted or deletion of an attribute value other than attribute values registered as attribute values not to be deleted in the attribute value table, to reconstruct the feature vector;
  
  a classification unit that, when the feature selection unit reconstructs a feature vector of an executable file to be learned, performs machine learning of the executable file to be learned based on the feature vector and information indicating whether the feature vector of the executable file to be learned is malware, and that, when the feature selection unit reconstructs a feature vector of an executable file to be determined, calculates a score of likelihood of malware for the executable file to be determined based on a result of the machine learning and the feature vector; and
  
  a determination unit that determines whether the executable file to be determined is malware based on the score of the executable file to be determined calculated by the classification unit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nippon Telegraph and Telephone Corporation
Original Assignee
Nippon Telegraph and Telephone Corporation
Inventors
ABE, Tetsuya, KUMAGAI, Atsutoshi, OKANO, Yasushi, ORIHARA, Shingo, ASAKURA, Hiroshi

Granted Patent

US 10,268,820 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/567   using dedicated hardware

G06N 20/00   Machine learning

H04L 63/1433   Vulnerability analysis

MALWARE DETERMINATION DEVICE, MALWARE DETERMINATION SYSTEM, MALWARE DETERMINATION METHOD, AND PROGRAM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

MALWARE DETERMINATION DEVICE, MALWARE DETERMINATION SYSTEM, MALWARE DETERMINATION METHOD, AND PROGRAM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links