Distributed traffic pattern analysis and entropy prediction for detecting malware in a network environment
Abstract
Technologies are provided in embodiments to detect malware. The embodiments are configured to receive an entropy rate of a potentially affected system. The embodiments are further configured to compare the entropy rate to an average entropy rate, and to determine a probability that the potentially affected system is infected with malware. The probability is based, at least in part, on a result of the comparison. More specific embodiments can include the received entropy rate being generated, at least in part, by a genetic program. Additional embodiments can include a configuration to provide the potentially affected system with a specified time-span associated with the genetic program. The specified time-span indicates an amount of time to observe context information on the potentially affected system. In at least some embodiments, the result of the comparison includes an indicator of whether the entropy rate correlates to an infected system or a healthy system.
25 Claims
1. At least one non-transitory machine readable storage medium having instructions stored thereon to detect malware, the instructions when executed by at least one processor cause the processor to:
select a genetic program based, at least in part, on a type of manipulation to be performed by the genetic program on one or more streams of context information of a potentially affected system; receive an entropy rate associated with the potentially affected system, wherein the received entropy rate was generated, at least in part, from an output stream of manipulated context information produced by the genetic program manipulating one or more streams of context information related to, respectively, one or more events detected on the potentially affected system, wherein a first stream of the one or more streams of context information includes one or more context elements observed in response to a first event being detected on the potentially affected system; compare the received entropy rate to an average entropy rate; and determine a probability that the potentially affected system is infected with malware, the probability based, at least in part, on a result of the comparison.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 24, 25)

14. A system to detect malware, the apparatus comprising:
at least one processor; at least one memory element; and an entropy rate comparison module configured to: select a genetic program based, at least in part, on a type of manipulation to be performed by the genetic program on one or more streams of context information of a potentially affected system; receive an entropy rate associated with the potentially affected system in a network environment, wherein the received entropy rate was generated, at least in part, from an output stream of manipulated context information produced by the genetic program manipulating one or more streams of context information related to, respectively, one or more events detected on the potentially affected system, wherein a first stream of the one or more streams of context information includes one or more context elements observed in response to a first event being detected on the potentially affected system; compare the received entropy rate to an average entropy rate; and determine a probability that the potentially affected system is infected with malware, the probability based, at least in part, on a result of the comparison.
(Dependent claims: 15, 23)

16. A method for detecting malware, the method comprising:
selecting a genetic program based, at least in part, on a type of manipulation to be performed by the genetic program on one or more streams of context information of a potentially affected system; receiving an entropy rate associated with the potentially affected system, wherein the received entropy rate was generated, at least in part, from an output stream of manipulated context information produced by the genetic program manipulating one or more streams of context information related to, respectively, one or more events detected on the potentially affected system, wherein a first stream of the one or more streams of context information includes one or more context elements observed in response to a first event being detected on the potentially affected system; comparing the received entropy rate to an average entropy rate; and determining a probability that the potentially affected system is infected with malware, the probability based, at least in part, on a result of the comparison.
(Dependent claims: 17)

18. A system comprising:
at least one processor; at least one memory element; and an agent, when executed by the at least one processor, detect one or more events on a potentially affected system in real-time; generate one or more streams of context information corresponding to, respectively, the one or more events, wherein each stream of context information includes one or more context elements observed on the potentially affected system in response to one of the one or more events being detected; execute a genetic program to manipulate the one or more streams to produce an output stream of manipulated context information based, at least in part, on the manipulation of the one or more streams; generate an entropy rate by applying entropy encoding to the output stream of manipulated context information produced by the genetic program; and communicate the entropy rate to a backend system to determine whether the system is an infected system.
(Dependent claims: 19, 20)

21. At least one non-transitory machine readable storage medium having instructions stored thereon to detect malware, the instructions when executed by at least one processor cause the processor to:
detect one or more events on a potentially affected system in real-time; generate one or more streams of context information corresponding to, respectively, the one or more events, wherein each stream of context information includes one or more context elements observed on the potentially affected system in response to one of the one or more events being detected; execute a genetic program to manipulate the one or more streams to produce an output stream of manipulated context information based, at least in part, on the manipulation of the one or more streams; generate an entropy rate by applying entropy encoding to the output stream of manipulated context information produced by the genetic program; and communicate the entropy rate to a backend system to determine whether the system is an infected system.
(Dependent claims: 22)
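The agent-side steps of claims 18 and 21 (detect events, build one context stream per event, run the selected program over the streams, entropy-encode the output, report the rate) and the backend comparison of claims 1, 14 and 16 and the abstract, as an added Python example that is not part of the patent or of any product it covers. Everything the page does not specify is an assumption here: the fields of a context element, the fixed functions standing in for an evolved genetic program, Shannon entropy per symbol as the "entropy rate", the constructed healthy baseline, and the logistic mapping from deviation against the average healthy rate to a probability.

```python
"""Entropy-rate infection scoring in the shape of the claims above.

Added illustration, not the patent's code.  Assumed, because the page leaves it open:
the shape of a context element, the stand-ins for the genetic program, Shannon entropy
per symbol as the entropy rate, and the calibration of the infection probability.
"""
from __future__ import annotations

import math
from collections import Counter
from statistics import mean, pstdev

# ---- agent side (claims 18 and 21) ---------------------------------------

def context_stream(event: dict) -> list[str]:
    """Context elements observed in response to one detected event (assumed fields)."""
    return [f"proc={event['process']}", f"parent={event['parent']}",
            f"dst={event['dst_port']}", f"bytes={event['bytes'] // 1024}k"]

def merge_streams(streams: list[list[str]]) -> list[str]:
    """Manipulation type 'merge': concatenate every stream into one output stream."""
    return [sym for stream in streams for sym in stream]

def network_only(streams: list[list[str]]) -> list[str]:
    """Manipulation type 'network': keep only the destination-port elements."""
    return [sym for stream in streams for sym in stream if sym.startswith("dst=")]

# The program is selected by the type of manipulation it performs.  A real genetic
# program would be evolved; these fixed functions are assumed stand-ins.
GENETIC_PROGRAMS = {"merge": merge_streams, "network": network_only}

def entropy_rate(symbols: list[str]) -> float:
    """Empirical Shannon entropy in bits/symbol: the rate an ideal entropy encoder
    converges to on this stream (assumed reading of 'applying entropy encoding')."""
    if not symbols:
        return 0.0
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())

def agent_entropy_rate(events: list[dict], manipulation: str = "merge",
                       time_span_s: float | None = None) -> float:
    """Observe events for the specified time-span (if the backend supplied one),
    build a context stream per event, run the selected program, and encode."""
    if time_span_s is not None and events:
        t0 = events[0]["ts"]
        events = [e for e in events if e["ts"] < t0 + time_span_s]
    streams = [context_stream(e) for e in events]
    return entropy_rate(GENETIC_PROGRAMS[manipulation](streams))

# ---- backend side (claims 1, 14, 16) --------------------------------------

def infection_probability(received_rate: float, healthy_rates: list[float],
                          sigmas_for_even_odds: float = 2.0) -> float:
    """Compare the received rate with the average healthy rate and map the
    deviation (in standard deviations) through a logistic curve.  The page only
    fixes that the probability depends on the comparison; the curve is assumed."""
    avg = mean(healthy_rates)
    sd = max(pstdev(healthy_rates), 1e-9)      # guard a degenerate baseline
    z = abs(received_rate - avg) / sd
    return 1.0 / (1.0 + math.exp(-(z - sigmas_for_even_odds)))

# ---- constructed sample telemetry (not real data) --------------------------

HEALTHY_EVENTS = [  # repetitive desktop activity: few distinct symbols
    {"ts": 0,  "process": "chrome",  "parent": "explorer", "dst_port": 443, "bytes": 20480},
    {"ts": 10, "process": "chrome",  "parent": "explorer", "dst_port": 443, "bytes": 40960},
    {"ts": 20, "process": "outlook", "parent": "explorer", "dst_port": 993, "bytes": 10240},
    {"ts": 30, "process": "chrome",  "parent": "explorer", "dst_port": 443, "bytes": 20480},
]
UNUSUAL_EVENTS = [  # deliberately diverse: every symbol distinct
    {"ts": 0,  "process": "svchost", "parent": "explorer", "dst_port": 8080, "bytes": 1024},
    {"ts": 10, "process": "conhost", "parent": "updater",  "dst_port": 9001, "bytes": 3072},
    {"ts": 20, "process": "updater", "parent": "helper",   "dst_port": 53,   "bytes": 512},
    {"ts": 30, "process": "helper",  "parent": "svchost",  "dst_port": 8443, "bytes": 7168},
]
# Constructed entropy rates previously reported by known-healthy hosts.
HEALTHY_BASELINE = [2.70, 2.85, 2.75, 2.80, 2.78]

def score_host(events: list[dict], manipulation: str = "merge",
               time_span_s: float | None = None) -> tuple[float, float]:
    """Agent computes the rate; backend turns it into P(infected)."""
    rate = agent_entropy_rate(events, manipulation, time_span_s)
    return rate, infection_probability(rate, HEALTHY_BASELINE)

if __name__ == "__main__":
    for name, events in (("healthy", HEALTHY_EVENTS), ("unusual", UNUSUAL_EVENTS)):
        rate, p = score_host(events)
        print(f"{name}: {rate:.3f} bits/symbol -> P(infected) = {p:.2f}")
```

The backend's baseline here is a plain mean and population standard deviation of rates from known-good hosts; with the constructed data the healthy host sits within a tenth of a standard deviation of the average and scores low, while the all-distinct stream lands far above it. Because the page does not say whether infection raises or lowers the rate, the comparison uses the absolute deviation; a deployment that has learned the direction from labelled hosts would drop the `abs`.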
Specification