System and method for malware detection using multidimensional feature clustering

US 9,386,028 B2
Filed: 10/23/2013
Issued: 07/05/2016
Est. Priority Date: 10/23/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

specifying, by at least one hardware processor, multiple features, which are present in communication transactions conducted between computers in a computer network and which are indicative of whether the transactions are exchanged with a malicious software;

representing, by the at least one hardware processor, a plurality of malware transactions by respective elements in a multi-dimensional space, whose dimensions are spanned respectively by the features, so as to form plurality of clusters of the elements, wherein each transaction is represented by a respective tuple in the multi-dimensional space and different families of malware transactions correspond to different clusters of the plurality of clusters;

receiving, by a at least one hardware interface operatively coupled to the at least one hardware processor, a new input communication transaction conducted between computers in the computer network; and

identifying, by the at least one hardware processor, whether the new input communication transaction is malicious by at least;

representing, by the at least one hardware processor, the new input transaction as a new element tuple in the multi-dimensional space;

measuring, by the at least one hardware processor, respective distance metrics between the new element of the multi-dimensional space and each cluster of the plurality of clusters; and

evaluating, by the at least one hardware processor, a criterion with respect to the distance metrics, wherein evaluating the criterion with respect to the distance metrics comprises;

defining a classification criterion that identifies hybrid malware comprising different code sections taken from at least two of the different malware families associated with at least two different clusters of the plurality of clusters, and applying the defined criterion to the measured respective distance metrics between the new element of the multi-dimensional space and the at least two different clusters.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for malware detection techniques, which detect malware by identifying the Command and Control (C&C) communication between the malware and the remote host, and distinguish between communication transactions that carry C&C communication and transactions of innocent traffic. The fine-granularity features are examined, which are present in the transactions and are indicative of whether the transactions are exchanged with malware. A feature comprises an aggregated statistical property of one or more features of the transactions, such as average, sum median or variance, or of any suitable function or transformation of the features.

55 Citations

View as Search Results

19 Claims

1. A method, comprising:
- specifying, by at least one hardware processor, multiple features, which are present in communication transactions conducted between computers in a computer network and which are indicative of whether the transactions are exchanged with a malicious software;
  
  representing, by the at least one hardware processor, a plurality of malware transactions by respective elements in a multi-dimensional space, whose dimensions are spanned respectively by the features, so as to form plurality of clusters of the elements, wherein each transaction is represented by a respective tuple in the multi-dimensional space and different families of malware transactions correspond to different clusters of the plurality of clusters;
  
  receiving, by a at least one hardware interface operatively coupled to the at least one hardware processor, a new input communication transaction conducted between computers in the computer network; and
  
  identifying, by the at least one hardware processor, whether the new input communication transaction is malicious by at least;
  
  representing, by the at least one hardware processor, the new input transaction as a new element tuple in the multi-dimensional space;
  
  measuring, by the at least one hardware processor, respective distance metrics between the new element of the multi-dimensional space and each cluster of the plurality of clusters; and
  
  evaluating, by the at least one hardware processor, a criterion with respect to the distance metrics, wherein evaluating the criterion with respect to the distance metrics comprises;
  
  defining a classification criterion that identifies hybrid malware comprising different code sections taken from at least two of the different malware families associated with at least two different clusters of the plurality of clusters, and applying the defined criterion to the measured respective distance metrics between the new element of the multi-dimensional space and the at least two different clusters.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method according to claim 1, wherein representing the malware transactions comprises forming the clusters in a learning process that analyzes a first set of known innocent transactions and a second set of known malware transactions.
  - 3. The method according to claim 1, wherein the distance metrics and the criterion are defined irrespective of a number of the elements in each cluster.
  - 4. The method according to claim 1, wherein representing the malware transactions comprises forming the clusters using a first distance metric, and wherein measuring the distance metrics between the new input communication transaction and the clusters comprises using a second distance metric that is different from the first distance metric.
  - 5. The method according to claim 1, wherein measuring the distance metrics comprises assigning each cluster a respective weight.
  - 6. The method according to claim 5, wherein the respective weight assigned to each cluster does not depend on a number of the elements in the cluster.
  - 7. The method according to claim 1, wherein representing the malware transactions comprises representing each cluster by a single respective representative transaction, and wherein measuring the distance metrics comprises calculating the distance metrics between representative transactions of the respective clusters and the element representing the new input communication transaction.
  - 8. The method according to claim 7, wherein representing each cluster by the respective representative transaction comprises calculating a center of mass of the malware transactions in the cluster.
  - 9. The method according to claim 1, wherein evaluating the criterion comprises identifying a new malware variation associated with one of the clusters.
  - 10. The method according to claim 1, and comprising invoking responsive action upon deciding that the new input communication transaction is malicious.
  - 11. The method according to claim 1, wherein measuring the distance metrics comprises measuring first and second different distance metrics for respective different first and second clusters.
  - 12. The method according to claim 11, wherein measuring the different distance metrics comprises assigning to the first and second clusters respective different weights that emphasize different dimensions of the multi-dimensional space.
  - 13. The method according to claim 1, wherein representing the malware transactions comprises receiving a definition of the clusters from an external source.

14. Apparatus, comprising:
- an interface, which is configured to receive communication transactions held in a computer network; and
  
  a hardware processor operatively coupled to the hardware interface, which is configured to hold a specification of multiple features, which are present in the communication transactions conducted between computers and which are indicative of whether the transactions are exchanged with a malicious software, to represent a plurality of malware transactions by respective elements in a multi-dimensional space, whose dimensions are spanned respectively by the features, so as to form plurality of clusters of the elements, wherein each transaction is represented by a respective tuple in the multi-dimensional space and different families of malware transactions correspond to different clusters of the plurality of clusters, and upon the at least one hardware interface receiving a new input communication transaction conducted between computers in the computer network, the at least one processor is configured to identify whether the new input communication transaction is malicious by at least;
  
  representing the new input transaction as a new element tuple in the multi-dimensional space;
  
  measuring respective distance metrics between the new element of the multi-dimensional space and each cluster of the plurality of clusters, andevaluating a criterion with respect to the distance metrics, wherein evaluating the criterion with respect to the distance metrics comprises;
  
  defining a classification criterion that identifies hybrid malware comprising different code sections taken from at least two of the different malware families associated with at least two different clusters of the plurality of clusters, and applying the defined criterion to the measured respective distance metrics between the new element of the multi-dimensional space and the at least two different clusters.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The apparatus according to claim 14, wherein the processor is configured to form the clusters in a learning process that analyzes a first set of known innocent transactions and a second set of known malware transactions.
  - 16. The apparatus according to claim 14, wherein the distance metrics and the criterion are defined irrespective of a number of the elements in each cluster.
  - 17. The apparatus according to claim 14, wherein the processor is configured to represent each cluster by a single respective representative transaction, and to measure the distance metrics between representative transactions of the respective clusters and the element representing the new input communication transaction.
  - 18. The apparatus according to claim 17, wherein the processor is configured to calculate the representative transaction as a center of mass of the malware transactions in the cluster.
  - 19. The apparatus according to claim 14, wherein the processor is configured to identify a new malware variation associated with one of the clusters.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cognyte Technologies Israel Ltd. (Cognyte Software Ltd.)
Original Assignee
Verint Systems Limited (Verint Systems Incorporated)
Inventors
Altman, Yuval
Primary Examiner(s)
Edwards, Linglan
Assistant Examiner(s)
Carey, Forrest

Application Number

US14/060,933
Publication Number

US 20140165198A1
Time in Patent Office

986 Days
Field of Search

726 22- 24
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/561   Virus type analysis

G06F 21/564   by virus signature recognition

H04L 2463/144   Detection or countermeasure...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

System and method for malware detection using multidimensional feature clustering

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

55 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for malware detection using multidimensional feature clustering

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links