Title: Distributed traffic pattern analysis and entropy prediction for detecting malware in a network environment
Abstract: Technologies are provided in embodiments to detect malware. The embodiments are configured to receive an entropy rate of a potentially affected system. The embodiments are further configured to compare the entropy rate to an average entropy rate, and to determine a probability that the potentially affected system is infected with malware. The probability is based, at least in part, on a result of the comparison. More specific embodiments can include the received entropy rate being generated, at least in part, by a genetic program. Additional embodiments can include a configuration to provide the potentially affected system with a specified time-span associated with the genetic program. The specified time-span indicates an amount of time to observe context information on the potentially affected system. In at least some embodiments, the result of the comparison includes an indicator of whether the entropy rate correlates to an infected system or a healthy system.
Publication number: US9380066(B2)  Publication date: 2016.06.28
Application number: US201313853601  Filing date: 2013.03.29
Applicant: Intel Corporation  Inventors: Hohndel Dirk; van de Ven Adriaan
Classification codes: H04L29/06; G06N3/12; G06F21/55; G06F21/56  Main classification: H04L29/06
Agency: Patent Capital Group  Agent: Patent Capital Group
Independent claim: 1. At least one non-transitory machine readable storage medium having instructions stored thereon to detect malware, the instructions when executed by at least one processor cause the processor to: select a genetic program based, at least in part, on a type of manipulation to be performed by the genetic program on one or more streams of context information of a potentially affected system; receive an entropy rate associated with the potentially affected system, wherein the received entropy rate was generated, at least in part, from an output stream of manipulated context information produced by the genetic program manipulating one or more streams of context information related to, respectively, one or more events detected on the potentially affected system, wherein a first stream of the one or more streams of context information includes one or more context elements observed in response to a first event being detected on the potentially affected system; compare the received entropy rate to an average entropy rate; and determine a probability that the potentially affected system is infected with malware, the probability based, at least in part, on a result of the comparison.
Address: Santa Clara CA US
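The detection loop in the abstract and claim (estimate an entropy rate from a host's event stream over an observation window, compare it to the average rate of healthy systems, turn the deviation into an infection probability) as an added, constructed example; this is not code from the patent or from Intel. It substitutes a plain first-order Markov entropy estimate for the patent's genetic-program output stream, the event names and streams are made up, and the logistic mapping from z-score to probability is an illustrative assumption.

```python
import math
from collections import Counter

# Constructed sample event streams (context elements observed on a host);
# illustrative only, not data from the patent.
HEALTHY_STREAMS = [
    ["file_open", "file_read", "file_read", "file_write", "file_close"] * 4 + ["file_open"],
    ["net_connect", "net_send", "net_recv", "net_close"] * 5 + ["net_connect"],
    ["file_open", "file_read", "file_write", "file_close"] * 3
    + ["net_connect", "net_send", "net_recv", "net_close"] * 3 + ["file_open"],
]
EVENTS = ["proc_start", "net_connect", "file_write", "reg_set", "dns_query"]
# Every event is followed by each of the other four exactly once: maximally
# irregular for five symbols, so the first-order entropy rate is 2 bits/event.
SUSPICIOUS_STREAM = [EVENTS[i] for i in
                     [0, 1, 2, 3, 4, 0, 2, 4, 1, 3, 0, 3, 1, 4, 2, 0, 4, 3, 2, 1, 0]]


def entropy_rate(stream, window=None):
    """First-order Markov estimate of H(X_n | X_{n-1}) in bits per event,
    over the last `window` events (the observation time-span)."""
    if window is not None:
        stream = stream[-window:]
    if len(stream) < 2:
        return 0.0
    transitions = Counter(zip(stream, stream[1:]))
    predecessors = Counter(stream[:-1])
    total = len(stream) - 1
    rate = 0.0
    for (prev, nxt), n in transitions.items():
        p_pair = n / total                 # P(X_{n-1}=prev, X_n=nxt)
        p_cond = n / predecessors[prev]    # P(X_n=nxt | X_{n-1}=prev)
        rate -= p_pair * math.log2(p_cond)
    return rate


def baseline(healthy_streams):
    """Average entropy rate of known-healthy systems, plus its spread."""
    rates = [entropy_rate(s) for s in healthy_streams]
    mean = sum(rates) / len(rates)
    std = math.sqrt(sum((r - mean) ** 2 for r in rates) / len(rates))
    return mean, std


def infection_probability(rate, mean, std, z0=3.0, min_std=0.05):
    """Map deviation from the healthy average to a probability. The logistic
    on the z-score is an assumption for illustration, not the patent's rule;
    z0 is the deviation (in standard deviations) scored at 50%."""
    z = abs(rate - mean) / max(std, min_std)
    return 1.0 / (1.0 + math.exp(-(z - z0)))
```

With these inputs the healthy baseline averages roughly 0.2 bits/event, the first healthy stream scores well below 50%, and the suspicious stream (2.0 bits/event) scores above 99%.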