Title of invention | METHODS AND SYSTEMS FOR ENCODING COMPUTER PROCESSES FOR MALWARE DETECTION
Abstract | A method for encoding computer processes for malicious program detection. The method includes the steps of (a) randomly sampling a trace of system calls collected over a predetermined interval, each system call including context information and memory addresses for the function being monitored; (b) computing system address differences from the trace of system calls and retaining the computed values; (c) forming a group of n-grams (words) of retained differences of system addresses from the trace of system calls; (d) forming a series of process snippets, each process snippet including context information and the retained differences of system addresses; (e) transforming each process snippet to form a compact representation (process dot) comprising a pair of elements c, a, wherein c includes the context information and a is a sparse vector that encodes information derived from the group of n-grams; (f) forming clusters of compact representations; (g) obtaining clusters of compact representations from one or more malicious-program-free computers; and (h) comparing the clusters formed in step (f) to those obtained in step (g) and determining the presence of a malicious program from the comparison.
Publication number | US2016164901(A1)
Publication date | 2016.06.09
Application number | US201514960066
Filing date | 2015.12.04
Applicant | PERMISSIONBIT
Inventors | Mainieri Ronnie; Hastings Curtis A.
Classification | H04L29/06; G06N7/00; G06N99/00
Main classification | H04L29/06
Agency |
Agent |
Main claim | 1. In a managed network of computers, a method for encoding computer processes for malicious program detection, comprising the steps of:
(a) randomly sampling a trace of system calls collected over an observation interval, each system call including context information and memory addresses for the function being monitored; (b) computing system address differences from the trace of system calls and retaining the computed values; (c) forming a group of n-grams (words) of retained differences of system addresses from the trace of system calls; (d) forming a series of process snippets, each process snippet including context information and the retained differences of system addresses; (e) transforming each process snippet to form a compact representation (process dot) comprising a pair of elements c, a, wherein c includes the context information and a is a sparse vector that encodes information derived from the group of n-grams; (f) forming clusters of compact representations; (g) obtaining clusters of compact representations from one or more malicious-program-free computers; and (h) comparing the clusters formed in step (f) to those obtained in step (g) and determining the presence of a malicious program from the comparison;
Address | McLean VA US
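The encoding pipeline described in the abstract and claim 1, steps (a) through (e), as an added illustration that is not the patent's or the applicant's code. Context c is assumed to be a (host, process) pair, n is assumed to be 2, the sparse vector a is a dictionary keyed by n-gram, and steps (f) through (h) are simplified to a nearest-match comparison against dots from a clean host rather than full clustering; the traces are constructed, not captured.

```python
import random
from collections import Counter
from math import sqrt

N = 2  # n-gram ("word") length over address differences; assumed value

def sample_trace(trace, fraction, seed):
    """Step (a): keep each system call with probability `fraction`, order preserved."""
    rng = random.Random(seed)
    return [rec for rec in trace if rng.random() < fraction]

def address_differences(addrs):
    """Step (b): differences between consecutive monitored-function addresses."""
    return [b - a for a, b in zip(addrs, addrs[1:])]

def ngrams(diffs, n=N):
    """Step (c): n-grams of the retained differences."""
    return [tuple(diffs[i:i + n]) for i in range(len(diffs) - n + 1)]

def process_dots(trace):
    """Steps (d)-(e): group calls by context into snippets, then encode each snippet
    as a process dot (c, a) where a is a sparse n-gram count vector (dict keyed by n-gram)."""
    snippets = {}
    for ctx, addr in trace:  # ctx = (host, process) plays the role of the context c
        snippets.setdefault(ctx, []).append(addr)
    return [(ctx, dict(Counter(ngrams(address_differences(a))))) for ctx, a in snippets.items()]

def cosine(u, v):
    """Cosine similarity of two sparse vectors; 0.0 when either is empty."""
    num = sum(x * v.get(k, 0) for k, x in u.items())
    den = sqrt(sum(x * x for x in u.values())) * sqrt(sum(x * x for x in v.values()))
    return num / den if den else 0.0

def flag_anomalies(observed, baseline, threshold=0.5):
    """Steps (f)-(h), simplified: each observed dot is matched to its most similar
    clean-host dot; a low best similarity means the process's system-call pattern
    has no counterpart on malware-free machines."""
    return [ctx for ctx, a in observed
            if max((cosine(a, b) for _, b in baseline), default=0.0) < threshold]

# Constructed traces (not real data): a service cycling over four monitored functions on a
# clean host and on an observed host, plus one observed-host process whose address deltas
# (all congruent to 1 mod 32) can never equal the service's deltas (all multiples of 32).
def cyclic_trace(ctx, base, offsets, cycles):
    return [(ctx, base + off) for _ in range(cycles) for off in offsets]

CLEAN_TRACE = cyclic_trace(("host-a", "svc.exe"), 0x1000, [0x0, 0x40, 0xa0, 0x100], 50)
OBSERVED_TRACE = (cyclic_trace(("host-b", "svc.exe"), 0x1000, [0x0, 0x40, 0xa0, 0x100], 50)
                  + [(("host-b", "updater.exe"), 0x9000 + i * 0x21) for i in range(120)])

def build_dots(trace, seed):
    """Steps (a)-(e) end to end for one host's trace, sampling 80% of the calls."""
    return process_dots(sample_trace(trace, 0.8, seed))
```

Running `flag_anomalies(build_dots(OBSERVED_TRACE, 2), build_dots(CLEAN_TRACE, 1))` reports only the process whose n-gram vector shares nothing with the clean host's dots.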