Title: Matrix factorization for automated malware detection
Abstract: Disclosed herein is a system and method for automatically identifying potential malware files, or benign files, among files that are not yet known to be malware. Vector distances over selected features of an unknown file are computed against the feature vectors of both known malware files and known benign files. From these distance measures a malware score is derived for the unknown file. If the malware score exceeds a threshold, a researcher may be notified of the potential malware; if the score is significantly high, the file may be classified as malware automatically.
Publication number: US9398034(B2) Publication date: 2016.07.19
Application number: US201314135247 Filing date: 2013.12.19
Applicant: Microsoft Technology Licensing, LLC Inventors: Ronen Royi;Kels Shay;Ziklik Elad;Hudis Efim;Feuerstein Corina;Brand Tomer
Classification: G06F21/00;H04L29/06;G06F21/56 Main classification: G06F21/00
Agency: Agents: Chuma Timothy;Yee Judy;Minhas Micky
Main claim: 1. A malware detection system comprising: at least one processor; a feature identifier configured to generate a matrix of files and associated machines having a plurality of features associated with the files and machines, the feature identifier further configured to apply matrix factorization to the matrix of files and associated machines to generate a machine matrix and a file matrix, and configured to perform dimensional reduction to identify a group of features from the plurality of features that are the most informative features, wherein the group of features is a fixed number of features and comprises a subset of the plurality of features; a malware database comprising files of known malware and a plurality of features associated with the known malware; a comparison engine configured to identify for a file a number of other files that are similar to the file from the matrix of files and the malware database and to score the file based on a closeness of the other files to the file; and a malware classification component configured to identify potential malware based on the score of the file and further configured to create an alert if the score for the file exceeds a first threshold score.
Address: Redmond WA US
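The following is an added, self-contained illustration of the pipeline the abstract and claim describe; it is not Microsoft's implementation and the patent does not fix any of its particulars. It assumes a constructed file-by-machine presence matrix (files f0..f5, seven machines), uses a truncated eigendecomposition by power iteration as the matrix factorization (one possible choice; the claim only says "matrix factorization"), keeps a fixed rank of 2 as the "most informative features", scores an unknown file by the distance-weighted share of malware among its k nearest labelled files, and applies two arbitrary thresholds (0.5 to alert a researcher, 0.9 to classify automatically). All names and numbers are constructed.

```python
"""Added example (not the patent's code): files x machines matrix -> low-rank
file and machine matrices -> nearest labelled files -> malware score -> thresholds.
Pure Python so it runs offline; the factorization is a power-iteration
eigendecomposition of A*A^T (an assumption, the patent names no method)."""
import math


def matvec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]


def normalize(v):
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v]


def gram(a):
    """A * A^T: for each pair of files, how many machines they share."""
    return [[sum(x * y for x, y in zip(r1, r2)) for r2 in a] for r1 in a]


def top_eigen(g, k, iters=300):
    """Top-k eigenpairs of a symmetric matrix by power iteration with deflation.
    The start vector is deterministic so results are reproducible."""
    n = len(g)
    found = []  # list of (eigenvalue, unit eigenvector)
    for _ in range(k):
        v = normalize([i + 1.0 for i in range(n)])
        for _ in range(iters):
            v = matvec(g, v)
            for _, u in found:  # keep v orthogonal to eigenvectors already found
                dot = sum(x * y for x, y in zip(v, u))
                v = [x - dot * y for x, y in zip(v, u)]
            v = normalize(v)
        lam = sum(x * y for x, y in zip(v, matvec(g, v)))
        found.append((lam, v))
    return found


def factorize(a, rank):
    """Return (file_matrix, machine_matrix): each file and each machine gets
    `rank` coordinates, i.e. the fixed number of reduced features that are kept."""
    pairs = top_eigen(gram(a), rank)
    n_files, n_machines = len(a), len(a[0])
    files = [[math.sqrt(lam) * v[i] for lam, v in pairs] for i in range(n_files)]
    machines = [[sum(a[i][j] * v[i] for i in range(n_files)) / math.sqrt(lam)
                 for lam, v in pairs] for j in range(n_machines)]
    return files, machines


def euclid(p, q):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(p, q)))


def malware_score(target, labelled, k=2):
    """labelled: list of (feature_vector, is_malware). Score in [0, 1] is the
    distance-weighted fraction of malware among the k closest labelled files."""
    nearest = sorted(labelled, key=lambda t: euclid(target, t[0]))[:k]
    weighted = [(1.0 / (1.0 + euclid(target, vec)), mal) for vec, mal in nearest]
    return sum(w for w, mal in weighted if mal) / sum(w for w, _ in weighted)


def classify(score, alert_threshold=0.5, auto_threshold=0.9):
    """Thresholds are constructed: first threshold raises an alert for a
    researcher, a significantly higher one classifies automatically."""
    if score >= auto_threshold:
        return "malware"
    if score >= alert_threshold:
        return "alert"
    return "benign"


# Constructed presence matrix: row = file, column = machine, 1 = file seen there.
FILES = ["f0", "f1", "f2", "f3", "f4", "f5"]
A = [
    [1, 1, 1, 0, 0, 0, 0],  # f0: known malware
    [1, 1, 0, 0, 0, 0, 0],  # f1: known malware
    [0, 0, 0, 1, 1, 1, 1],  # f2: known benign
    [0, 0, 0, 1, 1, 0, 0],  # f3: known benign
    [1, 0, 1, 0, 0, 0, 0],  # f4: unknown, co-occurs with the malware group
    [0, 0, 0, 0, 1, 1, 1],  # f5: unknown, co-occurs with the benign group
]
LABELS = {"f0": True, "f1": True, "f2": False, "f3": False}  # the "malware database"


def score_unknown_files(a=A, names=FILES, labels=LABELS, rank=2):
    """Map each unlabelled file name to (rounded score, verdict)."""
    files, _ = factorize(a, rank)
    labelled = [(files[i], labels[n]) for i, n in enumerate(names) if n in labels]
    results = {}
    for i, n in enumerate(names):
        if n not in labels:
            s = malware_score(files[i], labelled)
            results[n] = (round(s, 3), classify(s))
    return results


if __name__ == "__main__":
    for name, (s, verdict) in score_unknown_files().items():
        print(f"{name}: score={s} verdict={verdict}")
```

The rank chosen in `factorize` is the fixed feature budget from the claim: the files keep only their strongest shared-machine structure, so an unknown file that spreads like known malware lands near it even when it never shares an exact machine set. In a real deployment the machine matrix would be retained too, since a machine's coordinates summarise how malware-like the files on it are.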