Title: EMULATOR-BASED MALWARE LEARNING AND DETECTION
Abstract: Methods and systems are described for malware learning and detection. According to one embodiment, an antivirus (AV) engine includes a training mode for internal lab use, for example, and a detection mode for use in commercial deployments. In training mode, an original set of suspicious patterns is generated by scanning malware samples. A set of clean patterns is generated by scanning clean samples. A revised set of suspicious patterns is created by removing the clean patterns from the original set. A further revised set of suspicious patterns is created by: (i) applying a statistical filter to the first revised set; and (ii) removing any suspicious patterns therefrom that do not meet a predefined frequency of occurrence. A detection model, based on the further revised set, can then be used in detection mode to flag executables as malware when the presence of one or more of the suspicious patterns is identified.
Publication number: US2016381042(A1) Publication date: 2016.12.29
Application number: US201514754522 Filing date: 2015.06.29
Applicant: Fortinet, Inc. Inventor: Zhang Jie
Classification: H04L29/06;G06N99/00;G06F17/30 Main classification: H04L29/06
Agency: Agent:
Independent claim: 1. A method comprising:
  when in a training mode:
    generating, by an antivirus (AV) engine, an original set of suspicious patterns that are capable of being used to detect a malware executable by scanning a first set of samples of executables known to be or contain malware;
    generating, by the AV engine, a set of clean patterns by scanning a second set of samples of executables known not to be or contain malware;
    creating a first revised set of suspicious patterns having a first false positive rate lower than that of the original set of suspicious patterns by removing, by the AV engine, any of the set of clean patterns from the set of suspicious patterns; and
    creating and optimizing a second revised set of suspicious patterns having a second false positive rate lower than the first false positive rate by:
      applying, by the AV engine, a statistical filter to the first revised set of suspicious patterns; and
      removing, by the AV engine, any suspicious patterns from the first revised set of suspicious patterns that do not meet a predefined frequency of occurrence; and
  when in a detection mode:
    receiving, by the AV engine, an executable;
    extracting, by the AV engine, a set of target patterns represented within the executable;
    applying, by the AV engine, a detection model, based on the second revised set of suspicious patterns, against the set of target patterns; and
    flagging, by the AV engine, the executable as malware when the detection model indicates one or more target patterns within the set of target patterns matches any suspicious patterns in the second revised set of suspicious patterns.
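The training and detection stages of the claim, as an added worked example (not code from the patent or from Fortinet): pattern tokens are assumed to be opaque strings an emulator reports per executable, the sample sets are constructed, and the "statistical filter" is assumed to be the fraction of malware samples in which a pattern occurs.

```python
from collections import Counter
from typing import Dict, Iterable, Set

# Constructed samples: each is the set of behaviour tokens an emulator
# reported for one executable (hypothetical tokens, not from the patent).
MALWARE_SAMPLES = [
    {"allocs_rwx", "patches_import_table", "writes_autorun_key"},
    {"allocs_rwx", "patches_import_table", "spawns_child"},
    {"allocs_rwx", "writes_autorun_key", "deletes_self"},
    {"allocs_rwx", "spawns_child", "reads_config"},
]
CLEAN_SAMPLES = [
    {"patches_import_table", "reads_config"},  # an installer does this too
    {"writes_autorun_key"},                    # a legitimate startup app
]

def train(malware: Iterable[Set[str]], clean: Iterable[Set[str]],
          min_fraction: float) -> Dict[str, object]:
    """Training mode: build the detection model through the claim's stages."""
    malware = list(malware)
    # Original set: every pattern seen in any malware sample, counted once
    # per sample so the count is a document frequency.
    original = Counter()
    for sample in malware:
        original.update(sample)
    # Clean set: every pattern seen in a known-clean sample.
    clean_patterns = set().union(*clean)
    # First revision: drop any pattern that also occurs in clean samples.
    first_revised = {p: n for p, n in original.items() if p not in clean_patterns}
    # Second revision: statistical filter (assumed: fraction of malware
    # samples containing the pattern) with a predefined frequency threshold.
    second_revised = {p for p, n in first_revised.items()
                      if n / len(malware) >= min_fraction}
    return {"original": set(original), "clean": clean_patterns,
            "first_revised": set(first_revised), "model": second_revised}

def detect(target_patterns: Set[str], model: Set[str]) -> Set[str]:
    """Detection mode: return the suspicious patterns matched; non-empty means flag."""
    return target_patterns & model

if __name__ == "__main__":
    stages = train(MALWARE_SAMPLES, CLEAN_SAMPLES, min_fraction=0.5)
    print("model:", sorted(stages["model"]))
    print("flag:", bool(detect({"allocs_rwx", "reads_config"}, stages["model"])))
```

With the constructed samples, the clean-pattern subtraction removes the two tokens shared with benign software, and the 0.5 frequency threshold then drops the token seen in only one of four malware samples.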
Address: Sunnyvale CA US