Title of invention |
MALWARE ANALYSIS AND DETECTION USING GRAPH-BASED CHARACTERIZATION AND MACHINE LEARNING |
Abstract |
Malware detection methods, systems, and apparatus are described. Malware may be detected by obtaining a plurality of malware binary executables and a plurality of goodware binary executables, decompiling the plurality of malware binary executables and the plurality of goodware binary executables to extract corresponding assembly code for each of the plurality of malware binary executables and the plurality of goodware binary executables, constructing call graphs for each of the plurality of malware binary executables and the plurality of goodware binary executables from the corresponding assembly code, determining similarities between the call graphs using graph kernels applied to the call graphs for each of the plurality of malware binary executables and the plurality of goodware binary executables, building a malware detection model from the determined similarities between call graphs by applying a machine learning algorithm such as a deep neural network (DNN) algorithm to the determined similarities, and identifying whether a subject executable is malware by applying the built malware detection model to the subject executable. |
Publication number |
US2017068816(A1) |
Publication date |
2017.03.09 |
Application number |
US201615256883 |
Filing date |
2016.09.06 |
Applicant |
CAVAZOS JOHN |
Inventor |
CAVAZOS JOHN |
IPC classification |
G06F21/56;G06N3/04;G06N3/08 |
Main IPC classification |
G06F21/56 |
Patent agency |
|
Patent agent |
|
Independent claim |
1. A malware detection method, the method comprising:
obtaining a plurality of malware binary executables and a plurality of goodware binary executables; decompiling the plurality of malware binary executables and the plurality of goodware binary executables to extract corresponding assembly code for each of the plurality of malware binary executables and the plurality of goodware binary executables; constructing call graphs for each of the plurality of malware binary executables and the plurality of goodware binary executables from the corresponding assembly code; determining similarities between the call graphs using graph kernels applied to the call graphs for each of the plurality of malware binary executables and the plurality of goodware binary executables; building a malware detection model from the determined similarities between call graphs by applying a machine learning algorithm to the determined similarities; and identifying whether a subject executable is malware by applying the built malware detection model to the subject executable. |
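The following is an added illustration of the pipeline described in the abstract and in claim 1 (assembly listing, call graph, graph-kernel similarity, model, classification of a subject executable); it is not code from the patent or from the applicant. The "decompiled assembly" listings are constructed toy strings, not real binaries; the graph kernel used is the Weisfeiler-Lehman subtree kernel (the patent speaks only of "graph kernels" in general); and a nearest-class-mean rule computed in the kernel's feature space stands in for the deep neural network the abstract names as one option. Labelling local functions as a generic "local" while imported API nodes keep their names is likewise an assumption made for the example.

```python
"""Toy call-graph + graph-kernel malware detector (added example, not the patent's code)."""
import math
import re
from collections import Counter

# Constructed stand-ins for decompiler output (not real samples). One function per
# line, "name: instr; instr; ...". Only "call <target>" instructions matter here.
LISTINGS = {
    "mal_a": ("malware",
              "_start: call ResolveApi; call Inject; ret\n"
              "ResolveApi: call GetProcAddress; ret\n"
              "Inject: call VirtualAllocEx; call WriteProcessMemory; call CreateRemoteThread; ret"),
    "mal_b": ("malware",
              "_start: call OpenProcess; call Inject; ret\n"
              "Inject: call LoadLibraryA; call GetProcAddress; call VirtualAllocEx; "
              "call WriteProcessMemory; call CreateRemoteThread; ret"),
    "mal_c": ("malware",
              "_start: call Hook; call Exfil; ret\n"
              "Hook: call GetProcAddress; call SetWindowsHookExA; ret\n"
              "Exfil: call InternetOpenA; call HttpSendRequestA; call CreateRemoteThread; ret"),
    "good_a": ("goodware",
               "main: call ParseArgs; call CopyData; ret\n"
               "ParseArgs: call GetCommandLineA; call printf; ret\n"
               "CopyData: call CreateFileA; call ReadFile; call WriteFile; call CloseHandle; ret"),
    "good_b": ("goodware",
               "main: call LoadConfig; call printf; ret\n"
               "LoadConfig: call CreateFileA; call ReadFile; call malloc; call free; call CloseHandle; ret"),
    "good_c": ("goodware",
               "main: call GetCommandLineA; call Report; ret\n"
               "Report: call malloc; call printf; call WriteFile; call free; ret"),
}

# Constructed "subject executables" held out from training.
TEST_MAL = ("entry: call Stage2; ret\n"
            "Stage2: call GetProcAddress; call VirtualAllocEx; call WriteProcessMemory; "
            "call CreateRemoteThread; ret")
TEST_GOOD = "main: call CreateFileA; call ReadFile; call printf; call CloseHandle; ret"


def build_call_graph(listing):
    """Parse a listing into an undirected adjacency map and a node-label map.
    Assumption: locally defined functions get the generic label "local" (their
    names carry no signal across binaries); imported APIs keep their name."""
    adj, labels = {}, {}
    for line in listing.strip().splitlines():
        fn, body = line.split(":", 1)
        fn = fn.strip()
        adj.setdefault(fn, set())
        labels[fn] = "local"
        for callee in re.findall(r"\bcall\s+(\w+)", body):
            adj.setdefault(callee, set())
            labels.setdefault(callee, callee)   # overwritten to "local" if defined later
            adj[fn].add(callee)
            adj[callee].add(fn)
    return adj, labels


def wl_features(adj, labels, iterations=2):
    """Weisfeiler-Lehman subtree features: count node labels at each refinement
    round, where a node's new label is its old label plus its sorted neighbour labels."""
    feats, cur = Counter(), dict(labels)
    for h in range(iterations + 1):
        for lab in cur.values():
            feats[(h, lab)] += 1
        cur = {n: cur[n] + "(" + ",".join(sorted(cur[m] for m in adj[n])) + ")" for n in adj}
    return feats


def kernel(f1, f2):
    """WL subtree kernel: dot product of the two feature-count vectors."""
    return sum(v * f2.get(k, 0) for k, v in f1.items())


def normalized_kernel(f1, f2):
    """Cosine-normalised kernel so graph size does not dominate similarity."""
    return kernel(f1, f2) / math.sqrt(kernel(f1, f1) * kernel(f2, f2))


class KernelCentroidClassifier:
    """Nearest class mean in the kernel's feature space (a simple stand-in for the
    DNN the patent mentions). Distances are computed from kernel values only."""

    def __init__(self, kernel_fn):
        self.kernel_fn = kernel_fn
        self.classes = {}

    def fit(self, feats, labels):
        for c in sorted(set(labels)):
            members = [f for f, l in zip(feats, labels) if l == c]
            n = len(members)
            mean_self = sum(self.kernel_fn(a, b) for a in members for b in members) / (n * n)
            self.classes[c] = (members, mean_self)
        return self

    def predict(self, f):
        best = None
        for c, (members, mean_self) in self.classes.items():
            cross = sum(self.kernel_fn(f, m) for m in members) / len(members)
            d2 = self.kernel_fn(f, f) - 2 * cross + mean_self   # squared distance to class mean
            if best is None or d2 < best[0]:
                best = (d2, c)
        return best[1]


def train_detector(listings):
    feats = [wl_features(*build_call_graph(src)) for _, src in listings.values()]
    labels = [lab for lab, _ in listings.values()]
    return KernelCentroidClassifier(normalized_kernel).fit(feats, labels)


def classify(detector, listing):
    return detector.predict(wl_features(*build_call_graph(listing)))


if __name__ == "__main__":
    det = train_detector(LISTINGS)
    print("TEST_MAL ->", classify(det, TEST_MAL))
    print("TEST_GOOD ->", classify(det, TEST_GOOD))
```

Because API nodes are labelled by name, the kernel in this form is sensitive to import obfuscation: a sample that resolves its imports at run time through GetProcAddress exposes only that one name in its static call graph, so a practitioner applying the patented approach would want node labels derived from instruction or behaviour features as well, and would validate the graph-kernel similarities on samples packed or obfuscated differently from the training set.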
Address |
Newark DE US |