Title: System and method for automated machine-learning, zero-day malware detection
Abstract: Improved systems and methods for automated machine-learning, zero-day malware detection. Embodiments include a method for improved zero-day malware detection that receives a set of training files which are each known to be either malign or benign, partitions the set of training files into a plurality of categories, and trains category-specific classifiers that distinguish between malign and benign files in a category of files. The training may include selecting one of the plurality of categories of training files, identifying features present in the training files in the selected category of training files, evaluating the identified features to determine the identified features most effective at distinguishing between malign and benign files, and building a category-specific classifier based on the evaluated features. Embodiments also include a system and a computer-readable medium with instructions for executing the above method.
Publication number: US9292688(B2)   Publication date: 2016.03.22
Application number: US201314038682   Filing date: 2013.09.26
Applicant: NORTHROP GRUMMAN SYSTEMS CORPORATION   Inventors: Avasarala Bhargav R.; Bose Brock D.; Day John C.; Steiner Donald
Classification: H04L29/06; G06F21/56   Main classification: H04L29/06
Agency: Andrews Kurth LLP   Agents: Andrews Kurth LLP; Wooden Sean S.
Main claim: 1. A computer-implemented method for improved zero-day malware detection comprising: receiving, at a computer that includes one or more processors and memory, a set of training files which are each known to be either malign or benign, wherein the training files comprise one or more types of computer files; analyzing, using the one or more computer processors, a training file from the set of training files to determine features of the training file, wherein the analyzing determines n-gram features; tagging, using the one or more computer processors, the determined features of the training file with qualified meta-features (QMF) tags, wherein the tagging includes:
    extracting one of the determined n-gram features from the training file;
    identifying a location of the extracted n-gram feature in the training file;
    determining an appropriate QMF tag of the extracted n-gram feature based on the identified location;
    applying the determined QMF tag to the extracted n-gram feature; and
    repeating the extracting, identifying, determining and applying for the remaining determined n-gram features of the training file;
repeating the analyzing and tagging for remaining training files in the set of training files; and building, using the one or more computer processors, a model identifying n-gram features indicative of a malign file using the QMF-tagged n-gram features, wherein the model is capable of being used to detect malign files.
Address: Falls Church VA US
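The claim describes a pipeline (extract byte n-grams, tag each with a location-derived QMF tag, evaluate the tagged features, build a model) without fixing the tag vocabulary, the evaluation criterion or the model type. The following is an added worked example, not code from the patent or from Northrop Grumman: it assumes a three-region file layout (header, code, data) as the source of QMF tags, information gain as the feature-evaluation criterion and a Bernoulli naive Bayes classifier as the model, and it uses constructed sample files in which the same 2-byte n-gram appears in every file but in a different region depending on the class. That setup shows why a location-qualified n-gram can carry information that the raw n-gram does not.

```python
import math
from collections import Counter

# Assumed region layout for the constructed sample files (not from the patent):
# bytes 0-15 are the header, 16-47 the code section, 48 onward the data section.
REGIONS = [("header", 0, 16), ("code", 16, 48), ("data", 48, None)]


def qmf_tag(offset):
    """Map a byte offset to the qualified meta-feature tag of the region it falls in."""
    for tag, start, end in REGIONS:
        if start <= offset and (end is None or offset < end):
            return tag
    return "unknown"


def tagged_ngrams(data, n=2):
    """Set of (QMF tag, n-gram) features present in a file; the tag comes from the n-gram's offset."""
    return {(qmf_tag(i), data[i:i + n]) for i in range(len(data) - n + 1)}


def untagged_ngrams(data, n=2):
    """Plain n-gram features, for comparison with the tagged ones."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def entropy(labels):
    total = len(labels)
    return -sum(c / total * math.log2(c / total) for c in Counter(labels).values())


def information_gain(feature, feature_sets, labels):
    """Reduction in label entropy from knowing whether `feature` is present in a file."""
    with_f = [lab for fs, lab in zip(feature_sets, labels) if feature in fs]
    without_f = [lab for fs, lab in zip(feature_sets, labels) if feature not in fs]
    n = len(labels)
    conditional = sum(len(part) / n * entropy(part) for part in (with_f, without_f) if part)
    return entropy(labels) - conditional


def select_features(feature_sets, labels, k):
    """Keep the k tagged n-grams that best separate malign from benign training files."""
    universe = set().union(*feature_sets)
    ranked = sorted(universe, key=lambda f: information_gain(f, feature_sets, labels), reverse=True)
    return ranked[:k]


class QmfNaiveBayes:
    """Bernoulli naive Bayes over the selected QMF-tagged n-gram features."""

    def __init__(self, features):
        self.features = features
        self.log_prior = {}
        self.p_present = {}

    def fit(self, feature_sets, labels):
        for cls in ("malign", "benign"):
            idx = [i for i, lab in enumerate(labels) if lab == cls]
            self.log_prior[cls] = math.log(len(idx) / len(labels))
            # Laplace-smoothed probability that each selected feature is present in class `cls`.
            self.p_present[cls] = {
                f: (sum(1 for i in idx if f in feature_sets[i]) + 1) / (len(idx) + 2)
                for f in self.features
            }
        return self

    def predict(self, data):
        present = tagged_ngrams(data)
        scores = {}
        for cls, prior in self.log_prior.items():
            score = prior
            for f in self.features:
                p = self.p_present[cls][f]
                score += math.log(p if f in present else 1 - p)
            scores[cls] = score
        return max(scores, key=scores.get)


def make_file(malign, seed):
    """Constructed sample file. Filler bytes are always below 0xc8, so the only
    0xcc 0xcc pair is the planted one: in the code section for malign samples,
    in the data section for benign ones."""
    def filler(length, salt):
        return bytes((seed * 7 + salt + i * 13) % 200 for i in range(length))
    header = b"MZ" + filler(14, 1)
    code = bytearray(filler(32, 2))
    data = bytearray(filler(32, 3))
    (code if malign else data)[10:12] = b"\xcc\xcc"
    return header + bytes(code) + bytes(data)


TRAIN_FILES = [make_file(True, s) for s in range(1, 5)] + [make_file(False, s) for s in range(5, 9)]
TRAIN_LABELS = ["malign"] * 4 + ["benign"] * 4


def train(files, labels, k=2):
    """Run the claim's pipeline: tag features per file, evaluate them, build the model."""
    feature_sets = [tagged_ngrams(f) for f in files]
    return QmfNaiveBayes(select_features(feature_sets, labels, k)).fit(feature_sets, labels)


def untagged_gain(ngram, files, labels):
    """Information gain of a raw n-gram, ignoring location."""
    return information_gain(ngram, [untagged_ngrams(f) for f in files], labels)


if __name__ == "__main__":
    model = train(TRAIN_FILES, TRAIN_LABELS)
    print("selected features:", model.features)
    print("gain of untagged cc cc:", untagged_gain(b"\xcc\xcc", TRAIN_FILES, TRAIN_LABELS))
    print(model.predict(make_file(True, 99)), model.predict(make_file(False, 100)))
```

On this training set the raw n-gram `cc cc` is present in every file and has zero information gain, whereas the tagged features `("code", cc cc)` and `("data", cc cc)` each separate the two classes perfectly and are the two the selector keeps. In a real deployment the region boundaries would come from parsing the file format (for PE files, the section table) rather than from fixed offsets, and the feature universe would be far larger, which is exactly why the claim puts a feature-evaluation step between tagging and model building.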