Title of invention: Classifying computer files as malware or whiteware
Abstract: An improved approach for classifying computer files as malicious (malware) or benign (whiteware) is disclosed. The invention classifies any computer file as malware or whiteware after using Bayes' Theorem to evaluate each observable feature of each file with respect to the other observable features of the same computer file, with reference to statistical information gathered from repositories of known whiteware and malware files.
Publication number: US9129110(B1); Publication date: 2015.09.08
Application number: US201314042592; Filing date: 2013.09.30
Applicant: The United States of America as represented by the Secretary of the Air Force; Inventors: Mason Mark L.; Wong Ming-Shih; Rhines Jeffrey A.; Mitchell Josh
Classification: G06F21/56; G06F21/57; Main classification: G06F21/56
Agency: AFMCLO/JAZ; Agents: AFMCLO/JAZ; Sinder Fredric
Independent claim: 1. A computer-implemented method for classifying a computer file as malware or whiteware, comprising the steps of: (a) initializing a malware belief (P(M)) to a predetermined value; (b) accessing, using one or more processors, from a database of previously determined observable features, an observable feature from the computer file; (c) obtaining a malware conditional probability for the accessed observable feature from a database of predetermined probabilities for malware; (d) obtaining a whiteware conditional probability for the accessed observable feature from a database of predetermined probabilities for whiteware; (e) applying Bayes' theorem to calculate a probability that the computer file is malware given the malware and whiteware conditional probabilities of the accessed observable feature; (f) updating the malware belief (P(M)) with the result of Bayes' theorem calculated with respect to the accessed observable feature; (g) iterating steps (c) through (f) for all previously determined observable features; (h) setting the last updated malware belief (P(M)) as a final malware belief (P(M)Final); and (i) evaluating the final malware belief (P(M)Final) to classify the computer file as malware if the final malware belief (P(M)Final) is greater than or equal to a predetermined threshold value, or as whiteware if the final malware belief (P(M)Final) is less than the same predetermined threshold value; and (j) evaluating the malware belief (P(M)) after each iteration and ceasing iterating by setting the last updated malware belief (P(M)) as the final malware (P(M)) value if: (i) the malware belief (P(M)) is greater than or equal to a predetermined convergence value, wherein the computer file is classified as malware; or, (ii) the malware belief (P(M)) is less than the same predetermined convergence value, wherein the computer file is classified as whiteware.
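The per-feature Bayesian update of claim 1, steps (a) through (i), as an added example that is not part of the patent or any implementation of it. The feature names and all probabilities are constructed sample values; absent features are scored with the complement probability, and the early stop of step (j) is modelled with a lower and an upper convergence bound, both of which are assumptions of this example rather than text of the claim.

```python
from typing import Dict, Tuple

# Constructed "databases of predetermined probabilities" (steps (c) and (d)):
# for each observable feature, P(feature present | malware) and
# P(feature present | whiteware). Values are illustrative only.
MALWARE_PROBS: Dict[str, float] = {
    "packed_section": 0.80, "no_version_info": 0.70,
    "imports_WriteProcessMemory": 0.60, "valid_signature": 0.05,
}
WHITEWARE_PROBS: Dict[str, float] = {
    "packed_section": 0.10, "no_version_info": 0.20,
    "imports_WriteProcessMemory": 0.05, "valid_signature": 0.60,
}


def bayes_update(p_m: float, p_f_m: float, p_f_w: float) -> float:
    """Steps (e)/(f): P(M|f) = P(f|M)P(M) / (P(f|M)P(M) + P(f|W)P(W)), P(W) = 1-P(M)."""
    num = p_f_m * p_m
    return num / (num + p_f_w * (1.0 - p_m))


def classify(observed: Dict[str, bool], prior: float = 0.5, threshold: float = 0.5,
             converge: Tuple[float, float] = (0.01, 0.99)) -> Tuple[str, float, int]:
    """Return (label, final P(M), number of features consumed).

    `observed` maps a feature name to whether it was seen in the file. A feature
    missing from `observed` is treated as absent and scored with 1 - P(f|class)
    (an assumption; the claim itself only speaks of accessed features).
    """
    p_m = prior                                   # step (a): initial malware belief
    lo, hi = converge                             # assumed (low, high) stop bounds
    used = 0
    for feat, p_f_m in MALWARE_PROBS.items():     # steps (b)-(g): one feature per pass
        p_f_w = WHITEWARE_PROBS[feat]
        if not observed.get(feat, False):         # feature absent: use complements
            p_f_m, p_f_w = 1.0 - p_f_m, 1.0 - p_f_w
        p_m = bayes_update(p_m, p_f_m, p_f_w)
        used += 1
        if p_m >= hi or p_m < lo:                 # step (j): belief has converged
            break
    label = "malware" if p_m >= threshold else "whiteware"   # steps (h)-(i)
    return label, p_m, used


if __name__ == "__main__":
    # Constructed feature observations for two sample files.
    suspicious = {"packed_section": True, "no_version_info": True,
                  "imports_WriteProcessMemory": True, "valid_signature": False}
    print(classify(suspicious))                   # ('malware', ~0.997, 3)
    print(classify({"valid_signature": True}))    # ('whiteware', ~0.003, 4)
```

Because each update multiplies the prior odds by P(f|M)/P(f|W), the final belief does not depend on feature order unless the convergence stop cuts the loop short, as it does for the first sample file.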
Address: Washington DC US