US10476899B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10476899-B2 |
| Application number | US-201514866459-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 25, 2015 |
| Priority date | Sep 25, 2015 |
| Publication date | Nov 12, 2019 |
| Grant date | Nov 12, 2019 |
Official abstract text for this publication.
A collection of techniques is disclosed to allow for the detection of malware that leverages pattern recognition and machine learning to effectively provide “content-less” malware detection, i.e., detecting a process as being an ‘anomaly’ not based on its particular content, but instead based on comparisons of its behavior to known (and characterized) ‘trusted’ application behaviors, i.e., the trusted applications' “phenotypes” and/or the phenotypes of known malware applications. By analyzing the patterns of normal behavior performed by trusted applications as well as malware applications, one can build a set of sophisticated, content-agnostic behavioral models (i.e., “application phenotypes”)—and later compare the processes executed on a user device to the stored behavioral models to determine whether the actual measured behavior reflects a “good” application, or if it differs from the stored behavioral models to a sufficient degree and with a sufficient degree of confidence, thus indicating a potentially malicious application or behavior.
Opening claim text (preview).
What is claimed is:

1. An application phenotyping system, the application phenotyping system comprising: one or more processors; and a memory including instructions that, when executed, cause the one or more processors to: determine two or more first-tier rules, respective ones of the two or more first-tier rules referencing a corresponding sequence of two or more operations to be performed by one or more applications to be executed on one or more devices; identify second-tier rules, respective ones of the second-tier rules including a corresponding sequence of at least two of the first-tier rules; identify one or more behaviors including a third sequence of at least two of the second-tier rules, the one or more behaviors to represent one or more normal activities to be performed by the one or more applications; identify a phenotype for the one or more applications, the phenotype including one or more of the behaviors, the phenotype to represent the one or more of the normal activities identified for the one or more applications; and distribute an executable to the one or more devices, the executable to cause one or more of the devices to access the phenotype to identify malware.
2. The application phenotyping system of claim 1, wherein the executable is to cause at least one of the one or more devices to determine a confidence score by comparing a first behavior of a first application of the at least one device to at least one of: the phenotype for the first application, the phenotype for one or more trusted applications, or the phenotype for one or more known malware applications.
3. The application phenotyping system of claim 1, wherein a first device of the one or more devices includes a malware detection system to execute the executable to identify the malware.
4. The application phenotyping system of claim 1, wherein the one or more processors are to distribute the executable to a malware detection system communicatively coupled to a first device of the one or more devices over a network.
5. The application phenotyping system of claim 1, wherein the executable is to cause at least one of the one or more devices to associate a first behavior with a first application by: comparing a fourth sequence of at least two of the two or more operations that the first application caused to occur with the one or more behaviors to determine a confidence score; and determining that the confidence score satisfies a threshold.
6. The application phenotyping system of claim 5, wherein the executable is to compare the at least two of the two or more operations with: the one or more behaviors to be performed on a first device of the one or more devices; the one or more behaviors to be performed on the one or more devices within a same enterprise as the first device; and the one or more behaviors to be performed on the one or more devices monitored by the application phenotyping system.
7. The application phenotyping system of claim 6, wherein the confidence score is determined by independently weighting the comparisons of the at least two of the two or more operations, and, the one or more behaviors are to be performed on: the first device; the one or more devices within the same enterprise as the first device; and all devices monitored by the system.
8. A method for performing malware detection, the method comprising: determining two or more first-tier rules, respective ones of the two or more first-tier rules referencing a corresponding sequence of two or more operations to be performed by one or more applications to be executed on one or more devices; identifying second-tier rules, respective ones of the second-tier rules including a corresponding sequence of at least two of the first-tier rules; identifying one or more behaviors including a third sequence of at least two of the second-tier rules, the one or more behaviors to represent one or more normal activities to be performed by the one or more applications; identifying a phenotype for the one or more applications, the phenotype including one or more of the behaviors, the phenotype to represent one or more of the normal activities for the one or more applications; and distributing an executable to the one or more devices, the executable to cause one or more of the devices to access the phenotype to identify malware.
9. The method of claim 8, wherein the executable is to cause a first device of the one or more devices to determine a confidence score by comparing a first behavior of a first application of the first device to at least one of: the phenotype for the first application, the phenotype for one or more trusted applications, or the phenotype for one or more known malware applications.
10. The method of claim 8, wherein the executable is to cause a first device of the one or more devices to associate a first behavior with a first application by: comparing a fourth sequence of at least two of the two or more operations that the first application caused to occur with the one or more behaviors to generate a confidence score; and determining that the confidence score satisfies a threshold.
11. The method of claim 10, wherein the executable is to cause the first device to compare the at least two of the two or more operations with: the one or more behaviors to be performed on the first device; the one or more behaviors to be performed on the one or more devices within a same enterprise as the first device; and the one or more behaviors to be performed on second devices, the second devices including the first device and the one or more devices within the same enterprise as the first device.
12. The method of claim 11, wherein the confidence score is determined by independently weighting the comparisons of the at least two of the two or more operations, and, the one or more behaviors to be performed on: the first device; the one or more devices within the same enterprise as the first device; and all devices monitored by a system.
13. The method of claim 8, wherein the phenotype for a first application of the one or more applications is accessed each time the first application is launched.
14. The method of claim 8, wherein the executable is to cause a first device of the one or more devices to access the phenotype from a location remote to the one or more devices.
15. At least one storage disk or storage device, comprising instructions that, when executed, cause one or more processors of a first device to at least: determine two or more first-tier rules, respective ones of the two or more first-tier rules referencing a corresponding sequence of two or more operations that a first application caused to occur on the first device; determine one or more second-tier rules, respective ones of the one or more second-tier rules referencing a corresponding sequence of two or more of the two or more first-tier rules; determine a first behavior; when the first behavior is not associated with one or more behaviors associated with one or more normal activities to be performed by the first application, compare the first behavior to a phenotype for one or more known malware applications, the first behavior corresponding to a sequence of at least two of the second-tier rules; determine whether the first behavior is indicative of malware based on the comparison of the first behavior to the phenotype for the one or more known malware applications; and perform a corrective action on the first device when the first behavior is indicative of malware.
16. The at least one storage disk or storage device of claim 15, wh
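The tiered structure the claims describe (operation sequences forming first-tier rules, first-tier sequences forming second-tier rules, second-tier sequences forming behaviors, and a phenotype as a set of behaviors scored per scope with a threshold, then a fallback comparison against a malware phenotype as in claim 15) is shown here as an added, self-contained example; it is not code from the patent, and every rule name, trace, weight and threshold in it is constructed for illustration.

```python
# Added example of the claimed tiers (operations -> first-tier rules -> second-tier rules ->
# behaviors -> phenotype) scored per scope (claims 5-7, 15); all names below are constructed.
def match_tier(seq, rules):
    """Rewrite a symbol sequence as the names of the rules it contains, scanning left
    to right and preferring longer patterns; symbols matching no rule are skipped."""
    ordered = sorted(rules.items(), key=lambda kv: -len(kv[1]))
    out, i = [], 0
    while i < len(seq):
        for name, pattern in ordered:
            if tuple(seq[i:i + len(pattern)]) == pattern:
                out.append(name)
                i += len(pattern)
                break
        else:
            i += 1
    return out

# Constructed rule tiers and trusted phenotypes (sets of behaviors) for each scope.
TIER1 = {"open_doc": ("open_file", "read_file"), "save_doc": ("write_file", "close_file"),
         "net_fetch": ("dns_lookup", "connect", "recv"),
         "mass_write": ("write_file", "write_file", "write_file")}
TIER2 = {"edit_session": ("open_doc", "save_doc"), "download_save": ("net_fetch", "save_doc"),
         "bulk_encrypt": ("open_doc", "mass_write")}
BEHAVIORS = {"document_editing": ("edit_session", "edit_session"),
             "update": ("download_save", "edit_session"),
             "ransom_like": ("bulk_encrypt", "bulk_encrypt")}
TRUSTED = {"device": {"document_editing"}, "enterprise": {"document_editing", "update"},
           "all_monitored": {"document_editing", "update"}}
MALWARE = {"ransom_like"}
WEIGHTS = {"device": 0.5, "enterprise": 0.3, "all_monitored": 0.2}  # claim 7 weighting
# Constructed traces: an editor that also checks for updates, and a repeated-rewrite process.
BENIGN_TRACE = ["open_file", "read_file", "write_file", "close_file"] * 2 + [
    "dns_lookup", "connect", "recv", "write_file", "close_file",
    "open_file", "read_file", "write_file", "close_file"]
RANSOM_TRACE = ["open_file", "read_file", "write_file", "write_file", "write_file"] * 2

def observed_behaviors(ops):
    return match_tier(match_tier(match_tier(ops, TIER1), TIER2), BEHAVIORS)

def confidence(observed, phenotypes):
    # Weighted fraction of observed behaviors found in each scope's phenotype.
    if not observed:
        return 0.0
    return sum(w * sum(b in phenotypes[s] for b in observed) / len(observed)
               for s, w in WEIGHTS.items())

def classify(ops, threshold=0.6):
    obs = observed_behaviors(ops)
    if confidence(obs, TRUSTED) >= threshold:
        return "trusted"
    # Claim 15: only behavior outside the normal set is compared to the malware phenotype.
    hits = sum(b in MALWARE for b in obs)
    return "malware" if obs and hits / len(obs) >= threshold else "unknown"
```

A trace that reduces to no known behavior at all is reported as "unknown" rather than malware, which is the point of keeping the malware comparison separate from the trusted-phenotype score.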
CPC classification titles:

- the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
- Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- Traffic logging, e.g. anomaly detection
- Query execution (filtering based on additional data G06F16/335)
- Event detection, e.g. attack signature detection