Systems and methods for identifying malware
US-9519780-B1 · Dec 13, 2016 · US
US10505960B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10505960-B2 |
| Application number | US-201615388460-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 22, 2016 |
| Priority date | Jun 6, 2016 |
| Publication date | Dec 10, 2019 |
| Grant date | Dec 10, 2019 |
Official abstract text for this publication.
One embodiment provides a method comprising, in a training phase, receiving one or more malware samples, extracting multi-aspect features of malicious behaviors triggered by the malware samples, determining evolution patterns of the malware samples based on the multi-aspect features, and predicting mutations of the malware samples based on the evolution patterns. Another embodiment provides a method comprising, in a testing phase, receiving a new mobile application, extracting a first set of multi-aspect features for the new mobile application using a learned feature model, and determining whether the new mobile application is a mutation of a malicious application using a learned classification model and the first set of multi-aspect features.
Opening claim text (preview).
What is claimed is:

1. A method comprising: receiving one or more malware samples; extracting one or more multi-aspect features of one or more malicious behaviors triggered by the one or more malware samples, wherein the one or more multi-aspect features are indicative of a context that the one or more malicious behaviors are triggered; determining one or more evolution patterns of the one or more malware samples based on the one or more multi-aspect features, wherein the one or more evolution patterns indicate one or more changes in the one or more multi-aspect features from one malware sample evolving to another malware sample; and generating one or more mutations of the one or more malware samples based on the one or more evolution patterns by transplanting the context that the one or more malicious behaviors are triggered to a different context, wherein the transplanting comprises adapting at least one code area within the one or more malware samples, the one or more mutations generated preserve the one or more malicious behaviors, the one or more mutations generated evade a conventional malware detection technique, and the one or more malware samples and the one or more mutations generated are used to detect malware.

2. The method of claim 1, wherein the one or more malware samples comprises at least one of a malicious application, a benign application, or a malware variant of the malicious application.

3. The method of claim 1, further comprising: maintaining a malicious application database comprising: one or more malicious applications; and for each malicious application of the one or more malicious applications, one or more malware re-composition variations (MRVs) of the malicious application, wherein each MRV is a mutation of the malicious application that preserves one or more malicious behaviors of the malicious application.

4. The method of claim 1, wherein extracting one or more multi-aspect features of one or more malicious behaviors triggered by the one or more malware samples comprises: determining one or more resource features indicating at least one security-sensitive resource exploited by the one or more malicious behaviors based on static information flow analysis of the one or more malware samples.

5. The method of claim 1, wherein extracting one or more multi-aspect features of one or more malicious behaviors triggered by the one or more malware samples comprises: determining one or more locale features indicating at least one device component where the one or more malicious behaviors occur based on static information flow analysis of the one or more malware samples.

6. The method of claim 1, wherein extracting one or more multi-aspect features of one or more malicious behaviors triggered by the one or more malware samples comprises: determining one or more temporal features indicating when the one or more malicious behaviors are triggered based on static information flow analysis of the one or more malware samples.

7. The method of claim 1, wherein extracting one or more multi-aspect features of one or more malicious behaviors triggered by the one or more malware samples comprises: determining one or more dependency features indicating how the one or more malicious behaviors are controlled based on static information flow analysis of the one or more malware samples.

8. The method of claim 1, wherein determining one or more evolution patterns of the one or more malware samples based on the one or more multi-aspect features comprises: performing phylogenetic analysis of the one or more malware samples based on the one or more multi-aspect features, wherein the phylogenetic analysis comprises: capturing at least one semantic distance between different malware samples by determining, for each feature variable, a corresponding number of operations required to transform one malware sample of the different malware samples into another malware sample of the different malware samples; and for at least one malware family, constructing a corresponding phylogenetic tree based on the at least one semantic distance captured, wherein the corresponding phylogenetic tree comprises at least one feature variable representing at least one common feature of the malware family and a corresponding confidence value indicating a likelihood the at least one representative feature variable appears in a malware sample from the malware family.

9. The method of claim 1, wherein generating one or more mutations of the one or more malware samples based on the one or more evolution patterns comprises: for each malware sample of the one or more malware samples: synthesizing a mutation strategy for the malware sample; generating one or more mutations of the malware sample by performing program transplantation to mutate one or more contextual features of one or more malicious behaviors triggered by the malware sample from one or more original values to one or more mutated values, wherein the one or more mutations of the malware sample generated preserve the one or more malicious behaviors triggered by the malware sample, and the program transplantation comprises identifying a code area within the malware sample to transplant, extracting the code area, identifying an insertion point in the code area, and adapting the code area at the insertion point; and testing each mutation of the malware sample generated to determine whether the mutation evades the conventional malware detection technique.

10. The method of claim 1, further comprising: training a feature model for feature extraction based on multi-aspect features of each malware sample and each mutation generated.

11. The method of claim 1, further comprising: training a classification model for detecting whether an application is malicious or benign based on multi-aspect features of each malware sample and each mutation generated that evades the conventional malware detection technique, wherein the malware is detected based on the classification model.

12. A system, comprising: at least one processor; and a non-transitory processor-readable memory device storing instructions that when executed by the at least one processor causes the at least one processor to perform operations including: receiving one or more malware samples; extracting one or more multi-aspect features of one or more malicious behaviors triggered by the one or more malware samples, wherein the one or more multi-aspect features are indicative of a context that the one or more malicious behaviors are triggered; determining one or more evolution patterns of the one or more malware samples based on the one or more multi-aspect features, wherein the one or more evolution patterns indicate one or more changes in the one or more multi-aspect features from one malware sample evolving to another malware sample; and generating one or more mutations of the one or more malware samples based on the one or more evolution patterns by transplanting the context that the one or more malicious behaviors are triggered to a different context, wherein the transplanting comprises adapting at least one code area within the one or more malware samples, the one or more mutations generated preserve the one or more malicious behaviors, the one or more mutations generated evade a conventional malware detection technique, and the one or more malware samples and the one or more mutations generated are used to detect malware.

13. The system of claim 12, wherein the one or more malware samples comprises at least one of a malicious application, a benign application, or a malware variant of the malicious application.

14. The
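Added worked example (this is not code from the patent, its assignee, or any implementation of it): a small Python model of the training-phase pipeline the abstract and claims 1 and 4-9 describe. It represents each sample by the four feature aspects of claims 4-7, computes the per-feature-variable "number of operations" semantic distance of claim 8 as the size of the symmetric difference between value sets, builds a phylogenetic tree by average-linkage clustering (the patent does not fix a tree-building algorithm; that choice is an assumption), derives per-family representative features with confidence values, and then re-applies an observed evolution pattern to another sample and checks it against a stand-in detector. The family names, feature values, the `signature_detector` baseline and the feature-level `mutate` step are constructed assumptions for illustration; the real technique of claim 9 mutates program code by transplantation, which a feature-level toy cannot show.

```python
"""Toy model of the patent's training phase (added example, not the patent's code).
All sample data below is constructed; aspect names and values are assumptions."""
from collections import Counter
from dataclasses import dataclass
from itertools import combinations

ASPECTS = ("resource", "locale", "temporal", "dependency")


@dataclass(frozen=True)
class Sample:
    name: str
    family: str
    resource: frozenset    # security-sensitive resources exploited (claim 4)
    locale: frozenset      # device component where the behaviour occurs (claim 5)
    temporal: frozenset    # when the behaviour is triggered (claim 6)
    dependency: frozenset  # how the behaviour is controlled (claim 7)

    def aspect(self, k):
        return getattr(self, k)

    def signature(self):
        return tuple(self.aspect(k) for k in ASPECTS)


def semantic_distance(x, y):
    """Claim 8: per feature variable, count the operations (set insertions and
    deletions) needed to turn x's value into y's, then sum over the aspects."""
    return sum(len(x.aspect(k) ^ y.aspect(k)) for k in ASPECTS)


def _avg_distance(group_a, group_b):
    pairs = [(a, b) for a in group_a for b in group_b]
    return sum(semantic_distance(a, b) for a, b in pairs) / len(pairs)


def build_phylogenetic_tree(samples):
    """Average-linkage agglomerative clustering on semantic distance (one way
    to build the tree; an assumption, the patent does not fix the algorithm).
    Leaves are sample names; inner nodes are (left, right, merge_distance)."""
    clusters = {i: (s.name, [s]) for i, s in enumerate(samples)}
    next_id = len(samples)
    while len(clusters) > 1:
        (a, b), d = min(
            (((a, b), _avg_distance(clusters[a][1], clusters[b][1]))
             for a, b in combinations(sorted(clusters), 2)),
            key=lambda t: (t[1], t[0]),
        )
        merged = ((clusters[a][0], clusters[b][0], d), clusters[a][1] + clusters[b][1])
        del clusters[a], clusters[b]
        clusters[next_id] = merged
        next_id += 1
    return next(iter(clusters.values()))[0]


def representative_features(family_samples, min_confidence=0.5):
    """Claim 8: feature variables common to a family, each with a confidence
    value = fraction of the family's samples in which it appears."""
    n = len(family_samples)
    counts = Counter((k, v) for s in family_samples for k in ASPECTS for v in s.aspect(k))
    return {fv: c / n for fv, c in counts.items() if c / n >= min_confidence}


def evolution_pattern(parent, child):
    """Claim 1: the change in multi-aspect features from one sample to the next,
    as (aspect, values_added, values_removed) triples."""
    return [(k, child.aspect(k) - parent.aspect(k), parent.aspect(k) - child.aspect(k))
            for k in ASPECTS if child.aspect(k) != parent.aspect(k)]


def mutate(sample, pattern, suffix="_mut"):
    """Feature-level stand-in for claim 9: re-apply an observed evolution pattern
    to another sample's contextual features. The patent transplants code; this
    toy only moves the feature description (an assumption, not the real step)."""
    fields = {k: sample.aspect(k) for k in ASPECTS}
    for k, added, removed in pattern:
        fields[k] = (fields[k] - removed) | added
    return Sample(sample.name + suffix, sample.family, **fields)


def signature_detector(known_samples):
    """Stand-in 'conventional malware detection technique' (an assumption):
    flags a sample only if its full feature tuple matches a known sample."""
    signatures = {s.signature() for s in known_samples}
    return lambda s: s.signature() in signatures


# Constructed corpus (not real malware data): two families, five samples.
FB1 = Sample("fb1", "fakebank", frozenset({"sms", "contacts"}), frozenset({"service"}),
             frozenset({"boot"}), frozenset({"c2_command"}))
FB2 = Sample("fb2", "fakebank", frozenset({"sms", "contacts", "location"}), frozenset({"service"}),
             frozenset({"boot"}), frozenset({"c2_command"}))
FB3 = Sample("fb3", "fakebank", frozenset({"sms"}), frozenset({"activity"}),
             frozenset({"boot", "sms_received"}), frozenset({"c2_command"}))
AC1 = Sample("ac1", "adclick", frozenset({"network"}), frozenset({"activity"}),
             frozenset({"on_click"}), frozenset({"timer"}))
AC2 = Sample("ac2", "adclick", frozenset({"network", "device_id"}), frozenset({"activity"}),
             frozenset({"on_click"}), frozenset({"timer"}))
SAMPLES = [FB1, FB2, FB3, AC1, AC2]


def run_training_phase(samples=SAMPLES):
    """Tree, per-family representatives, and one mutation checked against the
    stand-in detector (claim 9's evasion test). Returns a dict of results."""
    detect = signature_detector(samples)
    pattern = evolution_pattern(FB1, FB2)   # fb1 -> fb2 gained the 'location' resource
    mutant = mutate(FB3, pattern)           # carry that context over to fb3
    families = {s.family for s in samples}
    return {
        "tree": build_phylogenetic_tree(samples),
        "representatives": {f: representative_features([s for s in samples if s.family == f])
                            for f in families},
        "mutant": mutant,
        "mutant_evades": not detect(mutant),
        "mutant_distance_to_parent": semantic_distance(mutant, FB3),
    }


if __name__ == "__main__":
    for key, value in run_training_phase().items():
        print(key, value)
```

Two design points worth noting. The distance is a sum of per-aspect edit counts, so a sample that changes only one contextual feature stays close to its parent (distance 1 here), which is what lets the tree group a mutated sample with its family even when an exact-match detector no longer recognises it. Also, the constructed detector is deliberately brittle; replacing it with the classification model of claim 11, trained on both the originals and the evading mutants, is the point of the patent's testing phase.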
the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title
Traffic logging, e.g. anomaly detection · CPC title
Machine learning · CPC title
Electricity · mapped topic
Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware · CPC title