Neural attention mechanisms for malware analysis
US-9705904-B1 · Jul 11, 2017 · US
US2025181709A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2025181709-A1 |
| Application number | US-202418924859-A |
| Country | US |
| Kind code | A1 |
| Filing date | Oct 23, 2024 |
| Priority date | May 20, 2019 |
| Publication date | Jun 5, 2025 |
| Grant date | — |
Official abstract text for this publication.
Disclosed herein are systems and methods for enabling the automatic detection of executable code from a stream of bytes. In some embodiments, the stream of bytes can be sourced from the hidden areas of files that traditional malware detection solutions ignore. In some embodiments, a machine learning model is trained to detect whether a particular stream of bytes is executable code. Other embodiments described herein disclose systems and methods for automatic feature extraction using a neural network. Given a new file, the systems and methods may preprocess the code to be inputted into a trained neural network. The neural network may be used as a “feature generator” for a malware detection model. Other embodiments herein are directed to systems and methods for identifying, flagging, and/or detecting threat actors which attempt to obtain access to library functions independently.
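The abstract's "hidden areas of files that traditional malware detection solutions ignore" correspond, for a PE, to regions that carry no execute permission: resource and data sections and the overlay appended after the last section (claims 22 and 23 below). The following is an added example, not code from the patent or its assignee, showing how a detector would carve those regions out of a file before handing each one to a byte-stream classifier. It uses only the standard library; the offsets come from the PE/COFF file format, and the input PE is constructed inline for the demo (not a working binary).

```python
"""
Carving the regions a byte-stream classifier should examine from a PE file:
every section without IMAGE_SCN_MEM_EXECUTE plus the overlay (bytes after the
last section's raw data). Standard library only; the PE is constructed below.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, reloc/lineno pointers and counts, Characteristics
SECTION_HDR = "<8sIIIIIIHHI"


def carve_non_executable_regions(pe: bytes) -> list[tuple[str, bytes]]:
    """Return [(label, bytes)] for each non-executable section with raw data, then the overlay."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: no PE signature at e_lfanew")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER follows the signature
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size                          # section table follows the optional header
    if table + 40 * num_sections > len(pe):
        raise ValueError("section table runs past end of file")

    regions, end_of_sections = [], table + 40 * num_sections
    for i in range(num_sections):
        (name, _vsize, _vaddr, raw_size, raw_ptr,
         _prel, _plin, _nrel, _nlin, chars) = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        stop = min(raw_ptr + raw_size, len(pe))           # clamp: SizeOfRawData may overrun the file
        end_of_sections = max(end_of_sections, stop)
        if chars & IMAGE_SCN_MEM_EXECUTE or raw_ptr >= stop:
            continue                                      # skip executable sections and empty ones
        regions.append((name.rstrip(b"\0").decode("ascii", "replace"), pe[raw_ptr:stop]))
    if end_of_sections < len(pe):
        regions.append(("overlay", pe[end_of_sections:]))  # trailing bytes no section claims
    return regions


def build_sample_pe() -> bytes:
    """Constructed, minimal PE for the demo (not a working binary): an executable
    .text section, a non-executable .rsrc section that hides code bytes, and an overlay."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    optional = struct.pack("<H", 0x10B) + b"\0" * 222              # PE32 magic; rest zeroed (224 bytes)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(optional), 0x0102)
    sections = (
        struct.pack(SECTION_HDR, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020),
        struct.pack(SECTION_HDR, b".rsrc", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040),
    )
    headers = (dos + coff + optional + b"".join(sections)).ljust(0x200, b"\0")
    text = b"\x55\x8b\xec\x5d\xc3".ljust(0x200, b"\xcc")
    rsrc = (b"\x55\x8b\xec\x8b\x45\x08\xc9\xc3" * 8).ljust(0x200, b"\0")  # code hidden in a data section
    overlay = b"Stray bytes appended after the last section\n"
    return headers + text + rsrc + overlay


if __name__ == "__main__":
    for label, blob in carve_non_executable_regions(build_sample_pe()):
        print(f"{label:8s} {len(blob):5d} bytes  head={blob[:8].hex()}")
```

Each returned region is exactly the "sequence of bytes from a portion of the file" that the claims feed into the n-gram model; the .text section is deliberately left out because a signature engine already looks there. The clamp on `SizeOfRawData` matters on real samples: packers and corrupted files routinely declare section sizes that run past end of file, and an unclamped slice would silently read an empty overlay.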
Opening claim text (preview).
1.-20. (canceled)
21. A computer-implemented method for programmatically identifying executable code within a file, the method comprising: extracting, by a computer system, from a sequence of bytes of a file, a number of n-grams, wherein each n-gram comprises a series of bytes in the sequence of bytes; generating, by the computer system, an array of counters, each counter of the array associated with one of the n-grams, wherein each counter comprises an integer value based on a frequency of occurrence of the associated n-gram within the sequence of bytes; and applying, by the computer system, a predictive model to the array of counters to determine a probability that the sequence of bytes comprises the executable code, wherein the computer system comprises a computer processor and an electronic storage medium.
22. The computer-implemented method of claim 21, further comprising accessing, by the computer system, the sequence of bytes from a portion of the file.
23. The computer-implemented method of claim 22, wherein the portion of the file comprises one or more of a resource, a string, a variable, an overlay, or a section, and wherein the portion of the file does not comprise executable permissions.
24. The computer-implemented method of claim 21, wherein the executable code is programmatically identified without executing the sequence of bytes on a computer system.
25. The computer-implemented method of claim 21, further comprising flagging, by the computer system, the sequence of bytes of the file for further analysis by a malware detection system when the probability that the sequence of bytes comprises executable code is above a predetermined threshold.
26. The computer-implemented method of claim 21, wherein the file comprises an executable file format and/or a portable executable (PE) file.
27. The computer-implemented method of claim 21, wherein the n-grams comprise a first set of n-grams with a first value of n and a second set of n-grams with a second value of n, wherein the predictive model uses the first set of n-grams and the second set of n-grams as input features to determine the probability that the sequence of bytes comprises executable code.
28. The computer-implemented method of claim 21, wherein the n-grams comprise bi-grams, and wherein the bi-grams represent sequences of two contiguous bytes within the sequence of bytes.
29. The computer-implemented method of claim 21, wherein the series of bytes of each respective n-gram comprises n number of bytes, wherein n is between 2 and 500.
30. The computer-implemented method of claim 21, wherein the number of n-grams corresponds to every n-gram present in the sequence of bytes.
31. The computer-implemented method of claim 21, wherein the series of bytes of each respective n-gram comprises n number of bytes, wherein the n number of bytes in the series of bytes of each respective n-gram is selected based on the number of n-grams.
32. The computer-implemented method of claim 21, wherein the number of n-grams is a predetermined number between 50 and 10,000.
33. The computer-implemented method of claim 21, further comprising normalizing, by the computer system, each counter by a data length of the sequence of bytes.
34. The computer-implemented method of claim 21, wherein the predictive model comprises a plurality of models, each model of the plurality of models corresponding to a different machine architecture code.
35. The computer-implemented method of claim 34, wherein a machine architecture code comprises .NET, x86, and/or x64.
36. The computer-implemented method of claim 21, wherein the predictive model comprises at least one learning algorithm selected from the group of: support vector machines (SVM), linear regression, K-nearest neighbor (KNN) algorithm, logistic regression, naïve Bayes, linear discriminant analysis, decision trees, neural networks, or similarity learning.
37. The computer-implemented method of claim 21, wherein the predictive model comprises a random forest.
38. The computer-implemented method of claim 21, wherein the random forest comprises a plurality of decision trees, each decision tree trained independently on a training set of bytes.
39. A non-transitory computer readable medium containing program instructions for causing a computer to perform a method of: extracting, from a sequence of bytes of a file, a number of n-grams, wherein each n-gram comprises a series of bytes in the sequence of bytes; generating an array of counters, each counter of the array associated with one of the n-grams, wherein each counter comprises an integer value based on a frequency of occurrence of the associated n-gram within the sequence of bytes; and applying a predictive model to the array of counters to determine a probability that the sequence of bytes comprises the executable code.
40. A computer system for programmatically identifying executable code within a file, the computer system comprising: one or more computer readable storage devices configured to store a plurality of computer executable instructions; and one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the plurality of computer executable instructions in order to cause the computer system to: extract, from a sequence of bytes of a file, a number of n-grams, wherein each n-gram comprises a series of bytes in the sequence of bytes; generate an array of counters, each counter of the array associated with one of the n-grams, wherein each counter comprises an integer value based on a frequency of occurrence of the associated n-gram within the sequence of bytes; and apply a predictive model to the array of counters to determine a probability that the sequence of bytes comprises the executable code.
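Claims 21 through 36 describe one pipeline: every n-gram (for more than one n) is counted into a fixed-size array of integer counters, the counters are normalized by the length of the byte sequence, a predictive model per machine architecture turns the array into a probability that the bytes are code, and the region is flagged when that probability clears a threshold. The block below is an added worked example of that pipeline, not code from the patent or its assignee. Three things in it are my own choices, because the claims leave them open: n-grams are mapped to counter slots by hashing so the array has a predetermined size (claim 32); the predictive model is a two-class linear discriminant (one of the learners in claim 36) rather than the random forest of claim 37, because it trains in closed form with no third-party library; and the logistic scale that turns the discriminant score into a probability is set so each training centroid maps to 0.95 / 0.05. The x86 and x64 instruction fragments and the text strings used for training and testing are constructed for the demo.

```python
"""
Byte n-gram counters + per-architecture linear discriminant, in the shape of
claims 21-36: n-grams -> integer counter array -> length normalization ->
probability of executable code -> threshold flag. Standard library only.
"""
import math

BUCKETS = 8191  # predetermined counter-array size (inside claim 32's 50..10,000); prime so hashed slots spread


def ngram_counters(data: bytes, ns=(1, 2), buckets=BUCKETS) -> list[int]:
    """Claims 21, 27, 30: for each n, count every n-gram of the sequence into a
    fixed-size array of integer counters. Hashing an n-gram to its slot is my
    choice for keeping the array a predetermined size; the claims do not fix it."""
    counters = [0] * buckets
    for n in ns:
        for i in range(len(data) - n + 1):
            key = bytes([n]) + data[i:i + n]      # prefix with n so 1-grams and 2-grams are distinct keys
            counters[int.from_bytes(key, "big") % buckets] += 1
    return counters


def normalize(counters: list[int], data_len: int) -> list[float]:
    """Claim 33: divide every counter by the length of the byte sequence."""
    if data_len == 0:
        return [0.0] * len(counters)
    return [c / data_len for c in counters]


def features(data: bytes) -> list[float]:
    return normalize(ngram_counters(data), len(data))


class CentroidDiscriminant:
    """Two-class linear discriminant (LDA with a shared identity covariance, one of
    the learners claim 36 lists): score = w.x + b, with w along the line between the
    class centroids and b placing the boundary midway. A logistic scale maps each
    training centroid to P=0.95 / 0.05; that calibration is my choice, not the patent's."""

    def __init__(self, code_vecs, other_vecs, centroid_prob=0.95):
        mu_code, mu_other = self._mean(code_vecs), self._mean(other_vecs)
        self.w = [a - b for a, b in zip(mu_code, mu_other)]
        self.b = -sum(w * (a + b) for w, a, b in zip(self.w, mu_code, mu_other)) / 2
        half_gap = sum(w * w for w in self.w) / 2     # score of mu_code; mu_other scores -half_gap
        if half_gap == 0:
            raise ValueError("class centroids coincide; nothing to learn")
        self.scale = math.log(centroid_prob / (1 - centroid_prob)) / half_gap

    @staticmethod
    def _mean(vecs):
        return [sum(col) / len(vecs) for col in zip(*vecs)]

    def probability(self, x: list[float]) -> float:
        z = self.scale * (sum(w * xi for w, xi in zip(self.w, x)) + self.b)
        return 1 / (1 + math.exp(-z)) if z >= 0 else math.exp(z) / (1 + math.exp(z))


# Constructed training data: short x86 / x64 function fragments (prologues, calls,
# returns) versus the kind of strings found in resources and overlays.
CODE_SAMPLES = {
    "x86": [
        b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x7d\x08\x8b\x75\x0c\xe8\x00\x00\x00\x00\x5f\x5e\x5b\xc9\xc3",
        b"\x55\x8b\xec\x8b\x45\x08\x85\xc0\x74\x05\x8b\x40\x04\xeb\x02\x33\xc0\x5d\xc3",
        b"\x55\x8b\xec\x51\x8b\x4d\x08\x83\xc1\x01\x89\x4d\xfc\x8b\x45\xfc\x8b\xe5\x5d\xc3",
    ],
    "x64": [
        b"\x48\x89\x5c\x24\x08\x48\x83\xec\x20\x48\x8b\xd9\xe8\x00\x00\x00\x00\x48\x8b\x5c\x24\x30\x48\x83\xc4\x20\xc3",
        b"\x40\x53\x48\x83\xec\x20\x48\x8b\xd9\x48\x85\xc9\x74\x08\xe8\x00\x00\x00\x00\x48\x8b\xcb\x48\x83\xc4\x20\x5b\xc3",
    ],
}
TEXT_SAMPLES = [
    b"Copyright (c) 2019 Example Corp. All rights reserved.",
    b"This program cannot be run in DOS mode.\r\n",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"{\"version\": \"1.0.3\", \"channel\": \"stable\"}",
]
# Constructed held-out inputs, not seen in training.
X86_TEST = b"\x55\x8b\xec\x83\xec\x08\x8b\x45\x08\x8b\x4d\x0c\xe8\x00\x00\x00\x00\x8b\xe5\x5d\xc3"
X64_TEST = b"\x48\x83\xec\x28\x48\x8b\xd9\xe8\x00\x00\x00\x00\x48\x83\xc4\x28\xc3"
TEXT_TEST = b"Error: unable to open configuration file\n"

# Claims 34/35: one model per machine architecture, each trained against the same non-code set.
_TEXT_VECS = [features(s) for s in TEXT_SAMPLES]
MODELS = {arch: CentroidDiscriminant([features(s) for s in samples], _TEXT_VECS)
          for arch, samples in CODE_SAMPLES.items()}


def score_by_architecture(models, data: bytes) -> dict:
    x = features(data)
    return {arch: m.probability(x) for arch, m in models.items()}


def flag_for_analysis(models, data: bytes, threshold=0.8):
    """Claim 25: flag the byte sequence when any architecture model's probability exceeds the threshold."""
    scores = score_by_architecture(models, data)
    arch = max(scores, key=scores.get)
    return arch, scores[arch], scores[arch] > threshold


if __name__ == "__main__":
    for label, blob in (("x86 test", X86_TEST), ("x64 test", X64_TEST), ("text test", TEXT_TEST)):
        print(label, flag_for_analysis(MODELS, blob))
```

Two practical notes. Feature hashing means two n-grams can share a counter; with a few thousand slots and inputs of a few hundred bytes that is rare, but a production model would size the array from the training corpus or use the exact 65,536-entry bi-gram table. And the identity-covariance discriminant is a stand-in for the random forest of claims 37 and 38: it is enough to show the feature pipeline end to end, but a forest copes far better with the multimodal byte distributions of real sections (mixed code, jump tables, padding) than a single linear boundary does.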
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title
Test or assess software · CPC title
by virus signature recognition · CPC title
by adding security routines or objects to programs · CPC title
Assessing vulnerabilities and evaluating computer system security · CPC title