System and methods for detection of new malicious executables
First Claim
1. A method for classifying an executable attachment in an email received at an email processing application of a computer system comprising:
- a) at the email processing application, filtering said executable attachment from said email;
b) extracting a byte sequence feature from said executable attachment; and
c) classifying said executable attachment by comparing said byte sequence feature of said executable attachment with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes.
1 Assignment
0 Petitions
Accused Products
Abstract
A system and methods for detecting malicious executable attachments at an email processing application of a computer system using data mining techniques. The email processing application may be located at the server or at the client or host. The executable attachments are filtered from said email, and byte sequence features are extracted from the executable attachment. The executable attachments are classified by comparing the byte sequence feature of the executable attachment to a classification rule set derived from byte sequence features of a data set of known executables having a predetermined class in a set of classes, e.g., malicious or benign. The system is also able to classify executable attachments as borderline when the difference between the probability that the executable is malicious and the probability that the executable is benign are within a predetermined threshold. The system can notify the user when the number of borderline attachments exceeds the threshold in order to refine the classification rule set.
318 Citations
44 Claims
-
1. A method for classifying an executable attachment in an email received at an email processing application of a computer system comprising:
-
a) at the email processing application, filtering said executable attachment from said email;
b) extracting a byte sequence feature from said executable attachment; and
c) classifying said executable attachment by comparing said byte sequence feature of said executable attachment with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
-
-
17. A method for classifying an executable program comprising:
-
a) training a classification rule set based on a predetermined set of known executable programs having a predetermined class and one or more byte sequence features by recording the number of known executable programs in each said predetermined class that has each of said byte sequence features;
b) extracting a byte sequence feature from said executable program comprising converting said executable program from binary format to hexadecimal format;
c) determining the probability that the executable program is within each said predetermined class, based on said one or more byte sequence features in said executable and said classification rule set. - View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
-
-
29. A system for classifying an executable attachment in an email received at a server of a computer system comprising:
-
a) an email filter configured to filter said executable attachment from said email;
b) a feature extractor configured to extract a byte sequence feature from said executable attachment; and
c) a rule evaluator configured to classify said executable attachment by comparing said byte sequence feature of said executable attachment to a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes. - View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44)
-
Specification