System and methods for detection of new malicious executables
Abstract
A system and methods for detecting malicious executable attachments at an email processing application of a computer system using data mining techniques. The email processing application may be located at the server or at the client or host. The executable attachments are filtered from said email, and byte sequence features are extracted from the executable attachment. The executable attachments are classified by comparing the byte sequence feature of the executable attachment to a classification rule set derived from byte sequence features of a data set of known executables having a predetermined class in a set of classes, e.g., malicious or benign. The system is also able to classify executable attachments as borderline when the difference between the probability that the executable is malicious and the probability that the executable is benign is within a predetermined threshold. The system can notify the user when the number of borderline attachments exceeds the threshold in order to refine the classification rule set.
43 Claims
1. A method for classifying an executable attachment in an email received at an email processing application of a computer system comprising:
a) filtering said executable attachment from said email;
b) extracting a byte sequence feature from said executable attachment; and
c) classifying said executable attachment by comparing said byte sequence feature of said executable attachment with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes to determine the probability whether said executable attachment is malicious, wherein extracting said byte sequence features from said executable attachment comprises creating a byte string representative of resources referenced by said executable attachment.
Dependent claims: 2, 3, 4, 5.

6. A method for classifying an executable attachment in an email received at an email processing application of a computer system comprising:
a) filtering said executable attachment from said email;
b) extracting a byte sequence feature from said executable attachment; and
c) classifying said executable attachment by comparing said byte sequence feature of said executable attachment with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes to determine a probability that said executable attachment is a member of each class in a set of classes consisting of malicious, benign, and borderline.
Dependent claims: 7, 8, 9, 10, 11, 12, 13, 14, 15.

16. A method for classifying an executable program comprising:
a) training a classification rule set based on a predetermined set of known executable programs having a predetermined class and one or more byte sequence features by recording the number of known executable programs in each said predetermined class that has each of said byte sequence features;
b) extracting a byte sequence feature from said executable program comprising converting said executable program from binary format to hexadecimal format, wherein extracting said byte sequence features from said executable attachment comprises creating a byte string representative of resources referenced by said executable attachment; and
c) determining the probability that the executable program is within each said predetermined class, based on said one or more byte sequence features in said executable and said classification rule set to determine whether said executable program is malicious.
Dependent claims: 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27.

28. A system for classifying an executable attachment in an email received at a server of a computer system comprising:
a) an email filter configured to filter said executable attachment from said email;
b) a feature extractor configured to extract a byte sequence feature from said executable attachment, wherein said feature extractor is further configured to create a byte string representative of resources referenced by said executable attachment; and
c) a rule evaluator configured to classify said executable attachment by comparing said byte sequence feature of said executable attachment to a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes to determine the probability whether said executable attachment is malicious.
Dependent claims: 29, 30, 31, 32, 33, 41, 42.

34. A system for classifying an executable attachment in an email received at a server of a computer system comprising:
a) an email filter configured to filter said executable attachment from said email;
b) a feature extractor configured to extract a byte sequence feature from said executable attachment; and
c) a rule evaluator configured to predict the classification of said executable attachment as one class of a set of classes consisting of malicious, benign, and borderline by comparing said byte sequence feature of said executable attachment to a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes.
Dependent claims: 35, 36, 37, 38, 39, 40.

43. A method for classifying an executable program comprising:
a) training a classification rule set based on a predetermined set of known executable programs having a predetermined class and one or more byte sequence features by recording the number of known executable programs in each said predetermined class that has each of said byte sequence features;
b) extracting a byte sequence feature from said executable program comprising converting said executable program from binary format to hexadecimal format; and
c) determining the probability that the executable program is within each said predetermined class in a set of classes consisting of malicious, benign, and borderline, based on said one or more byte sequence features in said executable and said classification rule set.
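The abstract and claims 16 and 43 describe the same pipeline: convert the executable to hexadecimal, extract byte sequence features, train a rule set by recording how many known executables of each class contain each feature, compute per-class probabilities, and emit "borderline" when the malicious and benign probabilities are within a threshold, flagging the rule set for refinement once too many borderline verdicts accumulate. The following is an added worked example of that procedure, not code from the patent or its assignee. Its assumptions are mine: features are 2-byte sequences of the hex dump, the per-class feature counts are turned into probabilities with a multi-variate Bernoulli naive Bayes rule (Laplace-smoothed), features never seen in training are ignored, and the "byte string representative of resources referenced" by the executable (claims 1, 16, 28) is not modeled. All sample bytes are constructed stand-ins, not real executables.

```python
"""Added example of byte-sequence classification with a borderline class.

Assumptions (mine, not the patent's): 2-byte hex features, a Bernoulli naive
Bayes rule set built from per-class feature counts, constructed sample bytes.
"""
import math
from collections import Counter, defaultdict


def hex_byte_sequences(data: bytes, n: int = 2) -> set:
    """Convert raw bytes to hex and return the set of n-byte sequences present."""
    hexstr = data.hex()
    return {hexstr[2 * i:2 * (i + n)] for i in range(len(data) - n + 1)}


class ByteSequenceClassifier:
    def __init__(self, n=2, borderline_threshold=0.2, borderline_limit=1, alpha=1.0):
        self.n = n
        self.threshold = borderline_threshold       # |P(malicious) - P(benign)| below this => borderline
        self.limit = borderline_limit               # more borderline verdicts than this => refine rule set
        self.alpha = alpha                          # Laplace smoothing for unseen feature/class pairs
        self.class_counts = Counter()               # class -> number of training executables
        self.feature_counts = defaultdict(Counter)  # class -> feature -> executables containing it
        self.vocab = set()                          # every feature seen in training
        self.borderline_seen = 0

    def train(self, samples):
        """Rule set: per class, the number of known executables that have each feature."""
        for data, label in samples:
            feats = hex_byte_sequences(data, self.n)
            self.class_counts[label] += 1
            for f in feats:
                self.feature_counts[label][f] += 1
            self.vocab |= feats

    def posteriors(self, data):
        """P(class | features) for each trained class, normalised with log-sum-exp."""
        feats = hex_byte_sequences(data, self.n)
        total = sum(self.class_counts.values())
        log_p = {}
        for cls, n_cls in self.class_counts.items():
            lp = math.log(n_cls / total)  # class prior
            for f in self.vocab:
                p_f = (self.feature_counts[cls][f] + self.alpha) / (n_cls + 2 * self.alpha)
                lp += math.log(p_f) if f in feats else math.log(1.0 - p_f)
            log_p[cls] = lp
        m = max(log_p.values())
        weights = {c: math.exp(v - m) for c, v in log_p.items()}
        z = sum(weights.values())
        return {c: w / z for c, w in weights.items()}

    def classify(self, data):
        """Return (label, posteriors); label is malicious, benign or borderline."""
        post = self.posteriors(data)
        if abs(post["malicious"] - post["benign"]) < self.threshold:
            self.borderline_seen += 1
            return "borderline", post
        return max(post, key=post.get), post

    def needs_refinement(self):
        """True once borderline verdicts exceed the configured limit (user notification point)."""
        return self.borderline_seen > self.limit


HEADER = b"MZ\x90\x00"  # constructed stub shared by every sample


def build_demo_classifier():
    """Train on six constructed samples: three benign, three malicious."""
    benign_core = b"\x55\x8b\xec\x83\xec"      # constructed, shared by benign samples
    malicious_core = b"\xeb\xfe\x90\xcc\x5d"   # constructed, shared by malicious samples
    training = [
        (HEADER + benign_core + b"\x10\x11", "benign"),
        (HEADER + benign_core + b"\x20\x21", "benign"),
        (HEADER + benign_core + b"\x30\x31", "benign"),
        (HEADER + malicious_core + b"\x40\x41", "malicious"),
        (HEADER + malicious_core + b"\x50\x51", "malicious"),
        (HEADER + malicious_core + b"\x60\x61", "malicious"),
    ]
    clf = ByteSequenceClassifier()
    clf.train(training)
    return clf


if __name__ == "__main__":
    clf = build_demo_classifier()
    for sample in (HEADER + b"\xeb\xfe\x90\xcc\x5d\x70\x71",
                   HEADER + b"\x55\x8b\xec\x83\xec\x70",
                   HEADER + b"\x12\x34"):
        label, post = clf.classify(sample)
        print(sample.hex(), label, {c: round(p, 4) for c, p in post.items()})
    print("refine rule set:", clf.needs_refinement())
```

The third sample shares only the header bytes with both classes, so its posteriors come out equal and it lands in the borderline class; a second such verdict pushes the count past `borderline_limit`, which is the point at which the abstract says the user is notified to refine the rule set.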