System and methods for detection of new malicious executables

DC CAFC

US 7,487,544 B2
Filed: 07/30/2002
Issued: 02/03/2009
Est. Priority Date: 07/30/2001
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A method for classifying an executable attachment in an email received at an email processing application of a computer system comprising:

a) filtering said executable attachment from said email;

b) extracting a byte sequence feature from said executable attachment; and

c) classifying said executable attachment by comparing said byte sequence feature of said executable attachment with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes to determine the probability whether said executable attachment is malicious, wherein extracting said byte sequence features from said executable attachment comprises creating a byte string representative of resources referenced by said executable attachment.

View all claims

1 Assignment

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

A system and methods for detecting malicious executable attachments at an email processing application of a computer system using data mining techniques. The email processing application may be located at the server or at the client or host. The executable attachments are filtered from said email, and byte sequence features are extracted from the executable attachment. The executable attachments are classified by comparing the byte sequence feature of the executable attachment to a classification rule set derived from byte sequence features of a data set of known executables having a predetermined class in a set of classes, e.g., malicious or benign. The system is also able to classify executable attachments as borderline when the difference between the probability that the executable is malicious and the probability that the executable is benign are within a predetermined threshold. The system can notify the user when the number of borderline attachments exceeds the threshold in order to refine the classification rule set.

145 Citations

43 Claims

1. A method for classifying an executable attachment in an email received at an email processing application of a computer system comprising:
- a) filtering said executable attachment from said email;
  
  b) extracting a byte sequence feature from said executable attachment; and
  
  c) classifying said executable attachment by comparing said byte sequence feature of said executable attachment with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes to determine the probability whether said executable attachment is malicious, wherein extracting said byte sequence features from said executable attachment comprises creating a byte string representative of resources referenced by said executable attachment.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method as defined in claim 1, wherein extracting said byte sequence feature from said executable attachment comprises extracting static properties of said executable attachment.
  - 3. The method as defined in claim 1, wherein extracting said byte sequence feature from said executable attachment comprises converting said executable attachment from binary format to hexadecimal format.
  - 4. The method as defined in claim 1, wherein classifying said executable attachment comprises determining a probability that said executable attachment is a member of each class in a set of classes consisting of malicious and benign.
  - 5. The method as defined in claim 1, further comprising updating the classification rule set based on executable attachments classified in said classifying.

6. A method for classifying an executable attachment in an email received at an email processing application of a computer system comprising:
- a) filtering said executable attachment from said email;
  
  b) extracting a byte sequence feature from said executable attachment; and
  
  c) classifying said executable attachment by comparing said byte sequence feature of said executable attachment with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes to determine a probability that said executable attachment is a member of each class in a set of classes consisting of malicious, benign, and borderline.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 7. The method as defined in claim 6, wherein classifying said executable attachment comprises determining said probability that said executable attachment is a member of each class in said set of classes with a Naive Bayes algorithm.
  - 8. The method as defined in claim 6, wherein classifying the executable attachment comprises determining said probability that said executable attachment is a member of a class in said set of classes with a Multi-Naive Bayes algorithm.
  - 9. The method as defined in claim 8, which further comprises dividing said determining said probability into a plurality of processing steps and executing said processing steps in parallel.
  - 10. The method as defined in claim 6, wherein classifying the executable attachment comprises classifying said executable attachment as malicious if said probability that said executable attachment is malicious is greater than said probability that said executable attachment is benign.
  - 11. The method as defined in claim 6, wherein classifying the executable attachment comprises classifying said executable attachment as benign if said probability that said executable attachment is benign is greater than said probability that said executable attachment is malicious.
  - 12. The method as defined in claim 6, wherein classifying the executable attachment comprises classifying said executable attachment as borderline if a difference between said probability that said executable attachment is benign and said probability that said executable attachment is malicious is within a predetermined threshold.
  - 13. The method as defined in claim 6, which further comprises logging said class of said executable attachment classified in said step c).
  - 14. The method as defined in claim 13, wherein logging said class of said executable attachment further comprising incrementing a count of said executable attachments classified as borderline.
  - 15. The method defined in claim 14, which further comprises, if said count of executable attachments exceeds a predetermined threshold, providing a notification that said threshold has been exceeded.

16. A method for classifying an executable program comprising:
- a) training a classification rule set based on a predetermined set of known executable programs having a predetermined class and one or more byte sequence features by recording the number of known executable programs in each said predetermined class that has each of said byte sequence features;
  
  b) extracting a byte sequence feature from said executable program comprising converting said executable program from binary format to hexadecimal format, wherein extracting said byte sequence features from said executable attachment comprises create a byte string representative of resources referenced by said executable attachment; and
  
  c) determining the probability that the executable program is within each said predetermined class, based on said one or more byte sequence features in said executable and said classification rule set to determine whether said executable program is malicious.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 17. The method as defined in claim 16, wherein extracting said byte sequence feature from said executable program comprises extracting static properties of said executable program.
  - 18. The method as defined in claim 16, wherein determining the probability that the executable program is within each said predetermined class comprises determining the probability that the executable program is within said predetermined class in a set of classes consisting of malicious and benign.
  - 19. The method as defined in claim 16, wherein determining said probability that the executable program is within each said predetermined class comprises determining said probability that the executable program is within each said predetermined class with a Naive Bayes algorithm.
  - 20. The method as defined in claim 16, wherein determining said probability that the executable program is within each said predetermined class comprises determining said probability that the executable program is within each said predetermined class with a multi-Naive Bayes algorithm.
  - 21. The method as defined in claim 16, wherein determining said probability that the executable program is within each said predetermined class comprises classifying said executable program as malicious if said probability that said executable program is malicious is greater than said probability that said executable program is benign.
  - 22. The method as defined in claim 16, wherein determining said probability that the executable program is within each said predetermined class comprises classifying said executable program as benign if said probability that said executable program is benign is greater than said probability that said executable program is malicious.
  - 23. The method as defined in claim 16, wherein determining said probability that the executable program is within each said predetermined class comprises classifying said executable program as borderline if a difference between said probability that said executable program is benign and said probability that said executable program is malicious is within a predetermined threshold.
  - 24. The method as defined in claim 16, which further comprises logging said class of said executable determined in said step c).
  - 25. The method as defined in claim 24, wherein logging said class of said executable further comprising incrementing a count of said executable classified as borderline.
  - 26. The method defined in claim 25, which further comprises, if said count of executable exceeds a predetermined threshold, providing a notification that said threshold has been exceeded.
  - 27. The method as defined in claim 16, further comprising updating the classification rule set based on executable attachments classified in said determining.

28. A system for classifying an executable attachment in an email received at a server of a computer system comprising:
- a) an email filter configured to filter said executable attachment from said email;
  
  b) a feature extractor configured to extract a byte sequence feature from said executable attachment, wherein said feature extractor is further configured to create a byte string representative of resources referenced by said executable attachment; and
  
  c) a rule evaluator configured to classify said executable attachment by comparing said byte sequence feature of said executable attachment to a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes to determine the probability whether said executable attachment is malicious.
- View Dependent Claims (29, 30, 31, 32, 33, 41, 42)
- - 29. The system as defined in claim 28, wherein the feature extractor is configured to extract static properties of said executable attachment.
  - 30. The system as defined in claim 28, wherein the feature extractor is configured to convert said executable attachment from binary format to hexadecimal format.
  - 31. The system as defined in claim 28, wherein the rule evaluator is configured to predict the classification of said executable attachment as one class of a set of classes consisting of malicious and benign.
  - 32. The system as defined in claim 28, which further comprises an email interface configured to log said class of said executable attachment classified in said step c).
  - 33. The system as defined in claim 28, further comprising a model generator configured to update the classification rule set based on classified executable attachments.
  - 41. The system as defined in claim 32, wherein said email interface is configured to increment a count of said executable attachments classified as borderline.
  - 42. The system defined in claim 41, wherein said email interface is configured to, if said count of executable attachments exceeds a predetermined threshold, provide a notification that said threshold has been exceeded.

34. A system for classifying an executable attachment in an email received at a server of a computer system comprising:
- a) an email filter configured to filter said executable attachment from said email;
  
  b) a feature extractor configured to extract a byte sequence feature from said executable attachment; and
  
  c) a rule evaluator is configured to predict the classification of said executable attachment as one class of a set of classes consisting of malicious, benign, and borderline by comparing said byte sequence feature of said executable attachment to a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes.
- View Dependent Claims (35, 36, 37, 38, 39, 40)
- - 35. The system as defined in claim 34, wherein the rule evaluator is configured to determine said probability that said executable attachment is a member of one class of said set of classes with a Naive Bayes algorithm.
  - 36. The system as defined in claim 34, wherein the rule evaluator is configured to determine said probability that said executable attachment is a member of a class of said set of classes with a multi-Naive Bayes algorithm.
  - 37. The system as defined in claim 34, wherein the rule evaluator is configured to divide a determination said probability into a plurality of processing steps and to execute said processing steps in parallel.
  - 38. The system as defined in claim 34, wherein the rule evaluator is configured to classify said executable attachment as malicious if said probability that said executable attachment is malicious is greater than said probability that said executable attachment is benign.
  - 39. The system as defined in claim 34, wherein the rule evaluator is configured to classify said executable attachment as benign if said probability that said executable attachment is benign is greater than said probability that said executable attachment is malicious.
  - 40. The system as defined in claim 34, wherein the rule evaluator is configured to classify said executable attachment as borderline if a difference between said probability that said executable attachment is benign and said probability that said executable attachment is malicious is within a predetermined threshold.

43. A method for classifying an executable program comprising:
- a) training a classification rule set based on a predetermined set of known executable programs having a predetermined class and one or more byte sequence features by recording the number of known executable programs in each said predetermined class that has each of said byte sequence features;
  
  b) extracting a byte sequence feature from said executable program comprising converting said executable program from binary format to hexadecimal formatc) determining the probability that the executable program is within each said predetermined class in a set of classes consisting of malicious, benign, and borderline, based on said one or more byte sequence features in said executable and said classification rule set.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Original Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Inventors
Eskin, Eleazar, Bhattacharyya, Manasi, Zadok, Erez, Schultz, Matthew G., Salvatore, Stolfo J.
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Nobahar, Abdulhakim

Application Number

US10/208,432
Publication Number

US 20030065926A1
Time in Patent Office

2,380 Days
Field of Search

726/13, 726 22- 25, 713/156, 713/188, 709/206, 709/207, 709/225
US Class Current

726/24
CPC Class Codes

G06F 21/562 Static detection

H04L 63/145 the attack involving the pr...

System and methods for detection of new malicious executables

First Claim

1 Assignment

Litigations

1 Petition

Accused Products

Abstract

145 Citations

43 Claims

Specification

Use Cases

Quick Links

Others

System and methods for detection of new malicious executables

First Claim

1 Assignment

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

145 Citations

43 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others