Systems and methods for detection of new malicious executables
DC CAFCFirst Claim
1. A method for classifying an executable attachment in an email received at a computer system comprising:
- a) filtering said executable attachment from said email;
b) extracting a byte sequence feature from said executable attachment; and
c) classifying said executable attachment by comparing said byte sequence feature of said executable attachment with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes,wherein said classifying comprises determining using a computer processor, with a Multi-Naive Bayes algorithm, a probability that said executable attachment is a member of each class in said set of classes based on said byte sequence feature and dividing said step of determining said probability into a plurality of processing steps and executing said processing steps in parallel.
1 Assignment
Litigations
1 Petition
Accused Products
Abstract
A system and methods for detecting malicious executable attachments at an email processing application of a computer system using data mining techniques. The email processing application may be located at the server or at the client or host. The executable attachments are filtered from said email, and byte sequence features are extracted from the executable attachment. The executable attachments are classified by comparing the byte sequence feature of the executable attachment to a classification rule set derived from byte sequence features of a data set of known executables having a predetermined class in a set of classes, e.g., malicious or benign. The system is also able to classify executable attachments as borderline when the difference between the probability that the executable is malicious and the probability that the executable is benign are within a predetermined threshold. The system can notify the user when the number of borderline attachments exceeds the threshold in order to refine the classification rule set.
53 Citations
20 Claims
-
1. A method for classifying an executable attachment in an email received at a computer system comprising:
-
a) filtering said executable attachment from said email; b) extracting a byte sequence feature from said executable attachment; and c) classifying said executable attachment by comparing said byte sequence feature of said executable attachment with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes, wherein said classifying comprises determining using a computer processor, with a Multi-Naive Bayes algorithm, a probability that said executable attachment is a member of each class in said set of classes based on said byte sequence feature and dividing said step of determining said probability into a plurality of processing steps and executing said processing steps in parallel. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A system for classifying an executable attachment in an email received at a computer system comprising:
-
one or more computer processors executing instructions which implement; a) an email filter configured to filter said executable attachment from said email; b) a feature extractor configured to extract a byte sequence feature from said executable attachment; and c) a rule evaluator configured to;
classify said executable attachment by comparing said byte sequence feature of said executable attachment to a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes,determine a probability that said executable attachment is a member of a class of said set of classes based on said byte sequence feature, and divide the determination of said probability into a plurality of processing steps and to execute said processing steps in parallel. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
-
Specification