Systems and methods for detection of new malicious executables

DC CAFC

US 7,979,907 B2
Filed: 12/18/2008
Issued: 07/12/2011
Est. Priority Date: 07/30/2001
Status: Expired due to Fees

- Alert
- Pin

First Claim

Patent Images

1. A method for classifying an executable attachment in an email received at a computer system comprising:

a) filtering said executable attachment from said email;

b) extracting a byte sequence feature from said executable attachment; and

c) classifying said executable attachment by comparing said byte sequence feature of said executable attachment with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes,wherein said classifying comprises determining using a computer processor, with a Multi-Naive Bayes algorithm, a probability that said executable attachment is a member of each class in said set of classes based on said byte sequence feature and dividing said step of determining said probability into a plurality of processing steps and executing said processing steps in parallel.

View all claims

1 Assignment

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

A system and methods for detecting malicious executable attachments at an email processing application of a computer system using data mining techniques. The email processing application may be located at the server or at the client or host. The executable attachments are filtered from said email, and byte sequence features are extracted from the executable attachment. The executable attachments are classified by comparing the byte sequence feature of the executable attachment to a classification rule set derived from byte sequence features of a data set of known executables having a predetermined class in a set of classes, e.g., malicious or benign. The system is also able to classify executable attachments as borderline when the difference between the probability that the executable is malicious and the probability that the executable is benign are within a predetermined threshold. The system can notify the user when the number of borderline attachments exceeds the threshold in order to refine the classification rule set.

53 Citations

View as Search Results

20 Claims

1. A method for classifying an executable attachment in an email received at a computer system comprising:
- a) filtering said executable attachment from said email;
  
  b) extracting a byte sequence feature from said executable attachment; and
  
  c) classifying said executable attachment by comparing said byte sequence feature of said executable attachment with a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes,wherein said classifying comprises determining using a computer processor, with a Multi-Naive Bayes algorithm, a probability that said executable attachment is a member of each class in said set of classes based on said byte sequence feature and dividing said step of determining said probability into a plurality of processing steps and executing said processing steps in parallel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as defined in claim 1, wherein the step of extracting said byte sequence feature from said executable attachment comprises extracting static properties of said executable attachment.
  - 3. The method as defined in claim 1, wherein the step of extracting said byte sequence feature from said executable attachment comprises converting said executable attachment from binary format to hexadecimal format.
  - 4. The method as defined in claim 1, wherein the step of extracting said byte sequence features from said executable attachment comprises creating a byte string representative of resources referenced by said executable attachment.
  - 5. The method as defined in claim 1, wherein the step of classifying said executable attachment comprises determining a probability that said executable attachment is a member of each class in a set of classes consisting of malicious and benign.
  - 6. The method as defined in claim 1, wherein the step of classifying said executable attachment comprises determining a probability that said executable attachment is a member of each class in a set of classes consisting of malicious, benign, and borderline.
  - 7. The method as defined in claim 1, wherein the step of classifying the executable attachment comprises classifying said executable attachment as malicious if said probability that said executable attachment is malicious is greater than said probability that said executable attachment is benign.
  - 8. The method as defined in claim 1, wherein the step of classifying the executable attachment comprises classifying said executable attachment as benign if said probability that said executable attachment is benign is greater than said probability that said executable attachment is malicious.
  - 9. The method as defined in claim 1, wherein the step of classifying the executable attachment comprises classifying said executable attachment as borderline if a difference between said probability that said executable attachment is benign and said probability that said executable attachment is malicious is within a predetermined threshold.

10. A system for classifying an executable attachment in an email received at a computer system comprising:
- one or more computer processors executing instructions which implement;
  
  a) an email filter configured to filter said executable attachment from said email;
  
  b) a feature extractor configured to extract a byte sequence feature from said executable attachment; and
  
  c) a rule evaluator configured to;
  
  classify said executable attachment by comparing said byte sequence feature of said executable attachment to a classification rule set derived from byte sequence features of a set of executables having a predetermined class in a set of classes,determine a probability that said executable attachment is a member of a class of said set of classes based on said byte sequence feature, anddivide the determination of said probability into a plurality of processing steps and to execute said processing steps in parallel.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The system as defined in claim 10, wherein the feature extractor is configured to extract static properties of said executable attachment.
  - 12. The system as defined in claim 10, wherein the feature extractor is configured to convert said executable attachment from binary format to hexadecimal format.
  - 13. The system as defined in claim 10, wherein the feature extractor is configured to create a byte string representative of resources referenced by said executable attachment.
  - 14. The system as defined in claim 10, wherein the rule evaluator is configured to predict the classification of said executable attachment as one class of a set of classes consisting of malicious and benign.
  - 15. The system as defined in claim 10, wherein the rule evaluator is configured to predict the classification of said executable attachment as one class of a set of classes consisting of malicious, benign, and borderline.
  - 16. The system as defined in claim 10, wherein the rule evaluator is configured to determine said probability that said executable attachment is a member of one class of said set of classes with a Naive Bayes algorithm.
  - 17. The system as defined in claim 10, wherein the rule evaluator is configured to determine said probability that said executable attachment is a member of a class of said set of classes with a multi-Naive Bayes algorithm.
  - 18. The system as defined in claim 10, wherein the rule evaluator is configured to classify said executable attachment as malicious if said probability that said executable attachment is malicious is greater than said probability that said executable attachment is benign.
  - 19. The system as defined in claim 10, wherein the rule evaluator is configured to classify said executable attachment as benign if said probability that said executable attachment is benign is greater than said probability that said executable attachment is malicious.
  - 20. The system as defined in claim 10, wherein the rule evaluator is configured to classify said executable attachment as borderline if a difference between said probability that said executable attachment is benign and said probability that said executable attachment is malicious is within a predetermined threshold.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Original Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Inventors
Schultz, Matthew G., Eskin, Eleazar, Zadok, Erez, Bhattacharyya, Manasi, Salvatore J., Stolfo
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Nobahar, Abdulhakim

Application Number

US12/338,479
Publication Number

US 20090254992A1
Time in Patent Office

936 Days
Field of Search

726/13, 726 22- 25, 713/156, 713/188, 709/206, 709/207, 709/225
US Class Current

726/24
CPC Class Codes

G06F 21/562 Static detection

H04L 63/145 the attack involving the pr...

Systems and methods for detection of new malicious executables

First Claim

1 Assignment

Litigations

1 Petition

Accused Products

Abstract

53 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detection of new malicious executables

First Claim

1 Assignment

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links