Methods And Systems For Malware Detection
Abstract
Methods, system, and media for detecting malware are disclosed. A network may be monitored for a configured time interval collecting all of or some of the network traffic or samples of the network traffic. Feature vectors may be extracted from the network traffic resulting in feature vectors. One or more machine learning models may be applied to the feature vectors producing a score. The score may indicate the presence of malware or the presence of a particular type of malware. One or more scores obtained by applying learning models may be fused by another machine learning model into a resulting score. A threshold value may be calculated to accompany a score indicating the likelihood that the traffic sample indicates the presence of malware and the likely effectiveness of planned remediation effort. An alert may be generated from the score and the threshold when the threshold is exceeded.
Claims
exact text as granted — not AI-modified1 - 20 . (canceled)
21 . A computer-implemented method comprising:
obtaining data that is representative of particular network traffic transmitted over a network during a particular time interval; generating one or more particular values for one or more corresponding features (i) of the data that is representative of the particular network traffic transmitted over the network during the particular time interval, and (ii) that are associated with a predictive model that is trained to classify network traffic as including unidentified malware of a particular class of malware or as not including the unidentified malware of the particular class of malware using one or more respective values for the one or more corresponding features; providing the one or more particular values to the predictive model that is trained to classify network traffic as including unidentified malware of the particular class of malware or as not including the unidentified malware of the particular class of malware using one or more values for the one or more corresponding features; receiving, from the predictive model, a score that reflects a likelihood that the particular network traffic indicates unidentified malware of the particular class of malware or does not indicate unidentified malware of the particular class of malware; and determining to output an alert to indicate a presence of malware based at least on the score that reflects the likelihood that the particular network traffic indicates unidentified malware of the particular class of malware or does not indicate unidentified malware of the particular class of malware.
22 . The method of claim 21 , comprising:
determining that the data does not include characteristics of known malware, wherein generating the one or more particular values for the one or more corresponding features (i) of the data that is representative of the particular network traffic transmitted over the network during the particular time interval, and (ii) that are associated with a predictive model that is trained to classify network traffic as including unidentified malware of a particular class of malware or as not including the unidentified malware of the particular class of malware using one or more respective values for the one or more corresponding features comprises generating the one or more particular values for the one or more corresponding features (i) of the data that is representative of the particular network traffic transmitted over the network during the particular time interval, and (ii) that are associated with a predictive model that is trained to classify network traffic as including unidentified malware of a particular class of malware or as not including the unidentified malware of the particular class of malware using one or more respective values for the one or more corresponding features in response to determining that the data does not include characteristics of known malware.
23 . The method of claim 21 , comprising:
sending, to a remediation system, the alert to indicate the presence of malware on a particular computing device in response to determining to output the alert to indicate the presence of malware based at least on the score.
24 . The method of claim 21 , comprising:
determining that the score satisfies a threshold value, wherein determining to output the alert to indicate the presence of malware based at least on the score comprises determining to output the alert to indicate the presence of malware based at least on determining that the score satisfies the threshold value.
25 . The method of claim 21 , wherein determining to output the alert to indicate the presence of malware based at least on the score that reflects the likelihood that the particular network traffic indicates unidentified malware of the particular class of malware or does not indicate unidentified malware of the particular class of malware comprises determining to output the alert to indicate the presence of malware based on at least the particular class of malware that the particular network traffic indicates.
26 . The method of claim 21 , wherein receiving, from the predictive model, the score that reflects the likelihood that the particular network traffic indicates unidentified malware of the particular class of malware or does not indicate unidentified malware of the particular class of malware comprises receiving, from the predictive model, the score that reflects the likelihood that the particular network traffic indicates unidentified malware of the particular class selected from one of a malicious software program, a virus, a worm, a Trojan horse, a rootkit, a key logger, spyware, adware, or rogue security software.
27 . A system comprising:
a data processing apparatus; and a non-transitory computer readable storage medium in data communication with the data processing apparatus and storing instructions executable by the data processing apparatus and upon such execution cause the data processing apparatus to perform operations comprising:
obtaining data that is representative of particular network traffic transmitted over a network during a particular time interval;
generating one or more particular values for one or more corresponding features (i) of the data that is representative of the particular network traffic transmitted over the network during the particular time interval, and (ii) that are associated with a predictive model that is trained to classify network traffic as including unidentified malware of a particular class of malware or as not including the unidentified malware of the particular class of malware using one or more respective values for the one or more corresponding features;
providing the one or more particular values to the predictive model that is trained to classify network traffic as including unidentified malware of the particular class of malware or as not including the unidentified malware of the particular class of malware using one or more values for the one or more corresponding features;
receiving, from the predictive model, a score that reflects a likelihood that the particular network traffic indicates unidentified malware of the particular class of malware or does not indicate unidentified malware of the particular class of malware; and
determining to output an alert to indicate a presence of malware based at least on the score that reflects the likelihood that the particular network traffic indicates unidentified malware of the particular class of malware or does not indicate unidentified malware of the particular class of malware.
28 . The system of claim 27 , the operations comprising:
determining that the data does not include characteristics of known malware, wherein generating the one or more particular values for the one or more corresponding features (i) of the data that is representative of the particular network traffic transmitted over the network during the particular time interval, and (ii) that are associated with a predictive model that is trained to classify network traffic as including unidentified malware of a particular class of malware or as not including the unidentified malware of the particular class of malware using one or more respective values for the one or more corresponding features comprises generating the one or more particular values for the one or more corresponding features (i) of the data that is representative of the particular network traffic transmitted over the network during the particular time interval, and (ii) that are associated with a predictive model that is trained to classify network traffic as including unidentified malware of a particular class of malware or as not including the unidentified malware of the particular class of malware using one or more respective values for the one or more corresponding features in response to determining that the data does not include characteristics of known malware.
29 . The system of claim 27 , the operations comprising:
sending, to a remediation system, the alert to indicate the presence of malware on a particular computing device in response to determining to output the alert to indicate the presence of malware based at least on the score.
30 . The system of claim 27 , the operations comprising:
determining that the score satisfies a threshold value, wherein determining to output the alert to indicate the presence of malware based at least on the score comprises determining to output the alert to indicate the presence of malware based at least on determining that the score satisfies the threshold value.
31 . The system of claim 27 , wherein determining to output the alert to indicate the presence of malware based at least on the score that reflects the likelihood that the particular network traffic indicates unidentified malware of the particular class of malware or does not indicate unidentified malware of the particular class of malware comprises determining to output the alert to indicate the presence of malware based on at least the particular class of malware that the particular network traffic indicates.
32 . The system of claim 27 , wherein receiving, from the predictive model, the score that reflects the likelihood that the particular network traffic indicates unidentified malware of the particular class of malware or does not indicate unidentified malware of the particular class of malware comprises receiving, from the predictive model, the score that reflects the likelihood that the particular network traffic indicates unidentified malware of the particular class selected from one of a malicious software program, a virus, a worm, a Trojan horse, a rootkit, a key logger, spyware, adware, or rogue security software.
33 . A non-transitory computer readable storage medium storing instructions executable by a data processing apparatus and upon such execution cause the data processing apparatus to perform operations comprising:
obtaining data that is representative of particular network traffic transmitted over a network during a particular time interval; generating one or more particular values for one or more corresponding features (i) of the data that is representative of the particular network traffic transmitted over the network during the particular time interval, and (ii) that are associated with a predictive model that is trained to classify network traffic as including unidentified malware of a particular class of malware or as not including the unidentified malware of the particular class of malware using one or more respective values for the one or more corresponding features; providing the one or more particular values to the predictive model that is trained to classify network traffic as including unidentified malware of the particular class of malware or as not including the unidentified malware of the particular class of malware using one or more values for the one or more corresponding features; receiving, from the predictive model, a score that reflects a likelihood that the particular network traffic indicates unidentified malware of the particular class of malware or does not indicate unidentified malware of the particular class of malware; and determining to output an alert to indicate a presence of malware based at least on the score that reflects the likelihood that the particular network traffic indicates unidentified malware of the particular class of malware or does not indicate unidentified malware of the particular class of malware.
34 . The computer readable storage medium of claim 33 , the operations comprising:
determining that the data does not include characteristics of known malware, wherein generating the one or more particular values for the one or more corresponding features (i) of the data that is representative of the particular network traffic transmitted over the network during the particular time interval, and (ii) that are associated with a predictive model that is trained to classify network traffic as including unidentified malware of a particular class of malware or as not including the unidentified malware of the particular class of malware using one or more respective values for the one or more corresponding features comprises generating the one or more particular values for the one or more corresponding features (i) of the data that is representative of the particular network traffic transmitted over the network during the particular time interval, and (ii) that are associated with a predictive model that is trained to classify network traffic as including unidentified malware of a particular class of malware or as not including the unidentified malware of the particular class of malware using one or more respective values for the one or more corresponding features in response to determining that the data does not include characteristics of known malware.
35 . The computer readable storage medium of claim 33 , the operations comprising:
sending, to a remediation system, the alert to indicate the presence of malware on a particular computing device in response to determining to output the alert to indicate the presence of malware based at least on the score.
36 . The computer readable storage medium of claim 33 , the operations comprising:
determining that the score satisfies a threshold value, wherein determining to output the alert to indicate the presence of malware based at least on the score comprises determining to output the alert to indicate the presence of malware based at least on determining that the score satisfies the threshold value.
37 . The computer readable storage medium of claim 33 , wherein determining to output the alert to indicate the presence of malware based at least on the score that reflects the likelihood that the particular network traffic indicates unidentified malware of the particular class of malware or does not indicate unidentified malware of the particular class of malware comprises determining to output the alert to indicate the presence of malware based on at least the particular class of malware that the particular network traffic indicates.
38 . The computer readable storage medium of claim 33 , wherein receiving, from the predictive model, the score that reflects the likelihood that the particular network traffic indicates unidentified malware of the particular class of malware or does not indicate unidentified malware of the particular class of malware comprises receiving, from the predictive model, the score that reflects the likelihood that the particular network traffic indicates unidentified malware of the particular class selected from one of a malicious software program, a virus, a worm, a Trojan horse, a rootkit, a key logger, spyware, adware, or rogue security software.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.