Automated detection of malware using trained neural network-based file classifiers and machine learning
Abstract
A computing device including a memory configured to store instructions. The computing device includes a processor configured to execute the instructions from the memory to perform operations. The operations include identifying, among multiple files of a file package, a first file having a first file type. The operations include identifying, among the multiple files of the file package, a second file having a second file type. The operations include generating, based on the first file type, a first feature vector based on first features extracted from the first file. The operations include generating, based on the second file type, a second feature vector based on second features extracted from the second file. The operations include generating classification data associated with the file package, the classification data indicating whether the file package is predicted to include malware.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A computing device comprising:
a memory configured to store instructions; and a processor configured to execute the instructions from the memory to perform operations comprising:
identifying, among multiple files of a file package, a first file having a first file type;
identifying, among the multiple files of the file package, a second file having a second file type, wherein the second file type is distinct from the first file type;
generating, based on the first file type, a first feature vector based on first features extracted from the first file;
generating, based on the second file type, a second feature vector based on second features extracted from the second file, wherein the first features are distinct from the second features; and
generating classification data associated with the file package, the classification data indicating whether the file package is predicted to include malware, wherein the classification data is generated based on the first feature vector and the second feature vector.
2 . The computing device of claim 1 , wherein the first features correspond to character information associated with the first file, and wherein the second features correspond to an occurrence of attributes in the second file.
3 . The computing device of claim 1 , wherein the first file type is an executable file type and the second file type is a non-executable file type.
4 . The computing device of claim 1 , wherein the first feature vector is generated based on:
zero-skip n-gram data indicating occurrences of adjacent characters in printable characters representing the first file; skip n-gram data indicating occurrences of non-adjacent characters in the printable characters representing the first file; and n-gram data indicating occurrences of groups of entropy indicators in a first set of entropy indicators derived from first file entropy data for the first file, each entropy indicator of the first set of entropy indicators having a value representing entropy of a corresponding chunk of the first file.
5 . The computing device of claim 1 , wherein the second feature vector is based on occurrences of attributes in the second file.
6 . The computing device of claim 5 , wherein the attributes include requests for system permissions indicated by the second file.
7 . The computing device of claim 6 , wherein the second feature vector includes a Boolean vector indicating whether each system permission of a particular group of system permissions is requested by the second file.
8 . The computing device of claim 5 , wherein the attributes include references to application programming interface (API) classes associated with an operating system executed by the processor, the references to the API classes indicated by the second file.
9 . The computing device of claim 1 , wherein the second feature vector indicates that particular information is present in the second file.
10 . The computing device of claim 1 , wherein the operations further comprise initiating performance of one or more malware protection operations based on the classification data indicating that the file package includes malware.
11 . The computing device of claim 1 , wherein the file package corresponds to an application file package of a mobile device application.
12 . The computing device of claim 1 , wherein the classification data is generated using a feed-forward neural network that includes at least one hidden layer.
13 . A method comprising:
identifying, among multiple files of a file package, a first file having a first file type; identifying, among the multiple files of the file package, a second file having a second file type, wherein the second file type is distinct from the first file type; generating, based on the first file type, a first feature vector based on first features extracted from the first file; generating, based on the second file type, a second feature vector based on second features extracted from the second file, wherein the first features are distinct from the second features; and generating classification data associated with the file package, the classification data indicating whether the file package is predicted to include malware, wherein the classification data is generated based on the first feature vector and the second feature vector.
14 . The method of claim 13 , wherein the first file type corresponds to an executable file type, and wherein the first feature vector is generated based on:
zero-skip n-gram data for the first file, wherein first zero-skip n-gram data of the zero-skip n-gram data indicates occurrences of adjacent characters in printable characters representing the first file; skip n-gram data for the first file, wherein first skip n-gram data of the skip n-gram data indicates occurrences of non-adjacent characters in the printable characters representing the first file; and n-gram data for the first file, wherein first n-gram data of the n-gram data indicates occurrences of groups of entropy indicators in a first set of entropy indicators derived from first file entropy data for the first file, each entropy indicator of the first set of entropy indicators having a value representing entropy of a corresponding chunk of the first file.
15 . The method of claim 13 , further comprising combining the first feature vector and the second feature vector to generate a combined feature vector, wherein the classification data is generated based on the combined feature vector.
16 . The method of claim 13 , wherein the second feature vector is based on occurrences of attributes in the second file.
17 . The method of claim 13 , further comprising:
processing the first file to generate printable characters representing the first file; and processing the printable characters to generate zero-skip n-gram data and skip n-gram data.
18 . The method of claim 17 , further comprising applying a hash function to the skip n-gram data to generate a reduced skip n-gram representation, and wherein the first feature vector includes a Boolean vector indicating occurrences of skip n-grams in the reduced skip n-gram representation.
19 . A computer-readable storage device storing instructions that, when executed, cause a computer to perform operations comprising:
identifying, among multiple files, a first file having a first file type; identifying, among the multiple files, a second file including a second file having a second file type, wherein the second file type is distinct from the first file type; generating, based on the first file type, a first feature vector based on first features extracted from the first file; generating, based on the second file type, a second feature vector based on second features extracted from the second file, wherein the first features are distinct from the second features; and generating classification data associated with the multiple files, the classification data indicating whether the multiple files is predicted to include malware, wherein the classification data is generated based on the first feature vector and the second feature vector.
20 . The computer-readable storage device of claim 19 , wherein the first features correspond to entropy information associated with the first file, and wherein the second features correspond to an occurrence of attributes in the second file.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.