Malware process detection techniques
By constructing a process phylogenetic tree and using graph representation to train a classification model, the problem of detecting malware process sequences was solved, enabling efficient identification and timely response to malware.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- CYLANCE INC
- Filing Date
- 2025-12-04
- Publication Date
- 2026-06-09
Smart Images

Figure CN122174229A_ABST
Abstract
Description
Technical Field
[0001] This disclosure relates to the detection of malware that is running or has been executed on a device. Background Technology
[0002] In the field of cybersecurity, malware is an active, running instance of malware / programs within a computer's operating system. Malware is specifically designed to perform harmful actions, such as stealing data, disrupting system operations, or granting attackers unauthorized access. Typically, this malware operates in the background and can mimic legitimate system processes to evade detection.
[0003] Therefore, there is a need to develop technologies for detecting when malware has already been executed on a device (or to notify the user that the device has been compromised, or to report data to train a machine learning model specifically for malware detection).
[0004] The techniques presented in this document can be used for this purpose. Attached Figure Description
[0005] Figure 1 This is a flowchart illustrating an example operation for classifying events associated with at least one process executing on a device, according to one implementation.
[0006] Figure 2 This is a flowchart illustrating an example method for training a machine learning model to be used as a malware classification model or malware identification model.
[0007] Figure 3 A schematic diagram is depicted illustrating an example system that provides an event classification technique according to one implementation.
[0008] Figure 4 The diagram illustrates a high-level architecture block diagram of a computer based on one implementation.
[0009] The same reference numerals and names in the various figures indicate the same elements. Detailed Implementation
[0010] Malware can often be viewed as a sequence of processes. In fact, many malware programs operate through a series of processes to achieve their goals. This sequence can include multiple processes running sequentially or in parallel to evade detection, establish control, or execute specific payloads. Therefore, malware can generate process sequences. In one embodiment of this disclosure, the genealogy or ancestry of processes will be used in the form of a tree (with nodes and edges) to facilitate malware detection. For clarity, a process is an instance of a program being executed by a computer's operating system. Each process has its own allocated memory and resources and operates independently of other processes (however, these processes can communicate with each other via inter-process communication (IPC) mechanisms, and they can also share resource / data artifacts, such as network resources they connect to or registry keys they modify). A process includes the executable code of a program, as well as other elements such as a memory address space (i.e., the specific memory assigned to the process for its data and code), an execution context (which includes the process state (running, waiting, etc.), CPU registers, and a program counter), resources (access to input / output files, devices, and any network connections the process may need), and a process ID (PID, a unique identifier assigned by the operating system).
[0011] Many types of malware begin with a single "dropper" process. This process is responsible for downloading or unpacking additional malicious components, such as other malware files or modules. Therefore, this dropper process may spawn new processes to extract or execute the main payload (the core malicious code that carries out the intended damage), as explained below.
[0012] In practice, the initial malware process often initiates a sequence of actions to gather information about the environment, such as OS type, security software, and user permissions. If needed, the malware can execute processes to gain higher privileges to perform sensitive or restricted actions.
[0013] Once a foothold is established, the malware can trigger additional processes to download the main payload. These processes may include launching separate threads to run background tasks or manage communication with remote servers.
[0014] To ensure that malware continues to run even after a reboot or shutdown, a persistence mechanism is often established. This may include modifying system registry keys, creating scheduled tasks, or installing hidden services, all of which may appear as distinct processes.
[0015] Then, in the malicious execution phase, the malware actively performs its malicious tasks, such as data penetration, keylogging, or dissemination across the network. Depending on the design of the malware, each of these activities can run in parallel or sequentially within its own process.
[0016] Therefore, one process associated with malware can handle data leaks, another process associated with the same malware can handle keylogging, and yet another process associated with the same malware can communicate with command and control (C&C) servers. Some malware (such as ransomware) can also initiate encryption processes that scan and encrypt files on the system.
[0017] Some advanced malware includes processes that self-destruct or clean up after completing their tasks, leaving almost no trace on the infected system.
[0018] However, regardless of the sequence of operations and actions performed by different processes associated with malware, information related to them can be recorded.
[0019] In practice, several techniques are typically used to capture detailed information about malware execution. For example, system event logs can be used to collect this information. Additionally, process monitoring and tracing tools can list all running processes, including their memory usage, command-line arguments, and network connections. Furthermore, network traffic monitoring tools (such as packet capture tools or firewall and intrusion detection / prevention logs) can capture communication between processes associated with malware and external servers. Other techniques, such as API monitoring (which logs calls to Windows APIs) or hooking techniques (which capture low-level interactions), can also be used. Finally, registry trackers can be used to capture registry changes in Windows, thus logging modifications or additions that malware may make for persistence or obfuscation. The term "raw data" will be used below to refer to the information / data captured using these techniques.
[0020] Figure 1 This is a flowchart illustrating an example operation 100 for classifying events associated with at least one process executing on a device, according to one implementation. Figure 1 The example operation 100 shown can be implemented using additional, fewer, or different operations, which can be performed in the order shown or a different order.
[0021] Below, the term "event" is used to define a set / sequence of actions performed by one or more processes on different resources, which may be related to the execution of (malicious or non-malicious) programs. Therefore, the execution of malware (as mentioned above) can be considered a malware event or a malicious event. Thus, in a sense, an event can be associated with one or more processes.
[0022] According to one implementation, in identification step 101, the device identifies one or more processes in the raw data (at least through process information such as name, ID, command line, or parent process), and obtains a list of activities and a list of resources used associated with the execution of these identified processes. The raw data is associated with a time range during which data from the use of various capture techniques is collected. The time range can be a range of minutes (e.g., 10 to 60 minutes) or a range of hours (1 to 24 hours), and is combined with... Figure 1 The described process can be repeated for the same duration using a new original dataset collected during another subsequent time range. The length of the time range is a parameter that can be configured according to one embodiment of this disclosure. It should be noted that, depending on the length of the time range, a trained machine learning model should have already been trained on the same time period / range. In a variation, only completed processes are selected / selected to represent them as a graph representation in subsequent steps.
[0023] In fact, in generation step 102, each identified process (or selected / chosen process) is represented in the form of a graph. The graph representation of a process includes nodes and edges: nodes are assigned elements from the process's list of used resources and / or the identifier value of the identified process (such as name or ID, which can be a unique numeric identifier assigned to the process by the operating system when the process is created), while edges are assigned elements from the activity list. Used resources can be associated with memory space, files, hardware resources (processors, sensors, batteries, network connectivity-related components, GPS, cameras, etc.), IP addresses, ports, protocols, applications, and system services. Activities are associated with actions performed by the process on resources (such as allocating or dealing with memory, reading or writing data in memory, creating or deleting files (such as system configuration registers) or directories, establishing network connections (i.e., the resource can be a network interface card), sending or receiving data packets, listening for incoming connections, etc.).
[0024] Therefore, nodes and edges include non-numeric values (such as category labels or text information). For example, edges can include numeric values, such as the amount of CPU or memory consumed to perform the considered action.
[0025] In combination step 103, when processes are related to each other, the graph representations of these related processes are combined. For example, combination may include nodes connecting different graph representations of processes (such as nodes whose connections include the identifier values of these processes). In the case where two graph representations of processes are combined, the value 2 is assigned to the depth value. Therefore, the depth value is a parameter characterizing the number of processes linked together, thus preserving the relationships (and scheduling) of these processes represented in graph form. In one implementation, the depth value is included between 2 and 10. Related processes may arise due to the presence of inter-process communication (IPC) or due to parent-child relationships. Therefore, the combined graph representation of processes can be viewed as a representation of events, and the combined graph representation traces the genealogy of processes. Combination can be performed by analyzing specific information in logs or traces that indicates the process hierarchy (such as process ID, parent process ID (PPID), timestamp, user ID (UID) or session ID, event type (because some logs distinguish different types of events, such as process start, stop, or fork)). It should be noted that if some nodes (corresponding to resources) correspond to the same resource, they can be merged (during the generation of the combined graph representation), but edges are preserved. Furthermore, the detection of command-line instructions, forked system calls, or inter-process communication (IPC) mechanisms in the raw data can establish a hierarchical structure or relationship between processes, which can be reflected in the combined graph representation by linking or connecting graph representations of related processes. The edges connecting different graph representations then include information that establishes or interprets the relationships between connected processes. For example, in one embodiment of this disclosure, the edges linking two graph representations of related processes may include vector representations of command-line instructions from the use of embedding techniques similar to Word2Vec but specifically designed for handling command-line instructions. For example, this embedding technique may rely on the use of Skip-gram or Continuous Word Band (CBOW) models to predict contextual commands for a given command, thereby capturing the relationships between different commands.
[0026] In step 104, one or more combined graph representations of the process are provided as input to the trained classification model.
[0027] In one implementation, nodes and edges that include text (e.g., labels, tags) are transformed into numeric vectors using text embedding techniques such as Word2Vec, GloVe, or transformer-based embeddings (e.g., BERT). Thus, each node or edge can be associated with a numeric value / vector.
[0028] In one embodiment of this disclosure, the device may perform a vectorization step that converts each of one or more composite graph representations of the process into a vector. The vectorization step can be performed to prepare data for processing by a trained classification model. In one variation, this step is part of a trained classification model: the trained classification model takes graph data (such as composite graph representations) as input, and vectorization is part of the model itself.
[0029] According to one implementation, the vectorization step includes using graph embedding techniques to convert the numeric values associated with nodes and edges into vectors of fixed length (i.e., converting each composite graph representation of the process into a fixed-length vector regardless of the size or depth of the composite graph representation).
[0030] In one variant, the vectorization step can rely on using graph neural networks (GNNs) such as Graph Attention Networks (GAT) or Relational Graph Convolutional Networks (R-GCN) or message-passing neural networks (MPNNs), which are designed to handle both node embeddings and edge embeddings. In practice, in these architectures, edge embeddings and node embeddings can be processed together. For example, they can be concatenated or aggregated based on their positions in the composite graph representation. Pooling or readout functions can then be used to obtain a fixed-length vector of the composite graph representation.
[0031] In one variation, graph embedding techniques can be combined with the use of random projection (a dimensionality reduction technique where a high-dimensional vector (obtained from processing a combined graph representation of the process) is projected onto a lower-dimensional subspace using a random matrix). It should be noted that the use of random projection can be performed on the node embeddings themselves before the pooling method is executed. Therefore, according to this embodiment, the pooling method is performed on the dimensionality-reduced node / edge embeddings. In another variation, the use of random projection can be performed on the vectors resulting from the pooling method performed on the node / edge embeddings. Regardless of the method chosen, we can, in a sense, say that we can obtain a set of dimensionality-reduced vectors (generated using random projection) according to these methods.
[0032] Therefore, based on the process combinatorial graph representation set, a vector set is obtained, where each vector has the same length / size.
[0033] In one variant, the vectorization step can rely on the use of a trained graph autoencoder (GAE). In practice, a trained graph autoencoder includes an encoder that maps composite graph representations to a latent space, and a decoder that reconstructs the composite graph representations from the latent representations. However, in the vectorization step, only the encoder from the trained graph autoencoder is used. Therefore, a set of vectors (output by the encoder of the trained graph autoencoder) is obtained based on the set of composite graph representations of the process.
[0034] In one variation, clustering techniques can be applied to the set of vectors obtained from the vectorization step. The cluster centroids of the resulting clusters are then used as input to a trained classification model. By doing so, we can reduce the number of vectors to be classified. Clustering techniques can also be applied to dimensionality-reduced vector sets when dimensionality reduction techniques are used. In practice, in one implementation, dimensionality reduction techniques like Principal Component Analysis (PCA) can be used to obtain a dimensionality-reduced set of vectors to be classified from the set of vectors. In another implementation, other dimensionality reduction methods, such as t-SNE (t-distributed random neighborhood embedding) or UMAP (uniform manifold approximation and projection), can be used to obtain a dimensionality-reduced set of vectors from the set of vectors.
[0035] In one variation, clustering techniques can be used to detect outlier vectors. In this embodiment, only outlier vectors are fed to a trained classification model.
[0036] In one implementation, clustering techniques such as k-means clustering can be used.
[0037] In one variation, clustering techniques such as density-based noisy spatial clustering (DBSCAN) can be used. However, it should be noted that DBSCAN is generally better suited for clustering data when clusters have similar densities. Therefore, a selection step can be performed to choose which clustering technique to use from among the possible ones.
[0038] In one embodiment of this disclosure, the trained classification model is able to detect or identify malicious events from the provided data related to the composite graph representation.
[0039] According to one implementation method Figure 2 This is a flowchart illustrating an example method for training a machine learning model to be used as a malware classification model or malware identification model.
[0040] As is well known, machine learning models are trained using a process that involves feeding them large amounts of data and allowing them to learn patterns and relationships within that data.
[0041] In one implementation, a method for training a machine learning model is proposed. The machine learning model is described below as a malware classification model or a malware identification model; however, depending on the data type used as input, the operations and processes used to train this machine learning model can be applied to other types of machine learning models.
[0042] According to one embodiment of this disclosure, the device obtains raw data in step 201. As explained above, the raw data covers multiple types of information / data from different monitoring tools. In one implementation, a time slot or period is associated with the raw data (meaning that the raw data has been monitored during that time slot or period). For training machine learning models, raw data or a sequence of historical raw data (from earliest to latest) is used, where each piece of raw data can be considered as a data block associated with a time slot or period (e.g., having data collected in the form of files).
[0043] According to one implementation, raw data has been collected from a "secure" device in the sense that no malware has executed on the device. Therefore, the machine learning model will be trained using this "secure" data (i.e., data free of malware events). Consequently, the trained machine learning model will be able to detect anomalies (i.e., events where actions are performed on unusual resources; these unusual events are potential malware events, and the trained machine learning model will highlight this aspect in the output values / scores / labels). According to this embodiment, the trained machine learning model relies on a single-class SVM (Support Vector Machine) architecture or an autoencoder architecture.
[0044] According to another implementation, raw data has been collected from the "infected" device in the sense that one or more malware programs are known to have executed on the device. Unlike the previous embodiments, a machine learning model can be trained on malware events, and thus such a trained machine learning model can identify malware events in this way.
[0045] Then, in step 202, steps similar to those performed in steps 101, 102, and 103 are executed to generate a combined graph representation of the relevant processes already running on the monitored device. In these steps, the vector set can be obtained / determined using graph embedding techniques. In one implementation, labels indicating the state of the device from which the original data originated are associated with the combined graph representation.
[0046] Once step 202 has been performed, the data partitioning process can be executed to split the given vector / file embedding vector dataset into a training set and a test set. The training set is used to train the model, while the test set is used to evaluate its performance.
[0047] According to one embodiment of this disclosure, different models can be selected for training. In practice, different architectures can be used depending on the nature of the acquired data (i.e., graph data or vector sets). For example, if the vector set is used as input, a feedforward neural network (FNN), also known as a multilayer perceptron (MLP), can be used. In one variation, a convolutional neural network (CNN) can be selected for training. In another variation, a recurrent neural network (RNN) or a long short-term memory (LSTM) network can be selected. Furthermore, other architectures depending on the use of transformers or hybrid approaches depending on the use of MLPs combined with autoencoders can be selected. The method for selecting the parameters and hyperparameters of each model is not described in this document. However, those skilled in the art will understand that modifications to these parameters and hyperparameters can be made based on the training results of these models to obtain better results. In fact, to determine these parameters and hyperparameters, comparisons of results must be performed. Factors such as the number of layers, the number of neurons per layer, the activation function, and the optimization algorithm have a significant impact on the behavior of the model. This is for fine-tuning purposes beyond the scope of this document.
[0048] Once a model architecture is selected, model training is performed using a training dataset, a loss function that measures the difference between the model's predictions and the true values, and optimization algorithms (e.g., gradient descent) that iteratively update the parameters (weights) to minimize the loss function. In practice, during model training, the internal parameters (weights and biases) are modified to minimize the difference between the model's predictions and the actual values in the training data.
[0049] Model training 203 also includes an evaluation step, which assesses the trained model on a test dataset to evaluate its performance. Based on the results, if the performance metrics meet the stopping criteria, model refinement (i.e., tuning of the model's hyperparameters) can be performed, or the training process can be stopped at this stage.
[0050] In one variant, a contrastive loss function is used to train the machine learning model. In this embodiment, data from the training set is used to obtain a positive pair set and a negative pair set: the positive pair set comprises a set of similar pair vector / combined graph representations, while the negative pair set comprises a set of dissimilar pair vector / combined graph representations. The similarity between combined graph representations can be determined using, for example, graph edit distance. The device then uses these two sets to train a machine learning model (such as a graph neural network). At the end of this training process, the trained machine learning model is able to classify combined graph representations into categories defined by similar representations and also associated with labels such as "malicious software" or "non-malicious software".
[0051] In one embodiment, once a trained machine learning model is obtained / generated, it can be deployed to... Figure 3 The event service platform described in [the document].
[0052] The training process and deployment of trained machine learning models can be repeated periodically based on parameters of the security policy, which define, for example, the time frame or frequency of training. In other cases, a security alert can be an event that triggers the initiation of new training for one or more models.
[0053] In one variant, several machine learning models are trained.
[0054] Figure 3 A schematic diagram illustrating an example system providing event classification technology according to one implementation is depicted. More precisely, system 300 includes an event service platform 304 communicatively coupled to a client device 301 via a network 302. The client device 301 represents an electronic device providing raw data, combined graphical representations, or similar data to be analyzed. In some cases, the client device 301 may send files containing this data to the event service platform 304 for malware detection and analysis. In other cases, the event service platform 304 sends the output of the malware detection and analysis to the client device 301 for remedial action.
[0055] The event service platform 304 represents an application, application set, software, software module, hardware, or any combination thereof that detects malware events. The event service platform 304 can be an application server, service provider, or any other network entity. The event service platform 304 can be implemented using one or more computers, computer servers, or cloud computing platforms. The event service platform 304 can be used to run trained machine learning models used in malware detection events. In one variant, the event service platform 304 can also perform... Figure 2 The training process is discussed in the relevant description. The event service platform 304 includes an event analyzer 303. The event analyzer 303 represents an application, set of applications, software, software module, hardware, or any combination thereof that performs data preprocessing on received files. In some implementations, the event analyzer 303 may generate embedding vectors or perform vectorization. Figures 1-2 The accompanying description provides additional details on these implementations. In one variant, both the event analyzer 303 and the event service platform 304 execute within the client device 301 itself. Indeed, due to technological advancements, an increasing number of client devices are capable of running trained machine learning models locally. For example, iPhones, which can be considered client devices, are well-suited for running machine learning models locally because they provide the core machine learning framework—specifically, dedicated chip components optimized for performing machine learning tasks, such as the Apple Neural Engine (ANE).
[0056] Turning to the general description, client device 301 may include, but is not limited to, any of the following: endpoint, computing device, mobile device, mobile electronic device, user equipment, mobile station, subscriber station, portable electronic device, mobile communication device, wireless modem, wireless terminal, or other electronic device. Examples of endpoints may include mobile devices, IoT (Internet of Things) devices, EoT (Internet of Things) devices, cellular phones, personal data assistants (PDAs), smartphones, laptops, tablets, personal computers (PCs), pagers, portable computers, portable gaming devices, wearable electronic devices, health / medical / fitness devices, cameras, vehicles, or other mobile communication devices having components for transmitting voice or data via a wireless communication network. Means of transport can include motor vehicles (e.g., cars, sedans, trucks, buses, motorcycles, etc.), aircraft (e.g., airplanes, unmanned aerial vehicles, unmanned aerial vehicle systems, drones, helicopters, etc.), spacecraft (e.g., space shuttles, space shuttles, spacecraft modules, space stations, satellites, etc.), watercraft (e.g., ships, vessels, hovercraft, submarines, etc.), rail transport (e.g., trains, trams, etc.), and other types of transport including any combination of the foregoing, whether currently existing or emerging. Wireless communication networks can include wireless links on at least one of licensed and unlicensed spectrum. The term "mobile device" can also refer to any hardware or software component capable of terminating a user's communication session. Furthermore, the terms "user equipment," "UE," "user equipment device," "user agent," "UA," "user equipment," and "mobile device" are used interchangeably herein.
[0057] Example system 300 includes network 302. Network 302 represents an application, application set, software, software module, hardware, or combination thereof that can be configured to transmit data messages between entities in example system 300. Network 302 may include a wireless network, a wired network, the Internet, or a combination thereof. For example, network 302 may include one or more radio access networks (RANs), core networks (CNs), and the Internet. The RAN may include one or more radio access technologies. In some implementations, the radio access technology may be Global System for Mobile Communications (GSM), Provisional Standard 95 (IS-95), Universal Mobile Telecommunications System (UMTS), CDMA2000 (Code Division Multiple Access), Evolved Universal Mobile Telecommunications System (E-UMTS), Long Term Evolution (LTE), Advanced LTE, 5G, or any other radio access technology. In some cases, the core network may be an Evolved Packet Core (EPC).
[0058] Although Figure 3The elements are shown as various components, parts, or modules that implement various features and functions; however, these elements can be appropriately modified to include multiple submodules, third-party services, components, libraries, etc. Furthermore, the features and functions of various components can be appropriately combined into fewer components.
[0059] Figure 4 The diagram illustrates a high-level architecture block diagram of a computer 400 according to one implementation. The computer 400 can be implemented as a client device 301, an event service platform 304, or any combination thereof. The computer 400 can also be used to implement... Figures 1-2 The operations discussed herein. The illustrations described are merely one possible implementation of the described subject matter and are not intended to limit this disclosure to the single described implementation. Those skilled in the art will understand that the described components can be connected, combined, and / or used in alternative ways consistent with this disclosure.
[0060] In some cases, Figures 1-2 The steps can be implemented in executable computational code (e.g., C / C++ executable code). In some cases, computer 400 may include a standalone Linux system running batch applications. In other cases, computer 400 may include a mobile or personal computer.
[0061] Computer 400 may include a computer that includes input devices (such as keypad, keyboard, touch screen, microphone, voice identification device, other devices that can accept user information) and / or output devices (that convey information related to the operation of the computer, including digital data, visual and / or audio information, or GUI).
[0062] Computer 400 can act as a client, network component, server, database, or other entity, and / or any other component. In some implementations, one or more components of computer 400 can be configured to operate within a cloud-based environment.
[0063] At a higher level, computer 400 is an electronic computing device operable to receive, transmit, process, store, or manage data. Depending on some implementations, computer 400 may also include, or be communicatively coupled to, application servers, email servers, web servers, cache servers, streaming data servers, business intelligence (BI) servers, and / or other servers.
[0064] Computer 400 can collect data on network events or mobile application usage events from a web browser or client application (e.g., an installed plugin) via network 302. Furthermore, data can be collected by computer 400 from internal users (e.g., from a command console or through another suitable access method), external or third parties, other automated applications, and any other suitable entity, individual, system, or computer.
[0065] Each component of computer 400 can communicate using system bus 412. In some implementations, any and / or all components (hardware and / or software) of computer 400 can connect to each other and / or to interface 402 via system bus 412 using application programming interfaces (APIs) 408 and / or service layer 410. API 408 may include specifications for routines, data structures, and object classes. API 408 may be language-independent or language-dependent, and refers to a complete interface, a single function, or even a set of APIs. Service layer 410 provides software services to computer 400. The functionality of computer 400 may be accessible to all service consumers using the service layer. Software services (such as those provided by service layer 410) provide reusable, defined business functionality through defined interfaces. For example, the interface may be software written in JAVA, C++, or other suitable languages that provide data in Extensible Markup Language (XML) or other suitable formats. Although shown as an integrated component of computer 400, alternative implementations may show API 408 and / or service layer 410 as independent components relative to other components of computer 400. Furthermore, any or all portions of API 408 and / or service layer 410 may be implemented as a descendant or submodule of another software module, enterprise application, or hardware module without departing from the scope of this disclosure.
[0066] Computer 400 includes interface 402. Although in Figure 4 The interface 402 is shown as a single interface, but two or more interfaces 402 may be used depending on the specific needs, expectations, or implementation of the computer 400. Interface 402 is used by the computer 400 to communicate with other systems (whether shown or not) in a distributed environment connected to a network. Generally, interface 402 includes logic encoded in software and / or hardware in a suitable combination and operable to communicate with the network. More specifically, interface 402 may include software supporting one or more communication protocols associated with the communication, enabling the network or interface hardware to transmit physical signals within and outside the computer 400.
[0067] Computer 400 includes at least one processor 404. Although in Figure 4The processor 404 is shown as a single processor 404, but two or more processors may be used depending on the specific needs, expectations, or implementation of the computer. Generally, processor 404 executes instructions and manipulates data to perform operations of the computer 400. Specifically, processor 404 executes instructions and manipulates data to perform operations of the computer 400. Figures 1-2 The publicly available functions.
[0068] Computer 400 also includes memory 414 for storing data for computer 400. Although in Figure 4 The memory 414 is shown as a single memory 414, but two or more memories may be used depending on the specific needs, expectations, or particular implementation of the computer 400. Although the memory 414 is shown as an integrated component of the computer 400, in alternative implementations, the memory 414 may be external to the computer 400.
[0069] Application 406 is an algorithmic software engine that provides functionality (particularly functionality required for anomaly detection) based on the specific needs, expectations, or implementation of computer 400. Although shown as a single application 406, application 406 can be implemented as multiple applications 406 on computer 400. Furthermore, although shown as integrated into computer 400, in alternative implementations, application 406 can be external to computer 400.
[0070] There may be any number of computers 400 associated with or outside the network and communicating through the network. Furthermore, this disclosure envisions that many users may use one computer 400, or one user may use multiple computers 400.
[0071] The subject matter and functional operations described in this specification can be implemented in digital electronic circuits, in tangibly embodied computer software or firmware, in computer hardware including the structures disclosed in this specification and their equivalents, or in a combination of one or more of these. The software implementation of the described subject matter can be implemented as one or more computer programs, i.e., one or more modules of computer program instructions encoded on a tangible, non-transitory computer-readable medium, for performing or controlling the operation of a computer or a computer-implemented system by a computer. Alternatively or additionally, the program instructions can be encoded in / on artificially generated propagation signals (e.g., machine-generated electrical, optical, or electromagnetic signals) generated to encode information for transmission to a receiver device for execution by a computer or a computer-implemented system. Computer storage media can be machine-readable storage devices, machine-readable storage substrates, random or serial access memory devices, or combinations of computer storage media. Configuring one or more computers means that one or more computers have hardware, firmware, or software (or a combination of hardware, firmware, and software) installed such that when the software is executed by one or more computers, specific computational operations are performed. However, computer storage media are not propagation signals.
[0072] The terms “data processing apparatus,” “computer,” “computing device,” or “electronic computer equipment” (or equivalent terms as understood by one of ordinary skill in the art) refer to data processing hardware and encompass all kinds of apparatus, devices, and machines for processing data, including, for example, programmable processors, computers, or multiple processors or computers. A computer may also be or include special-purpose logic circuitry, such as a central processing unit (CPU), a field-programmable gate array (FPGA), or an application-specific integrated circuit (ASIC). In some implementations, a computer or computer-implemented system or special-purpose logic circuitry (or a combination of a computer or computer-implemented system and special-purpose logic circuitry) may be hardware-based or software-based (or a combination of both). A computer may optionally include code that creates an execution environment for computer programs, such as code constituting processor firmware, a protocol stack, a database management system, an operating system, or a combination of execution environments. This disclosure contemplates the use of a computer or computer-implemented system with an operating system (e.g., LINUX, UNIX, WINDOWS, MAC OS, ANDROID, or IOS) or a combination of operating systems.
[0073] A computer program (which may also be referred to or described as a program, software, software application, unit, module, software module, script, code, or other component) can be written in any form of programming language, including compiled or interpreted languages, or declarative or procedural languages, and can be deployed in any form (including, for example, as a standalone program, module, component, or subroutine) for use in a computing environment. A computer program may, but does not need to, correspond to a file in a file system. A program may be stored as a part of a file that holds other programs or data (e.g., one or more scripts stored in a markup language document), stored in a single file dedicated to the program in question, or stored in multiple collaborating files (e.g., a file storing one or more modules, subroutines, or code sections). A computer program can be deployed to execute on a single computer, or on multiple computers located in one location or distributed among multiple locations and interconnected via a communication network.
[0074] While portions of the program shown in the various figures can be represented as separate components (such as units or modules) implementing the described features and functions using various objects, methods, or other processes, the program can be suitably modified to include multiple sub-units, sub-modules, third-party services, components, libraries, and other components. Conversely, the features and functions of various components can be suitably combined into a single component. The thresholds used for computational determination can be determined statically, dynamically, or both statically and dynamically.
[0075] The described methods, processes, or logical flows represent one or more examples of functionality consistent with this disclosure and are not intended to limit this disclosure to the implementations described or shown, but rather to conform to the widest scope consistent with the described principles and features. The described methods, processes, or logical flows can be executed by one or more programmable computers executing one or more computer programs to perform functions by manipulating input data and generating output data. The methods, processes, or logical flows can also be executed by special-purpose logic circuitry (e.g., a CPU, FPGA, or ASIC), and the computer can also be implemented as special-purpose logic circuitry (e.g., a CPU, FPGA, or ASIC).
[0076] A computer used to execute computer programs can be based on a general-purpose microprocessor or a special-purpose microprocessor, both, or another CPU type. Generally, a CPU receives instructions and data from memory and writes instructions and data to memory. The basic components of a computer are a CPU for executing or running instructions and one or more storage devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to, one or more mass storage devices (e.g., disks, magneto-optical disks, or optical disks) for storing data, to receive data from, transfer data to, or both. However, a computer does not necessarily need to have such a device. Furthermore, a computer can be embedded in another device, such as a mobile phone, a personal digital assistant (PDA), a mobile audio or video player, a game console, a global positioning system (GPS) receiver, or a portable memory storage device (e.g., a universal serial bus (USB) flash drive), to name just a few.
[0077] Non-transitory computer-readable media used for storing computer program instructions and data can include all forms of permanent / non-permanent or volatile / non-volatile memory, media, and memory devices, including, for example: semiconductor memory devices, such as random access memory (RAM), read-only memory (ROM), phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), and flash memory devices; magnetic devices, such as magnetic tape, magnetic tape cassette, cartridge magnetic tape, internal / removable magnetic disk; magneto-optical disk; optical memory devices, such as digital versatile / video optical disc (DVD), compressed optical disc (CD) ROM, DVD+ / -R, DVD-RAM, DVD-ROM, high definition / density (HD)-DVD, and Blu-ray / Blu-ray disc (BD); and other optical memory technologies. Memory can store various objects or data, including: caches, categories, frames, applications, modules, backup data, jobs, web pages, web page templates, data structures, database tables, repositories storing dynamic information, or other suitable information including any parameters, variables, algorithms, instructions, rules, constraints, or references. Additionally, memory can include other suitable data such as logs, policies, security or access data, or report files. Processors and memory can be supplemented by special-purpose logic circuitry or incorporated into it.
[0078] To provide interaction with the user, the implementation of the subjects described in this specification can be implemented on a computer having a display device for displaying information to the user (e.g., a cathode ray tube (CRT), liquid crystal display (LCD), light-emitting diode (LED), or plasma monitor) and a keyboard and pointing device (e.g., a mouse, trackball, or trackpad) that the user can use to provide input to the computer. Input can also be provided to the computer using a touchscreen (such as a pressure-sensitive tablet computer surface or a multi-touch screen using capacitive or electro-sensing). Other types of devices can be used to interact with the user. For example, feedback provided to the user can be any form of sensory feedback (such as visual feedback, auditory feedback, tactile feedback, or a combination of feedback types). Input from the user can be received in any form, including voice input, speech input, or tactile input. Furthermore, the computer can interact with the user by sending documents to and receiving documents from the client computing device used by the user (e.g., by sending a webpage to a web browser on the user's mobile computing device in response to a request received from a web browser).
[0079] The term "graphical user interface (GUI)" can be used in the singular or plural to describe one or more graphical user interfaces and each display of a particular graphical user interface. Therefore, a GUI can represent any graphical user interface, including but not limited to web browsers, touchscreens, or command-line interfaces (CLIs) that process information and efficiently present the results to the user. Generally, a GUI may include multiple user interface (UI) elements, some or all of which are associated with a web browser, such as interactive fields, dropdown lists, and buttons. These UI elements, and other UI elements, may be related to or represent the functionality of the web browser.
[0080] The implementations of the subject matter described in this specification can be implemented in a computing system including back-end components (e.g., as a data server), or in a computing system including middleware components (e.g., an application server), or in a computing system including front-end components (e.g., a client computer having a graphical user interface or web browser that a user can use to interact with the implementations of the subject matter described in this specification), or in any combination of one or more such back-end components, middleware components, or front-end components. Components of the system can be interconnected via any form or medium of wired or wireless digital data communication (or a combination of data communications), such as a communication network. Examples of communication networks include local area networks (LANs), radio access networks (RANs), metropolitan area networks (MANs), wide area networks (WANs), WiMAX, wireless local area networks (WLANs) using protocols such as 802.11x or others, all or part of the Internet, another communication network, or a combination of communication networks. Communication networks can communicate with, for example, Internet Protocol (IP) packets, Frame Relay frames, Asynchronous Transfer Mode (ATM) cells, voice, video, data, or other information between network nodes.
[0081] A computing system may include clients and servers. Clients and servers are generally located far apart and typically interact through a communication network. The client-server relationship arises from computer programs running on their respective computers that have a client-server relationship with each other.
[0082] In some implementations, any or all components (hardware and / or software) of the computing system can interface with each other and / or with interfaces using APIs and / or service layers. APIs may include specifications for routines, data structures, and object classes. APIs may be language-independent or language-dependent, and refer to a complete interface, a single function, or even a set of APIs. Service layers provide software services to the computing system. The functionality of the various components of the computing system can be accessible to all service consumers via this service layer. Software services provide reusable, defined business functionality through defined interfaces. For example, an interface may be software written in JAVA, C++, or other suitable languages that provide data in XML or other suitable formats. APIs and / or service layers may be integrated components and / or independent components relative to other components of the computing system. Furthermore, any or all portions of the service layer may be implemented as a descendant or submodule of another software module, enterprise application, or hardware module without departing from the scope of this disclosure.
[0083] While this specification contains numerous specific implementation details, these details should not be construed as limiting the scope or claimable scope of any inventive concept, but rather as descriptions of features characteristic of a particular implementation of a specific inventive concept. Certain features described in this specification within the context of individual implementations may also be implemented in combination within a single implementation. Conversely, various features described in the context of a single implementation may be implemented in multiple implementations, individually, or in any sub-combination. Furthermore, although the features described above may be described as functioning in certain combinations, and even initially claimed in this way, in some cases, one or more features from the claimed combination may be removed from the combination, and the claimed combination may be for sub-combinations or variations thereof.
[0084] Specific implementations of the subject matter have been described. It will be apparent to those skilled in the art that other implementations, modifications, and substitutions of the described implementations are within the scope of the following claims. Although operations are depicted in a specific order in the drawings or claims, this should not be construed as requiring these operations to be performed in the specific order shown or in an ordered sequence, or requiring the performance of all shown operations (some operations may be considered optional) to obtain the desired result. In some cases, multitasking or parallel processing (or a combination of multitasking and parallel processing) may be advantageous and should be implemented as appropriate.
[0085] The separation or integration of various system modules and components in the implementation methods described above should not be construed as requiring such separation or integration in all implementation methods. It should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
[0086] The implementation of the described subject may include one or more individual or combined features.
[0087] For example, in one implementation, a first feature of a method for classifying events from raw data associated with a device is proposed, wherein the event is associated with at least two processes executed on the device, and the event is a malicious or non-malicious event, the method comprising: - For at least two identified processes in the raw data, obtain a list of activities and a list of resources used that are associated with the execution of each of the at least two identified processes; - For each of at least two identified processes, generate a graph representation, wherein the graph representation includes nodes and edges, wherein nodes are assigned elements from the list of used resources or the identifier value of one of the two identified processes, and wherein edges are assigned elements from the list of activities. - When at least two identified processes are linked together, combine at least two of the generated graph representations of the at least two identified processes, wherein the combination outputs a combined graph representation, which is a representation of one of the events to be classified; - Provide a representation of one of the events to be classified to at least one classification model; and - Generate an alert if one of the events is classified as a malicious event by at least one classification model.
[0088] The second feature, which can be combined with any preceding or following feature, relates to a method for classifying events, wherein at least two identified processes are linked together based on the detection of command-line instructions in the raw data, or by the detection of forked system calls in the raw data, or by the detection of inter-process communication (IPC) mechanisms in the raw data.
[0089] The third feature, which can be combined with any preceding or following feature, relates to a method for classifying events, wherein at least one classification model is either a graph convolutional network model or a graph attention network model.
[0090] A fourth feature, which can be combined with any preceding or following feature, relates to a method for classifying events, wherein the method further includes: clustering the combined graph representations into clusters when several combined graph representations exist; and using representative elements of the clusters as another representation of the event to be classified by at least one classification model, or associating cluster-related information with the representation of the event to be classified by at least one classification model, wherein the information is one of information related to the cluster centroid, information related to the cluster mean, information related to the cluster membership probability, and / or information related to the cluster label.
[0091] The fifth feature, which can be combined with any preceding or following feature, relates to a method for classifying events, wherein clustering further includes: obtaining a combined graph representation; determining features from the combined graph representation; and determining clusters based on the processing of the features.
[0092] The sixth feature, which can be combined with any preceding or following feature, relates to a method in which determining the cluster includes using at least one of k-means, hierarchical clustering, or DBSCAN.
[0093] The seventh feature, which can be combined with any preceding or following feature, relates to a method in which determining the feature from the combined graph representation includes determining the graph embeddings of nodes and edges, which are numerical values in a lower-dimensional space compared to the original values.
[0094] The eighth feature, which can be combined with any preceding or following feature, relates to a method in which determining the graph embedding involves using Node2Vec.
[0095] The ninth feature, which can be combined with any preceding or following feature, relates to a method in which determining the feature from the combined graph representation includes determining the adjacency matrix and / or the attribute matrix.
[0096] The tenth feature, which can be combined with any preceding or following feature, relates to a method in which determining a cluster includes: determining a common motif in a composite graph representation; and clustering the composite graph representation into a cluster based on the occurrence of the determined common motif, wherein the common motif includes: a linear chain representing sequential dependencies, a fork-join representing the parallel execution of corresponding processes, a loop representing an iterative loop or a feedback loop, and a diamond structure representing conditional branches.
[0097] The eleventh feature, which can be combined with any preceding or following feature, relates to a method in which determining a cluster also includes determining the community of nodes in the composite graph representation based on the similarity or connectivity of the nodes in the composite graph representation.
[0098] The twelfth feature, which can be combined with any preceding or following feature, relates to a method in which determining the community of a node involves merging nodes into communities based on modularity gain using the Leuven algorithm.
[0099] The thirteenth feature, which can be combined with any preceding or following feature, relates to a method in which the raw data includes at least one of system logs, performance metrics, trajectory data, command history, and network traffic data.
[0100] The fourteenth feature, which can be combined with any preceding or following feature, relates to a method in which resources used are associated with hardware and / or software resources of a device and / or other equipment, and in which activities are associated with actions performed on the hardware and / or software resources.
[0101] The fifteenth feature, which can be combined with any preceding or following feature, relates to a method in which elements assigned to nodes and edges as classification values or labels are converted into numerical representations using at least one of the following techniques: one-hot encoding, label embedding, or sequential encoding.
[0102] The sixteenth feature, which can be combined with any preceding or following feature, involves a method in which raw data is associated with a time slot.
[0103] The seventeenth feature, which can be combined with any preceding or following feature, relates to a method in which all processes identified in the original data are terminated.
[0104] The eighteenth feature, which can be combined with any preceding or following feature, relates to a method that also includes labeling events classified as malicious by at least one classification model.
[0105] The nineteenth feature, which can be combined with any preceding or following feature, relates to a method in which several classification models are used and events are classified as malicious or non-malicious events using majority voting.
[0106] The twentieth feature, which can be combined with any preceding or following feature, relates to a method in which the combined graph represents a depth of N, which is related to the number of identified processes linked together in the original data, where N is an integer greater than or equal to 2.
[0107] Accordingly, the example implementations described above do not define or constrain this disclosure. Other changes, substitutions, and modifications are possible without departing from the scope of this disclosure.
[0108] In one variant, the aforementioned features can be implemented in hardware or as a computer program.
[0109] Furthermore, any claimed implementation is considered to be applicable at least to: a computer-implemented method; a non-transitory computer-readable medium storing computer-readable instructions for performing the computer-implemented method; and a computer system including a computer memory interoperably coupled to a hardware processor configured to perform the computer-implemented method or the instructions stored on the non-transitory computer-readable medium.
[0110] Finally, according to one embodiment, some machine learning models can run on a central processing unit (CPU), a general-purpose processor that handles most types of computational tasks. In one variation, a graphics processing unit (GPU) (specialized hardware designed for parallel computing) can be used to run or train the machine learning models mentioned in this document. Furthermore, in one variation, a tensor processing unit (TPU) can be used. Therefore, a device including at least one of these different processors can perform parts of the process involving the use of machine learning models.
Claims
1. A computer-implemented method for classifying events from raw data associated with a device, the events being associated with at least two processes executed on the device, the events being malicious or non-malicious events, the method comprising: For at least two identified processes in the original data, obtain a list of activities and a list of used resources related to the execution of each of the at least two identified processes; For each of the at least two identified processes, a graph representation is generated, wherein the graph representation includes nodes and edges, wherein the nodes are assigned elements from the list of used resources or the identifier value of one of the two identified processes, and wherein the edges are assigned elements from the list of activities. When the at least two identified processes are linked together, the graph representations generated by combining at least two of the at least two identified processes are combined, wherein the combined output is a combined graph representation, which is a representation of one of the events to be classified. The representation of one of the events to be classified is provided to at least one classification model; as well as An alert is generated if one of the events is classified as a malicious event by the at least one classification model.
2. The computer-implemented method of claim 1, wherein the at least two identified processes are linked together based on the detection of command-line instructions in the raw data, or by the detection of forked system calls in the raw data, or by the detection of inter-process communication (IPC) mechanisms in the raw data.
3. The computer-implemented method according to claim 1, wherein the at least one classification model is one of a graph convolutional network model or a graph attention network model.
4. The computer-implemented method according to claim 1, wherein the method further comprises: When several composite graph representations exist, the composite graph representations are clustered into clusters, and representative elements of the clusters are used as another representation of the event to be classified by the at least one classification model, or information related to the clusters is associated with the representation of the event to be classified by the at least one classification model, wherein the information is one of the following: information related to the cluster centroid, information related to the cluster mean, information related to the cluster membership probability, and / or information related to the cluster label.
5. The computer-implemented method according to claim 4, wherein the clustering further comprises: Obtain a composite diagram representation; Features are determined from the combined diagram representation; And the cluster is determined based on the processing of the features.
6. The computer-implemented method of claim 5, wherein determining the cluster comprises using at least one of the following: k-means, hierarchical clustering, or DBSCAN.
7. The computer-implemented method of claim 5, wherein determining the feature from the composite graph representation comprises: Determine the graph embeddings of nodes and edges, where the graph embeddings are numerical values in a lower-dimensional space compared to the original values.
8. The computer-implemented method of claim 7, wherein determining the graph embedding includes using Node2Vec.
9. The computer-implemented method of claim 5, wherein determining the feature from the composite graph representation comprises: Determine the adjacency matrix and / or attribute matrix.
10. The computer-implemented method of claim 5, wherein determining the cluster further comprises: Node communities are determined based on the similarity or connectivity of nodes represented in a composite graph.
11. The computer-implemented method of claim 10, wherein determining the community of a node comprises: The Leuven algorithm is used to merge nodes into communities based on modularity gain.
12. The computer-implemented method of claim 1, wherein the elements assigned to the nodes and edges as classification values or labels are converted into digital representations using at least one of the following techniques: one-hot encoding, label embedding, or sequential encoding.
13. The computer-implemented method of claim 1, wherein the raw data is associated with a time slot.
14. The computer-implemented method of claim 1, wherein all processes identified in the original data are terminated.
15. The computer-implemented method according to claim 1, wherein the method further comprises: Events classified as malicious by the at least one classification model are labeled.
16. The computer-implemented method of claim 1, wherein several classification models are used, and a majority vote is used to classify the event as a malicious event or a non-malicious event.
17. The computer-implemented method of claim 1, wherein the composite graph represents a depth equal to N, the depth being related to the number of identified processes linked together in the original data, where N is an integer greater than or equal to 2.
18. A computer-readable medium comprising instructions that, when executed, cause an electronic device to perform operations for classifying events from raw data associated with the device, the events being associated with at least two processes executed on the device, the events being malicious or non-malicious events, the operations for classifying the events comprising: For at least two identified processes in the original data, obtain a list of activities and a list of used resources related to the execution of each of the at least two identified processes; For each of the at least two identified processes, a graph representation is generated, wherein the graph representation includes nodes and edges, wherein the nodes are assigned elements from the list of used resources or the identifier value of one of the two identified processes, and wherein the edges are assigned elements from the list of activities. When the at least two identified processes are linked together, the graph representations generated by combining at least two of the at least two identified processes are combined, wherein the combined output is a combined graph representation, which is a representation of one of the events to be classified. The representation of one of the events to be classified is provided to at least one classification model; as well as An alert is generated if one of the events is classified as a malicious event by the at least one classification model.
19. A computer-implemented system, comprising: One or more computers; as well as One or more computer memory devices, interoperably coupled to the one or more computers, and having a tangible, non-transitory, machine-readable medium storing one or more instructions, which, when executed by the one or more computers, perform one or more operations for classifying events from raw data associated with the device, the events being associated with at least two processes executed on the device, the events being malicious or non-malicious events, the one or more operations for classifying the events including: For at least two identified processes in the original data, obtain a list of activities and a list of used resources related to the execution of each of the at least two identified processes; For each of the at least two identified processes, a graph representation is generated, wherein the graph representation includes nodes and edges, wherein the nodes are assigned elements from the list of used resources or the identifier value of one of the two identified processes, and wherein the edges are assigned elements from the list of activities. When the at least two identified processes are linked together, the graph representations generated by combining at least two of the at least two identified processes are combined, wherein the combined output is a combined graph representation, which is a representation of one of the events to be classified. The representation of one of the events to be classified is provided to at least one classification model; and An alert is generated if one of the events is classified as a malicious event by the at least one classification model.