Generally, the following description relates to the field of electronic devices capable of executing computer programs. More specifically, the following description relates to apparatuses and methods for providing detecting malware.
Modern computers and computing capable devices, such as mobile phones, cars and household appliances are often provided with a possibility to execute third party computer applications. This provides third parties a possibility to improve devices and to provide experiences that are not provided by the original manufacturer. For example, in case of mobile phones games are a very popular example of improving the mobile phone user experience with third party applications. Third party applications can be related to the need of a user and may be recreational purpose only. In another examples the third party application may relate directly improving the device, for example, in form of updates firmware code or similar.
Many of the modern devices are connected to the internet and often also to telecommunication networks so that they are capable of transmitting messages. This does not only open the door for improvements can also cause malfunction and malicious behavior, as unauthorized third parties might use the devices, connected through the network, for their own purposes, by providing malicious acting software.
Thus, there is a need for providing reliable sources for third party applications. However, the number of applications has grown very rapidly and it is impossible to detect all maliciously acting software, also known as malware, by conventional means. Conventional means include, for example, examining the source code. Furthermore, it is not always sufficient to rely on trusted providers. The computer program may be camouflaged to be from a trusted provider or the trusted provider may have been hacked and the product is incorporated with a malware. It is common that malware is difficult to detect for end users as they often try to act secretly. Furthermore, as the malware producers are aware of common approaches they try to camouflage their software so that it is not easy to determine to be malware.
Malware detection systems that do not require any user interaction have been introduced. They commonly analyze the dissembled source code of a computer program and try to find patterns that are caused by malware. Another possibility is to analyze files comprising a compiled computer program directly, for example, by using a neural network based classifier. These systems may be introduced at an end user device or centralized in the network.
Apparatuses and methods for determining if a computer program is malware and to which malware class it belongs to are disclosed. In the method the behaviour of a computer program is traced by observing the activity of the program. Behaviour sequences comprising API-calls or similar activity of a computer program are then provided into a classifier for classifying the computer program. From the outcome of the classifier a classification result and the portions of the behavior sequence relevant to decision made by the classifier can be provided to a person for further confirmation.
According to a first aspect a method for detecting malware is provided. The method comprises deriving a behaviour sequence of a computer program, wherein the behaviour sequence is based on the activity of the computer program; classifying the derived behaviour sequence of a computer program; based on the classification result, determining a need for providing the behaviour sequence to an expert; and as a response to the positive determination, outputting the classification result and subsequences of the behaviour sequence relevant to the classification result to the expert; and determining, based on the classification, if the computer program is malware. It is beneficial to determine which subsequences or parts of the behaviour sequence are actually relevant for the classification result. When an expert is verifying the classification result it is beneficial to provide the expert only those parts of the behaviour sequence that have been relevant to the classification result. Thus, the expert is able to concentrate on analyzing the significant part of the behaviour sequence. The determination of the significant part causes a significant reduction to the data content of the behaviour sequence to be analyzed.
In an implementation form of the first aspect, the method further comprises receiving an opinion as a response to the outputting to the expert; and providing the received opinion as a feedback to the classifier. When the classification result and the significant parts of the behaviour sequence have been provided to the expert it is beneficial to use a response received from the expert as a training material for the classifier. This is particularly beneficial as the training material is confirmed to be true.
In a further implementation form of the first aspect, the method further comprises classifying using a neural network based classifier, wherein the neural network based classifier comprises an attention mechanism. It is beneficial to use a neural network based classifier as they are fast and very reliable in machine learning based classification. Furthermore, an attention mechanism can efficiently be used for determining the parts that are significant for determining the classification result.
In a further implementation form of the first aspect, the method further comprises extracting k-grams from the behaviour sequence; inputting extracted k-gram to the classifier; selecting using the attention mechanism a plurality of k-grams from the extracted k-grams; and providing a classification result and selected k-grams as the output to the expert. It is beneficial to use k-grams, which is a widely applied technique in handling sequence-type data, because it can efficiently reduce the computation while still capturing most of the information contained in the data.
In a further implementation form of the first aspect, the method further comprises training the classifier using each of extracted k-grams. It is beneficial to train the classifier using all extracted k-grams so that the training material is more complete.
In a further implementation form of the first aspect, the method further comprises assigning an attention weight to each k-gram; aggregating the attention weights using a pre-calculated set of attention weights; and providing in the output to the expert a classification result and k-grams with an attention weight higher than a predetermined threshold. Using attention weight and comparing it against a threshold provides an efficient way to select the k-grams that are actually significant for the classification result.
In a further implementation form of the first aspect, the step of classifying the behavior further comprises inputting the behaviour sequence into a recurrent neural network of the neural network based classifier; combining an output of the recurrent neural network with the output of the attention mechanism; providing the combined output into a multi-layer perceptron; and providing a classification result and a behaviour sequence corresponding to the recurrent neural network output selected by the attention mechanism. Using a multi-layer perceptron for providing a final classification result improves the correctness of the classification as the final result is based on a combined model from the neural network based classifier and the attention mechanism.
In a further implementation form of the first aspect, the step of deriving the behaviour sequence comprises receiving the behaviour sequence from an external system. This is beneficial as the suspected malware does not need to be executed in the classification environment. This increases the security of the overall system as the malware cannot change the classification result.
In a further implementation form of the first aspect, the external system is a sand-box arrangement. This is beneficial because the malware cannot propagate to a systems that are used in production or everyday life. Furthermore, this is beneficial as the sand-box arrangement can be easily cleaned. Thus, if a malware infects the sand-box environment used for generating the behaviour sequence it is easy to clean so that also the subsequent analyses are reliable as the environment is not infected by another malware that could cause false results.
In a further implementation form of the first aspect, the behaviour sequence comprises a list of API-calls performed by the computer program. This is beneficial as the API-calls depict very well the computer program activity and increased API-calls can be associated with normal and malicious activity. Malicious activity may be, for example, excessive use of network connection or processor.
In a further implementation form of the first aspect the classification result comprises classification into malware and non-malware, and in case of malware the classification further comprises classifying malware into a particular malware family. It is beneficial to determine also the class of malware as different classes have different kind of behaviour. Knowing the class of malware increases the reliability of the classification result and provides system operators tools for preventing malware.
According to a second aspect, a computer program for detecting malware is provided. The computer program comprises computer program code, wherein the computer program code is configured to cause performing a method as described above, when the computer program code is executed in a computing device. It is beneficial to have the possibility to implement the method as a computer program so that it can be executed in a general purpose computer.
According to a third aspect, an apparatus for determining malware is disclosed. The apparatus for determining malware comprises at least one processing circuitry configured to cause performing a method as described above. It is beneficial to use an apparatus for performing the method as the apparatus can be specially prepared for the execution of the method.
An advantage of the above disclosed method, computer program and apparatus is that the selection, which may be operated for example by the attention module, allows the identification of key elements of the sequence responsible for the final decision of the classifier. Classifying execution traces, such as API-calls, that are relevant for malware prediction, so that the extracted subsequence can help an expert to understand the classification result, who, if qualified, can provide feedbacks to the classification system to improve its performance. Compared to the conventional approaches, this selection has the desirable advantage of being learnt in a supervised manner using backpropagation and gradient descent on the cross-entropy loss.
The foregoing and other objects are achieved by the subject matter of the independent claims. Further implementation forms are apparent from the dependent claims, the description and the figures.
The principles discussed in the present description can be implemented in hardware and/or software.
Further example embodiments will be described with respect to the following figures, wherein:
In the various figures, identical reference signs will be used for identical or at least functionally equivalent features.
In the following description, reference is made to the accompanying drawings, which form part of the disclosure, and in which are shown, by way of illustration, specific aspects in which the present apparatuses and methods may be placed. It is understood that other aspects may be utilized and structural or logical changes may be made without departing from the scope of the claims. Thus, the following detailed description, therefore, is not to be taken in a limiting sense.
For instance, it is understood that a disclosure in connection with a described method may also hold true for a corresponding device or system configured to perform the method and vice versa. For example, if a specific method step is described, a corresponding device may include a unit to perform the described method step, even if such unit is not explicitly described or illustrated in the figures. Further, it is understood that the features of the various exemplary aspects described herein may be combined with each other, unless specifically noted otherwise.
In the arrangement of
In
Computing device 120 is an external system that is used by an expert. The computing device 120 receives requests from the computing device 110 and shows them to the user. The user, who is an expert in the malware and computer behaviour, can make a decision for the request. The request comprises subsequences of behaviour sequence and an initial classification result. The expert may decide, based on the received subsequences, if the analyzed computer program is malware or not. The made decision can be fed back to the neural network based classifier or any other machine learning based classifier as feedback. The computing device 120 may be any kind of computing device that is capable of communicating with other devices, particularly with the computing device 110, and is capable of showing the behaviour subsequences and classification results to the expert. Furthermore, the expert must be able to provide feedback with the computing device 120.
Before the example of
When the recurrent neural network has been trained, the ordinary use of the method may be initiated. In the method first an input, which comprises a behaviour sequence of the analyzed program, is fed into the recurrent neural network, step 200.
In the example of
The recurrent neural network 200 receives a behaviour sequence of a program that is being analyzed. When deciding about the classification, which comprises at least deciding if the analyzed computer program is malware and typically also to which malware class it belongs to, the recurrent neural network typically makes the determination based on subsequences of the received behaviour sequence. This is because it is common that the whole behaviour sequence is not significant and malicious activity is determined based on the relevant sections. In the following it is explained how the determination of the relevant sections can be done.
In the example of
The recurrent neural network layer, also known as the embedding layer, receives as input a behaviour sequence comprising API function names, denoted by a1; a2; . . . ; an, and outputs a numerical vector representation of each distinct k-gram occurring in the behaviour sequence, denoted by Φ(x1); Φ(x2); . . . ; Φ(xm). This representation can be computed by using a standard recurrent neural network architecture with gated recurrent unit cells. This step transforms the behaviour sequence into d-dimensional vector representations of distinct k-grams contained in the behaviour sequence, capturing the characteristics of k-grams most relevant for malware classification.
In
The focus of the attention module is not fixed, and thus may change depending on the specific process being considered. For example, a malware may be identified because of its use of a single security related API, while other malware may require a more complex analysis and the use of more of its APIs and k-grams.
Finally, the neural network performs model selection, as the attention module will select k-grams of different sizes, and thus decide if larger or shorter k-grams should be used for classification, depending of the size of the dataset and the size of useful patterns in the input sequences. In the example of
The arrangement disclosed in
The classifier, such as the neural network based classifier of
where ω (xi) denote the attention weights.
The attention weights are defined as follows. For each x∈d, we define a linear score function sθ(x)=aTϕ(x)+b where θ=(a, b)∈d× are learnable parameters. The attention weights are then defined by softmax transformation of attention scores, i.e.
As the weights have been derived they can be compared with predetermined threshold. The weights exceeding the threshold value can be provided to the expert as these are considered to be significant.
As explained above, the arrangements using precoding shuffling as described above may be implemented in hardware, such as a mobile telephone, tablet computer, computer, telecommunication network base station or any other network connected device, or as a method. The method may be implemented as a computer program. The computer program is then executed in a computing device.
The apparatus, such as apparatus for transmitting signals in a communication network, is configured to perform one of the methods described above. The apparatus comprises necessary hardware components. These may include at least one processor, at least one memory, at least one network connection, a bus and similar. Instead of dedicated hardware components it is possible to share, for example, memories or processors with other components or access at a cloud service, centralized computing unit or other resource that can be used over a network connection.
The apparatus for transmitting signals in a communication network and the corresponding method have been described in conjunction with various embodiments herein. However, other variations to the disclosed embodiments can be understood and effected by those skilled in the art in practicing the claimed invention, from a study of the drawings, the disclosure, and the appended claims. In the claims, the word “comprising” does not exclude other elements or steps, and the indefinite article “a” or “an” does not exclude a plurality. A single processor or other unit may fulfill the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage. A computer program may be stored/distributed on a suitable medium, such as an optical storage medium or a solid-state medium supplied together with or as part of other hardware, but may also be distributed in other forms, such as via the Internet or other wired or wireless telecommunication systems.
This application is a continuation of International Application No. PCT/EP2019/064187, filed on May 31, 2019, the disclosure of which is hereby incorporated by reference in its entirety.
Number | Date | Country | |
---|---|---|---|
Parent | PCT/EP2019/064187 | May 2019 | US |
Child | 17538703 | US |