Application phenotyping

Assignee

• McAfee, LLC · US

Inventors

• Cedric Cochin · Portland, US
• John Teddy · Portland, US
• Ofir Arkin · Petah Tikva, IL
• James Douglas Bean · Beaverton, US
• Joel R. Spurlock · Portland, US
• Carl D. Woodward · Santa Clara, US

Key dates

Classification

• Technology area (CPC H)Electricity
• CPC primaryH04L63/145
• WIPO fieldDigital communication
• WIPO sectorElectrical engineering

Abstract

A collection of techniques is disclosed to allow for the detection of malware that leverages pattern recognition and machine learning to effectively provide “content-less” malware detection, i.e., detecting a process as being an ‘anomaly’ not based on its particular content, but instead based on comparisons of its behavior to known (and characterized) ‘trusted’ application behaviors, i.e., the trusted applications' “phenotypes” and/or the phenotypes of known malware applications. By analyzing the patterns of normal behavior performed by trusted applications as well as malware applications, one can build a set of sophisticated, content-agnostic behavioral models (i.e., “application phenotypes”)—and later compare the processes executed on a user device to the stored behavioral models to determine whether the actual measured behavior reflects a “good” application, or if it differs from the stored behavioral models to a sufficient degree and with a sufficient degree of confidence, thus indicating a potentially malicious application or behavior.