Patent · US Active

Graph-based classification of elements such as files using a tool such as VirusTotal

US11777985B2 · kind B2 · utility

Cited by: 0
References: 2
Claims: 20
Family size: 0

Assignee

Inventor

Key dates

Filing date: Oct 7, 2020
Grant date: Oct 3, 2023
Priority date
Expiry date: Jan 21, 2042

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06N3/082
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

A method of determining the level of maliciousness of an element using a directed hypergraph to classify the element based on information aggregated from its locally identified close neighbors, queried in a database such as VirusTotal (VT). A crawling procedure is used starting from elements needing classification and collecting a set of their neighbors forming neighborhoods. These neighbors are then used to classify the elements. The neural network classifier is able to obtain as input an entire neighborhood. The input includes several feature vectors, one for each element in the neighborhood. In addition, a mapping of interconnections can be provided for each group of elements. Finally, a maliciousness level is provided for the elements in question. For an incriminated file one or more actions can be taken, such as isolating a machine that received the file, killing processes started by the file, removing persistence of the file on the network or affected computer, cleaning infected samples, modifying risk assessment for computer or network, generating a report, collecting additional artifacts, triggering a search for related elements, blocking a user from taking actions and sen…

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.