System and methods for detection of new malicious executables

Assignee

• The Trustees of Columbia University in the City of New York · US

Inventors

• Matthew SCHULTZ · Redwood City, US
• Eleazar Eskin · Santa Monica, US
• Erez Zadok · Stony Brook, US
• Manasi Bhattacharyya · Great Neck, US
• Stolfo J. Salvatore · Ridgewood, US

Key dates

Classification

• Technology area (CPC G)Physics
• CPC primaryG06F21/562
• WIPO fieldDigital communication
• WIPO sectorElectrical engineering

Abstract

A system and methods for detecting malicious executable attachments at an email processing application of a computer system using data mining techniques. The email processing application may be located at the server or at the client or host. The executable attachments are filtered from said email, and byte sequence features are extracted from the executable attachment. The executable attachments are classified by comparing the byte sequence feature of the executable attachment to a classification rule set derived from byte sequence features of a data set of known executables having a predetermined class in a set of classes, e.g., malicious or benign. The system is also able to classify executable attachments as borderline when the difference between the probability that the executable is malicious and the probability that the executable is benign are within a predetermined threshold. The system can notify the user when the number of borderline attachments exceeds the threshold in order to refine the classification rule set.