Patent · US Active

Classification of malware using clustering that orders events in accordance with the time of occurance

US7809670B2 · kind B2 · utility

Cited by: 34
References: 1
Claims: 20
Family size: 0

Assignee

Inventors

Key dates

Filing date: Dec 8, 2006
Grant date: Oct 5, 2010
Priority date
Expiry date: Aug 4, 2029

Classification

  • Technology area (CPC G): Physics
  • CPC primary: G06F21/564
  • WIPO field: Computer technology
  • WIPO sector: Electrical engineering

Abstract

The present invention is directed to a method and system for automatically classifying an application into an application group which is previously classified in a knowledge base. More specifically, a runtime behavior of an application is captured as a series of events which are monitored and recorded during the execution of the application. The series of events are analyzed to find a proper application group which shares common runtime behavior patterns with the application. The knowledge base of application groups is previously constructed based on a large number of sample applications. The construction of the knowledge base is done in such a manner that each sample application can be classified into application groups based on a set of classification rules in the knowledge base. The set of classification rules are applied to a new application in order to classify the new application into one of the application groups.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.