公开(公告)号：US07979907B2

公开(公告)日：2011-07-12

申请号：US12338479

申请日：2008-12-18

申请人： Matthew G. Schultz ,  Eleazar Eskin ,  Erez Zadok ,  Manasi Bhattacharyya ,  Stolfo Salvatore J.

发明人： Matthew G. Schultz ,  Eleazar Eskin ,  Erez Zadok ,  Manasi Bhattacharyya ,  Stolfo Salvatore J.

IPC分类号： G06F11/00 ,  G06F12/14

CPC分类号： H04L63/145 ,  G06F21/562

摘要： A system and methods for detecting malicious executable attachments at an email processing application of a computer system using data mining techniques. The email processing application may be located at the server or at the client or host. The executable attachments are filtered from said email, and byte sequence features are extracted from the executable attachment. The executable attachments are classified by comparing the byte sequence feature of the executable attachment to a classification rule set derived from byte sequence features of a data set of known executables having a predetermined class in a set of classes, e.g., malicious or benign. The system is also able to classify executable attachments as borderline when the difference between the probability that the executable is malicious and the probability that the executable is benign are within a predetermined threshold. The system can notify the user when the number of borderline attachments exceeds the threshold in order to refine the classification rule set.

摘要翻译： 一种用于在使用数据挖掘技术的计算机系统的电子邮件处理应用中检测恶意可执行附件的系统和方法。 电子邮件处理应用程序可能位于服务器或客户端或主机。 从所述电子邮件过滤可执行附件，并从可执行附件中提取字节序列特征。 可执行附件通过将可执行附件的字节序列特征与从一组类别（例如恶意或良性）中具有预定类别的已知可执行程序的数据集的字节序列特征导出的分类规则集进行比较来分类。 当可执行文件的恶意程度与可执行文件的良性概率在预定的阈值内时，系统还能将可执行附件分类为边界。 为了优化分类规则集，系统可以通知用户边界附件的数量超过阈值。

公开(公告)号：US20090254992A1

公开(公告)日：2009-10-08

申请号：US12338479

申请日：2008-12-18

申请人： Matthew G. Schultz ,  Eleazar Eskin ,  Erez Zadok ,  Manasi Bhattacharyya ,  Stolfo Salvatore J.

发明人： Matthew G. Schultz ,  Eleazar Eskin ,  Erez Zadok ,  Manasi Bhattacharyya ,  Stolfo Salvatore J.

IPC分类号： G06F21/00

CPC分类号： H04L63/145 ,  G06F21/562

摘要： A system and methods for detecting malicious executable attachments at an email processing application of a computer system using data mining techniques. The email processing application may be located at the server or at the client or host. The executable attachments are filtered from said email, and byte sequence features are extracted from the executable attachment. The executable attachments are classified by comparing the byte sequence feature of the executable attachment to a classification rule set derived from byte sequence features of a data set of known executables having a predetermined class in a set of classes, e.g., malicious or benign. The system is also able to classify executable attachments as borderline when the difference between the probability that the executable is malicious and the probability that the executable is benign are within a predetermined threshold. The system can notify the user when the number of borderline attachments exceeds the threshold in order to refine the classification rule set.

摘要翻译： 一种用于在使用数据挖掘技术的计算机系统的电子邮件处理应用中检测恶意可执行附件的系统和方法。 电子邮件处理应用程序可能位于服务器或客户端或主机。 从所述电子邮件过滤可执行附件，并从可执行附件中提取字节序列特征。 可执行附件通过将可执行附件的字节序列特征与从一组类别（例如恶意或良性）中具有预定类别的已知可执行程序的数据集的字节序列特征导出的分类规则集进行比较来分类。 当可执行文件的恶意程度与可执行文件的良性概率在预定的阈值内时，系统还能将可执行附件分类为边界。 为了优化分类规则集，系统可以通知用户边界附件的数量超过阈值。