US 11,868,473 B2
Method for constructing behavioural software signatures
Baptiste Olivier, Chatillon (FR); and Xiao Han, Chatillon (FR)
Assigned to ORANGE, Issy les Moulineaux (FR)
Appl. No. 17/430,922
Filed by ORANGE, Issy les Moulineaux (FR)
PCT Filed Jan. 30, 2020, PCT No. PCT/FR2020/050142
§ 371(c)(1), (2) Date Aug. 13, 2021,
PCT Pub. No. WO2020/165519, PCT Pub. Date Aug. 20, 2020.
Claims priority of application No. 1901530 (FR), filed on Feb. 14, 2019.
Prior Publication US 2022/0129550 A1, Apr. 28, 2022
Int. Cl. G06F 21/56 (2013.01)
CPC G06F 21/564 (2013.01) [G06F 2221/033 (2013.01)] 7 Claims
OG exemplary drawing
 
1. A method for constructing behavioral signatures of software packages performed by a device, said method comprising:
embedding execution traces of a set of software packages in a vector space, an execution trace of a software package comprising at least one event and being representative of execution of the software package, said embedding representing an event of the execution trace with a vector encoding a context of occurrence of the event,
performing a cluster analysis of vectors associated with the software packages of the set, said cluster analysis generating at least one data group, the data group being representative of a behavior, a behavioral label being associated with said data group,
associating a behavioral label with a vector, the behavioral label associated with the vector being representative of the data group to which the vector belongs, and associating a behavioral-label trace with a vector trace, said label trace being representative of the execution of the software package, and
extracting from the label trace at least two behavioral signatures associated with the software package, a first of said at least two behavioral signatures being a signature of a first order corresponding to a k-gram present in the behavioral-label trace and a second of said at least two behavioral signatures being a signature of an order equal to at least two obtained by a combination of at least two signatures of the first order by using Boolean operators, the combination of the signatures of the first order being present in the execution trace of the software package.
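The four steps of claim 1 (context embedding of events, cluster analysis, label-trace construction, k-gram and Boolean-combination signature extraction) as an added, self-contained Python example. This is illustrative code written for this page, not the patentee's implementation: the event names, traces, the bag-of-neighbours embedding, the deterministic k-means and the `AND`/`OR` signature encoding are all assumptions chosen to keep the example runnable offline, and the claim itself leaves those choices open.

```python
"""
Added worked example (not the patent's code): a minimal pipeline that
embeds execution-trace events by their context of occurrence, clusters the
vectors into behaviours, rewrites each trace as a behavioural-label trace,
and extracts first-order (k-gram) and second-order (Boolean combination)
signatures, plus a matcher that evaluates a signature against a trace.
All traces and event names below are constructed sample data.
"""
from itertools import combinations
from math import sqrt

# Constructed execution traces: ordered lists of events (API/syscall-like
# names invented for the example) observed when each package ran.
TRACES = {
    "pkg_a": ["open", "read", "read", "close", "connect", "send", "recv"],
    "pkg_b": ["open", "read", "close", "connect", "send", "send", "recv"],
    "pkg_c": ["fork", "exec", "wait", "open", "read", "close"],
    "pkg_d": ["fork", "exec", "exec", "wait", "connect", "send"],
}


def embed_events(traces, window=1):
    """Represent each distinct event by a vector encoding its context of
    occurrence: counts of the events seen within `window` positions of it,
    aggregated over all traces (an assumed bag-of-neighbours embedding).
    Returns (vocab, {event: vector})."""
    vocab = sorted({e for t in traces.values() for e in t})
    index = {e: i for i, e in enumerate(vocab)}
    vectors = {e: [0.0] * len(vocab) for e in vocab}
    for trace in traces.values():
        for pos, event in enumerate(trace):
            lo, hi = max(0, pos - window), min(len(trace), pos + window + 1)
            for ctx in range(lo, hi):
                if ctx != pos:
                    vectors[event][index[trace[ctx]]] += 1.0
    return vocab, vectors


def _dist(u, v):
    return sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def cluster(vectors, k, iterations=20):
    """Deterministic k-means (assumed clustering method): centroids are seeded
    with the first k vectors in sorted event order so runs are reproducible.
    Returns {event: cluster label}; the label is the behaviour the event
    vector was grouped into."""
    events = sorted(vectors)
    centroids = [vectors[e][:] for e in events[:k]]
    labels = {}
    for _ in range(iterations):
        labels = {e: min(range(k), key=lambda c: _dist(vectors[e], centroids[c]))
                  for e in events}
        for c in range(k):
            members = [vectors[e] for e in events if labels[e] == c]
            if members:  # empty clusters keep their previous centroid
                centroids[c] = [sum(col) / len(members) for col in zip(*members)]
    return labels


def label_trace(trace, labels):
    """Map an execution trace to its behavioural-label trace."""
    return [labels[e] for e in trace]


def first_order_signatures(lbl_trace, k):
    """Every k-gram present in the label trace (first-order signatures)."""
    return {tuple(lbl_trace[i:i + k]) for i in range(len(lbl_trace) - k + 1)}


def second_order_signatures(lbl_trace, k):
    """Pairwise conjunctions (Boolean AND) of first-order signatures; only
    pairs that are both present in the trace are emitted, so every
    combination is itself present in the execution trace."""
    grams = sorted(first_order_signatures(lbl_trace, k))
    return {(g1, "AND", g2) for g1, g2 in combinations(grams, 2)}


def matches(signature, lbl_trace):
    """Evaluate a signature against a label trace. A k-gram matches when it
    occurs contiguously; an (s1, op, s2) tuple applies the Boolean operator
    to the results for s1 and s2 (labels are ints, so "AND"/"OR" never
    collide with a k-gram element)."""
    if len(signature) == 3 and signature[1] in ("AND", "OR"):
        a, op, b = signature
        ra, rb = matches(a, lbl_trace), matches(b, lbl_trace)
        return (ra and rb) if op == "AND" else (ra or rb)
    k = len(signature)
    return any(tuple(lbl_trace[i:i + k]) == signature
               for i in range(len(lbl_trace) - k + 1))


def build_signatures(traces, k_clusters=3, k_gram=2):
    """Run the whole pipeline and return, per package, its label trace and
    its first- and second-order signatures."""
    _, vectors = embed_events(traces)
    labels = cluster(vectors, k_clusters)
    out = {}
    for name, trace in traces.items():
        lt = label_trace(trace, labels)
        out[name] = {
            "label_trace": lt,
            "first_order": first_order_signatures(lt, k_gram),
            "second_order": second_order_signatures(lt, k_gram),
        }
    return out


if __name__ == "__main__":
    for name, sig in build_signatures(TRACES).items():
        print(name, sig["label_trace"], len(sig["first_order"]), len(sig["second_order"]))
```

Because signatures are expressed over cluster labels rather than raw event names, two packages whose traces use different but similarly-contextualised events can still share a signature; the `matches` function shows how such a signature would be evaluated against a new package's label trace at detection time.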