US 11,928,213 B2
Malware detection
Andrew Davis, Portland, OR (US); Matthew Wolff, Laguna Niguel, CA (US); Derek A. Soeder, Irvine, CA (US); Glenn Chisholm, Irvine, CA (US); and Ryan Permeh, Laguna Hills, CA (US)
Assigned to Cylance Inc., San Ramon, CA (US)
Filed by Cylance Inc., Irvine, CA (US)
Filed on Mar. 20, 2020, as Appl. No. 16/826,033.
Application 16/826,033 is a continuation of application No. 16/183,624, filed on Nov. 7, 2018, granted, now 10,635,814.
Application 16/183,624 is a continuation of application No. 15/210,761, filed on Jul. 14, 2016, granted, now 10,157,279, issued on Dec. 18, 2018.
Claims priority of provisional application 62/193,025, filed on Jul. 15, 2015.
Prior Publication US 2020/0218807 A1, Jul. 9, 2020
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 21/56 (2013.01); G06N 3/08 (2023.01)
CPC G06F 21/565 (2013.01) [G06F 21/562 (2013.01); G06N 3/08 (2013.01); G06F 2221/034 (2013.01)] 17 Claims
1. A system comprising:
at least one processor; and
at least one memory including program code which when executed by the at least one memory provides operations comprising:
receiving a disassembled binary file that includes a plurality of instructions;
generating fixed length representations of the plurality of instructions by processing each of the plurality of instructions having lengths other than a first length by either truncating the instructions so that they are the first length or by padding the instructions so that they are the first length;
processing the disassembled binary file with a trained convolutional neural network configured to (i) apply a first plurality of kernels to detect a presence of one or more sequences of instructions amongst the plurality of instructions, the plurality of kernels being adapted to detect different sequences of instructions, (ii) apply a second plurality of kernels to the disassembled binary file, the second plurality of kernels being adapted to detect specific sequences of two or more instructions detected by the first plurality of kernels, and (iii) determine a classification for the disassembled binary file based at least in part on the presence of the one or more sequences of instructions; and
providing, as an output, the classification of the disassembled binary file to determine whether to execute, open, or access a binary file corresponding to the disassembled binary file.
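The following is an added walk-through of the pipeline claim 1 describes, written for this page and not Cylance's code: each disassembled instruction is truncated or padded to one fixed length, one-hot encoded, passed through a first bank of one-dimensional kernels that fire on short instruction sequences, then through a second bank that fires on particular combinations of first-layer hits, and the result is reduced to a classification. The instruction listings, the vocabulary, the kernel weights and the decision rule are all constructed for illustration; a real system learns the kernel weights from labelled samples, and the instruction pairs chosen here stand in for whatever such training discovers, not for known malicious patterns.

```python
"""Toy, hand-weighted version of the claim-1 pipeline (added example, not
Cylance's code). All data and weights below are constructed."""

from typing import Dict, List, Sequence, Tuple

FIRST_LENGTH = 12  # constructed: every instruction is normalised to 12 characters


def to_fixed_length(instruction: str, length: int = FIRST_LENGTH) -> str:
    """Truncate longer instructions and space-pad shorter ones to exactly `length`."""
    if len(instruction) > length:
        return instruction[:length]
    return instruction.ljust(length)


# Constructed vocabulary of fixed-length tokens; anything else maps to OTHER.
KNOWN = ["push ebp", "mov ebp, esp", "xor eax, eax", "push eax", "call ebx", "pop ebp", "ret"]
VOCAB: Dict[str, int] = {to_fixed_length(t): i for i, t in enumerate(KNOWN)}
OTHER = len(VOCAB)
CHANNELS = OTHER + 1


def encode(instructions: Sequence[str]) -> List[List[float]]:
    """One-hot encode the normalised instructions as a T x CHANNELS matrix."""
    rows = []
    for instr in instructions:
        row = [0.0] * CHANNELS
        row[VOCAB.get(to_fixed_length(instr), OTHER)] = 1.0
        rows.append(row)
    return rows


def conv1d(x: List[List[float]], kernel: List[List[float]], bias: float) -> List[float]:
    """Valid 1-D cross-correlation (what CNN libraries call convolution) with ReLU.
    x is T x C, kernel is W x C; the output has T - W + 1 positions."""
    width, channels = len(kernel), len(kernel[0])
    out = []
    for t in range(len(x) - width + 1):
        s = bias
        for i in range(width):
            for c in range(channels):
                s += x[t + i][c] * kernel[i][c]
        out.append(max(0.0, s))
    return out


def sequence_kernel(tokens: Sequence[str]) -> Tuple[List[List[float]], float]:
    """First-layer kernel: weight 1 on the expected token at each offset, bias
    -(W-1), so the unit fires (value 1) only when the whole sequence is present."""
    k = [[0.0] * CHANNELS for _ in tokens]
    for i, tok in enumerate(tokens):
        k[i][VOCAB[to_fixed_length(tok)]] = 1.0
    return k, -(len(tokens) - 1.0)


# Constructed first-layer bank: three two-instruction detectors of equal width.
LAYER1 = [
    sequence_kernel(["push ebp", "mov ebp, esp"]),
    sequence_kernel(["xor eax, eax", "push eax"]),
    sequence_kernel(["call ebx", "pop ebp"]),
]


def combination_kernel(hits: Sequence[Tuple[int, int]], width: int) -> Tuple[List[List[float]], float]:
    """Second-layer kernel over first-layer feature maps: (offset, first-layer
    kernel index) pairs that must all fire within a window of `width`."""
    k = [[0.0] * len(LAYER1) for _ in range(width)]
    for offset, channel in hits:
        k[offset][channel] = 1.0
    return k, -(len(hits) - 1.0)


# Constructed second-layer bank: detector 1 firing, then detector 2 two positions later.
LAYER2 = [combination_kernel([(0, 1), (2, 2)], width=3)]


def classify(disassembly: Sequence[str]) -> Tuple[str, float]:
    """Run both layers, global-max-pool the second layer, and map the score to
    a constructed decision: 'flag' if any second-layer unit fired, else 'allow'."""
    x = encode(disassembly)
    maps1 = [conv1d(x, k, b) for k, b in LAYER1]
    x2 = [list(col) for col in zip(*maps1)]  # transpose to T' x len(LAYER1)
    maps2 = [conv1d(x2, k, b) for k, b in LAYER2]
    score = max((max(m) for m in maps2 if m), default=0.0)
    return ("flag", score) if score > 0 else ("allow", score)


# Constructed listings: one carrying the target combination, one not.
SAMPLE_FLAGGED = ["push ebp", "mov ebp, esp", "xor eax, eax", "push eax",
                  "call ebx", "pop ebp", "mov dword ptr [ebp-4], eax", "ret"]
SAMPLE_ALLOWED = ["push ebp", "mov ebp, esp", "push eax", "xor eax, eax",
                  "call ebx", "ret"]

if __name__ == "__main__":
    for name, listing in (("flagged", SAMPLE_FLAGGED), ("allowed", SAMPLE_ALLOWED)):
        print(name, [to_fixed_length(i) for i in listing], classify(listing))
```

The second-layer kernel only sees first-layer outputs, which is why the bank above uses kernels of one width: feature maps of equal length stack into the matrix the second layer convolves over. A listing shorter than a kernel yields an empty feature map and a score of 0, so very short inputs fall through to the default decision rather than raising.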