US 11,790,085 B2
Apparatus for detecting unknown malware using variable opcode sequence and method using the same
Jung-Tae Kim, Daejeon (KR); Ji-Hyeon Song, Daejeon (KR); Jong-Hyun Kim, Daejeon (KR); Sang-Min Lee, Daejeon (KR); Ik-Kyun Kim, Daejeon (KR); and Dae-Sung Moon, Daejeon (KR)
Assigned to Electronics and Telecommunications Research Institute, Daejeon (KR)
Filed by Electronics and Telecommunications Research Institute, Daejeon (KR)
Filed on Aug. 30, 2021, as Appl. No. 17/461,337.
Claims priority of application No. 10-2020-0142203 (KR), filed on Oct. 29, 2020; and application No. 10-2021-0060608 (KR), filed on May 11, 2021.
Prior Publication US 2022/0138319 A1, May 5, 2022
Int. Cl. G06F 21/56 (2013.01); G06N 20/00 (2019.01)
CPC G06F 21/564 (2013.01) [G06N 20/00 (2019.01)]
16 Claims
 
1. A method for detecting unknown malware, comprising:
collecting operation code (opcode) information from a detection target;
generating a multi-pixel image having a variable length by performing feature engineering on the opcode information; and
detecting unknown malware by inputting the multi-pixel image to a deep-learning model based on AI,
wherein the multi-pixel image corresponds to a multi-pixel RGB image based on an n-gram corresponding to the opcode information, and
wherein generating the multi-pixel image comprises:
storing n-gram sequences for hexadecimal (hex) codes having a variable length based on the opcode information; and
mapping a 3-gram of opcodes to an RGB code based on the n-gram sequences, thereby generating the multi-pixel RGB image.
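
The feature-engineering step of claim 1, sketched as an added example (not code from the patent or its assignee): each sliding 3-gram of the opcode sequence becomes one RGB pixel, and the image height varies with the sequence length. Assumptions not stated in the claim: one-byte hex opcodes, stride-1 windows, R/G/B taken from the first/second/third opcode, a fixed row width of 4 with black padding, and plain-text PPM output; the names `opcodes_to_image`, `trigram_to_rgb` and `to_ppm` are hypothetical.

```python
"""Opcode 3-grams -> RGB pixels -> variable-height image (illustrative sketch)."""

# Constructed sample: one-byte x86 opcodes as hex strings
# (push ebp, mov, group-1 arithmetic, call, leave, ret, push ebp, mov).
SAMPLE_OPCODES = ["55", "8b", "83", "e8", "c9", "c3", "55", "8b"]


def ngrams(opcodes, n=3):
    """Stored n-gram sequences: sliding window, stride 1 (assumed)."""
    return [tuple(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1)]


def trigram_to_rgb(gram):
    """Assumed mapping: first opcode -> R, second -> G, third -> B."""
    rgb = tuple(int(op, 16) for op in gram)
    if len(rgb) != 3 or any(not 0 <= v <= 255 for v in rgb):
        raise ValueError(f"expected three one-byte hex opcodes, got {gram!r}")
    return rgb


def opcodes_to_image(opcodes, width=4):
    """Return rows of RGB pixels; the row count grows with the input length."""
    pixels = [trigram_to_rgb(g) for g in ngrams(opcodes, 3)]
    if not pixels:
        return []  # fewer than three opcodes: no 3-gram, so no image
    # Pad the last row with black so every row has the same width.
    pixels += [(0, 0, 0)] * (-len(pixels) % width)
    return [pixels[i:i + width] for i in range(0, len(pixels), width)]


def to_ppm(image):
    """Serialize the pixel rows as a plain-text PPM (P3) image."""
    height = len(image)
    width = len(image[0]) if image else 0
    lines = ["P3", f"{width} {height}", "255"]
    for row in image:
        lines.append(" ".join(f"{r} {g} {b}" for r, g, b in row))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_ppm(opcodes_to_image(SAMPLE_OPCODES)), end="")
```

The resulting pixel rows are what would be passed to the deep-learning model named in the claim; the model itself is outside this sketch.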