US 12,189,770 B2
Methods and apparatus to detect malware using micro-forests with customer trust seeds
German Lancioni, San Jose, CA (US); and Sorcha Healy, Mahon (IE)
Assigned to MCAFEE, LLC, San Jose, CA (US)
Filed by McAfee, LLC, San Jose, CA (US)
Filed on Dec. 23, 2021, as Appl. No. 17/561,475.
Claims priority of provisional application 63/227,305, filed on Jul. 29, 2021.
Prior Publication US 2023/0030136 A1, Feb. 2, 2023
Int. Cl. G06F 21/56 (2013.01); G06F 21/00 (2013.01); G06N 7/01 (2023.01)
CPC G06F 21/566 (2013.01) [G06F 21/56 (2013.01); G06F 21/567 (2013.01); G06N 7/01 (2023.01); G06F 2221/033 (2013.01)] 26 Claims
OG exemplary drawing
 
1. A false positive correction apparatus comprising:
memory; and
processor circuitry including one or more of:
at least one of a central processing unit, a graphic processing unit or a digital signal processor, the at least one of the central processing unit, the graphic processing unit or the digital signal processor having control circuitry to control data movement within the processor circuitry, arithmetic and logic circuitry to perform one or more first operations corresponding to instructions, and one or more registers to store a result of the one or more first operations, the instructions in the apparatus;
a Field Programmable Gate Array (FPGA), the FPGA including logic gate circuitry, a plurality of configurable interconnections, and storage circuitry, the logic gate circuitry and interconnections to perform one or more second operations, the storage circuitry to store a result of the one or more second operations; or
Application Specific Integrated Circuit (ASIC) including logic gate circuitry to perform one or more third operations;
the processor circuitry to perform at least one of the first operations, the second operations or the third operations to instantiate:
classifier circuitry to access a malicious sample, the malicious sample having a first feature vector;
sample comparison circuitry to compare, using a machine learning algorithm, the malicious sample to a known sample, the known sample collected from customer normality samples, the known sample having a second feature vector, the machine learning algorithm trained based on the customer normality samples, the customer normality samples including clean samples;
calculator circuitry to calculate a distance value between the first feature vector and the second feature vector; and
threshold comparator circuitry to:
compare the distance value to a threshold; and
change a classification of the malicious sample to clean in response to the distance value satisfying the threshold.