US 12,271,476 B2
Antiransomware using machine learning
Ryan Smith, Austin, TX (US); and Jonathan Miller, Poway, CA (US)
Assigned to Halcyon Tech, Inc., Austin, TX (US)
Filed by Halcyon Tech, Inc., Austin, TX (US)
Filed on Feb. 16, 2023, as Appl. No. 18/170,415.
Claims priority of provisional application 63/311,684, filed on Feb. 18, 2022.
Prior Publication US 2023/0267207 A1, Aug. 24, 2023
Int. Cl. G06F 21/56 (2013.01); G06F 21/53 (2013.01); G06F 21/54 (2013.01); G06F 21/55 (2013.01)
CPC G06F 21/566 (2013.01) [G06F 21/53 (2013.01); G06F 21/54 (2013.01); G06F 21/554 (2013.01)] 20 Claims
1. A method comprising:
receiving data comprising or characterizing an executable and/or dynamic linked library (DLL);
extracting one or more features from the executable and/or DLL;
generating features indicative of ransomware based on each of: (i) when the executable and/or DLL is accessed, (ii) active processes using application programming interfaces (APIs), (iii) reputational information regarding the executable and/or DLL or modules being utilized in an active process, (iv) system-wide changes, and (v) patch-level changes;
inputting the extracted and generated features into at least one machine learning model to generate a suspiciousness score, the at least one machine learning model being trained to determine whether the executable file comprises ransomware;
determining, using the extracted features and the suspiciousness score, an execution chain of trust score for the executable and/or DLL characterizing one or more associated parent processes; and
initiating, based on the suspiciousness score and the execution chain of trust score, one or more ransomware countermeasures.
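The pipeline in claim 1, as an added Python illustration that is not Halcyon's implementation and is not derived from the patent beyond the claim text: the feature weights, the logistic stand-in for the trained model, the product-over-ancestors chain-of-trust formula, the response thresholds and the sample process tree are all constructed assumptions.

```python
import math
from dataclasses import dataclass, field

# Stand-in for the claimed trained ML model: fixed-weight logistic scorer (hypothetical weights).
WEIGHTS = {"off_hours_access": 1.0, "crypto_api_calls": 0.05, "low_reputation": 2.0,
           "system_wide_change": 2.5, "patch_level_change": 1.5}
BIAS = -4.0

@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    reputation: float                 # 0..1 signer/publisher reputation (feature iii)
    features: dict = field(default_factory=dict)

def suspiciousness(features):
    """Map the extracted/generated features (i)-(v) to a 0..1 suspiciousness score."""
    z = BIAS + sum(WEIGHTS[k] * float(v) for k, v in features.items() if k in WEIGHTS)
    return 1.0 / (1.0 + math.exp(-z))

def chain_of_trust(pid, procs, scores):
    """Walk parents to the root; trust decays with each low-reputation or suspicious ancestor."""
    trust, seen = 1.0, set()
    while pid in procs and pid not in seen:      # 'seen' guards against cyclic ppid data
        seen.add(pid)
        p = procs[pid]
        trust *= p.reputation * (1.0 - scores[pid])
        pid = p.ppid
    return trust

def countermeasures(susp, trust):
    if susp >= 0.8 or trust < 0.2:
        return ["suspend_process", "block_file_writes", "alert"]
    if susp >= 0.5 or trust < 0.5:
        return ["alert"]
    return []

def evaluate(pid, procs):
    scores = {p: suspiciousness(procs[p].features) for p in procs}
    trust = chain_of_trust(pid, procs, scores)
    return scores[pid], trust, countermeasures(scores[pid], trust)

# Constructed sample tree: low-reputation child of a document editor hitting crypto APIs off hours.
PROCS = {
    4: Proc(4, 0, "services.exe", 0.99),
    120: Proc(120, 4, "winword.exe", 0.95, {"off_hours_access": 1}),
    2210: Proc(2210, 120, "update.exe", 0.20, {"off_hours_access": 1, "crypto_api_calls": 40,
                                               "low_reputation": 1, "system_wide_change": 1}),
}
```

`evaluate(2210, PROCS)` returns a high suspiciousness score, a near-zero chain-of-trust score and the full countermeasure list, while the parent `winword.exe` (pid 120) scores low on both axes and triggers nothing.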