CPC: G06F 21/566 (2013.01) [G06F 21/56 (2013.01); G06F 21/567 (2013.01); G06N 7/01 (2023.01); G06F 2221/033 (2013.01)]. 20 Claims.

9. At least one non-transitory machine-readable medium comprising machine readable instructions that, when executed, cause at least one processor to at least:
disassemble a known portable executable (PE) file that is not malicious into first instructions, the first instructions including first operation codes that are compatible with a first processor architecture;
transform the first instructions into a first sequence of states within an abstract language representation, the first sequence of states based on one or more of the first operation codes;
create a first Markov transition matrix to represent transitions within the first sequence of states;
disassemble an unknown PE file into second instructions, the second instructions including second operation codes that are compatible with a second processor architecture but are not compatible with the first processor architecture;
transform the second instructions into a second sequence of states within the same abstract language representation, the second sequence of states based on one or more of the second operation codes;
create a second Markov transition matrix to represent transitions within the second sequence of states;
identify a clean group of Markov transition matrices from a corpus of clean groups, the second Markov transition matrix being more similar to the identified clean group than other clean groups within the corpus of clean groups, the corpus of clean groups to include the first Markov transition matrix;
identify a malicious group of Markov transition matrices from a corpus of malicious groups, the second Markov transition matrix being more similar to the identified malicious group than other malicious groups within the corpus of malicious groups;
classify the unknown PE file as clean or malicious, the classification in response to whether the second Markov transition matrix is closer to the identified clean group of Markov transition matrices or the identified malicious group of Markov transition matrices; and
perform an action responsive to a determination that the classified PE file is malicious.
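As an added illustration (not the patent's own code, and not part of the claim language), the Python below walks through the pipeline claim 9 describes: opcode sequences from two architectures are mapped onto one shared abstract-state vocabulary, each sequence becomes a row-normalised Markov transition matrix, the unknown sample's matrix is matched against the nearest clean group and the nearest malicious group, and the closer of the two decides the verdict. It assumes the disassembly step has already been done by some disassembler and starts from mnemonic lists. The abstract-state vocabulary, the hypothetical x86 and ARM mnemonic maps, the use of Frobenius distance to group centroids as the "similarity" measure (the claim names no measure), and every sample sequence are constructed for this example, not taken from the patent.

```python
import math

# Shared abstract language: mnemonics from any ISA collapse onto these states.
# Constructed vocabulary for this example; the claim does not publish its state table.
ABSTRACT_STATES = ["MOV", "ARITH", "LOGIC", "CMP", "BRANCH", "CALL", "RET", "STACK", "OTHER"]
_IDX = {s: i for i, s in enumerate(ABSTRACT_STATES)}

# Hypothetical mnemonic -> abstract-state maps for a first (x86) and second (ARM) architecture.
X86_MAP = {
    "mov": "MOV", "lea": "MOV", "add": "ARITH", "sub": "ARITH", "imul": "ARITH",
    "inc": "ARITH", "and": "LOGIC", "or": "LOGIC", "xor": "LOGIC", "cmp": "CMP",
    "test": "CMP", "jmp": "BRANCH", "je": "BRANCH", "jne": "BRANCH",
    "call": "CALL", "ret": "RET", "push": "STACK", "pop": "STACK",
}
ARM_MAP = {
    "mov": "MOV", "ldr": "MOV", "str": "MOV", "add": "ARITH", "sub": "ARITH",
    "mul": "ARITH", "and": "LOGIC", "orr": "LOGIC", "eor": "LOGIC", "cmp": "CMP",
    "tst": "CMP", "b": "BRANCH", "beq": "BRANCH", "bne": "BRANCH",
    "bl": "CALL", "blx": "CALL", "bx": "RET", "push": "STACK", "pop": "STACK",
}


def to_states(mnemonics, isa_map):
    """Map a mnemonic sequence onto the abstract-state sequence; unknown mnemonics -> OTHER."""
    return [isa_map.get(m.lower(), "OTHER") for m in mnemonics]


def transition_matrix(states):
    """Row-normalised Markov transition matrix over ABSTRACT_STATES.

    A state with no outgoing transition (e.g. a trailing RET, or an empty input) keeps an all-zero row.
    """
    n = len(ABSTRACT_STATES)
    m = [[0.0] * n for _ in range(n)]
    for a, b in zip(states, states[1:]):
        m[_IDX[a]][_IDX[b]] += 1.0
    for row in m:
        total = sum(row)
        if total:
            for j in range(n):
                row[j] /= total
    return m


def centroid(matrices):
    """Element-wise mean of a group's matrices, used as the group's representative."""
    n = len(ABSTRACT_STATES)
    c = [[0.0] * n for _ in range(n)]
    for m in matrices:
        for i in range(n):
            for j in range(n):
                c[i][j] += m[i][j] / len(matrices)
    return c


def distance(m1, m2):
    """Frobenius distance between two matrices (assumed similarity measure)."""
    return math.sqrt(sum((a - b) ** 2 for r1, r2 in zip(m1, m2) for a, b in zip(r1, r2)))


def nearest_group(matrix, groups):
    """Return (name, distance) of the group whose centroid is closest to `matrix`."""
    scored = {name: distance(matrix, centroid(ms)) for name, ms in groups.items()}
    best = min(scored, key=scored.get)
    return best, scored[best]


def classify(unknown_matrix, clean_groups, malicious_groups):
    """Identify nearest clean and nearest malicious group, then pick the closer one."""
    clean_name, d_clean = nearest_group(unknown_matrix, clean_groups)
    mal_name, d_mal = nearest_group(unknown_matrix, malicious_groups)
    verdict = "clean" if d_clean <= d_mal else "malicious"
    return verdict, clean_name, mal_name


def _x86(seq):
    return transition_matrix(to_states(seq.split(), X86_MAP))


# Constructed corpus: known x86 samples (first architecture), grouped by family.
CLEAN_GROUPS = {
    "prologue_style": [_x86("push mov sub mov mov call add mov pop ret"),
                       _x86("push mov mov call mov pop ret")],
    "arith_heavy": [_x86("mov add mov imul add mov ret")],
}
MALICIOUS_GROUPS = {
    "tight_loop_style": [_x86("mov xor inc cmp jne xor inc cmp jne jmp"),
                         _x86("xor add cmp jne xor add cmp jne")],
}

# Constructed unknown ARM samples (second architecture), never seen by the corpus.
UNKNOWN_ARM_A = "push mov ldr bl mov pop bx".split()
UNKNOWN_ARM_B = "mov eor add cmp bne eor add cmp bne b".split()


def classify_arm(mnemonics):
    """Full path for one ARM sample: abstract states -> matrix -> group match -> verdict."""
    return classify(transition_matrix(to_states(mnemonics, ARM_MAP)), CLEAN_GROUPS, MALICIOUS_GROUPS)


if __name__ == "__main__":
    for label, sample in (("A", UNKNOWN_ARM_A), ("B", UNKNOWN_ARM_B)):
        print(label, classify_arm(sample))
```

Because the comparison happens in the abstract-state space, the ARM samples are scored against an x86-only corpus, which is the cross-architecture point of the claim: sample A, whose state sequence matches a clean prologue pattern, lands nearest `prologue_style` and is reported clean, while sample B, whose state sequence matches the constructed loop pattern, is reported malicious. In practice the abstract-state table and the distance measure are the tuning knobs, and the claim's "perform an action" step is whatever response the deployment attaches to a malicious verdict.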