US 12,468,810 B2
Classifying cybersecurity threats using machine learning on non-Euclidean data
Ido Kotler, Tel Aviv (IL); Gal Braun, Ness Ziona (IL); Dean Langsam, Ness Ziona (IL); and Guy Jacoby, Ness Ziona (IL)
Assigned to SENTINELONE, INC., Mountain View, CA (US)
Filed by SENTINELONE, INC., Mountain View, CA (US)
Filed on Jan. 15, 2024, as Appl. No. 18/412,981.
Claims priority of provisional application 63/479,956, filed on Jan. 13, 2023.
Prior Publication US 2024/0241956 A1, Jul. 18, 2024
Int. Cl. G06F 21/50 (2013.01); G06F 21/54 (2013.01); G06F 21/55 (2013.01); G06F 21/56 (2013.01)
CPC G06F 21/566 (2013.01) [G06F 21/54 (2013.01); G06F 21/554 (2013.01)] 14 Claims
OG exemplary drawing
 
1. A computer-implemented method of detecting malware in real-time in a live environment, the method comprising:
monitoring a sequence of linked operations performed by a program running in the live environment;
generating an event data characterizing each monitored operation, wherein the event data comprises, for each monitored operation, at least an operation type and a source of the operation;
building an updated stateful model in accordance with the event data, wherein the updated stateful model comprises a data structure representing a real-time updated system state resulting from the sequence of linked operations, and wherein the building the updated stateful model comprises:
retrieving one or more objects associated with the event data, each of the one or more objects representing an entity involved in one of the monitored operations, the retrieved one or more objects comprising at least one object for each monitored operation that represents the source of the operation;
determining one or more relationships among the one or more objects in accordance with the event data, the determined relationships comprising at least the type of each monitored operation and one or more interconnections between the objects of one monitored operation and the objects of another monitored operation;
inferring an event context comprising the one or more objects and the determined relationships thereof; and
generating a stateful model comprising the event context if the monitored operation is a first monitored operation or otherwise updating an existing stateful model based at least in part on the event context, thereby building the updated stateful model representing a hierarchical structure comprising one or more entities involved in the sequence of linked operations and interconnections between the one or more entities resulting from the linked operations;
generating a graph data structure corresponding to the updated stateful model, wherein the graph data structure comprises:
a representation of a structure of a graph comprising nodes and edges linking the nodes, wherein the nodes correspond to the one or more entities of the updated stateful model, and wherein the edges correspond to the interconnections between the one or more entities of the updated stateful model;
an embedding for each node comprising information associated with the entity that corresponds to the respective node; and
an embedding for each edge comprising information associated with the interconnection that corresponds to the respective edge;
applying a graph neural network to the graph data structure to transform one or more embeddings in the graph data structure based on the structure of the graph;
applying a machine learning model to the one or more transformed embeddings to identify one or more suspicious behaviors associated with the updated stateful model, wherein the machine learning model is trained to identify suspicious behavior based on graph data structures corresponding to stateful models; and
determining the presence of malware based on the identified one or more suspicious behaviors.
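The pipeline recited in claim 1 (event stream, incrementally updated stateful model, graph with node and edge embeddings, a graph neural network pass, a classifier, a verdict) is easier to follow as code. The following is an added illustration written for this page and is not the patent's or SentinelOne's implementation: the event records, entity and operation vocabularies, the single sum-aggregation message-passing layer standing in for a GNN, and the hand-set linear weights and threshold standing in for a trained model are all constructed assumptions.

```python
"""Toy version of the claimed pipeline: events -> stateful model -> graph
-> one GNN-style message-passing layer -> scorer -> malware verdict.
Constructed example; weights and vocabularies are assumptions, not learned."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ENTITY_TYPES = ["process", "file", "network", "registry"]            # assumed vocabulary
OP_TYPES = ["create_process", "write_file", "connect", "set_registry", "inject"]


@dataclass
class StatefulModel:
    """Hierarchical system state: entities plus the interconnections between them."""
    objects: Dict[str, str] = field(default_factory=dict)             # entity id -> type
    relationships: List[Tuple[str, str, str]] = field(default_factory=list)  # (src, dst, op)


def event_context(event: dict):
    """Retrieve the objects for one monitored operation and infer their relationship.
    The source of every operation is a process; the event names the target's type."""
    objects = {event["source"]: "process", event["target"]: event["target_type"]}
    relationship = (event["source"], event["target"], event["op"])
    return objects, relationship


def build_stateful_model(events, model: Optional[StatefulModel] = None) -> StatefulModel:
    """Create the model on the first event, otherwise update the existing model."""
    for ev in events:
        objects, rel = event_context(ev)
        if model is None:
            model = StatefulModel(objects=dict(objects), relationships=[rel])
        else:
            model.objects.update(objects)
            model.relationships.append(rel)
    return model


def one_hot(value: str, vocab: List[str]) -> List[float]:
    return [1.0 if value == v else 0.0 for v in vocab]


def to_graph(model: StatefulModel):
    """Graph data structure: node list, edge list, node embeddings, edge embeddings."""
    nodes = list(model.objects)
    index = {n: i for i, n in enumerate(nodes)}
    node_emb = [one_hot(model.objects[n], ENTITY_TYPES) for n in nodes]
    edges = [(index[s], index[t]) for s, t, _ in model.relationships]
    edge_emb = [one_hot(op, OP_TYPES) for _, _, op in model.relationships]
    return nodes, edges, node_emb, edge_emb


def message_pass(edges, node_emb, edge_emb):
    """One GNN layer (stand-in for a trained network): each node's embedding becomes
    [own features | summed features of incident edges], so graph structure is folded in."""
    agg = [[0.0] * len(OP_TYPES) for _ in node_emb]
    for (src, dst), e in zip(edges, edge_emb):
        for k, v in enumerate(e):
            agg[src][k] += v
            agg[dst][k] += v          # targets also learn what touched them
    return [own + a for own, a in zip(node_emb, agg)]


# Assumed weights standing in for a trained classifier over the 9-dim embedding:
# 4 entity-type dims (weight 0) followed by 5 operation-count dims.
WEIGHTS = [0.0, 0.0, 0.0, 0.0, 0.3, 0.3, 0.5, 0.5, 2.0]


def detect(events, threshold: float = 2.5) -> Tuple[bool, List[str]]:
    """Return (malware present?, entities exhibiting suspicious behavior)."""
    model = build_stateful_model(events)
    nodes, edges, node_emb, edge_emb = to_graph(model)
    transformed = message_pass(edges, node_emb, edge_emb)
    flagged = [n for n, emb in zip(nodes, transformed)
               if sum(w * x for w, x in zip(WEIGHTS, emb)) >= threshold]
    return bool(flagged), flagged


# Constructed event sequences (TEST-NET address, made-up names).
MALICIOUS_EVENTS = [
    {"op": "write_file", "source": "proc:dropper", "target": "file:payload.dll", "target_type": "file"},
    {"op": "set_registry", "source": "proc:dropper", "target": "reg:Run", "target_type": "registry"},
    {"op": "connect", "source": "proc:dropper", "target": "net:198.51.100.7:443", "target_type": "network"},
    {"op": "inject", "source": "proc:dropper", "target": "proc:explorer", "target_type": "process"},
]
BENIGN_EVENTS = [
    {"op": "write_file", "source": "proc:editor", "target": "file:notes.txt", "target_type": "file"},
    {"op": "connect", "source": "proc:editor", "target": "net:198.51.100.9:443", "target_type": "network"},
]

if __name__ == "__main__":
    print("malicious:", detect(MALICIOUS_EVENTS))   # (True, ['proc:dropper'])
    print("benign:   ", detect(BENIGN_EVENTS))      # (False, [])
```

Because the edge features are aggregated at both endpoints, the process that was injected into also carries the inject signal, but on its own that stays under the threshold; only the entity linking several operations crosses it, which is the point of scoring the chain of linked operations rather than any single event.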