The patent badge is an abbreviated version of the USPTO patent document. It covers the following fields: patent number, date the patent was issued, date the patent was filed, title of the patent, applicant, inventor, assignee, attorney firm, primary examiner, assistant examiner, CPCs, and abstract. The patent badge also contains a link to the full patent document (PDF).

Date of Patent: Jul. 12, 2011
Filed: Dec. 18, 2008
Applicants: Matthew G. Schultz, Ithaca, NY (US); Eleazar Eskin, Santa Monica, CA (US); Erez Zadok, Middle Island, NY (US); Manasi Bhattacharyya, Flushing, NY (US); Salvatore J. Stolfo, Ridgewood, NJ (US)
Inventors: Matthew G. Schultz, Ithaca, NY (US); Eleazar Eskin, Santa Monica, CA (US); Erez Zadok, Middle Island, NY (US); Manasi Bhattacharyya, Flushing, NY (US); Salvatore J. Stolfo, Ridgewood, NJ (US)
Attorney:
Primary Examiner:
Assistant Examiner:
Int. Cl.: G06F 11/00 (2006.01); G06F 12/14 (2006.01)
U.S. Cl.: CPC ...
Abstract

A system and methods for detecting malicious executable attachments at an email processing application of a computer system using data mining techniques. The email processing application may be located at the server or at the client or host. Executable attachments are filtered out of the email, and byte sequence features are extracted from each executable attachment. The executable attachment is classified by comparing its byte sequence features to a classification rule set derived from the byte sequence features of a data set of known executables, each having a predetermined class from a set of classes, e.g., malicious or benign. The system can also classify an executable attachment as borderline when the difference between the probability that the executable is malicious and the probability that it is benign is within a predetermined threshold. The system can notify the user when the number of borderline attachments exceeds a threshold, so that the classification rule set can be refined.
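The pipeline the abstract describes, as an added example that is not the patent's own code or the inventors' implementation: filter executable attachments out of a message, extract byte sequence features, classify against a rule set learned from labelled executables, hold back borderline cases, and raise a notification once too many of them pile up. The abstract says only "data mining techniques" and "byte sequence features"; the choice of a Naive Bayes classifier over byte 2-gram presence, the smoothing, the borderline margin and notification limit, the attachment filenames and every byte pattern below are assumptions made for this illustration (the byte strings are constructed, not real malware).

```python
"""Byte-sequence classification of executable e-mail attachments.

Added example, not code from the patent. Naive Bayes over byte 2-gram
presence is an assumed realisation of the abstract's 'data mining' step;
all byte patterns, names and thresholds are constructed for illustration.
"""
import math
from collections import Counter

MALICIOUS, BENIGN, BORDERLINE = "malicious", "benign", "borderline"


def byte_ngrams(data: bytes, n: int = 2) -> set:
    """Distinct n-byte sequences present in an executable (presence, not counts)."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def is_executable(name: str, data: bytes) -> bool:
    """Filter step: keep attachments that look executable by magic bytes or extension."""
    return data.startswith((b"MZ", b"\x7fELF")) or name.lower().endswith((".exe", ".dll", ".scr"))


class ByteSequenceNaiveBayes:
    """Classification rule set derived from byte n-gram features of labelled executables."""

    def __init__(self, n: int = 2, alpha: float = 1.0):
        self.n, self.alpha = n, alpha
        self.class_counts = Counter()   # label -> number of training executables
        self.feature_counts = {}        # label -> Counter(feature -> executables containing it)

    def fit(self, samples):
        """samples: iterable of (bytes, label) for executables of known class."""
        for data, label in samples:
            self.class_counts[label] += 1
            self.feature_counts.setdefault(label, Counter()).update(byte_ngrams(data, self.n))
        return self

    def posteriors(self, data: bytes) -> dict:
        """P(label | byte features): Laplace-smoothed presence model, normalised over labels."""
        feats = byte_ngrams(data, self.n)
        total = sum(self.class_counts.values())
        log_scores = {}
        for label, n_c in self.class_counts.items():
            score = math.log(n_c / total)               # class prior
            fc = self.feature_counts[label]
            for f in feats:                             # P(feature present | label)
                score += math.log((fc[f] + self.alpha) / (n_c + 2 * self.alpha))
            log_scores[label] = score
        m = max(log_scores.values())                    # log-sum-exp normalisation
        z = sum(math.exp(s - m) for s in log_scores.values())
        return {label: math.exp(s - m) / z for label, s in log_scores.items()}

    def classify(self, data: bytes, margin: float = 0.25) -> str:
        """Label, or BORDERLINE when |P(malicious) - P(benign)| is within the margin."""
        p = self.posteriors(data)
        if abs(p[MALICIOUS] - p[BENIGN]) < margin:
            return BORDERLINE
        return MALICIOUS if p[MALICIOUS] > p[BENIGN] else BENIGN


def filter_email(attachments, model, margin=0.25, borderline_limit=1):
    """Classify each executable attachment of one message.

    attachments: list of (filename, bytes). Returns (verdicts, notify, borderline_queue);
    notify is True once the number of borderline attachments exceeds borderline_limit,
    and the queue holds the samples to relabel so the rule set can be refined.
    """
    verdicts, queue = {}, []
    for name, data in attachments:
        if not is_executable(name, data):       # non-executables are not classified
            continue
        verdict = model.classify(data, margin)
        verdicts[name] = verdict
        if verdict == BORDERLINE:
            queue.append((name, data))
    return verdicts, len(queue) > borderline_limit, queue


# Constructed training data (assumption, not real samples): a shared DOS-stub header,
# a class-specific byte pattern, and a short tail that is the same for both classes.
HEADER = b"MZ\x90\x00"
MAL_SIG = bytes.fromhex("eb fe cc cc 31 c0")
BEN_SIG = bytes.fromhex("55 8b ec c3 90 90")
TAILS = [b"\x11\x11", b"\xff\xff", b"\x41\x42"]
TRAINING = [(HEADER + MAL_SIG + t, MALICIOUS) for t in TAILS] + \
           [(HEADER + BEN_SIG + t, BENIGN) for t in TAILS]

# A constructed message: one executable per class, one carrying both patterns
# (so the two posteriors tie and it lands in the borderline band), and a text file.
EMAIL = [
    ("invoice.exe", HEADER + MAL_SIG + b"\x41\x42"),
    ("setup.exe", HEADER + BEN_SIG + b"\xff\xff"),
    ("update.exe", HEADER + MAL_SIG + b"\x00" + BEN_SIG),
    ("notes.txt", b"plain text, not an executable"),
]


def demo():
    """Train on the constructed set and filter the constructed message."""
    model = ByteSequenceNaiveBayes().fit(TRAINING)
    verdicts, notify, _queue = filter_email(EMAIL, model, borderline_limit=0)
    return verdicts, notify


if __name__ == "__main__":
    print(demo())
```

Presence features rather than counts keep the model insensitive to how many times a byte pair repeats inside padding or data sections; Laplace smoothing (alpha) is what keeps an unseen 2-gram from driving a posterior to exactly zero, which matters because any real attachment contains many pairs absent from the training set. The borderline queue is the hook the abstract refers to: the held-back samples are what an analyst relabels before the rule set is retrained.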
