Methods and apparatus for detecting and identifying malware by mapping feature data into a semantic space

摘要

A method of detecting malware wherein a feature vector is identified for a potentially malicious file. The feature vector is then provided as input to a trained neural network autoencoder to produce a modified feature vector to which Gaussian noise is introduced to provide a normalized distribution for the resulting output vector, which is within a set of modified feature vectors. The output vector is then used as an input to a trained neural network decoder associated with the trained neural network autoencoder to produce an identifier of a class associated with the set of feature vectors. Remedial action can then be performed on the potentially malicious file based on the associated class. The above method could be in the form of using triple-loss function neural networks which can be trained by providing an anchor feature vector and two training feature vectors and can then be used to classify artifacts. A final version of the method relates to classifying the feature vector of an artifact in the way of the above method wherein the associated class is determined based on the distance between the modified feature vector and the set of modified feature vectors from a plurality of sets of modified feature vectors.