Patents by Inventor Matthew Wolff

Matthew Wolff has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20180157670
    Abstract: Data is received or accessed that includes a structured file encapsulating data required by an execution environment to manage executable code wrapped within the structured file. Thereafter, code and data regions are iteratively identified in the structured file. Such identification is analyzed so that at least one feature can be extracted from the structured file. Related apparatus, systems, techniques and articles are also described.
    Type: Application
    Filed: February 6, 2018
    Publication date: June 7, 2018
    Inventors: Derek A. Soeder, Ryan Permeh, Gary Golomb, Matthew Wolff
  • Publication number: 20180144131
    Abstract: In one respect, there is provided a system for training a neural network adapted for classifying one or more scripts. The system may include at least one processor and at least one memory. The memory may include program code that provides operations when executed by the at least one processor. The operations may include: reducing a dimensionality of a plurality of features representative of a file set; determining, based at least on a reduced dimensional representation of the file set, a distance between a file and the file set; and determining, based at least on the distance between the file and the file set, a classification for the file. Related methods and articles of manufacture, including computer program products, are also provided.
    Type: Application
    Filed: November 21, 2016
    Publication date: May 24, 2018
    Inventors: Michael Wojnowicz, Matthew Wolff, Aditya Kapoor
  • Publication number: 20180144130
    Abstract: In one respect, there is provided a system for training a neural network adapted for classifying one or more scripts. The system may include at least one processor and at least one memory. The memory may include program code that provides operations when executed by the at least one memory. The operations may include: extracting, from an icon associated with a file, one or more features; assigning, based at least on the one or more features, the icon to one of a plurality of clusters; and generating, based at least on the cluster to which the icon is assigned, a classification for the file associated with the icon. Related methods and articles of manufacture, including computer program products, are also provided.
    Type: Application
    Filed: November 21, 2016
    Publication date: May 24, 2018
    Inventors: Matthew Wolff, Pedro Silva do Nascimento Neto, Xuan Zhao, John Brock, Jian Luan
  • Patent number: 9959276
    Abstract: Data is received or accessed that includes a structured file encapsulating data required by an execution environment to manage executable code wrapped within the structured file. Thereafter, code and data regions are iteratively identified in the structured file. Such identification is analyzed so that at least one feature can be extracted from the structured file. Related apparatus, systems, techniques and articles are also described.
    Type: Grant
    Filed: February 12, 2016
    Date of Patent: May 1, 2018
    Assignee: Cylance Inc.
    Inventors: Derek A. Soeder, Ryan Permeh, Gary Golomb, Matthew Wolff
  • Patent number: 9946876
    Abstract: A plurality of data files is received. Thereafter, each file is represented as an entropy time series that reflects an amount of entropy across locations in code for such file. A wavelet transform is applied, for each file, to the corresponding entropy time series to generate an energy spectrum characterizing, for the file, an amount of entropic energy at multiple scales of code resolution. It can then be determined, for each file, whether or not the file is likely to be malicious based on the energy spectrum. Related apparatus, systems, techniques and articles are also described.
    Type: Grant
    Filed: August 12, 2016
    Date of Patent: April 17, 2018
    Assignee: Cylance Inc.
    Inventors: Michael Wojnowicz, Glenn Chisholm, Matthew Wolff, Derek A. Soeder, Xuan Zhao
  • Publication number: 20180101681
    Abstract: Using a recurrent neural network (RNN) that has been trained to a satisfactory level of performance, highly discriminative features can be extracted by running a sample through the RNN, and then extracting a final hidden state hh where i is the number of instructions of the sample. This resulting feature vector may then be concatenated with the other hand-engineered features, and a larger classifier may then be trained on hand-engineered as well as automatically determined features. Related apparatus, systems, techniques and articles are also described.
    Type: Application
    Filed: April 15, 2016
    Publication date: April 12, 2018
    Inventors: Andrew Davis, Matthew Wolff, Derek A. Soeder, Glenn Chisholm
  • Publication number: 20180096230
    Abstract: Centroids are used for improving machine learning classification and information retrieval. A plurality of files are classified as malicious or not malicious based on a function dividing a coordinate space into at least a first portion and a second portion such that the first portion includes a first subset of the plurality of files classified as malicious. One or more first geometric regions are defined in the first portion that classify files from the first subset as not malicious. A file is determined to be malicious based on whether the file is located within the one or more first geometric regions.
    Type: Application
    Filed: September 29, 2017
    Publication date: April 5, 2018
    Inventors: Jian Luan, Matthew Wolff, Brian Wallace
  • Patent number: 9928363
    Abstract: Determining, by a machine learning model in an isolated operating environment, whether a file is safe for processing by a primary operating environment. The file is provided, when the determining indicates the file is safe for processing, to the primary operating environment for processing by the primary operating environment. When the determining indicates the file is unsafe for processing, the file is prevented from being processed by the primary operating environment. The isolated operating environment can be maintained on an isolated computing system remote from a primary computing system maintaining the primary operating system. The isolating computing system and the primary operating system can communicate over a cloud network.
    Type: Grant
    Filed: August 30, 2016
    Date of Patent: March 27, 2018
    Assignee: Cylance Inc.
    Inventors: Ryan Permeh, Derek A. Soeder, Matthew Wolff, Ming Jin, Xuan Zhao
  • Publication number: 20180075348
    Abstract: In one respect, there is provided a system for classifying an instruction sequence with a machine learning model. The system may include at least one processor and at least one memory. The memory may include program code that provides operations when executed by the at least one processor. The operations may include: processing an instruction sequence with a trained machine learning model configured to detect one or more interdependencies amongst a plurality of tokens in the instruction sequence and determine a classification for the instruction sequence based on the one or more interdependencies amongst the plurality of tokens; and providing, as an output, the classification of the instruction sequence. Related methods and articles of manufacture, including computer program products, are also provided.
    Type: Application
    Filed: November 7, 2016
    Publication date: March 15, 2018
    Inventors: Xuan Zhao, Matthew Wolff, John Brock, Brian Wallace, Andrew Wortman, Jian Luan, Mahdi Azarafrooz, Andrew Davis, Michael Wojnowicz, Derek Soeder, David Beveridge, Eric Petersen, Ming Jin, Ryan Permeh
  • Publication number: 20180075349
    Abstract: In one respect, there is provided a system for training a neural network adapted for classifying one or more instruction sequences. The system may include at least one processor and at least one memory. The memory may include program code which when executed by the at least one processor provides operations including: training, based at least on training data, a machine learning model to detect one or more predetermined interdependencies amongst a plurality of tokens in the training data; and providing the trained machine learning model to enable classification of one or more instruction sequences. Related methods and articles of manufacture, including computer program products, are also provided.
    Type: Application
    Filed: November 7, 2016
    Publication date: March 15, 2018
    Inventors: Xuan Zhao, Matthew Wolff, John Brock, Brian Wallace, Andrew Wortman, Jian Luan, Mahdi Azarafrooz, Andrew Davis, Michael Wojnowicz, Derek Soeder, David Beveridge, Eric Petersen, Ming Jin, Ryan Permeh
  • Publication number: 20180060580
    Abstract: In one respect, there is provided a system for training a machine learning model to detect malicious container files. The system may include at least one processor and at least one memory. The at least one memory may include program code that provides operations when executed by the at least one processor. The operations may include: training, based on a training data, a machine learning model to enable the machine learning model to determine whether at least one container file includes at least one file rendering the at least one container file malicious; and providing the trained machine learning model to enable the determination of whether the at least one container file includes at least one file rendering the at least one container file malicious. Related methods and articles of manufacture, including computer program products, are also disclosed.
    Type: Application
    Filed: November 7, 2016
    Publication date: March 1, 2018
    Inventors: Xuan Zhao, Matthew Wolff, John Brock, Brian Wallace, Andrew Wortman, Jian Luan, Mahdi Azarafrooz, Andrew Davis, Michael Wojnowicz, Derek Soeder, David Beveridge, Yaroslav Oliinyk, Ryan Permeh
  • Publication number: 20180063169
    Abstract: In one respect, there is provided a system for training a machine learning model to detect malicious container files. The system may include at least one processor and at least one memory. The memory may include program code which when executed by the at least one processor provides operations including: processing a container file with a trained machine learning model, wherein the trained machine learning is trained to determine a classification for the container file indicative of whether the container file includes at least one file rendering the container file malicious; and providing, as an output by the trained machine learning model, an indication of whether the container file includes the at least one file rendering the container file malicious. Related methods and articles of manufacture, including computer program products, are also disclosed.
    Type: Application
    Filed: November 7, 2016
    Publication date: March 1, 2018
    Inventors: Xuan Zhao, Matthew Wolff, John Brock, Brian Wallace, Andrew Wortman, Jian Luan, Mahdi Azarafrooz, Andrew Davis, Michael Wojnowicz, Derek Soeder, David Beveridge, Yaroslav Oliinyk, Ryan Permeh
  • Publication number: 20180060760
    Abstract: Under one aspect, a computer-implemented method includes receiving a query at a query interface about whether a computer file comprises malicious code. It is determined, using at least one machine learning sub model corresponding to a type of the computer file, whether the computer file comprises malicious code. Data characterizing the determination are provided to the query interface. Generating the sub model includes receiving computer files at a collection interface. Multiple sub populations of the computer files are generated based on respective types of the computer files, and random training and testing sets are generated from each of the sub populations. At least one sub model for each random training set is generated.
    Type: Application
    Filed: October 20, 2017
    Publication date: March 1, 2018
    Inventors: Ryan Permeh, Stuart McClure, Matthew Wolff, Gary Golomb, Derek A. Soeder, Seagen Levites, Michael O'Dea, Gabriel Acevedo, Glenn Chisholm
  • Publication number: 20170249455
    Abstract: Determining, by a machine learning model in an isolated operating environment, whether a file is safe for processing by a primary operating environment. The file is provided, when the determining indicates the file is safe for processing, to the primary operating environment for processing by the primary operating environment. When the determining indicates the file is unsafe for processing, the file is prevented from being processed by the primary operating environment. The isolated operating environment can be maintained on an isolated computing system remote from a primary computing system maintaining the primary operating system. The isolating computing system and the primary operating system can communicate over a cloud network.
    Type: Application
    Filed: August 30, 2016
    Publication date: August 31, 2017
    Inventors: Ryan Permeh, Derek A. Soeder, Matthew Wolff, Ming Jin, Xuan Zhao
  • Publication number: 20170249462
    Abstract: An endpoint computer system can harvest data relating to a plurality of events occurring within an operating environment of the endpoint computer system and can add the harvested data to a local data store maintained on the endpoint computer system. In some examples, the local data store can be an audit log and/or can include one or more tamper resistant features. Systems, methods, and computer program products are described.
    Type: Application
    Filed: November 18, 2016
    Publication date: August 31, 2017
    Inventors: Ryan Permeh, Matthew Wolff, Samuel Oswald, Xuan Zhao, Mark Culley, Steve Polson
  • Publication number: 20170249461
    Abstract: An endpoint computer system can harvest data relating to a plurality of events occurring within an operating environment of the endpoint computer system and can add the harvested data to a local data store maintained on the endpoint computer system. A query response can be generated, for example by identifying and retrieving responsive data from the local data store. The responsive data are related to an artifact on the endpoint computer system and/or to an event of the plurality of events. In some examples, the local data store can be an audit log and/or can include one or more tamper resistant features. Systems, methods, and computer program products are described.
    Type: Application
    Filed: November 17, 2016
    Publication date: August 31, 2017
    Inventors: RYAN PERMEH, Matthew Wolff, Samuel Oswald, Xuan Zhao, Mark Culley, Steve Polson
  • Publication number: 20170249459
    Abstract: In one aspect there is provided a method. The method may include: determining that an executable implements a sub-execution environment, the sub-execution environment being configured to receive an input, and the input triggering at least one event at the sub-execution environment; intercepting the event at the sub-execution environment; and applying a security policy to the intercepted event, the applying of the policy comprises blocking the event, when the event is determined to be a prohibited event. Systems and articles of manufacture, including computer program products, are also provided.
    Type: Application
    Filed: February 24, 2017
    Publication date: August 31, 2017
    Inventors: Ryan Permeh, Derek Soeder, Matthew Wolff, Ming Jin, Xuan Zhao
  • Patent number: 9721097
    Abstract: As part of an analysis of the likelihood that a given input (e.g. a file, etc.) includes malicious code, a convolutional neural network can be used to review a sequence of chunks into which an input is divided to assess how best to navigate through the input and to classify parts of the input in a most optimal manner. At least some of the sequence of chunks can be further examined using a recurrent neural network in series with the convolutional neural network to determine how to progress through the sequence of chunks. A state of the at least some of the chunks examined using the recurrent neural network summarized to form an output indicative of the likelihood that the input includes malicious code. Methods, systems, and articles of manufacture are also described.
    Type: Grant
    Filed: July 21, 2016
    Date of Patent: August 1, 2017
    Assignee: Cylance Inc.
    Inventors: Andrew Davis, Matthew Wolff, Michael Wojnowicz, Derek A. Soeder, Xuan Zhao
  • Patent number: 9705904
    Abstract: As part of an analysis of the likelihood that a given input (e.g. a file, etc.) includes malicious code, a convolutional neural network can be used to review a sequence of chunks into which an input is divided to assess how best to navigate through the input and to classify parts of the input in a most optimal manner. At least some of the sequence of chunks can be further examined using a recurrent neural network in series with the convolutional neural network to determine how to progress through the sequence of chunks. A state of the at least some of the chunks examined using the recurrent neural network summarized to form an output indicative of the likelihood that the input includes malicious code. Methods, systems, and articles of manufacture are also described.
    Type: Grant
    Filed: August 24, 2016
    Date of Patent: July 11, 2017
    Assignee: Cylance Inc.
    Inventors: Andrew Davis, Matthew Wolff, Michael Wojnowicz, Derek A. Soeder, Xuan Zhao
  • Patent number: 9672081
    Abstract: In one respect, there is provided a system for loading managed applications. The system may include at least one processor and at least one memory. The memory may include program code which when executed by the at least one memory provides operations including: generating a single process, the generating comprising running a native code executable, the running of the native code execute loading a loader manager as part of the single process; loading, by the loader manager running within the single process, a runtime environment corresponding to a non-native code application; and loading, by the loader manager, the non-native code application, the non-native code application being loaded to run as part of the single process.
    Type: Grant
    Filed: August 12, 2016
    Date of Patent: June 6, 2017
    Assignee: Cylance Inc.
    Inventors: Alejandro Espinoza Esparza, Braden Russell, Haiming Pan, Ming Jin, Matthew Wolff, Ryan Permeh