User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications
Abstract
An apparatus is described for detecting anomalous behavior by an application software under test that suggests a presence of malware. The apparatus features a hardware processor and a storage device. The storage device stores logic that, when executed by the hardware processor, conducts an analysis of operations of the software for an occurrence of one or more events, generates a video of a display output produced by the operations of the software, and generates, for display contemporaneously with the video, a textual log including information associated with the one or more events. The textual log provides information as to when each event of the one or more events occurs within an execution flow of the operations of the software.
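The following added example (not taken from the patent or its assignee) shows one way to keep a textual event log temporally coordinated with captured display frames and to build an event/time index for seeking to anomalous behavior. The class, field names, frame timestamps and sample events are constructed assumptions.

```python
from bisect import bisect_right
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    t: float         # seconds since the start of the analysis run
    text: str        # monitored behavior, as it appears in the textual log
    anomalous: bool  # verdict of the analysis for this behavior

class SyncedPlayback:
    """Ties a textual event log to display frames by timestamp (hypothetical helper)."""

    def __init__(self, frame_times, events):
        self.frame_times = sorted(frame_times)
        self.events = sorted(events, key=lambda e: e.t)
        self._event_times = [e.t for e in self.events]

    def frame_at(self, t):
        """Index of the frame on screen at time t (last frame captured at or before t)."""
        return max(bisect_right(self.frame_times, t) - 1, 0)

    def log_at(self, t):
        """Log lines to show at playback time t: every event that occurred by t."""
        n = bisect_right(self._event_times, t)
        return [self._fmt(e) for e in self.events[:n]]

    def index(self):
        """Event/time index: (event time, frame index, anomalous) for each event."""
        return [(e.t, self.frame_at(e.t), e.anomalous) for e in self.events]

    def next_anomaly(self, t):
        """Seek target: (time, frame) of the first anomalous event after t, or None."""
        for e in self.events[bisect_right(self._event_times, t):]:
            if e.anomalous:
                return e.t, self.frame_at(e.t)
        return None

    @staticmethod
    def _fmt(e):
        flag = "ANOMALOUS" if e.anomalous else "ok"
        return f"[{e.t:7.2f}s] {flag:9} {e.text}"

# Constructed sample data: frame capture times and monitored events.
FRAMES = [0.0, 0.5, 1.0, 1.5, 2.0, 2.5]
EVENTS = [
    Event(0.20, "application launched", False),
    Event(1.10, "reads contact list", False),
    Event(1.70, "sends SMS without user input", True),
    Event(2.40, "opens network socket", False),
]
```
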
25 Claims
1. A method for detecting anomalous behavior by an application software under test that suggest a presence of malware, suspicious code or pernicious code, the method comprising:
- conducting an analysis of operations of the software executed by a virtual machine for (i) detecting an occurrence of one or more events, each of the one or more events being a monitored behavior of the software that occurs during execution by the virtual machine, and (ii) determining whether any behavior of one or more behaviors corresponding to the one or more events is an anomalous behavior indicating that the software includes malware, suspicious code or pernicious code;
- generating a plurality of display images based on the operations of the software; and
- generating, for display on the electronic device contemporaneously with the plurality of display images, a textual log including information associated with the one or more events and identifying if any of the one or more behaviors corresponds to the anomalous behavior, wherein display of the textual log is temporally coordinated with display of the plurality of display images to provide information associated with the one or more events during the analysis of the operations of the software along with display of one or more display images of the plurality of display images.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 20, 21, 22, 23, 24
11. An apparatus for detecting anomalous behavior by software under test that suggests a presence of malware, suspicious code or pernicious code, the apparatus comprising:
- a hardware processor; and
- a storage device communicatively coupled to the hardware processor, the storage device comprises logic that, when executed by the hardware processor, (i) conducts an analysis of operations of the software for an occurrence of one or more events, (ii) generates a plurality of display images corresponding to a display output produced by the operations of the software, and (iii) generates and displays, contemporaneously and synchronized with the plurality of display images, a textual log that illustrates the one or more events being monitored during the analysis of the operations of the software and whether an event of the one or more events corresponds to an anomalous behavior indicating that the software includes malware, suspicious code or pernicious code.

Dependent claims: 12, 13, 14, 15, 25
16. An apparatus for detecting anomalous behavior by an application software under test that suggests a presence of malware, suspicious code or pernicious code, the apparatus comprising:
- a hardware processor; and
- a storage device communicatively coupled to the hardware processor, the storage device to store logic that, when executed by the hardware processor, to (i) conduct an analysis of operations of the software for an occurrence of one or more events, (ii) generate a video of a display output produced by the operations of the software, (iii) generate and display, contemporaneously and synchronized with the video, a textual log including information associated with the one or more events, the textual log provides information as to (i) when each event of the one or more events occurs within an execution flow of the operations of the software and (ii) when each event corresponds to an anomalous behavior indicating that the software includes malware, suspicious code or pernicious code.

Dependent claims: 17, 18, 19
Specification