User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications

US 10,019,338 B1
Filed: 11/23/2015
Issued: 07/10/2018
Est. Priority Date: 02/23/2013
Status: Active Grant

First Claim

Patent Images

1. A method for detecting anomalous behavior by an application software under test that suggest a presence of malware, suspicious code or pernicious code, the method comprising:

conducting an analysis of operations of the software executed by a virtual machine for (i) detecting an occurrence of one or more events, each of the one or more events being a monitored behavior of the software that occurs during execution by the virtual machine, and (ii) determining whether any behavior of one or more behaviors corresponding to the one or more events is an anomalous behavior indicating that the software includes malware, suspicious code or pernicious code;

generating a plurality of display images based on the operations of the software; and

generating, for display on the electronic device contemporaneously with the plurality of display images, a textual log including information associated with the one or more events and identifying if any of the one or more behaviors corresponds to the anomalous behavior,wherein display of the textual log is temporally coordinated with display of the plurality of display images to provide information associated with the one or more events during the analysis of the operations of the software along with display of one or more display images of the plurality of display images.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus is described for detecting anomalous behavior by an application software under test that suggests a presence of malware. The apparatus features a hardware processor and a storage device. The storage device stores logic that, when executed by the hardware processor, conducts an analysis of operations of the software for an occurrence of one or more events, generates a video of a display output produced by the operations of the software, and generates, for display contemporaneously with the video, a textual log including information associated with the one or more events, the textual log provides information as to when each event of the one or more events occurs within an execution flow of the operations of the software.

Citations

25 Claims

1. A method for detecting anomalous behavior by an application software under test that suggest a presence of malware, suspicious code or pernicious code, the method comprising:
- conducting an analysis of operations of the software executed by a virtual machine for (i) detecting an occurrence of one or more events, each of the one or more events being a monitored behavior of the software that occurs during execution by the virtual machine, and (ii) determining whether any behavior of one or more behaviors corresponding to the one or more events is an anomalous behavior indicating that the software includes malware, suspicious code or pernicious code;
  
  generating a plurality of display images based on the operations of the software; and
  
  generating, for display on the electronic device contemporaneously with the plurality of display images, a textual log including information associated with the one or more events and identifying if any of the one or more behaviors corresponds to the anomalous behavior,wherein display of the textual log is temporally coordinated with display of the plurality of display images to provide information associated with the one or more events during the analysis of the operations of the software along with display of one or more display images of the plurality of display images.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 20, 21, 22, 23, 24)
- - 2. The method of claim 1, wherein the generating of the plurality of display images comprises capturing display output of the software during the operations.
  - 3. The method of claim 2, wherein the plurality of display images comprise a sequence of display images corresponding to a displayed sequence of the one or more events detected by the analysis.
  - 4. The method of claim 2, wherein the plurality of display images comprise a sequence of display images corresponding to an execution flow of the operations of the software.
  - 5. The method of claim 1, wherein the plurality of display images correspond to images that would have been displayed if the software executed natively.
  - 6. The method of claim 1, wherein the generating of the plurality of display images comprises indexing the plurality of display images by corresponding a display time for each display image of the plurality of display images with a behavior associated with an event of the one or more events being monitored during analysis of the software.
  - 7. The method of claim 1, wherein the conducting of the analysis of operations of the software for detecting the occurrence of the one or more events comprises:
    - generating a display screen for selecting and setting the one or more events corresponding to the one or more behaviors to be monitored;
      
      performing operations of the software within the virtual machine; and
      
      monitoring the one or more behaviors to determine whether at least one of the one or more behaviors corresponds to the anomalous behavior during analysis of the operations of the software performed within the virtual machine.
  - 8. The method of claim 7, wherein the generating of the screen display comprises presenting a user interface to enable a user to customize a grouping or sequencing of behaviors of the one or more behaviors to be monitored.
  - 9. The method of claim 1 being performed within the virtual machine running in a mobile electronic device and the software is designed for native execution on the mobile electronic device.
  - 10. The method of claim 1, wherein the conducting of the analysis for the occurrence of the one or more events comprises monitoring for one or more anomalous behaviors including a malware-based behavior.
  - 20. The method of claim 1, wherein the plurality of display images comprises a video.
  - 21. The method of claim 20 further comprising indexing the video so as to permit access to a desired segment of the video in accordance with at least one of a particular playback time in the video and a particular analyzed event of the one or more events.
  - 22. The method of claim 20 further comprising indexing of the video so as to permit a user, by user interaction, to access a desired display image of the video in accordance with at least one of (i) a playback time and (ii) an analyzed event of the one or more events.
  - 23. The method of claim 20, wherein the analysis of the operations of the software for the occurrence of the one or more events comprises detecting at least one anomalous behavior during the analysis of the operations of the software within one or more virtual machines.
  - 24. The method of claim 8, wherein the generating of the screen display further comprises customizing as to when the behaviors are to be monitored.

11. An apparatus for detecting anomalous behavior by software under test that suggests a presence of malware, suspicious code or pernicious code, the apparatus comprising:
- a hardware processor; and
  
  a storage device communicatively coupled to the hardware processor, the storage device comprises logic that, when executed by the hardware processor, (i) conducts an analysis of operations of the software for an occurrence of one or more events, (ii) generates a plurality of display images corresponding to a display output produced by the operations of the software, and (iii) generates and displays, contemporaneously and synchronized with the plurality of display images, a textual log that illustrates the one or more events being monitored during the analysis of the operations of the software and whether an event of the one or more events corresponds to an anomalous behavior indicating that the software includes malware, suspicious code or pernicious code.
- View Dependent Claims (12, 13, 14, 15, 25)
- - 12. The apparatus of claim 11, wherein the plurality of display images is a video.
  - 13. The apparatus of claim 11, wherein the hardware processor executes the logic to conduct the analysis within one or more virtual machines.
  - 14. The apparatus of claim 13, wherein the logic, when executed by the hardware processor, conducting the analysis by (a) responsive at least in part to user input, setting one or more behaviors to be monitored;
    - (b) controlling the operations of the software conducted within one or more virtual machines; and
      
      (c) determining whether the one or more behaviors is detected during analysis of the operations of the software performed within the one or more virtual machines and corresponds to the one or more events.
  - 15. The apparatus of claim 11, wherein the logic, when executed by the hardware processor, to conduct the analysis of operations of the software for the occurrence of the one or more events that comprise at least one anomalous behavior detected during the analysis of operations of the software within one or more virtual machines.
  - 25. The apparatus of claim 11, wherein the plurality of display images comprises a video.

16. An apparatus for detecting anomalous behavior by an application software under test that suggests a presence of malware, suspicious code or pernicious code, the apparatus comprising:
- a hardware processor; and
  
  a storage device communicatively coupled to the hardware processor, the storage device to store logic that, when executed by the hardware processor, to (i) conduct an analysis of operations of the software for an occurrence of one or more events, (ii) generate a video of a display output produced by the operations of the software, (iii) generate and display, contemporaneously and synchronized with the video, a textual log including information associated with the one or more events, the textual log provides information as to (i) when each event of the one or more events occurs within an execution flow of the operations of the software and (ii) when each event corresponds to an anomalous behavior indicating that the software includes malware, suspicious code or pernicious code.
- View Dependent Claims (17, 18, 19)
- - 17. The apparatus of claim 16, wherein the logic, when executed by the hardware processor, to further provide, during playback of the video, reciprocal graphic interaction between the displayed video and the displayed textual log responsive to user input.
  - 18. The apparatus of claim 16, wherein the logic, executed by the hardware processor, to index the video so as to permit access to a desired segment of the video in accordance with at least one of a particular playback time in the video and a particular analyzed event of the one or more events.
  - 19. The apparatus of claim 18, wherein the logic, when executed by the hardware processor, to conduct the analysis of operations of the software for the occurrence of the one or more events that comprise at least one anomalous behavior detected during the analysis of operations of the software within one or more virtual machines.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Goradia, Harnish, Ismael, Osman Abdoul, Johnson, Noah M., Mettler, Adrian, Aziz, Ashar
Primary Examiner(s)
Herzog, Madhuri R

Application Number

US14/949,770
Time in Patent Office

960 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/28   by checking the correct ord...

G06F 11/36   Preventing errors by testin...

G06F 11/3604   Software analysis for verif...

G06F 11/3608   using formal methods, e.g. ...

G06F 11/3612   by runtime analysis perform...

G06F 11/362   Software debugging

G06F 11/3664   Environments for testing or...

G06F 21/50   Monitoring users, programs ...

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/563   by source code analysis

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06N 20/00   Machine learning

G06N 3/006   based on simulated virtual ...

G06N 5/04   Inference or reasoning models

H04L 63/12 : Applying verification of th...

H04L 63/14 : for detecting or protecting...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/145 : the attack involving the pr...

View All

User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links