Automated runtime detection of malware

US 10,079,841 B2
Filed: 09/12/2014
Issued: 09/18/2018
Est. Priority Date: 09/12/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

extracting a model of a computer application during load time, the extracting includes;

identifying address transitions that map instruction addresses to respective target addresses, andadding an identified address transition to the model when a respective target address is indeterminable and adding the respective target address to the model when the respective target address is determinable;

storing the model of the computer application;

inserting one or more collection instructions into the computer application, including at the instruction addresses and respective determinable target addresses in the extracted model, to collect data at runtime;

analyzing the data collected at runtime against the stored model of the computer application, including address transitions and target addresses, to detect one or more security events; and

tracking the one or more security events using a state machine, the tracking automatically detecting a security attack of the computer application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One example method and correspond apparatus extracts a model of a computer application during load time and stores the model of the computer application in a database. This example method and corresponding apparatus also inserts instructions into the computer application to collect data at runtime. This example method and corresponding apparatus then analyzes the data collected at runtime against the stored model of the computer application to detect one or more security events and tracks the one or more security events using a state machine.

162 Citations

115 Claims

1. A computer-implemented method comprising:
- extracting a model of a computer application during load time, the extracting includes;
  
  identifying address transitions that map instruction addresses to respective target addresses, andadding an identified address transition to the model when a respective target address is indeterminable and adding the respective target address to the model when the respective target address is determinable;
  
  storing the model of the computer application;
  
  inserting one or more collection instructions into the computer application, including at the instruction addresses and respective determinable target addresses in the extracted model, to collect data at runtime;
  
  analyzing the data collected at runtime against the stored model of the computer application, including address transitions and target addresses, to detect one or more security events; and
  
  tracking the one or more security events using a state machine, the tracking automatically detecting a security attack of the computer application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The method of claim 1 wherein extracting the model of the computer application includes one or more of extracting transition mapping data from the computer application, extracting memory mapping data from the computer application, extracting soft spot data from the computer application, and extracting OS functions and system calls referenced by the computer application.
  - 3. The method of claim 1 wherein extracting the model of the computer application is accomplished at least in part using a code disassembler.
  - 4. The method of claim 1 wherein the computer application is formatted in binary or an interpreted language.
  - 5. The method of claim 1 further comprising:
    - checking the computer application for integrity during load time.
  - 6. The method of claim 5 wherein checking the computer application for integrity comprises computing a checksum.
  - 7. The method of claim 1 wherein storing the model includes storing the model in a database that contains one or more tables for modeling the computer application.
  - 8. The method of claim 1 wherein storing the model includes storing the model in a database on a remote system.
  - 9. The method of claim 8 further comprising packaging the model of the computer application for transmission to the remote system for storing in the database.
  - 10. The method of claim 9 further comprising placing a canary into the transmission to secure the transmission.
  - 11. The method of claim 1 wherein inserting instructions into the computer application is accomplished at least in part using a dynamic binary analysis engine or a byte code instrumentation engine.
  - 12. The method of claim 1 further comprising packaging the data collected at runtime for transmission to one or more processes.
  - 13. The method of claim 12 wherein the one or more processes are on a remote system.
  - 14. The method of claim 12 further comprising placing a canary into the transmission to secure the transmission.
  - 15. The method of claim 1 wherein the data collected at runtime comprises data for one or more threads of the computer application.
  - 16. The method of claim 1 wherein analyzing the data collected at runtime against the stored model of the computer application comprises one or more of analyzing transition data, analyzing OS functions, analyzing system calls, analyzing memory writes, and analyzing soft spot data.
  - 17. The method of claim 1 wherein tracking the one or more security events comprises correlating the one or more security events based on a predefined sequence.
  - 18. The method of claim 17 wherein the predefined sequence is based on an immutable chain.
  - 19. The method of claim 1 wherein tracking the one or more security events includes capturing forensic data for the events.
  - 20. The method of claim 1 wherein the one or more security events are tracked based on severity of the one or more security event.
  - 21. The method of claim 1 further comprising taking one or more actions in response to tracking the one or more security events.
  - 22. The method of claim 21 wherein the one or more actions is automatically taken by a system.
  - 23. The method of claim 21 wherein the one or more actions is taken by a user.
  - 24. The method of claim 21 wherein the one or more actions include any of terminating the computer application, terminating one or more threads of the computer application, closing a socket on one or more threads of the computer application, and generating alerts in response to the one or more security events.
  - 25. The method of claim 21 wherein the one or more actions taken in response to tracking the one or more security events is adjustable.
  - 26. The method of claim 1 wherein tracking the one or more security events further comprises adding one or more new security events with associated severity and actions for tracking using the state machine.

27. A computer-implemented method comprising:
- extracting a model of a computer application during load time, the extracting includes;
  
  identifying address transitions that map instruction addresses to respective target addresses, andadding an identified address transition to the model when a respective target address is indeterminable and adding the respective target address to the model when the respective target address is determinable;
  
  storing the model of the computer application;
  
  inserting one or more collection instructions into the computer application, including at the instruction addresses and respective determinable target addresses in the extracted model, to collect data at runtime; and
  
  automatically detecting a security attack of the computer application based on comparing the stored model to the collected data.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 28. The method of claim 27 wherein extracting the model of the computer application includes one or more of extracting transition mapping data from the computer application, extracting memory mapping data from the computer application, extracting soft spot data from the computer application, and extracting OS functions and system calls referenced by the computer application.
  - 29. The method of claim 27 wherein extracting a model of the computer application is accomplished at least in part using a code disassembler.
  - 30. The method of claim 27 wherein the computer application is formatted in binary or an interpreted language.
  - 31. The method of claim 27 further comprising:
    - checking the computer application for integrity during load time.
  - 32. The method of claim 31 wherein checking the computer application for integrity comprises computing a checksum.
  - 33. The method of claim 27 wherein storing the model includes storing the model in a database that contains one or more tables for modeling the computer application.
  - 34. The method of claim 27 wherein storing the model includes storing the model in a database on a remote system.
  - 35. The method of claim 34 further comprising packaging the model of the computer application for transmission to the remote system for storing in the database.
  - 36. The method of claim 35 further comprising placing a canary into the transmission to secure the transmission.
  - 37. The method of claim 27 wherein inserting instructions into the computer application is accomplished at least in part using a dynamic binary analysis engine or a byte code instrumentation engine.
  - 38. The method of claim 27 further comprising packaging the data collected at runtime for transmission to one or more processes.
  - 39. The method of claim 38 wherein the one or more processes are on a remote system.
  - 40. The method of claim 38 further comprising placing a canary into the transmission to secure the transmission.
  - 41. The method of claim 27 wherein the data collected at runtime comprises data for each thread of the computer application.

42. A computer-implemented method comprising:
- analyzing data collected at runtime for a computer application against a stored model of the computer application to detect one or more security events, (i) the stored model includes address transitions that map instruction addresses to respective target addresses when the respective target addresses are indeterminable at load time, and (ii) the stored model includes the respective target addresses when the respective target addresses are determinable at load time; and
  
  tracking the one or more security events using a state machine, the tracking automatically detecting a security attack of the computer application.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54)
- - 43. The method of claim 42 further comprising receiving the data collected at runtime from a process on a remote system.
  - 44. The method of claim 42 further comprising receiving the stored model of the computer application from a process on a remote system.
  - 45. The method of claim 42 wherein analyzing the data collected at runtime against the stored model of the computer application comprises one or more of analyzing transition data, analyzing OS functions, analyzing system calls, analyzing memory writes, and analyzing soft spot data.
  - 46. The method of claim 42 wherein tracking the one or more security events comprises correlating the one or more security events based on a predefined sequence.
  - 47. The method of claim 46 wherein the predefined sequence is based on an immutable chain.
  - 48. The method of claim 42 wherein tracking the one or more security events comprises capturing forensic data.
  - 49. The method of claim 42 wherein tracking the one or more security events based on severity of the one or more security event.
  - 50. The method of claim 42 further comprising taking one or more actions in response to tracking the one or more security events.
  - 51. The method of claim 50 wherein the one or more actions are automatically taken by a system.
  - 52. The method of claim 50 wherein the one or more actions are taken by a user.
  - 53. The method of claim 50 wherein the one or more actions include any of terminating the computer application, include terminating one or more threads of the computer application, include closing a socket on one or more threads of the computer application, and generating alerts in response to the one or more security events.
  - 54. The method of claim 50 wherein the one or more actions taken in response to tracking the one or more security events are adjustable.

55. The method of 42 wherein tracking the one or more security events further comprises adding one or more new security events with associated severity and actions for tracking using the state machine.

56. A system comprising:
- at least one processor configured to implement;
  
  a client configured to extract a model of a computer application during load time, wherein the extracting includes the client;
  
  identifying address transitions that map instruction addresses to respective target addresses, andadding an identified address transition to the model when a respective target address is indeterminable and adding the respective target address to the model when the respective target address is determinable;
  
  the client further configured to store the model of the computer application,the client further configured to insert one or more collection instructions into the computer application, including at the instruction addresses and respective determinable target addresses in the extracted model, to collect data at runtime; and
  
  an analysis engine configured to analyze data collected at runtime against the stored model of the computer application, including address transitions and target addresses, to detect one or more security events;
  
  the analysis engine configured to track the one or more security events using a state machine, the tracking automatically detecting a security attack of the computer application.
- View Dependent Claims (57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86)
- - 57. The system of claim 56 wherein extracting the model of the computer application includes one or more of extracting transition mapping data from the computer application, extracting memory mapping data from the computer application, extracting soft spot data from the computer application, and extracting OS functions and system calls referenced by the computer application.
  - 58. The system of claim 56 wherein extracting the model of the computer application is accomplished at least in part using a code disassembler.
  - 59. The system of claim 56 wherein the computer application is formatted in binary or an interpreted language.
  - 60. The system of claim 56 further comprising:
    - the client further configured to check the computer application for integrity during load time.
  - 61. The system of claim 60 wherein checking the computer application for integrity comprises computing a checksum.
  - 62. The system of claim 56 wherein storing the model includes storing the model in a database that contains one or more tables for modeling the computer application.
  - 63. The system of claim 62 wherein storing the model includes storing the model in a database on a remote system.
  - 64. The system of claim 63 wherein the client is further configured to package the model of the computer application for transmission to the remote system for storing in the database.
  - 65. The system of claim 64 wherein the client is further configured to place a canary into the transmission to secure the transmission.
  - 66. The system of claim 56 wherein inserting instructions into the computer application is accomplished at least in part using a dynamic binary analysis engine or a byte code instrumentation engine.
  - 67. The system of claim 56 wherein the client is further configured to package the data collected at runtime for transmission to the analysis engine.
  - 68. The system of claim 67 wherein the client is further configured to place a canary into the transmission to secure the transmission.
  - 69. The system of claim 67 wherein the transmission to the analysis engine comprises sending the data collected on a transport channel between the client and the analysis engine.
  - 70. The system of claim 56 wherein the data collected at runtime comprises data for one or more threads of the computer application.
  - 71. The system of claim 56 wherein analyzing the data collected at runtime against the stored model of the computer application comprises one or more of analyzing transition data, analyzing system calls, analyzing memory writes, and analyzing soft spot data.
  - 72. The system of claim 56 wherein tracking the one or more security events comprises correlating the one or more security events based on a predefined sequence.
  - 73. The system of claim 72 wherein the predefined sequence is based on an immutable chain.
  - 74. The system of claim 56 wherein tracking the one or more security events includes capturing forensic data for the events.
  - 75. The system of claim 56 wherein the one or more security events are tracked based on severity of the one or more security event.
  - 76. The system of claim 56 wherein the client is further configured to take one or more actions in response to tracking one or more security events.
  - 77. The system of claim 76 wherein the one or more actions is automatically taken by a system.
  - 78. The system of claim 76 wherein the one or more actions is taken by a user.
  - 79. The system of claim 76 wherein the one or more actions include any of terminating the computer application, include terminating one or more threads of the computer application, include closing a socket on one or more threads of the computer application, and include generating alerts in response to the one or more security events.
  - 80. The system of claim 76 wherein the one or more actions taken in response to tracking the one or more security events are adjustable.
  - 81. The system of claim 56 wherein at least one of the client and the analysis engine is configured to run on any of a smartphone, tablet, laptop, desktops, and high end server.
  - 82. The system of claim 56 wherein the analysis engine comprises a processor fabric comprising one or more processors.
  - 83. The system of claim 56 wherein the client comprises a client daemon configured to restart one or more processes of the client if the one or more processes dies or become unresponsive.
  - 84. The system of claim 56 wherein the analysis engine comprises an application daemon configured to restart one or more processes of the analysis engine if the one or more processes dies or become unresponsive.
  - 85. The system of claim 56 wherein the analysis engine comprises a dashboard configured to display the state of the computer application.
  - 86. The system of claim 56 wherein the client is further configured to add one or more new security events with associated severity and actions for tracking using the state machine.

87. An apparatus comprising:
- a processor configured to execute a first process and a second process;
  
  the first process configured to extract a model of a computer application during load time, wherein the extracting includes the first process;
  
  identifying address transitions that map instruction addresses to respective target addresses, andadding an identified address transition to the model when a respective target address is indeterminable and adding the respective target address to the model when the respective target address is determinable;
  
  the first process further configured to store the model of the computer application;
  
  the second process configured to insert one or more collection instructions into the computer application, including at the instruction addresses and respective determinable target addresses in the extracted model, to collect data at runtime; and
  
  the second process further configured to automatically detect a security attack of the computer application based on comparing the stored model to the collected data.
- View Dependent Claims (88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101)
- - 88. The apparatus of claim 87 wherein extracting the model of the computer application includes one or more of extracting transition mapping data from the computer application, extracting memory mapping data from the computer application, extracting soft spot data from the computer application, and extracting OS function and system calls referenced by the computer application.
  - 89. The apparatus of claim 87 wherein extracting a model of the computer application is accomplished at least in part using code disassembler.
  - 90. The apparatus of claim 87 wherein the computer application is formatted in binary or an interpreted language.
  - 91. The apparatus of claim 87 further comprising:
    - a third process configured to check the computer application for integrity during load time.
  - 92. The apparatus of claim 91 wherein checking the computer application for integrity comprises computing a checksum.
  - 93. The apparatus of claim 87 wherein that database contains one or more tables for modeling the computer application.
  - 94. The apparatus of claim 87 wherein the database is on a remote system.
  - 95. The apparatus of claim 94 further comprising the first process packaging the model of the computer application for transmission to the remote system for storing in the database.
  - 96. The apparatus of claim 95 wherein the first process is further configured to place a canary into the transmission to secure the transmission.
  - 97. The apparatus of claim 94 wherein inserting instructions into the computer application is accomplished at least in part using a dynamic binary analysis engine or a byte code instrumentation engine.
  - 98. The apparatus of claim 94 further comprising a third process configured to package the data collected at runtime for transmission to one or more processes.
  - 99. The apparatus of claim 98 wherein the one or more processes are on a remote system.
  - 100. The apparatus of claim 98 wherein the third process is further configured to place a canary into the transmission to secure the transmission.
  - 101. The apparatus of claim 94 wherein the data collected at runtime comprises data for each thread of the computer application.

102. An apparatus comprising:
- a processor configured to execute a first process and a second process;
  
  the first process configured to analyze data collected at runtime for a computer application against a stored model of the computer application to detect one or more security events, (i) the stored model includes address transitions that map instruction addresses to respective target addresses when the respective target addresses are indeterminable at load time, and (ii) the stored model includes the respective target addresses when the respective target addresses are determinable at load time; and
  
  the second process configured to track the one or more security events using a state machine, the tracking automatically detecting a security attack of the computer application.
- View Dependent Claims (103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115)
- - 103. The apparatus of claim 102 wherein the data collected at runtime is received from a process on a remote system.
  - 104. The apparatus of claim 102 wherein the stored model of the computer application is received from a process on a remote system.
  - 105. The apparatus of claim 102 wherein analyzing the data collected at runtime against the stored model of the computer application comprises one or more of analyzing transition data, analyzing OS functions, analyzing system calls, analyzing memory writes, and analyzing soft spot data.
  - 106. The apparatus of claim 102 wherein tracking the one or more security events comprises correlating the one or more security events based on a predefined sequence.
  - 107. The apparatus of claim 106 wherein the predefined sequence is based on an immutable chain.
  - 108. The apparatus of claim 102 wherein tracking the one or more security events comprises capturing forensic data.
  - 109. The apparatus of claim 102 wherein tracking the one or more security events based on severity of the one or more security event.
  - 110. The apparatus of claim 102 further comprising a third process configured to take one or more actions in response to tracking the one or more security events.
  - 111. The apparatus of claim 110 wherein the one or more actions is taken automatically.
  - 112. The apparatus of claim 110 wherein the one or more actions are taken by a user.
  - 113. The apparatus of claim 110 wherein the one or more actions include any of terminating the computer application, include terminating one or more threads of the computer application, include closing a socket on one or more threads of the computer application, and generating alerts in response to the one or more security events.
  - 114. The apparatus of claim 110 wherein the one or more actions taken in response to tracking the one or more security events are adjustable.
  - 115. The apparatus of claim 102 wherein the second process is further configured to add one or more new security events with associated severity and actions for tracking using the state machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Virsec Systems, Inc.
Original Assignee
Virsec Systems, Inc.
Inventors
Gupta, Satya Vrat, DeMeo, Raymond F.
Primary Examiner(s)
Gee, Jason K

Application Number

US14/916,066
Publication Number

US 20160212159A1
Time in Patent Office

1,467 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/54   by adding security routines...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Automated runtime detection of malware

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

162 Citations

115 Claims

Specification

Solutions

Use Cases

Quick Links

Automated runtime detection of malware

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

162 Citations

115 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links