System and method for detecting time-bomb malware
First Claim
1. A system comprising:
- one or more counters;
- comparison logic; and
- one or more hardware processors communicatively coupled to the one or more counters and the comparison logic, the one or more hardware processors being configured, using a virtual machine (VM) image selected based on metadata associated with received content, to instantiate one or more virtual machines for analysis of the received content, the one or more virtual machines being configured to utilize the one or more counters to monitor a delay caused by one or more events conducted during processing of the received content and utilize the comparison logic to identify the received content as including malware if the delay exceeds a first time period.
Abstract
According to one embodiment, a system comprises one or more counters; comparison logic; and one or more hardware processors communicatively coupled to the one or more counters and the comparison logic. The one or more hardware processors are configured to instantiate one or more virtual machines that are adapted to analyze received content, where the one or more virtual machines are configured to monitor a delay caused by one or more events conducted during processing of the content and identify the content as including malware if the delay exceeds a first time period.
20 Claims
1. (Independent claim; its full text is reproduced above under First Claim.) Dependent claims: 2-11.
12. A system for detecting time-bomb malware, comprising:
- one or more processors; and
- a memory communicatively coupled to the one or more processors and including one or more virtual machine images, wherein the one or more processors are configured, using a virtual machine image selected based on metadata associated with received content, to instantiate one or more virtual machines adapted to analyze the received content and determine whether the received content includes time-bomb malware by monitoring at least one of (i) a number of events that delay processing of the received content and (ii) an amount of delay caused by the events, and correspondingly determining that the received content includes malware if at least one of (a) the number of events exceeds a first threshold and (b) the amount of delay caused by the events exceeds a second threshold.
Dependent claims: 13-19.
20. A system comprising:
- one or more counters;
- one or more comparators coupled to the one or more counters; and
- one or more hardware processors communicatively coupled to the one or more counters and the one or more comparators, the one or more hardware processors being configured, using a virtual machine (VM) image selected based on metadata associated with received content, to instantiate one or more virtual machines that, utilizing the one or more counters and the one or more comparators, are adapted to analyze the received content, the one or more virtual machines being configured to (i) monitor a delay caused by at least one of (a) repetitive Sleep request messages or (b) Application Programming Interface (API) function calls that are conducted during processing of the received content and (ii) identify the received content as including malware if the delay exceeds a first time period.
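The detection logic shared by the three independent claims (counters for delay-causing events, a comparator against a threshold, and claim 12's count-or-delay rule), as an added worked example in Python. This is illustrative code written for this page, not the patentee's implementation and not code from the patent. The API names in DELAY_APIS, the default thresholds, the fast-forwarded virtual clock and the four traces are assumptions constructed for the example; the patent specifies none of them.

```python
from dataclasses import dataclass
from typing import Iterable

# Hypothetical set of guest API calls treated as delay-causing "events".
# A real sandbox hooks many more; this list is an assumption for the example.
DELAY_APIS = {"Sleep", "SleepEx", "NtDelayExecution", "WaitForSingleObject"}


@dataclass
class ApiCall:
    """One hooked call observed inside the analysis VM (constructed input)."""
    name: str
    timeout_ms: int = 0  # requested wait; 0 for calls that do not block


@dataclass
class DelayMonitor:
    """The claimed counters plus the comparison step.

    count_threshold    - claim 12's first threshold (number of delay events)
    delay_threshold_ms - claim 1's "first time period" / claim 12's second threshold
    """
    count_threshold: int
    delay_threshold_ms: int
    event_count: int = 0       # counter: delay-causing events seen
    delay_ms: int = 0          # counter: total delay those events requested
    virtual_clock_ms: int = 0  # clock the guest is told has elapsed (assumed design)

    def observe(self, call: ApiCall) -> None:
        if call.name in DELAY_APIS and call.timeout_ms > 0:
            self.event_count += 1
            self.delay_ms += call.timeout_ms
            # Fast-forward instead of really waiting: the hook returns at once
            # but advances the time the sample can observe, so the requested
            # delay is counted without stalling the analysis run itself.
            self.virtual_clock_ms += call.timeout_ms

    def verdict(self) -> dict:
        # Comparison logic: either counter crossing its threshold is enough (claim 12).
        by_count = self.event_count > self.count_threshold
        by_delay = self.delay_ms > self.delay_threshold_ms
        return {
            "malware": by_count or by_delay,
            "by_count": by_count,
            "by_delay": by_delay,
            "events": self.event_count,
            "delay_ms": self.delay_ms,
        }


def analyze(trace: Iterable[ApiCall], count_threshold: int = 5,
            delay_threshold_ms: int = 30_000) -> dict:
    """Replay one VM's call trace through the monitor and return its verdict."""
    monitor = DelayMonitor(count_threshold, delay_threshold_ms)
    for call in trace:
        monitor.observe(call)
    return monitor.verdict()


# Constructed traces (not captured from real samples).
BENIGN = [ApiCall("CreateFileW"), ApiCall("Sleep", 100), ApiCall("WriteFile"),
          ApiCall("Sleep", 100), ApiCall("Sleep", 100)]
LONG_SLEEPER = [ApiCall("Sleep", 60_000)] * 10 + [ApiCall("CreateProcessW")]
MANY_SHORT = [ApiCall("Sleep", 10)] * 50 + [ApiCall("CreateProcessW")]
SINGLE_LONG = [ApiCall("NtDelayExecution", 45_000), ApiCall("CreateProcessW")]

if __name__ == "__main__":
    for label, trace in [("benign", BENIGN), ("long sleeper", LONG_SLEEPER),
                         ("many short sleeps", MANY_SHORT),
                         ("single long wait", SINGLE_LONG)]:
        print(f"{label:18s} {analyze(trace)}")
```

The MANY_SHORT trace is the case that motivates monitoring both quantities: fifty 10 ms sleeps request only 500 ms in total, so a rule that only compares accumulated delay against a time period would pass it, while the event counter flags it. Conversely SINGLE_LONG is one call, so only the delay threshold catches it. In a real sandbox the thresholds must be set relative to the analysis window, and fast-forwarding the guest clock rather than honouring the sleep is what keeps a long-sleeping sample from simply outlasting that window.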