Behavior profiling for malware detection

US 10,102,372 B2
Filed: 06/14/2017
Issued: 10/16/2018
Est. Priority Date: 03/17/2014
Status: Active Grant

First Claim

Patent Images

1. A method for behavior profiling for malware detection, comprising:

creating, via executable instructions stored in memory and executed by one or more processors coupled to a computer network, a domain specific language for use for detecting searchable patterns and conditions associated with malware,the domain specific language, executable by the one or more processors or other processors, being a declarative language definable in response to a user specification;

providing, in response to executing the domain specific language, a set of rules for use for the detecting of the searchable patterns associated with the malware, the set of rules provided by the domain specific language; and

detecting, by the set of rules, a set of temporal sequences and temporal events of a domain for the malware detection, the domain comprising a target associated with the computer network.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided herein are systems and methods for behavior profiling of targets to determine malware presence. The method includes, in various embodiments, applying a domain specific language to a target; observing a set of temporal sequences and events of the target; determining the presence of markers within the set of temporal sequences and events indicative of malware; and identifying the target as being associated with malware based on the markers. In some embodiments, a malware detection system is provided for creating a behavioral sandbox environment where a target is inspected for malware. The behavioral sandbox environment can include forensic collectors. Each of the collectors may be configured to apply a domain specific language to a target; observe a set of temporal sequences and events of the target; determine the presence of markers within the set of temporal sequences and events indicative of malware; and detect malware presence based on the markers.

36 Citations

View as Search Results

20 Claims

1. A method for behavior profiling for malware detection, comprising:
- creating, via executable instructions stored in memory and executed by one or more processors coupled to a computer network, a domain specific language for use for detecting searchable patterns and conditions associated with malware,the domain specific language, executable by the one or more processors or other processors, being a declarative language definable in response to a user specification;
  
  providing, in response to executing the domain specific language, a set of rules for use for the detecting of the searchable patterns associated with the malware, the set of rules provided by the domain specific language; and
  
  detecting, by the set of rules, a set of temporal sequences and temporal events of a domain for the malware detection, the domain comprising a target associated with the computer network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the target comprises any of an HTTP conversation, a URL, a starting URL, an advertisement tag, a document file, an executable file, and combinations thereof.
  - 3. The method of claim 1, wherein the domain specific language is a threat description language configured for deployment as part of hardware on a network, a server, or the target.
  - 4. The method of claim 3, wherein the target is an Internet web server and the domain specific language is configurable for describing behavior and the patterns exhibited within conversations between HTTP clients.
  - 5. The method of claim 1, wherein the domain specific language is configured for deployment as a cloud-based software-as-a-service (SaaS).
  - 6. The method of claim 1, wherein the user specification includes tests to be performed while analyzing an HTTP conversation, wherein the domain specific language does not specify how the user-specified tests are run, the order of execution or logic flow for the user-specified tests.
  - 7. The method of claim 1, further comprising:
    - applying, via the executable instructions stored in the memory and executed by the one or more processors or the other processors, the domain specific language to the target accessible via the computer network, the domain specific language for detecting the malware associated with the target, the set of rules for the domain specific language further including, in addition to the detecting of the set of temporal sequences and temporal events of the target,determining a presence of a particular one of the patterns within the set of temporal sequences and temporal events, that is indicative of the malware; and
      
      identifying the target as being associated with the malware based on the presence of the particular one of the patterns.
  - 8. The method of claim 7, wherein the particular one of the patterns comprises one or more markers.
  - 9. The method of claim 7, further comprising, utilizing the domain specific language, and creating a behavior profile for the target based on the set of temporal sequences and temporal events.
  - 10. The method of claim 7, further comprising, in response to identifying the target as being associated with the malware, determining behavioral knowledge of the target that is associated with the malware.
  - 11. The method of claim 7, further comprising:
    - determining if the malware is configured to protect itself from a monitored lab environment;
      
      in response to the determining, the malware is configured to protect itself from the monitored lab environment, provoking the malware to attack; and
      
      in response to the provoking, recording activities of the malware, wherein each of the activities comprises a time stamp such that the activities can be arranged in a chronological order.
  - 12. The method of claim 11, further comprising, using the domain specific language, creating a behavioral sandbox environment where the target is inspected for malware, the behavioral sandbox environment comprising a plurality of forensic collectors configured to gather evidence from the malware.

13. A malware detection system, comprising:
- a processor; and
  
  a memory for storing executable instructions, the instructions being executed by the processor to perform a method, the method comprising;
  
  creating, via executable instructions stored in the memory and executed by the processor, a domain specific language for use for detecting searchable patterns and conditions associated with malware,the domain specific language being a declarative language definable in response to a user specification;
  
  providing, via the domain specific language, a set of rules for use for the detecting of the searchable patterns associated with the malware, the set of rules generated from the domain specific language; and
  
  detecting, by the set of rules, a set of temporal sequences and temporal events of a domain, the domain comprising a target associated with the computer network.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13, wherein the target comprises any of an HTTP conversation, a URL, a starting URL, an advertisement tag, a document file, an executable file, and combinations thereof.
  - 15. The system of claim 13, wherein the domain specific language is configured for deployment as part of hardware on a network, a server, or the target, or is configured for deployment as a cloud-based software-as-a-service (SaaS).
  - 16. The system of claim 13, wherein the method further comprises:
    - applying, via the executable instructions stored in the memory and executed by the processor or other processors, the domain specific language to a the target accessible via the computer network, the domain specific language for detecting the malware associated with the target, the set of rules for the domain specific language further including, in addition to the detecting of the set of temporal sequences and temporal events of the target;
      
      determining a presence of a particular one of the patterns having one or more markers within the set of temporal sequences and temporal events that are indicative of the malware; and
      
      identifying the target as being associated with the malware based on the presence of the particular one of the pattern having the one or more markers.
  - 17. The system of claim 16, further comprising, utilizing the domain specific language, and creating a behavior profile for the target based on the set of temporal sequences and temporal events.
  - 18. The system of claim 16, further comprising, using the domain specific language, and creating a behavioral sandbox environment where the target is inspected for malware, the behavioral sandbox environment comprising a plurality of forensic collectors.
  - 19. The system of claim 18, wherein each of the plurality of forensic collectors is configured to:
    - allow the target to execute therein;
      
      collect evidence from the malware using a plurality of collector modules, wherein the evidence comprises activities of the malware;
      
      determine malicious behavior from the set of temporal sequences and temporal events; and
      
      log the target in response to the malicious behavior being determined or suspected.

20. A method for behavior profiling for malware detection, comprising:
- applying, via executable instructions stored in memory and executed by one or more processors coupled to a computer network, a domain specific language to a target accessible via the computer network,the domain specific language being definable in response to a user specification for detecting malware associated with the target; and
  
  providing a set of rules generated from the domain specific language including;
  
  detecting a set of temporal sequences and temporal events of the target,determining a presence of a particular pattern within the set of temporal sequences and temporal events, that is indicative of the malware, andidentifying the target as being associated with the malware based on the presence of the particular pattern.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Proofpoint Incorporated
Original Assignee
Proofpoint Incorporated
Inventors
Huang, Wayne, Idle, M. James
Primary Examiner(s)
Zhao, Don G

Application Number

US15/623,018
Publication Number

US 20170286678A1
Time in Patent Office

489 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 2221/034   Test or assess a computer o...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

Behavior profiling for malware detection

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Behavior profiling for malware detection

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others