Behavior profiling for malware detection
4 Assignments
0 Petitions
Abstract
Provided herein are systems and methods for behavior profiling of targets to determine malware presence. The method includes, in various embodiments, applying a domain specific language to a target; observing a set of temporal sequences and events of the target; determining the presence of markers within the set of temporal sequences and events indicative of malware; and identifying the target as being associated with malware based on the markers. In some embodiments, a malware detection system is provided for creating a behavioral sandbox environment where a target is inspected for malware. The behavioral sandbox environment can include forensic collectors. Each of the collectors may be configured to apply a domain specific language to a target; observe a set of temporal sequences and events of the target; determine the presence of markers within the set of temporal sequences and events indicative of malware; and detect malware presence based on the markers.
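As an added illustration, not code from the patent or its assignee, the following Python sketch shows what a declarative rule over "temporal sequences and events" can look like and how a collector might evaluate it against a sandbox trace. The event schema, the rule structure (ordered steps, attribute constraints, captured variables, a time window), the rule names and the trace itself are all assumptions constructed for this example; the patent does not specify any of them.

```python
"""Toy declarative rule engine over a sandbox event trace (added example, not
code from the patent). A rule is an ordered list of steps plus a time window;
each step names an event type, attribute constraints, and values to capture
that later steps may reference as "$name"."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]      # one observed event: {"t": seconds, "type": str, ...}
Bindings = Dict[str, Any]   # variables captured while matching a rule


@dataclass(frozen=True)
class Step:
    event_type: str
    # attribute -> required value; a string "$name" refers to an earlier capture
    where: Dict[str, Any] = field(default_factory=dict)
    # attribute -> variable name captured once this step matches
    bind: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Rule:
    name: str
    steps: Tuple[Step, ...]
    window: float  # max seconds between the first and last matched event


def step_matches(step: Step, event: Event, bindings: Bindings) -> bool:
    """True if the event has the step's type and satisfies every constraint."""
    if event.get("type") != step.event_type:
        return False
    for attr, expected in step.where.items():
        if isinstance(expected, str) and expected.startswith("$"):
            if expected[1:] not in bindings:
                return False
            expected = bindings[expected[1:]]
        if event.get(attr) != expected:
            return False
    return True


def match_rule(rule: Rule, events: List[Event]) -> List[Tuple[Bindings, List[Event]]]:
    """Find ordered occurrences of the rule's steps inside the window.

    Every event matching the first step starts a candidate chain, which is
    extended greedily (first later event satisfying the next step). Returns a
    list of (bindings, matched events), one entry per complete occurrence."""
    ordered = sorted(events, key=lambda e: e["t"])
    matches: List[Tuple[Bindings, List[Event]]] = []
    for i, first in enumerate(ordered):
        bindings: Bindings = {}
        if not step_matches(rule.steps[0], first, bindings):
            continue
        bindings.update({var: first.get(attr) for attr, var in rule.steps[0].bind.items()})
        chain = [first]
        j = i + 1
        for step in rule.steps[1:]:
            found = None
            while j < len(ordered) and ordered[j]["t"] - first["t"] <= rule.window:
                candidate = ordered[j]
                j += 1
                if step_matches(step, candidate, bindings):
                    found = candidate
                    break
            if found is None:
                break
            bindings.update({var: found.get(attr) for attr, var in step.bind.items()})
            chain.append(found)
        else:
            matches.append((dict(bindings), chain))
    return matches


def evaluate(rules: List[Rule], events: List[Event]) -> Dict[str, List[Tuple[Bindings, List[Event]]]]:
    """Run every rule over the trace; rules with no occurrence are omitted."""
    return {r.name: hits for r in rules if (hits := match_rule(r, events))}


# Constructed sandbox trace (invented values): a file is written, launched, and
# the new process opens an outbound connection. A later unrelated write should
# not produce a match.
SANDBOX_TRACE: List[Event] = [
    {"t": 0.0, "type": "process_create", "pid": 100, "image": "explorer.exe"},
    {"t": 1.2, "type": "file_write", "pid": 100, "path": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    {"t": 2.0, "type": "process_create", "pid": 200, "parent_pid": 100,
     "image": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    {"t": 3.5, "type": "registry_set", "pid": 200, "key": r"HKCU\Software\Example\Setting"},
    {"t": 4.1, "type": "net_connect", "pid": 200, "dst": "203.0.113.7:443"},
    {"t": 60.0, "type": "file_write", "pid": 100, "path": r"C:\Users\alice\Documents\notes.txt"},
]

# Hypothetical rule: a file is written, that file is executed, and the resulting
# process connects out, all within 30 seconds. Only the sequence and the shared
# values are declared; the engine above supplies the "how".
DROP_EXECUTE_CONNECT = Rule(
    name="drop_execute_connect",
    steps=(
        Step("file_write", bind={"path": "dropped"}),
        Step("process_create", where={"image": "$dropped"}, bind={"pid": "child"}),
        Step("net_connect", where={"pid": "$child"}),
    ),
    window=30.0,
)

# Same steps with a 2-second window: the connect at t=4.1 falls outside it.
DROP_EXECUTE_CONNECT_FAST = Rule(
    name="drop_execute_connect_fast", steps=DROP_EXECUTE_CONNECT.steps, window=2.0
)

if __name__ == "__main__":
    for name, hits in evaluate([DROP_EXECUTE_CONNECT, DROP_EXECUTE_CONNECT_FAST], SANDBOX_TRACE).items():
        for bound, chain in hits:
            print(name, bound, [e["t"] for e in chain])
```

Run as a script it reports one occurrence of `drop_execute_connect` (events at t=1.2, 2.0 and 4.1, with `dropped` and `child` bound) and nothing for the 2-second variant. The greedy forward extension keeps the matcher linear per candidate start but can miss an occurrence when an earlier event satisfies a step and a later one would have led to a full chain; a production engine would backtrack or keep several partial chains alive.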
36 Citations
20 Claims
1. A method for behavior profiling for malware detection, comprising:

creating, via executable instructions stored in memory and executed by one or more processors coupled to a computer network, a domain specific language for use for detecting searchable patterns and conditions associated with malware, the domain specific language, executable by the one or more processors or other processors, being a declarative language definable in response to a user specification; providing, in response to executing the domain specific language, a set of rules for use for the detecting of the searchable patterns associated with the malware, the set of rules provided by the domain specific language; and detecting, by the set of rules, a set of temporal sequences and temporal events of a domain for the malware detection, the domain comprising a target associated with the computer network.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.

13. A malware detection system, comprising:

a processor; and a memory for storing executable instructions, the instructions being executed by the processor to perform a method, the method comprising: creating, via executable instructions stored in the memory and executed by the processor, a domain specific language for use for detecting searchable patterns and conditions associated with malware, the domain specific language being a declarative language definable in response to a user specification; providing, via the domain specific language, a set of rules for use for the detecting of the searchable patterns associated with the malware, the set of rules generated from the domain specific language; and detecting, by the set of rules, a set of temporal sequences and temporal events of a domain, the domain comprising a target associated with the computer network.

Dependent claims: 14, 15, 16, 17, 18, 19.

20. A method for behavior profiling for malware detection, comprising:

applying, via executable instructions stored in memory and executed by one or more processors coupled to a computer network, a domain specific language to a target accessible via the computer network, the domain specific language being definable in response to a user specification for detecting malware associated with the target; and providing a set of rules generated from the domain specific language including: detecting a set of temporal sequences and temporal events of the target, determining a presence of a particular pattern within the set of temporal sequences and temporal events, that is indicative of the malware, and identifying the target as being associated with the malware based on the presence of the particular pattern.
Specification