Anomaly detection to identify malware

US 10,129,291 B2
Filed: 06/27/2015
Issued: 11/13/2018
Est. Priority Date: 06/27/2015
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory machine readable medium comprising one or more instructions that when executed by a processor, cause the processor to:

create, by the processor, metadata for a system;

store, in memory, the metadata for the system;

monitor activities of a highly prevalent object in the system, wherein the highly prevalent object is a process, a peripheral, or hardware on an electronic device in the system;

compare the monitored activities to the metadata for the system stored in memory, wherein comparing the monitored activities to the metadata for the system includes an analysis of metadata of the highly prevalent object to identify a polymorphic threat, an object reuse analysis of the system to detect whether the highly prevalent object is reusing metadata from another object, and a filename analysis of the system;

identify a low prevalence outlier to detect potentially malicious activity, wherein the low prevalence outlier mimics metadata of the highly prevalent object and appears as an anomaly in other metadata of the highly prevalent object; and

in response to identifying the low prevalence outlier of the highly prevalent object, scanning the low prevalence outlier of the highly prevalent object for malware.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Particular embodiments described herein provide for an electronic device that can be configured to monitor activities of objects in a system, compare the monitored activities to metadata for the system, and identify low prevalence outliers to detect potentially malicious activity. The monitored activities can include an analysis of metadata of the objects in the system to identify polymorphic threats, an object reuse analysis of the system to detect an object reusing metadata from another object, and a filename analysis of the system.

Citations

15 Claims

1. At least one non-transitory machine readable medium comprising one or more instructions that when executed by a processor, cause the processor to:
- create, by the processor, metadata for a system;
  
  store, in memory, the metadata for the system;
  
  monitor activities of a highly prevalent object in the system, wherein the highly prevalent object is a process, a peripheral, or hardware on an electronic device in the system;
  
  compare the monitored activities to the metadata for the system stored in memory, wherein comparing the monitored activities to the metadata for the system includes an analysis of metadata of the highly prevalent object to identify a polymorphic threat, an object reuse analysis of the system to detect whether the highly prevalent object is reusing metadata from another object, and a filename analysis of the system;
  
  identify a low prevalence outlier to detect potentially malicious activity, wherein the low prevalence outlier mimics metadata of the highly prevalent object and appears as an anomaly in other metadata of the highly prevalent object; and
  
  in response to identifying the low prevalence outlier of the highly prevalent object, scanning the low prevalence outlier of the highly prevalent object for malware.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The at least one non-transitory machine readable medium of claim 1, wherein an age of the low prevalence outlier is at least partially used to detect the potentially malicious activity.
  - 3. The at least one non-transitory machine readable medium of claim 1, wherein the metadata of the highly prevalent object mimicked by the low prevalence outlier includes one or more of a filename, a process name, file properties, a fingerprint, and a registry key.
  - 4. The at least one non-transitory machine readable medium of claim 1, wherein the metadata for the system is created from previous activities monitored on the system.
  - 5. The at least one non-transitory machine readable medium of claim 1, wherein the metadata for the system is at least partially based on other metadata for similar systems.

6. An apparatus comprising:
- a memory element; and
  
  a hardware processor configured to;
  
  create metadata for a system;
  
  store, in the memory element, the metadata for the system;
  
  monitor activities of a highly prevalent object in the system, wherein the highly prevalent object is a process, a peripheral, or hardware on an electronic device in the system;
  
  compare the monitored activities to the metadata for the system stored in the memory element, wherein comparing the monitored activities to the metadata for the system includes an analysis of metadata of the highly prevalent object to identify a polymorphic threat, an object reuse analysis of the system to detect whether the highly prevalent object is reusing metadata from another object, and a filename analysis of the system;
  
  identify a low prevalence outlier to detect potentially malicious activity, wherein the low prevalence outlier mimics metadata of the highly prevalent object and appears as an anomaly in other metadata of the highly prevalent object; and
  
  in response to identifying the low prevalence outlier of the highly prevalent object, scan the low prevalence outlier of the highly prevalent object for malware.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The apparatus of claim 6, wherein an age of the low prevalence outlier is at least partially used to detect the potentially malicious activity.
  - 8. The apparatus of claim 6, wherein metadata of the highly prevalent object mimicked by the low prevalence outlier includes one or more of a filename, a process name, file properties, a fingerprint, and a registry key.
  - 9. The apparatus of claim 6, wherein the metadata for the system is created from previous activities monitored on the system.
  - 10. The apparatus of claim 6, wherein the metadata for the system is at least partially based on other metadata for similar systems.

11. A method comprising:
- creating metadata for a system;
  
  storing the metadata for the system;
  
  monitoring activities of a highly prevalent object in the system, wherein the highly prevalent object is a process, a peripheral, or hardware on an electronic device in the system;
  
  comparing the monitored activities to the metadata for the system, wherein comparing the monitored activities to the metadata for the system includes an analysis of metadata of the highly prevalent object to identify a polymorphic threat, an object reuse analysis of the system to detect whether the highly prevalent object is reusing metadata from another object, and a filename analysis of the system;
  
  identifying a low prevalence outlier to detect potentially malicious activity, wherein the low prevalence outlier mimics metadata of the highly prevalent object and appears as an anomaly in other metadata of the highly prevalent object; and
  
  in response to identifying the low prevalence outlier of the highly prevalent object, scanning the low prevalence outlier of the highly prevalent object for malware.
- View Dependent Claims (12, 13, 14)
- - 12. The method of claim 11, wherein an age of the low prevalence outlier is at least partially used to detect the potentially malicious activity.
  - 13. The method of claim 11, wherein metadata of the highly prevalent object mimicked by the low prevalence outlier includes one or more of a filename, a process name, file properties, a fingerprint, and a registry key.
  - 14. The method of claim 11, wherein the metadata for the system is created from previous activities monitored on the system.

15. A system for anomaly detection to identify malware, the system comprising:
- memory; and
  
  a hardware processor configured to;
  
  create metadata for a system;
  
  store, in memory, the metadata for the system;
  
  monitor activities of a highly prevalent object in the system, wherein the highly prevalent object is a process, a peripheral, or hardware on an electronic device in the system;
  
  compare the monitored activities to the metadata for the system stored in memory, wherein comparing the monitored activities to the metadata for the system includes an analysis of metadata of the highly prevalent object to identify a polymorphic threat, an object reuse analysis of the system to detect whether the highly prevalent object is reusing metadata from another object, and a filename analysis of the system; and
  
  identify a low prevalence outlier to detect potentially malicious activity, wherein the low prevalence outlier mimics metadata of the highly prevalent object and appears as an anomaly in other metadata of the highly prevalent object; and
  
  in response to identifying the low prevalence outlier of the highly prevalent object, scan the low prevalence outlier of the highly prevalent object for malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Bean, James, Spurlock, Joel R.
Primary Examiner(s)
Hailu, Teshome

Application Number

US14/752,893
Publication Number

US 20160381041A1
Time in Patent Office

1,235 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Anomaly detection to identify malware

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Anomaly detection to identify malware

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links