Leveraging behavior-based rules for malware family classification
First Claim
1. An electronic device comprising:
one or more hardware processors; and a memory coupled to the one or more processors, the memory comprises software that, when executed by the one or more hardware processors, (i) analyzing a plurality of behaviors by at least monitoring the plurality of behaviors of a sample during execution within one or more virtual machines and determining compliance or non-compliance by the plurality of behaviors with a plurality of rules to generate a sequence of rules where compliance or non-compliance with each of the sequence of rules corresponds to a potential malicious behavior detected during analysis of the sample, (ii) generating a rule aggregation sequence from the sequence of rules, the rule aggregation sequence being a subset of the sequence of rules each corresponding to a behavior of the plurality of behaviors having at least a prescribed probability of being associated with malware, and (iii) attempting to classify the sample to a known malware family based on a degree of relatedness between the rule aggregation sequence and rules associated with the known malware family.
6 Assignments
0 Petitions
Abstract
According to one embodiment, a malware classification scheme operating with an electronic device, configured with one or more hardware processors and a memory that stores the software handling the malware classification scheme that is conducted through analysis of behavior-based rules, is described. This malware classification scheme (i) conducts a determination whether a sequence of rules correspond to potential malicious behaviors detected during analysis of a malware sample within one or more virtual machines, and in response to determining that the sequence of rules corresponds to potential malicious behaviors, (ii) conducts an attempt to classify the malware sample to at least one known malware family based on an analysis of the sequence of rules.
747 Citations
33 Claims
1. An electronic device comprising:
one or more hardware processors; and a memory coupled to the one or more processors, the memory comprises software that, when executed by the one or more hardware processors, (i) analyzing a plurality of behaviors by at least monitoring the plurality of behaviors of a sample during execution within one or more virtual machines and determining compliance or non-compliance by the plurality of behaviors with a plurality of rules to generate a sequence of rules where compliance or non-compliance with each of the sequence of rules corresponds to a potential malicious behavior detected during analysis of the sample, (ii) generating a rule aggregation sequence from the sequence of rules, the rule aggregation sequence being a subset of the sequence of rules each corresponding to a behavior of the plurality of behaviors having at least a prescribed probability of being associated with malware, and (iii) attempting to classify the sample to a known malware family based on a degree of relatedness between the rule aggregation sequence and rules associated with the known malware family. (Dependent claims: 2, 3, 4, 5, 6, 7, 8)
9. An electronic device comprising:
one or more hardware processors; and a memory coupled to the one or more processors, the memory comprises dynamic analysis logic that includes components that, when executed by the one or more hardware processors, generate one or more virtual machines that are configured to process a sample and monitor a plurality of behaviors of the sample during processing within the one or more virtual machines, correlation logic that, when executed by the one or more hardware processors, (i) analyzes the plurality of behaviors of the behaviors by determining compliance or non-compliance by the plurality of behaviors with a plurality of rules to generate a sequence of rules where compliance or non-compliance with each of the sequence of rules corresponds to a potential malicious behavior detected during analysis of the sample within the one or more virtual machines, and (ii) assigns weight values to each of the sequence of rules and generates a rule aggregation sequence from the sequence of rules, the rule aggregation sequence being a subset of the sequence of rules each corresponding to a behavior of the plurality of behaviors having at least a prescribed probability of being associated with malware, and classification logic that, when executed by the one or more hardware processors and in response to determining that the sequence of rules corresponds to potential malicious behaviors, attempts to classify the sample to a known malware family based on a degree of relatedness between at least a portion of the sequence of rules and rules associated with the known malware family. (Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17)
18. An electronic device comprising:
one or more hardware processors; and a memory coupled to the one or more processors, the memory comprises one or more software components that, when executed by the one or more hardware processors, generates one or more virtual machines that process a sample and monitor behaviors by the sample during processing within the one or more virtual machines, correlation logic that, when executed by the one or more hardware processors, (i) analyzes the behaviors by determining compliance or non-compliance with a series of rules to determine a sequence of rules that correspond to potential malicious behaviors detected during analysis of the sample within one or more virtual machines, and (ii) filters the sequence of rules by removal of one or more rules corresponding to one or more potential malicious behaviors having or exceeding a prescribed probability of being associated with malware, and classification logic that, when executed by the one or more hardware processors, compares the filtered sequence of rules to unique rules associated with a known malware family. (Dependent claims: 19, 20, 21, 22, 23, 24, 25)
26. A method comprising:
monitoring a plurality of behaviors of a sample during execution within one or more virtual machines; determining compliance or non-compliance by the plurality of behaviors with a plurality of rules to generate a sequence of rules where compliance or non-compliance with each of the sequence of rules corresponds to a potential malicious behavior detected during analysis of the sample; generating a rule aggregation sequence from the sequence of rules, the rule aggregation sequence being a subset of the sequence of rules each corresponding to a behavior of the plurality of behaviors having at least a prescribed probability of being associated with malware; and attempting to classify the sample to a known malware family based on a degree of relatedness between the rule aggregation sequence and rules associated with the known malware family. (Dependent claims: 27, 28, 29, 30, 31, 32, 33)
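The three-step pipeline the independent claims describe, as an added worked example in Python. This is not code from the patent or its assignee; it is an editor's illustration of the claimed flow: (i) sandbox behaviors are tested against rules to produce the sequence of rules that fired, (ii) a rule aggregation sequence is derived by filtering on each rule's probability of malware association (claims 1, 9 and 26 keep rules at or above the threshold; claim 18 removes them and compares what remains against family-unique rules, so both filters are provided), and (iii) the aggregation sequence is scored for relatedness against per-family rule sets. Every rule identifier, weight, family profile, path, registry key, mutex name and address below is constructed for illustration, and weighted Jaccard is one reasonable relatedness measure chosen here, not one the claims specify.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence, Set, Tuple

@dataclass(frozen=True)
class Behavior:
    """One API event captured while the sample executed in the sandbox VM."""
    api: str
    args: Dict[str, str] = field(default_factory=dict)

@dataclass(frozen=True)
class Rule:
    """Behavior rule; weight is the assumed (constructed) probability that a
    behavior satisfying it is associated with malware."""
    rule_id: str
    weight: float
    match: Callable[[Behavior], bool]

def _arg_has(key: str, needle: str) -> Callable[[Behavior], bool]:
    """Case-insensitive substring test on one API argument."""
    return lambda b: needle.lower() in b.args.get(key, "").lower()

# Constructed rule set: hypothetical ids, weights and predicates.
RULES: List[Rule] = [
    Rule("R1_run_key_persistence", 0.90, lambda b: b.api == "RegSetValue"
         and _arg_has("key", "\\CurrentVersion\\Run")(b)),
    Rule("R2_drops_exe_in_temp", 0.70, lambda b: b.api == "CreateFile"
         and _arg_has("path", "\\Temp\\")(b)
         and b.args.get("path", "").lower().endswith(".exe")),
    Rule("R3_creates_mutex", 0.30, lambda b: b.api == "CreateMutex"),
    Rule("R4_tls_beacon", 0.50, lambda b: b.api == "InternetConnect"
         and b.args.get("port") == "443"),
    Rule("R5_remote_thread_injection", 0.95, lambda b: b.api == "CreateRemoteThread"),
    Rule("R6_reads_clipboard", 0.20, lambda b: b.api == "GetClipboardData"),
]

# Constructed per-family rule profiles (hypothetical family names).
FAMILIES: Dict[str, Set[str]] = {
    "FamilyA": {"R1_run_key_persistence", "R2_drops_exe_in_temp", "R4_tls_beacon",
                "R5_remote_thread_injection"},
    "FamilyB": {"R3_creates_mutex", "R4_tls_beacon", "R5_remote_thread_injection"},
    "FamilyC": {"R4_tls_beacon", "R6_reads_clipboard"},
}

def evaluate_rules(trace: Sequence[Behavior], rules: Sequence[Rule]) -> List[str]:
    """Step (i): test each sandbox event against each rule; return the ids of the
    rules that fired, ordered by the first event that fired each one."""
    fired: List[str] = []
    for event in trace:
        for rule in rules:
            if rule.rule_id not in fired and rule.match(event):
                fired.append(rule.rule_id)
    return fired

def aggregate_rules(sequence: Sequence[str], rules: Sequence[Rule],
                    min_probability: float, mode: str = "keep") -> List[str]:
    """Step (ii): build the rule aggregation sequence. mode="keep" retains rules whose
    weight is at least min_probability (claims 1, 9, 26); mode="drop" removes those
    and keeps the rest for comparison against family-unique rules (claim 18)."""
    weight = {r.rule_id: r.weight for r in rules}
    if mode not in ("keep", "drop"):
        raise ValueError(f"unknown mode: {mode}")
    keep_high = mode == "keep"
    return [rid for rid in sequence if (weight[rid] >= min_probability) == keep_high]

def relatedness(agg: Sequence[str], family_rules: Set[str], rules: Sequence[Rule]) -> float:
    """Weighted Jaccard: weight of shared rules over weight of the union. The claims
    leave the relatedness measure open; this is one common choice."""
    weight = {r.rule_id: r.weight for r in rules}
    shared, union = set(agg) & family_rules, set(agg) | family_rules
    if not union:
        return 0.0
    return sum(weight.get(r, 0.0) for r in shared) / sum(weight.get(r, 0.0) for r in union)

def classify(agg: Sequence[str], families: Dict[str, Set[str]], rules: Sequence[Rule],
             min_relatedness: float) -> Optional[Tuple[str, float]]:
    """Step (iii): (family, score) for the most related family, or None when no rule
    survived aggregation or no family reaches min_relatedness."""
    if not agg:
        return None
    score, name = max((relatedness(agg, fr, rules), n) for n, fr in families.items())
    return (name, score) if score >= min_relatedness else None

# Constructed sandbox traces; paths, key, mutex names and address are hypothetical.
SAMPLE_TRACE = [
    Behavior("CreateFile", {"path": "C:\\Users\\victim\\AppData\\Local\\Temp\\upd.exe"}),
    Behavior("CreateMutex", {"name": "Global\\x7f3a"}),
    Behavior("RegSetValue", {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"}),
    Behavior("InternetConnect", {"host": "198.51.100.7", "port": "443"}),
]
BENIGN_TRACE = [Behavior("CreateMutex", {"name": "Local\\app"}), Behavior("GetClipboardData")]

def run_pipeline(trace, min_probability=0.5, min_relatedness=0.5):
    """Full pipeline: (rule sequence, aggregation sequence, classification)."""
    seq = evaluate_rules(trace, RULES)
    agg = aggregate_rules(seq, RULES, min_probability)
    return seq, agg, classify(agg, FAMILIES, RULES, min_relatedness)

if __name__ == "__main__":
    for label, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        seq, agg, verdict = run_pipeline(trace)
        print(f"{label}: fired={seq} aggregated={agg} verdict={verdict}")
```

On the constructed sample trace the rule sequence is R2, R3, R1, R4; the 0.5 threshold drops the low-weight mutex rule, and the aggregation sequence shares three of FamilyA's four rules, so FamilyA scores 2.1/3.05 while the other two families stay well below the 0.5 relatedness floor. The benign trace fires only low-weight rules, leaves an empty aggregation sequence, and is not attributed to any family, which is the "attempting to classify" outcome the claims allow for.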
Specification