Leveraging behavior-based rules for malware family classification

US 10,176,321 B2
Filed: 12/11/2015
Issued: 01/08/2019
Est. Priority Date: 09/22/2015
Status: Active Grant

First Claim

Patent Images

1. An electronic device comprising:

one or more hardware processors; and

a memory coupled to the one or more processors, the memory comprises software that, when executed by the one or more hardware processors,(i) analyzing a plurality of behaviors by at least monitoring the plurality of behaviors of a sample during execution within one or more virtual machines and determining compliance or non-compliance by the plurality of behaviors with a plurality of rules to generate a sequence of rules where compliance or non-compliance with each of the sequence of rules corresponds to a potential malicious behavior detected during analysis of the sample, (ii) generating a rule aggregation sequence from the sequence of rules, the rule aggregation sequence being a subset of the sequence of rules each corresponding to a behavior of the plurality of behaviors having at least a prescribed probability of being associated with malware, and (iii) attempting to classify the sample to a known malware family based on a degree of relatedness between the rule aggregation sequence and rules associated with the known malware family.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a malware classification scheme operating with an electronic device, configured with one or more hardware processors and a memory that stores the software handling the malware classification scheme that is conducted through analysis of behavior-based rules, is described. This malware classification scheme (i) conducts a determination whether a sequence of rules correspond to potential malicious behaviors detected during analysis of a malware sample within one or more virtual machines, and in response to determining that the sequence of rules corresponds to potential malicious behaviors, (ii) conducts an attempt to classify the malware sample to at least one known malware family based on an analysis of the sequence of rules.

747 Citations

33 Claims

1. An electronic device comprising:
- one or more hardware processors; and
  
  a memory coupled to the one or more processors, the memory comprises software that, when executed by the one or more hardware processors,(i) analyzing a plurality of behaviors by at least monitoring the plurality of behaviors of a sample during execution within one or more virtual machines and determining compliance or non-compliance by the plurality of behaviors with a plurality of rules to generate a sequence of rules where compliance or non-compliance with each of the sequence of rules corresponds to a potential malicious behavior detected during analysis of the sample, (ii) generating a rule aggregation sequence from the sequence of rules, the rule aggregation sequence being a subset of the sequence of rules each corresponding to a behavior of the plurality of behaviors having at least a prescribed probability of being associated with malware, and (iii) attempting to classify the sample to a known malware family based on a degree of relatedness between the rule aggregation sequence and rules associated with the known malware family.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The electronic device of claim 1, wherein the software stored in the memory, when executed by the one or more hardware processors, attempts to classify the sample by at least comparing a chronological order of the rule aggregation sequence to a chronological order of rules associated with each of a plurality of known malware families, including the rules associated with the known malware family.
  - 3. The electronic device of claim 1, wherein the software stored in the memory, when executed by the one or more hardware processors, further conducts the analyzing of the plurality of behaviors and conducts the determining whether the sequence of rules corresponds to the potential malicious behaviors by at least (i) organizing the monitored plurality of behaviors in accordance with a chronological order as to a time of detection, (ii) determining whether the monitored plurality of behaviors are non-compliant with a series of rules, and if so, (iii) including the series of rules as part of the sequence of rules.
  - 4. The electronic device of claim 1, wherein the software stored in the memory, when executed by the one or more hardware processors, generating the rule aggregation sequence by at least (i) assigning a weight value to each rule of the sequence of rules and (ii) removing a rule from the sequence of rules when the weight value assigned to the rule is determined to fall below a predetermined threshold, the weight value being based on a probability of the behavior associated with malware.
  - 5. The electronic device of claim 1, wherein the memory comprises software that, when executed by the one or more hardware processors, generates electrical alert signals to identify the sample and an identified malware family to which the sample pertains.
  - 6. The electronic device of claim 1, wherein the software stored in the memory, when executed by the one or more hardware processors, conducts the analyzing of the plurality of behaviors to determine the sequence of rules comprises (i) organizing the monitored plurality of behaviors in accordance with a chronological order as to a time of detection, (ii) determining whether a series of the monitored plurality of behaviors are compliant with the series of rules, and if so, (iii) including the series of rules as part of the sequence of rules.
  - 7. The electronic device of claim 1, wherein the software stored in the memory, when executed by the one or more hardware processors, generates an alert signal in response to classifying the sample as malicious and part of the known malware family.
  - 8. The electronic device of claim 7, wherein the alert signal being a type of message including a text message or an electronic mail (email) message.

9. An electronic device comprising:
- one or more hardware processors; and
  
  a memory coupled to the one or more processors, the memory comprisesdynamic analysis logic that includes components that, when executed by the one or more hardware processors, generate one or more virtual machines that are configured to process a sample and monitor a plurality of behaviors of the sample during processing within the one or more virtual machines,correlation logic that, when executed by the one or more hardware processors, (i) analyzes the plurality of behaviors of the behaviors by determining compliance or non-compliance by the plurality of behaviors with a plurality of rules to generate a sequence of rules where compliance or non-compliance with each of the sequence of rules corresponds to a potential malicious behavior detected during analysis of the sample within the one or more virtual machines, and (ii) assigns weight values to each of the sequence of rules and generates a rule aggregation sequence from the sequence of rules, the rule aggregation sequence being a subset of the sequence of rules each corresponding to a behavior of the plurality of behaviors having at least a prescribed probability of being associated with malware, andclassification logic that, when executed by the one or more hardware processors and in response to determining that the sequence of rules corresponds to potential malicious behaviors, attempts to classify the sample to a known malware family based on a degree of relatedness between at least a portion of the sequence of rules and rules associated with the known malware family.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The electronic device of claim 9, wherein the classification logic stored in the memory, when executed by the one or more hardware processors, attempts to classify the sample by comparing a chronological order of the portion of the sequence of rules to a chronological order of unique rules associated with each of a plurality of known malware families, including the rules associated with the known malware family.
  - 11. The electronic device of claim 9, wherein the correlation logic stored in the memory, when executed by the one or more hardware processors, analyzes the plurality of behaviors by determining whether the sequence of rules corresponds to the potential malicious behaviors by performing operations that comprises (i) monitoring the plurality of behaviors of the sample during execution within the one or more virtual machines, (ii) organizing the monitored plurality of behaviors in accordance with a chronological order as to a time of detection, (iii) determining whether a series of the chronologically ordered, monitored plurality of behaviors are non-compliant with a series of rules included as part of the plurality of rules, and if so, (iv) including the series of rules as part of the sequence of rules.
  - 12. The electronic device of claim 11, wherein the series of rules depend on a type of the sample where a first series of rules associated with an executable operating as the sample is different from a second series of rules associated with a Portable Document Format (PDF) document.
  - 13. The electronic device of claim 11, wherein the series of rules depend on a type of the electronic device where a first series of rules associated with a first type of security appliance is different from a second series of rules associated with a second type of security appliance.
  - 14. The electronic device of claim 11, wherein the correlation logic stored in the memory, when executed by the one or more hardware processors, assigns the weight value to each rule of the sequence of rules and removes a rule from the sequence of rules when generating the rule aggregation sequence when the weight value assigned to the rule is below a predetermined threshold.
  - 15. The electronic device of claim 9, wherein the memory further comprises a reporting logic that, when executed by the one or more hardware processors, generates electrical alert signals to identify the sample and an identified malware family to which the sample pertains.
  - 16. The electronic device of claim 15, wherein the reporting logic further comprises a user interface to allow for customer customization as to a configuration of the alert signals in a text message format or an electronic mail (email) message format.
  - 17. The electronic device of claim 9, wherein the correlation logic stored in the memory, when executed by the one or more hardware processors, generates the sequence of rules by performing operations that comprises (i) monitoring the plurality of behaviors of the sample during execution within the one or more virtual machines, (ii) organizing the monitored the plurality of behaviors in accordance with a chronological order as to a time of detection, (iii) determining whether a series of the chronologically ordered, monitored the plurality of behaviors are compliant with a series of rules being part of the plurality of rules, and if so, (iv) including the series of rules as part of the sequence of rules.

18. An electronic device comprising:
- one or more hardware processors; and
  
  a memory coupled to the one or more processors, the memory comprisesone or more software components that, when executed by the one or more hardware processors, generates one or more virtual machines that process a sample and monitor behaviors by the sample during processing within the one or more virtual machines,correlation logic that, when executed by the one or more hardware processors,(i) analyzes the behaviors by determining compliance or non-compliance with a series of rules to determine a sequence of rules that correspond to potential malicious behaviors detected during analysis of the sample within one or more virtual machines, and (ii) filters the sequence of rules by removal of one or more rules corresponding to one or more potential malicious behaviors having or exceeding a prescribed probability of being associated with malware, andclassification logic that, when executed by the one or more hardware processors, compares the filtered sequence of rules to unique rules associated with a known malware family.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The electronic device of claim 18, wherein the correlation logic stored in the memory, when executed by the one or more hardware processors, determines whether the sequence of rules correspond to the potential malicious behaviors by performing operations that comprises (i) monitoring behaviors of the sample during execution within the one or more virtual machines, (ii) organizing the monitored behaviors in accordance with a chronological order as to a time of detection, (iii) determining whether a series of the chronologically ordered, monitored behaviors are non-compliant with a series of rules, and if so, (iv) including the series of rules as part of the sequence of rules.
  - 20. The electronic device of claim 19, wherein the series of rules selected for analysis with the series of chronologically ordered, monitored behaviors is based on a type of the sample where the series of rules comprises a first series of rules when the sample is an executable.
  - 21. The electronic device of claim 20, wherein the series of rules comprises a second series of rules that is different from the first series of rules when the sample is a Portable Document Format (PDF) document.
  - 22. The electronic device of claim 19, wherein memory further comprises (i) scanning logic that obtains one or more labels associated with known malware having matching characteristics to characteristics of the sample and (ii) label assignment logic to assign a label to a cluster of samples including the sample.
  - 23. The electronic device of claim 22, the label assignment logic to assign the label that includes information associated with a label most common of the one or more labels obtained by the scanning logic.
  - 24. The electronic device of claim 18, wherein memory further comprises reporting logic that, when executed by the one or more hardware processors, generates alert signals to identify the sample as malicious and an identified malware family to which the sample pertains.
  - 25. The electronic device of claim 24, wherein the reporting logic further comprises a user interface to allow for customer customization as to a configuration of the alert signal in a text message format or an electronic mail (email) message format.

26. A method comprising:
- monitoring a plurality of behaviors of a sample during execution within one or more virtual machines;
  
  determining compliance or non-compliance by the plurality of behaviors with a plurality of rules to generate a sequence of rules where compliance or non-compliance with each of the sequence of rules corresponds to a potential malicious behavior detected during analysis of the sample;
  
  generating a rule aggregation sequence from the sequence of rules, the rule aggregation sequence being a subset of the sequence of rules each corresponding to a behavior of the plurality of behaviors having at least a prescribed probability of being associated with malware; and
  
  attempting to classify the sample to a known malware family based on a degree of relatedness between the rule aggregation sequence and rules associated with the known malware family.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33)
- - 27. The method of claim 26, wherein the attempting to classify the sample comprises comparing a chronological order of the rule aggregation sequence to a chronological order of rules associated with each of a plurality of known malware families, including the rules associated with the known malware family.
  - 28. The method of claim 26, wherein the determining compliance or non-compliance by the plurality of behaviors with a plurality of rules comprises (i) organizing the monitored plurality of behaviors in accordance with a chronological order as to a time of detection, (ii) determining whether the monitored plurality of behaviors are non-compliant with a series of rules, and if so, (iii) including the series of rules as part of the sequence of rules.
  - 29. The method of claim 26, wherein the generating of the rule aggregation sequence comprises (i) assigning a weight value to each rule of the sequence of rules and (ii) removing a rule from the sequence of rules when the weight value assigned to the rule is determined to fall below a predetermined threshold, the weight value being based on a probability of the behavior associated with malware.
  - 30. The electric device of claim 26 further comprising generating electrical alert signals to identify the sample and an identified malware family to which the sample pertains.
  - 31. The method of claim 30, wherein the alert signals being one or more messages that identify the sample and an identified malware family to which the sample pertains.
  - 32. The method claim 30, wherein prior to the monitoring of the plurality of behaviors of the sample, the method further comprising:
    - using a user interface to customize a configuration of a message format for the alert signals.
  - 33. The method of claim 26, wherein the determining compliance or non-compliance by the plurality of behaviors with a plurality of rules comprises (i) organizing the monitored plurality of behaviors in accordance with a chronological order as to a time of detection, (ii) determining whether a series of the monitored plurality of behaviors are compliant with the series of rules, and if so, (iii) including the series of rules as part of the sequence of rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Abbasi, Fahim H., Salam, Abdul, Shahzad, Farrukh
Primary Examiner(s)
Shehni, Ghazal B

Application Number

US14/967,180
Publication Number

US 20170083703A1
Time in Patent Office

1,124 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/561 Virus type analysis

G06F 21/566 Dynamic detection, i.e. det...

Leveraging behavior-based rules for malware family classification

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

747 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Leveraging behavior-based rules for malware family classification

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

747 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links