System and method for verifying and detecting malware
First Claim
1. A device comprising:
a memory; and
one or more processors to:
perform behavior detonation through an execution of a file object in one or more virtual environments;
extract feature values from one or more behavior traces generated from performing the behavior detonation;
send the feature values to a machine learning model;
identify the file object as a first malware object based on sending the feature values to the machine learning model;
select one or more persistent artifacts, generated in the one or more virtual environments as a result of the execution of the file object in the one or more virtual environments, based on one or more algorithms applied to behavior traces of the file object, the one or more persistent artifacts including one or more of:
information identifying a creation of a file, or information identifying an addition of a registry key;
transform the one or more persistent artifacts into a form to detect a second malware object in another device using a different operating system, the one or more persistent artifacts, before being transformed, having a first mapping of an application data path, and the one or more transformed persistent artifacts having a second mapping of the application data path, the second mapping corresponding to the different operating system; and
incorporate the one or more transformed persistent artifacts into a set of instructions to be executed on the other device using the different operating system.
Abstract
A system configured to detect malware is described. The system includes an infection verification pack configured to perform behavior detonation, identify a malware object based on machine learning, and select one or more persistent artifacts of the malware on the target system based on one or more algorithms applied to behavior traces of the malware object.
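As an added illustration (not code from the patent or its assignee), the post-classification stages of claim 1 in Python: selecting persistent artifacts from a behavior trace and re-mapping the application data path from the detonation OS to a target OS with a different layout, then emitting the result as a list of checks for the infection verification pack. The layout names, the paths, the trace event format and the Temp-exclusion rule are assumptions chosen for the example.

```python
import re

# Application data roots per OS family; {user} is the profile name on the device.
# Layout names and paths are assumptions chosen for illustration.
APPDATA_LAYOUTS = {
    "win_vista_plus": {"roaming": r"C:\Users\{user}\AppData\Roaming",
                       "local": r"C:\Users\{user}\AppData\Local"},
    "win_xp": {"roaming": r"C:\Documents and Settings\{user}\Application Data",
               "local": r"C:\Documents and Settings\{user}\Local Settings\Application Data"},
}

# Constructed behavior-trace events, in the shape a sandbox agent might emit.
SAMPLE_TRACE = [
    {"op": "file_create", "path": r"C:\Users\sbx\AppData\Roaming\updsvc\updsvc.exe"},
    {"op": "file_create", "path": r"C:\Users\sbx\AppData\Local\Temp\~df3a1.tmp"},
    {"op": "reg_add", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updsvc"},
    {"op": "file_read", "path": r"C:\Windows\System32\kernel32.dll"},
]

def _split_appdata(path, layout):
    """Return (root_kind, path relative to that root) if path lies under an application data root of the layout, else None."""
    for kind, template in layout.items():
        # Turn the layout template into a regex with a wildcard for the profile name.
        pat = re.escape(template).replace(re.escape("{user}"), r"[^\\]+")
        m = re.match(pat + r"\\(.+)$", path, re.IGNORECASE)
        if m:
            return kind, m.group(1)
    return None

def select_persistent_artifacts(trace, sandbox_os):
    """Selection rule: files created under an application data root (Temp excluded, it does not persist) and every registry key added."""
    layout = APPDATA_LAYOUTS[sandbox_os]
    out = []
    for ev in trace:
        if ev["op"] == "file_create":
            hit = _split_appdata(ev["path"], layout)
            if hit and not hit[1].lower().startswith("temp\\"):
                out.append({"type": "file", "root": hit[0], "rel": hit[1]})
        elif ev["op"] == "reg_add":
            out.append({"type": "registry", "key": ev["key"]})
    return out

def build_verification_pack(artifacts, target_os):
    """Transform: re-map each file artifact onto the target OS's application data root; {user} is left for the endpoint agent to expand per profile."""
    layout = APPDATA_LAYOUTS[target_os]
    checks = []
    for a in artifacts:
        if a["type"] == "file":
            checks.append({"check": "file_exists", "path": layout[a["root"]] + "\\" + a["rel"]})
        else:
            checks.append({"check": "registry_key_exists", "key": a["key"]})
    return checks
```

Running `build_verification_pack(select_persistent_artifacts(SAMPLE_TRACE, "win_vista_plus"), "win_xp")` yields one file check under `C:\Documents and Settings\{user}\Application Data` and one registry check; the Temp file and the read of kernel32.dll are dropped as non-persistent.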
20 Claims
7. A non-transitory computer-readable medium storing instructions, the instructions comprising:
one or more instructions that, when executed by at least one processor, cause the at least one processor to:
perform behavior detonation through an execution of a file object in one or more virtual environments;
extract feature values from one or more behavior traces generated from performing the behavior detonation;
send the feature values to a machine learning model;
identify the file object as a first malware object based on sending the feature values to the machine learning model;
select one or more persistent artifacts, generated in the one or more virtual environments as a result of the execution of the file object in the one or more virtual environments, based on one or more algorithms applied to behavior traces of the file object, the one or more persistent artifacts including one or more of:
information identifying a creation of a file, or information identifying an addition of a registry key;
transform the one or more persistent artifacts into a form to detect a second malware object in another device using a different operating system, the one or more persistent artifacts, before being transformed, having a first mapping of an application data path, and the one or more transformed persistent artifacts having a second mapping of the application data path, the second mapping corresponding to the different operating system; and
incorporate the one or more transformed persistent artifacts into a set of instructions to be executed on the other device using the different operating system.
14. A method, comprising:
performing, by a device, behavior detonation by executing a file object in one or more virtual environments;
extracting, by the device, feature values from one or more behavior traces generated from performing the behavior detonation;
sending, by the device, the feature values to a machine learning model;
identifying, by the device, the file object as a first malware object based on sending the feature values to the machine learning model;
selecting, by the device, one or more persistent artifacts generated in the one or more virtual environments as a result of the execution of the file object in the one or more virtual environments based on one or more algorithms applied to behavior traces of the first malware object, the one or more persistent artifacts including one or more of:
information identifying a creation of a file, or information identifying an addition of a registry key;
transforming, by the device, the one or more persistent artifacts into a form to detect a second malware object in another device using a different operating system, the one or more persistent artifacts, before being transformed, having a first mapping of an application data path, and the one or more transformed persistent artifacts having a second mapping of the application data path, the second mapping corresponding to the different operating system; and
incorporating, by the device, the one or more transformed persistent artifacts into a set of instructions to be executed on the other device using the different operating system.