System and method for threat detection and identification
Abstract
Exemplary systems and methods for malware attack detection and identification are provided. A malware detection and identification system includes a controller that features an analysis environment including a virtual machine. The analysis environment is configured to (1) receive data by the virtual machine of the analysis environment and identify a portion of the data that has been received from one or more untrusted sources, (2) monitor state information associated with the identified portion of the data during execution by the virtual machine, (3) identify an outcome of the state information by tracking the state information during execution of the identified portion of the data by the virtual machine, and (4) determine whether the identified outcome comprises a redirection in control flow during execution by the virtual machine of the portion of the data, the redirection in the control flow constituting an unauthorized activity.
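As an added illustration (not the patent's or any vendor's code) of the flow in the abstract and the independent claims: untrusted input is processed in a simulated VM that tracks which memory cells derive from that input, a control transfer whose target was modified by such data is reported as the unauthorized redirection, a signature is derived from the observed activity rather than from a copy of the payload, and a second device blocks matching input without re-executing it. The memory layout, the parser's trust in a length byte, the alert fields and the signature format are all constructed assumptions.

```python
# Constructed memory layout for the simulated VM (an assumption, not the patent's):
# cells 0..15 form a parser buffer, cell 16 holds the saved continuation address.
RET_SLOT, MEM_SIZE, SAFE_TARGET = 16, 32, 0x40

def monitor_in_vm(untrusted: bytes):
    """Steps (1)-(4): process the untrusted message inside the simulated VM while
    tracking which memory cells derive from it (the tracked state information).
    Returns (jump_target, alert); alert is None when control flow stayed intact."""
    if not untrusted:
        return SAFE_TARGET, None
    mem, taint = [0] * MEM_SIZE, [False] * MEM_SIZE
    mem[RET_SLOT] = SAFE_TARGET                  # legitimate continuation address
    length = untrusted[0]                        # length field the parser trusts
    payload = untrusted[1:1 + length]
    for i, b in enumerate(payload[:MEM_SIZE]):   # each copied byte carries its taint
        mem[i], taint[i] = b, True
    target = mem[RET_SLOT]                       # the VM continues through this cell
    if not taint[RET_SLOT]:
        return target, None
    # Control transfer whose target derives from untrusted data: the redirection
    # in control flow through modification of information that the claims describe.
    return target, {"cell": RET_SLOT, "target": target,
                    "input_offset": 1 + RET_SLOT,  # input byte that reached the cell
                    "min_length": RET_SLOT + 1}    # smallest length field reaching it

def make_signature(alert):
    """Derive an unauthorized-activity signature from the observed behaviour
    rather than from a copy of the payload (constructed format)."""
    return {"length_field_ge": alert["min_length"],
            "target_offset": alert["input_offset"]}

def blocks(signature, data: bytes) -> bool:
    """At the second device: match new input against the signature without
    re-executing it in a VM."""
    return (len(data) > signature["target_offset"]
            and data[0] >= signature["length_field_ge"])

# Constructed sample traffic: a short benign message and one whose length field
# overruns the buffer so that its byte 17 lands in the continuation cell.
BENIGN = bytes([5]) + b"Hello"
OVERRUN = bytes([20]) + bytes(range(1, 21))

if __name__ == "__main__":
    target, alert = monitor_in_vm(OVERRUN)
    sig = make_signature(alert)
    print(hex(target), alert, sig)
    print(blocks(sig, OVERRUN), blocks(sig, BENIGN))   # True False
```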
Claims (29)

1. A digital device for detecting malware, comprising: one or more processors; and a memory coupled to the one or more processors, the memory comprises a controller that includes a heuristic module that, when executed by the one or more processors, identifies data associated with input data received by the digital device from one or more untrusted sources, the identified data associated with the input data includes at least one of (i) data within the input data or (ii) data derived from at least a portion of the input data, one or more software modules that, when executed by the one or more processors, (i) monitors information during processing of the identified data within a virtual machine, (ii) determines whether the monitored information occurring during the processing of the identified data within the virtual machine constitutes an unauthorized activity being a redirection in control flow through modification of information during processing of the identified data by the virtual machine, (iii) generates one or more unauthorized activity signatures based on the unauthorized activity, and (iv) transmits the one or more unauthorized activity signatures to a controller implemented at another digital device for use in identifying and blocking a malware attack without applying at least replaying transmission of at least a copy of the input data. (Dependent claims 2 to 20.)

21. A malware detection and identification method, comprising: identifying, by a digital device, data associated with input data from one or more untrusted sources, the identified data includes at least one of (i) data within the input data or (ii) data derived from at least a portion of the input data; processing the identified data associated with the input data within a virtual machine; monitoring information during the processing of the identified data within the virtual machine by tracking execution of at least a portion of the identified data and a response produced by the virtual machine based on execution of the portion of the identified data; and determining whether the monitored information that occurs during the processing of the identified data within the virtual machine constitutes an unauthorized activity that includes a redirection in control flow by altering a jump target during processing of the identified data by the virtual machine through modification of information during processing of the identified data by the virtual machine; and generating and transmitting one or more unauthorized activity signatures based on the unauthorized activity to a second digital device for use in identifying and blocking a malware attack without applying heuristics or replaying transmission of the input data. (Dependent claims 22 to 29.)
Specification