Launcher for setting analysis environment variations for malware detection

US 10,284,575 B2
Filed: 11/10/2015
Issued: 05/07/2019
Est. Priority Date: 11/10/2015
Status: Active Grant

First Claim

Patent Images

1. A system for automatically analyzing an object for malware, the system comprising:

one or more hardware processors; and

a memory coupled to the one or more hardware processors, the memory comprises a dynamic analysis engine, a classification engine and a reporting engine, whereinthe dynamic analysis engine, when executed by the one or more hardware processors, generates one or more virtual machines, at least a first virtual machine of the one or more virtual machines includes launcher logic that, upon execution, (i) sets a processing framework for use in configuring a plurality of processes based on a type of object being analyzed and received configuration data identifying a prescribed order of execution of different application and plug-in combinations, (ii) receives information for accessing an object for analysis and parameters associated with the object, and (iii) selects a different application and plug-in combination for each process of the plurality of processes based on the parameters, wherein the plurality of processes concurrently processing the object within the first virtual machine to produce results comprising information associated with behaviors of the object,the classification engine classifying the object as part of a potential malicious attack based on the information associated with the behaviors of the object, andthe reporting engine generating an alert signal indicating the potential malicious attack.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for automatically analyzing an object for malware is described. Operating one or more virtual machines, the system and method provide an analysis environment variation framework to provide a more robust analysis of an object for malware. The multi-application, multi-plugin processing framework is configured within a virtual machine, where the framework generates a plurality of processes for analyzing the object for malware and each of plurality of processes is configured with a different application and plug-in combination selected based in part on a type of object being analyzed.

Citations

45 Claims

1. A system for automatically analyzing an object for malware, the system comprising:
- one or more hardware processors; and
  
  a memory coupled to the one or more hardware processors, the memory comprises a dynamic analysis engine, a classification engine and a reporting engine, whereinthe dynamic analysis engine, when executed by the one or more hardware processors, generates one or more virtual machines, at least a first virtual machine of the one or more virtual machines includes launcher logic that, upon execution, (i) sets a processing framework for use in configuring a plurality of processes based on a type of object being analyzed and received configuration data identifying a prescribed order of execution of different application and plug-in combinations, (ii) receives information for accessing an object for analysis and parameters associated with the object, and (iii) selects a different application and plug-in combination for each process of the plurality of processes based on the parameters, wherein the plurality of processes concurrently processing the object within the first virtual machine to produce results comprising information associated with behaviors of the object,the classification engine classifying the object as part of a potential malicious attack based on the information associated with the behaviors of the object, andthe reporting engine generating an alert signal indicating the potential malicious attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The system of claim 1, wherein the launcher is configured to set the processing framework based on the received configuration data including a priority list, the priority list identifying a selected plug-in ordering for analysis of a selected type and version of the application.
  - 3. The system of claim 2, wherein the priority list identifying the selected plug-in ordering based on which plug-in operating with the selected type and version of the application is more frequently targeted for malicious attack.
  - 4. The system of claim 1, wherein the different application and plug-in combinations include a different version of a selected application type and a different version of one or more selected plug-in types.
  - 5. The system of claim 1, wherein the different application and plug-in combinations include a selected application type and one or more different plug-in types.
  - 6. The system of claim 1, wherein the launcher logic reconfigures the processing framework to alter the analysis of the object in accordance with a different application and plug-in combination than previously configured by the launcher logic.
  - 7. The system of claim 1, wherein the first virtual machine further includes correlation logic operating in combination with the launcher logic, the correlation logic to receive information associated with the object and categorize the object as either a Uniform Resource Locator (URL) or a data type, the object being categorized as the data type in response to a determination that the object includes a selected type of file extension.
  - 8. The system of claim 7, wherein the correlation logic provides a file path of the object and an object type parameter that identifies a category of the object to the launcher logic.
  - 9. The system of claim 1, wherein the plurality of processes, being performed within the first virtual machine, include (1) a first process based on a first application and plug-in combination corresponding to an operating environment of an electronic device targeted to receive the object, (2) a second process based on a second application and plug-in combination that is more vulnerable to a malicious attack, and (3) a third process based on a third application and plug-in combination that is a most fortified application and plug-in combination to detect latest and unknown attacks.
  - 10. The system of claim 1, wherein the launcher is configured to set the processing framework based on the received configuration data including a priority list, the priority list identifying a selected plug-in ordering for analysis of a selected type and version of the application, the priority list further comprises an identification of a selected operating system type and version supporting the selected type and version of the application.
  - 11. The system of claim 1, wherein the plurality of processes, being performed within the first virtual machine, include (1) the first process based on the first application and plug-in combination, and (2) a second process based on a second application and plug-in combination different than the first application and plug-in combination.
  - 12. The system of claim 1, wherein the launcher logic to further select, for a second process of the plurality of processes, a second application and plug-in combination different than the first application and plug-in combination.
  - 13. The system of claim 1, wherein the launcher logic to select the different application and plug-in combination for each process of the plurality of processes by at least selecting a first version of a first application instance and a first version of a plugin as the first application and plugin combination for a first process of the plurality of processes and a second version of the first application instance and the first version of the plugin as a second application and plugin combination for a second process of the plurality of processes.
  - 14. The system of claim 1, wherein the launcher logic to select the different application and plug-in combination for each process of the plurality of processes by at least selecting a first version of a first application instance and a first plugin type as the first application and plugin combination for a first process of the plurality of processes and a second version of the first application instance and a second plugin type as a second application and plugin combination for a second process of the plurality of processes.
  - 15. The system of claim 1, wherein the launcher logic to select the different application and plug-in combination for each process of the plurality of processes by at least selecting a first application instance and a first version of a plugin as the first application and plugin combination for a first process of the plurality of processes and a second application instance and a second version of the plugin as a second application and plugin combination for a second process of the plurality of processes.
  - 16. The system of claim 1, wherein the launcher logic to select the different application and plug-in combination for each process of the plurality of processes by at least selecting a first application instance and a first plugin type as the first application and plugin combination for a first process of the plurality of processes and a second application instance and a second plugin type as a second application and plugin combination for a second process of the plurality of processes.

17. A non-transitory storage medium including software that, when executed by one or more hardware processors, perform operations for automatically analyzing an object for malware, the non-transitory storage medium comprising:
- a first software component that, when executed by the one or more hardware processors, generates one or more virtual machines;
  
  a launcher logic of at least a first virtual machine of the one or more virtual machines that, upon execution, (i) sets a processing framework for use in configuring a plurality of processes based on a type of object being analyzed and received configuration data identifying a prescribed order of execution of different application and plug-in combinations, (ii) receives information for accessing an object for analysis and parameters associated with the object, and (iii) selects a different application and plug-in combination for each process of the plurality of processes based on the parameters, wherein the plurality of processes concurrently processing the object within the first virtual machine to produce results comprising information associated with behaviors of the object;
  
  a classification engine that, upon execution, classifies the object as part of a potential malicious attack based on the information associated with the behaviors of the object; and
  
  the reporting engine that, upon execution, generates an alert signal indicating the potential malicious attack.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 18. The non-transitory storage medium of claim 17, wherein the launcher is configured to set the processing framework based on the received configuration data including a priority list, the priority list identifying a selected plug-in ordering for analysis of a selected type and version of the application.
  - 19. The non-transitory storage medium of claim 18, wherein the priority list identifying the selected plug-in ordering based on which plug-in operating with the selected type is more frequently targeted for malicious attack.
  - 20. The non-transitory storage medium of claim 18, wherein the different application and plug-in combinations include a different versions of a selected application type and a different versions of one or more selected plug-in types.
  - 21. The non-transitory storage medium of claim 18, wherein the different application and plug-in combinations include either (i) a different version of a selected application type and a different plug-in types or (ii) a selected application type and a different versions of one or more plug-in types.
  - 22. The non-transitory storage medium of claim 17 further comprising correlation logic operating in combination with the launcher logic, the correlation logic to receive information associated with the object and categorize the object as either a Uniform Resource Locator (URL) or a data type, the object being categorized as the data type in response to a determination that the object includes a selected type of file extension.
  - 23. The non-transitory storage medium of claim 22, wherein the correlation logic provides a file path of the object and an object type parameter that identifies a category of the object to the launcher logic.
  - 24. The non-transitory storage medium of claim 17, wherein the plurality of processes concurrently running within the first virtual machine include (1) a first process based on a first application and plug-in combination corresponding to an operating environment of an electronic device targeted to receive the object, (2) a second process based on a second application and plug-in combination that is more vulnerable to a malicious attack, and (3) a third process based on a third application and plug-in combination that is a most fortified application and plug-in combination to detect zero-day attacks.
  - 25. The non-transitory storage medium of claim 17, wherein the launcher is configured to set the processing framework based on the received configuration data including a priority list, the priority list identifying a selected plug-in ordering for analysis of a selected type and version of the application, the priority list further comprises an identification of a selected operating system type and version supporting the selected type and version of the application.
  - 26. The non-transitory storage medium of claim 17, wherein the plurality of processes, being conducted within the first virtual machine, include (1) the first process based on the first application and plug-in combination, and (2) a second process based on a second application and plug-in combination different than the first application and plug-in combination.
  - 27. The non-transitory storage medium of claim 17, wherein the plurality of processes, being conducted within the first virtual machine, include (1) the first process based on the first application and plug-in combination, and (2) a second process based on a second application and plug-in combination different than the first application and plug-in combination.
  - 28. The non-transitory storage medium of claim 17, wherein the launcher to select the different application and plug-in combination for each process of the plurality of processes by at least selecting a first version of a first application instance and a first version of a plugin as a first application and plugin combination for a first process of the plurality of processes and a second version of the first application instance and the first version of the plugin as a second application and plugin combination for a second process of the plurality of processes.
  - 29. The non-transitory storage medium of claim 17, wherein the launcher to select the different application and plug-in combination for each process of the plurality of processes by at least selecting a first version of a first application instance and a first plugin type as a first application and plugin combination for a first process of the plurality of processes and a second version of the first application instance and a second plugin type as a second application and plugin combination for a second process of the plurality of processes.
  - 30. The non-transitory storage medium of claim 17, wherein the launcher to select the different application and plug-in combination for each process of the plurality of processes by at least selecting a first application instance and a first version of a plugin as a first application and plugin combination for a first process of the plurality of processes and a second application instance and a second version of the plugin as a second application and plugin combination for a second process of the plurality of processes.
  - 31. The non-transitory storage medium of claim 17, wherein the launcher to select the different application and plug-in combination for each process of the plurality of processes by at least selecting a first application instance and a first plugin type as a first application and plugin combination for a first process of the plurality of processes and a second application instance and a second plugin type as a second application and plugin combination for a second process of the plurality of processes.

32. A computerized method for automatically analyzing an object for malware comprising:
- running a virtual machine within an electronic device; and
  
  analyzing an object being processing within the virtual machine for malware concurrently by a plurality of processes associated with a processing framework by at least (i) setting the-processing framework for use in configuring plurality of processes based on a type of object being analyzed and received configuration data identifying a prescribed order of execution of different application and plug-in combinations, (ii) receiving information for accessing an object for analysis and parameters associated with the object, and (iii) selecting a different application and plug-in combination for each process of the plurality of processes based on the parameters, wherein the plurality of processes concurrently processing the object within the virtual machine to produce results comprising information associated with behaviors of the object;
  
  classifying the object as part of a potential malicious attack based on the information associated with the behaviors of the object; and
  
  generating an alert signal indicating the potential malicious attack.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 33. The computerized method of claim 32, wherein the setting of the processing framework being-based on the received configuration data including a priority list, the priority list identifying a selected plug-in ordering for analysis of a selected type and version of the application.
  - 34. The computerized method of claim 33, wherein the priority list identifying the selected plug-in ordering based on which plug-in operating with the selected type is more frequently targeted for malicious attack.
  - 35. The computerized method of claim 33, wherein the different application and plug-in combinations include a different versions of a selected application type and a different versions of one or more selected plug-in types.
  - 36. The computerized method of claim 33, wherein the different application and plug-in combinations include either (i) a different version of a selected application type and a different plug-in types or (ii) a selected application type and a different versions of one or more plug-in types.
  - 37. The computerized method of claim 32 further comprising:
    - receiving information associated with the object; and
      
      categorizing the object as either a Uniform Resource Locator (URL) or a data type, the object being categorized as the data type in response to a determination that the object includes a selected type of file extension.
  - 38. The computerized method of claim 37, wherein the categorizing of the object logic being based on a file path of the object and an object type parameter that identifies a category of the object.
  - 39. The computerized method of claim 32, wherein the plurality of processes include (1) a first process based on a first application and plug-in combination corresponding to an operating environment of an electronic device targeted to receive the object, (2) a second process based on a second application and plug-in combination that is more vulnerable to a malicious attack, and (3) a third process based on a third application and plug-in combination that is a most fortified application and plug-in combination to detect zero-day attacks.
  - 40. The computerized method of claim 32, wherein the setting of the processing framework being-based on the received configuration data including a priority list, the priority list identifying a selected plug-in ordering for analysis of a selected type and version of the application, the priority list further comprises an identification of a selected operating system type and version supporting the selected type and version of the application.
  - 41. The computerized method of claim 32, wherein the plurality of processes, being performed within the virtual machine, include (1) the first process based on the first application and plug-in combination, and (2) a second process based on a second application and plug-in combination different than the first application and plug-in combination.
  - 42. The computerized method of claim 32, wherein the selecting of the different application and plug-in combination for each process of the plurality of processes includes selecting a first version of a first application instance and a first version of a plugin as a first application and plugin combination for a first process of the plurality of processes and a second version of the first application instance and the first version of the plugin as a second application and plugin combination for a second process of the plurality of processes.
  - 43. The computerized method of claim 32, wherein the selecting of the different application and plug-in combination for each process of the plurality of processes includes selecting a first version of a first application instance and a first plugin type as a first application and plugin combination for a first process of the plurality of processes and a second version of the first application instance and a second plugin type as a second application and plugin combination for a second process of the plurality of processes.
  - 44. The computerized method of claim 32, wherein the selecting of the different application and plug-in combination for each process of the plurality of processes includes selecting a first application instance and a first version of a plugin as a first application and plugin combination for a first process of the plurality of processes and a second application instance and a second version of the plugin as a second application and plugin combination for a second process of the plurality of processes.
  - 45. The computerized method of claim 32, wherein the selecting of the different application and plug-in combination for each process of the plurality of processes includes selecting a first application instance and a first plugin type as a first application and plugin combination for a first process of the plurality of processes and a second application instance and a second plugin type as a second application and plugin combination for a second process of the plurality of processes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Paithane, Sushant, Vashisht, Sai, Khalid, Yasir, Pilipenko, Alexandre, Rizwan, Muhammad
Primary Examiner(s)
Garcia, Gary S

Application Number

US14/937,802
Publication Number

US 20180048660A1
Time in Patent Office

1,274 Days
Field of Search

726 23, 726 24, 726 25, 726 22, 182187, 182188
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/6218   to a system of files or obj...

H04L 63/1416   Event detection, e.g. attac...

Launcher for setting analysis environment variations for malware detection

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Launcher for setting analysis environment variations for malware detection

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links