System and method for detecting malware in a stream of bytes

US 10,372,908 B2
Filed: 07/25/2016
Issued: 08/06/2019
Est. Priority Date: 07/25/2016
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a hardware unit executing a first process and a second, different, process;

the first process configured to;

receive a stream of bytes,select a first offset,cause the second process to execute the stream of bytes from the first offset, andmonitor an execution of the stream of bytes by the second process; and

the second process configured to;

execute the stream of bytes from the first offset;

wherein the first process is configured to perform at least one of;

start execution of the second process, stop execution of the second process and resume execution of the second process, and wherein the first process is further configured to determine, based on the execution of the stream of bytes, whether or not the stream of bytes includes a malware.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method may include a first unit configured to receive a stream of bytes, cause a second unit to execute the stream of bytes from a selected first offset, and monitor an execution of the stream of bytes by the second unit. A second unit may be configured to execute the stream of bytes from the selected offset. The first unit may be configured to determine, based on the execution of the stream of bytes, whether or not the stream of bytes includes a malware.

21 Citations

View as Search Results

21 Claims

1. A system comprising:
- a hardware unit executing a first process and a second, different, process;
  
  the first process configured to;
  
  receive a stream of bytes,select a first offset,cause the second process to execute the stream of bytes from the first offset, andmonitor an execution of the stream of bytes by the second process; and
  
  the second process configured to;
  
  execute the stream of bytes from the first offset;
  
  wherein the first process is configured to perform at least one of;
  
  start execution of the second process, stop execution of the second process and resume execution of the second process, and wherein the first process is further configured to determine, based on the execution of the stream of bytes, whether or not the stream of bytes includes a malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the first process is configured to:
    - if it is determined that the stream of bytes does not include malware then;
      
      selecting a second offset in the stream of bytes; and
      
      causing the second process to execute the stream of bytes from the selected second offset.
  - 3. The system of claim 1, wherein determining that the stream of bytes includes malware includes identifying a behavior of a shellcode when executing the stream of bytes.
  - 4. The system of claim 1, wherein the second process is configured to execute the stream of bytes directly on a hardware controller, at a native speed of the hardware controller.
  - 5. The system of claim 4, wherein the first process is configured to prevent the malware, when executed by the second process, to take control of the hardware controller.
  - 6. The system of claim 2, wherein the processes are configured to:
    - if the execution of the stream of bytes crashes, then;
      
      immediately recover and cause the second process to execute the stream of bytes from the second offset.
  - 7. The system of claim 1, wherein the second process is adapted to execute, on a first operating system (OS) and at a native speed of a controller, a shellcode included in the stream of bytes, wherein the shellcode is targeting a second, different OS.
  - 8. The system of claim 1, comprising a third process including a memory and a controller, the third process configured to emulate an operating system application program interface (API) and to provide operating system services to the second process.
  - 9. The system of claim 8, wherein the third process is configured to provide operating system services to a plurality of processes.
  - 10. The system of claim 8, wherein the third process is configured to provide real-time interaction with a shellcode included in the stream of bytes.

11. A method comprising:
- receiving a stream of bytes by a first unit, the first unit including a memory and a controller;
  
  selecting, by the first unit, a first offset;
  
  causing, by the first unit, a second, different unit to execute the stream of bytes from the selected first offset wherein the second unit includes a memory and a controller;
  
  monitoring, by the first unit, an execution of the stream of bytes by the second unit; and
  
  determining, based on the execution of the stream of bytes, whether or not the stream of bytes includes malware;
  
  wherein the first unit is configured to perform at least one of;
  
  start execution of the second unit, stop execution of the second unit and resume execution of the second unit, and wherein the first unit is further configured to determine, based on the execution of the stream of bytes, whether or not the stream of bytes includes malware.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, comprising:
    - if it is determined that the stream of bytes does not include malware, then;
      
      selecting a second offset in the stream of bytes; and
      
      causing the second process to execute the stream of bytes from the selected second offset.
  - 13. The method of claim 11, wherein determining that the stream of bytes includes malware includes identifying a behavior of a shellcode when executing the stream of bytes.
  - 14. The method of claim 11, comprising executing the stream of bytes directly on a hardware controller, at a native speed of the hardware controller.
  - 15. The method of claim 14, comprising preventing the malware, when executed, to take control of the hardware controller.
  - 16. The method of claim 11, comprising, if the execution of the stream of bytes crashes, then causing the second process to execute the stream of bytes from a second offset.
  - 17. The method of claim 11, comprising executing, on a first operating system (OS) and at a native speed of a controller, a shellcode included in the stream of bytes, wherein the shellcode is targeting a second, different OS.
  - 18. The method of claim 11, comprising emulating an operating system application program interface (API) and provide operating system services to an execution of the stream of bytes.
  - 19. The method of claim 18, comprising providing, by a third process including a memory and a controller, operating system services to a plurality of processes that execute a respective plurality of byte streams.
  - 20. The method of claim 18, comprising providing real-time interaction with a shellcode included in the stream of bytes.

21. A method comprising:
- selecting, a first offset in a byte stream;
  
  causing a first unit including a memory and a controller to execute the byte stream from the selected first offset;
  
  monitoring, by a second, different unit including a memory and a controller, an execution of the byte stream; and
  
  determining, by the second unit and based on a result of the execution, whether or not the stream of bytes includes malware;
  
  wherein the first unit is configured to perform at least one of;
  
  start execution of the second unit, stop execution of the second unit and resume execution of the second unit, and wherein the first unit is further configured to determine, based on the execution of the stream of bytes, whether or not the stream of bytes includes malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CommVault Systems Incorporated
Original Assignee
Trap Data Security Ltd. (CommVault Systems Incorporated)
Inventors
Malachi, Yuval, Benech, Mori
Primary Examiner(s)
Song, Hee K

Application Number

US15/218,103
Publication Number

US 20180025158A1
Time in Patent Office

1,107 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

G06F 9/54   Interprogram communication

System and method for detecting malware in a stream of bytes

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

System and method for detecting malware in a stream of bytes

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others