System and method for classifying an object based on an aggregated behavior results

US 10,432,649 B1
Filed: 01/15/2016
Issued: 10/01/2019
Est. Priority Date: 03/20/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malicious behavior, comprising:

processing an object within a virtual machine;

receiving a response object resulting from or created in response to the processing of the object within the virtual machine;

parsing the response object by at least subdividing the response object into a plurality of sub-objects, the plurality of sub-objects including a first sub-object and a second sub-object;

determining a first behavior match result based, at least in part, on whether information associated with the first sub-object corresponds to at least one of a first plurality of identifiers associated with malicious activity;

determining a second behavior match result based, at least in part, on whether information associated with the second sub-object corresponds to at least one of a second plurality of identifiers associated with malicious activity;

aggregating at least the first behavior match result with the second behavior match result to produce an aggregated result, wherein a malicious behavior score is calculated based, at least in part, on the aggregated result; and

classifying the object according to the malicious behavior score.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for detecting malicious behavior of content (object) are described herein. An object is processed within a virtual machine. Responsive to receiving the result of the processing (response object), a parser parses the response object into a plurality of sub-objects. The plurality of sub-objects include a first sub-object and a second sub-object. A first behavior match result is determined based, at least in part, on whether information within the first sub-object corresponds to a identifiers associated with malicious activity. Also, a second behavior match result is determined based, at least in part, on whether information within the second sub-object corresponds to identifiers associated with malicious activity. Thereafter, the first and second behavior match results are aggregated to produce an aggregated result, wherein a malicious behavior score is calculated based, at least in part, on the aggregated result. The object is classified according to the malicious behavior score.

565 Citations

32 Claims

1. A computer-implemented method for detecting malicious behavior, comprising:
- processing an object within a virtual machine;
  
  receiving a response object resulting from or created in response to the processing of the object within the virtual machine;
  
  parsing the response object by at least subdividing the response object into a plurality of sub-objects, the plurality of sub-objects including a first sub-object and a second sub-object;
  
  determining a first behavior match result based, at least in part, on whether information associated with the first sub-object corresponds to at least one of a first plurality of identifiers associated with malicious activity;
  
  determining a second behavior match result based, at least in part, on whether information associated with the second sub-object corresponds to at least one of a second plurality of identifiers associated with malicious activity;
  
  aggregating at least the first behavior match result with the second behavior match result to produce an aggregated result, wherein a malicious behavior score is calculated based, at least in part, on the aggregated result; and
  
  classifying the object according to the malicious behavior score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 20, 21)
- - 2. The method of claim 1, wherein the aggregated result includes aggregating behavior match results for each of the plurality of sub-objects, the behavior match results are determined based, at least in part, by determining whether information associated with the each of the plurality of sub-objects corresponds to one or more identifiers associated with malicious activity.
  - 3. The method of claim 1, wherein the first behavior match result is determined by comparing a behavior characteristic of the first sub-object to an identifier.
  - 4. The method of claim 3, wherein the identifier includes one or more of:
    - a suspicious Dynamic Domain Name System (DDNS) identifier,an email communication identifier, ora network traffic pattern related to data theft.
  - 5. The method of claim 1, wherein prior to determining the first behavior result and the second behavior result, the method further comprising:
    - sending the first sub-object to a first communication behavior detector in response to determining the first sub-object is a compatible input for the first communication behavior detector; and
      
      sending the second sub-object to a second communication behavior detector in response to determining the second sub-object is a compatible input for the second communication behavior detector.
  - 6. The method of claim 1, wherein the malicious behavior score is related to a probability that the object should be classified as malware.
  - 7. The method of claim 1, wherein the first plurality of identifiers are different from the second plurality of identifiers.
  - 20. The method of claim 1, wherein the information associated with the first sub-object is within the first sub-object.
  - 21. The method of claim 1, wherein the information associated with the second sub-object is within the second sub-object.

8. A data processing system, comprising:
- a hardware processor; and
  
  a memory coupled to the processor for storing instructions that, when executed by the processor, causes the processor to;
  
  process an object within a virtual machine,parse a response object resulting from or created in response to the processing of the object within the virtual machine by at least subdividing the response object into a plurality of sub-objects, the plurality of sub-objects including a first sub-object and a second sub-object,determine a first behavior match result based, at least in part, on whether information associated with the first sub-object corresponds to at least one of a first plurality of identifiers associated with malicious activity,determine a second behavior match result based, at least in part, on whether information associated with the second sub-object corresponds to at least one of a second plurality of identifiers associated with malicious activity,aggregate at least the first behavior match result with the second behavior match result to produce an aggregated result, wherein a malicious behavior score is calculated based, at least in part, on the aggregated result, andclassify the object according to the malicious behavior score.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 22, 23)
- - 9. The system of claim 8, wherein the aggregated result includes aggregating behavior match results for each of the plurality of sub-objects, the behavior match results are determined based, at least in part, by determining whether information associated with the each of the plurality of sub-objects corresponds to one or more identifiers associated with malicious activity.
  - 10. The system of claim 8, wherein the first behavior match result is determined by comparing a behavior characteristic of the first sub-object to an identifier.
  - 11. The system of claim 10, wherein the identifier includes one or more of:
    - a suspicious Dynamic Domain Name System (DDNS) identifier,an email communication identifier, ora network traffic pattern related to data theft.
  - 12. The system of claim 8, wherein prior to determining the first behavior result and the second behavior result, the processor is further configured during execution of the instructions, to perform operations comprising:
    - sending the first sub-object to a first communication behavior detector in response to determining the first sub-object is a compatible input for the first communication behavior detector; and
      
      sending the second sub-object to a second communication behavior detector in response to determining the second sub-object is a compatible input for the second communication behavior detector.
  - 13. The system of claim 8, wherein the malicious behavior score is related to a probability that the response object indicates the object should be classified as malware.
  - 14. The system of claim 8, wherein the first plurality of identifiers are different from the second plurality of identifiers.
  - 22. The system of claim 8, wherein the information associated with the first sub-object is within the first sub-object.
  - 23. The system of claim 8, wherein the information associated with the second sub-object is within the second sub-object.

15. A system for detecting malicious behavior, comprising:
- a hardware processor; and
  
  a memory communicatively coupled to the hardware processor, the memory comprises a behavior analyzer that, when executed by the processor, receives a response object resulting from or created in response to processing of an object within a virtual machine, the behavior analyzer comprises;
  
  a parser, when executed by the processor, to parse the response object by at least subdividing the response object into a plurality of sub-objects including at least a first sub-object and a second sub-object,a first behavior detector, when executed by the processor, to determine a first behavior match result for the first sub-object of the received information,a second behavior detector, when executed by the processor, to determine a second behavior match result for the second sub-object of the received information,a detector manager communicatively coupled to the parser, the first behavior detector and the second behavior detector, the detector manager, when executed by the processor, to receive at least the first sub-object and the second sub-object from the parser, provide the first sub-object to the first behavior detector in response to determining that the first sub-object is compatible with the first behavior detector, and provide the second sub-object to the second behavior detector in response to determining the second sub-object is compatible with the second behavior detector,an aggregator, when executed by the processor, to aggregate the first behavior match result with the second behavior match result, wherein a malicious behavior score is calculated according to an aggregated result from at least the first behavior match result with the second behavior match result, anda classifier, when executed by the processor, to classify the object according to the malicious behavior score.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The system of claim 15, wherein the first behavior detector, when executed by the processor, determines whether information within the first sub-object matches one or more identifiers associated with malicious activity.
  - 17. The system of claim 16, wherein the first behavior detector, when executed by the processor, determines the first behavior match result by comparing a behavior characteristic of the first sub-object to an identifier.
  - 18. The system of claim 15, wherein the malicious behavior score is related to a probability that the response object indicates the object should be classified as malware.
  - 19. The system of claim 15, wherein the memory further comprising:
    - a reporting module, when executed by the processor, creates a malware alert notification or a malicious fingerprint in response to the classifier determining that the malicious behavior score exceeds a predetermined threshold.

24. A non-transitory, computer-readable storage medium having stored thereon instructions that, when executed by a processor, cause performance of operations comprising:
- processing an object within a virtual machine;
  
  receiving a response object resulting from or created in response to the processing of the object within the virtual machine;
  
  parsing the response object by at least subdividing the response object into a plurality of sub-objects, the plurality of sub-objects including a first sub-object and a second sub-object;
  
  determining a first behavior match result based, at least in part, on whether information associated with the first sub-object corresponds to at least one of a first plurality of identifiers associated with malicious activity;
  
  determining a second behavior match result based, at least in part, on whether information associated with the second sub-object corresponds to at least one of a second plurality of identifiers associated with malicious activity;
  
  aggregating at least the first behavior match result with the second behavior match result to produce an aggregated result, wherein a malicious behavior score is calculated based, at least in part, on the aggregated result; and
  
  classifying the object according to the malicious behavior score.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32)
- - 25. The storage medium of claim 24, wherein the aggregated result includes aggregating behavior match results for each of the plurality of sub-objects, the behavior match results are determined based, at least in part, by determining whether information within the each of the plurality of sub-objects corresponds to one or more identifiers associated with malicious activity.
  - 26. The storage medium of claim 24, wherein the first behavior match result is determined by comparing a behavior characteristic of the first sub-object to an identifier.
  - 27. The storage medium of claim 26, wherein the identifier includes one or more of:
    - a suspicious Dynamic Domain Name System (DDNS) identifier,an email communication identifier, ora network traffic pattern related to data theft.
  - 28. The storage medium of claim 24, wherein prior to determining the first behavior result and the second behavior result, the instructions that, when executed by the processor, cause performance of further operations comprising:
    - sending the first sub-object to a first communication behavior detector in response to determining the first sub-object is a compatible input for the first communication behavior detector; and
      
      sending the second sub-object to a second communication behavior detector in response to determining the second sub-object is a compatible input for the second communication behavior detector.
  - 29. The storage medium of claim 24, wherein the malicious behavior score is related to a probability that the response object indicates the object should be classified as malware.
  - 30. The storage medium of claim 24, wherein the first plurality of identifiers are different from the second plurality of identifiers.
  - 31. The storage medium of claim 24, wherein the information associated with the first sub-object is within the first sub-object.
  - 32. The storage medium of claim 24, wherein the information associated with the second sub-object is within the second sub-object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Bennett, James, Bu, Zheng
Primary Examiner(s)
Sholeman, Abu S

Application Number

US14/997,443
Time in Patent Office

1,355 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 40/205   Parsing

G06F 9/45558   Hypervisor-specific managem...

H04L 61/4511   using domain name system [DNS]

H04L 61/5076   Update or notification mech...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

System and method for classifying an object based on an aggregated behavior results

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

565 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

System and method for classifying an object based on an aggregated behavior results

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

565 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others