System and method for classifying an object based on an aggregated behavior results
First Claim
1. A computer-implemented method for detecting malicious behavior, comprising:
processing an object within a virtual machine;
receiving a response object resulting from or created in response to the processing of the object within the virtual machine;
parsing the response object by at least subdividing the response object into a plurality of sub-objects, the plurality of sub-objects including a first sub-object and a second sub-object;
determining a first behavior match result based, at least in part, on whether information associated with the first sub-object corresponds to at least one of a first plurality of identifiers associated with malicious activity;
determining a second behavior match result based, at least in part, on whether information associated with the second sub-object corresponds to at least one of a second plurality of identifiers associated with malicious activity;
aggregating at least the first behavior match result with the second behavior match result to produce an aggregated result, wherein a malicious behavior score is calculated based, at least in part, on the aggregated result; and
classifying the object according to the malicious behavior score.
5 Assignments
0 Petitions
Abstract
Techniques for detecting malicious behavior of content (an object) are described herein. An object is processed within a virtual machine. Responsive to receiving the result of the processing (the response object), a parser parses the response object into a plurality of sub-objects. The plurality of sub-objects includes a first sub-object and a second sub-object. A first behavior match result is determined based, at least in part, on whether information within the first sub-object corresponds to identifiers associated with malicious activity. Also, a second behavior match result is determined based, at least in part, on whether information within the second sub-object corresponds to identifiers associated with malicious activity. Thereafter, the first and second behavior match results are aggregated to produce an aggregated result, wherein a malicious behavior score is calculated based, at least in part, on the aggregated result. The object is classified according to the malicious behavior score.
565 Citations
32 Claims
1. A computer-implemented method for detecting malicious behavior (set out in full above under First Claim).
Dependent claims: 2, 3, 4, 5, 6, 7, 20, 21.
8. A data processing system, comprising:
a hardware processor; and
a memory coupled to the processor for storing instructions that, when executed by the processor, cause the processor to:
process an object within a virtual machine,
parse a response object resulting from or created in response to the processing of the object within the virtual machine by at least subdividing the response object into a plurality of sub-objects, the plurality of sub-objects including a first sub-object and a second sub-object,
determine a first behavior match result based, at least in part, on whether information associated with the first sub-object corresponds to at least one of a first plurality of identifiers associated with malicious activity,
determine a second behavior match result based, at least in part, on whether information associated with the second sub-object corresponds to at least one of a second plurality of identifiers associated with malicious activity,
aggregate at least the first behavior match result with the second behavior match result to produce an aggregated result, wherein a malicious behavior score is calculated based, at least in part, on the aggregated result, and
classify the object according to the malicious behavior score.
Dependent claims: 9, 10, 11, 12, 13, 14, 22, 23.
15. A system for detecting malicious behavior, comprising:
a hardware processor; and
a memory communicatively coupled to the hardware processor, the memory comprising a behavior analyzer that, when executed by the processor, receives a response object resulting from or created in response to processing of an object within a virtual machine, the behavior analyzer comprising:
a parser, when executed by the processor, to parse the response object by at least subdividing the response object into a plurality of sub-objects including at least a first sub-object and a second sub-object,
a first behavior detector, when executed by the processor, to determine a first behavior match result for the first sub-object of the received information,
a second behavior detector, when executed by the processor, to determine a second behavior match result for the second sub-object of the received information,
a detector manager communicatively coupled to the parser, the first behavior detector and the second behavior detector, the detector manager, when executed by the processor, to receive at least the first sub-object and the second sub-object from the parser, provide the first sub-object to the first behavior detector in response to determining that the first sub-object is compatible with the first behavior detector, and provide the second sub-object to the second behavior detector in response to determining that the second sub-object is compatible with the second behavior detector,
an aggregator, when executed by the processor, to aggregate the first behavior match result with the second behavior match result, wherein a malicious behavior score is calculated according to an aggregated result from at least the first behavior match result and the second behavior match result, and
a classifier, when executed by the processor, to classify the object according to the malicious behavior score.
Dependent claims: 16, 17, 18, 19.
24. A non-transitory, computer-readable storage medium having stored thereon instructions that, when executed by a processor, cause performance of operations comprising:
processing an object within a virtual machine;
receiving a response object resulting from or created in response to the processing of the object within the virtual machine;
parsing the response object by at least subdividing the response object into a plurality of sub-objects, the plurality of sub-objects including a first sub-object and a second sub-object;
determining a first behavior match result based, at least in part, on whether information associated with the first sub-object corresponds to at least one of a first plurality of identifiers associated with malicious activity;
determining a second behavior match result based, at least in part, on whether information associated with the second sub-object corresponds to at least one of a second plurality of identifiers associated with malicious activity;
aggregating at least the first behavior match result with the second behavior match result to produce an aggregated result, wherein a malicious behavior score is calculated based, at least in part, on the aggregated result; and
classifying the object according to the malicious behavior score.
Dependent claims: 25, 26, 27, 28, 29, 30, 31, 32.
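Claims 1 and 15 describe one pipeline: the object runs in a virtual machine, the resulting response object is parsed into sub-objects, a detector manager hands each sub-object only to a detector compatible with it, each detector matches its sub-object against its own identifier list, the match results are aggregated into a malicious behavior score, and the score is mapped to a classification. The Python below is an added example written for this page to make that structure concrete; it is not code from the patent or its assignee. It starts after the virtual-machine step, from a constructed sandbox report in JSON, and the section names, identifier strings, weights, corroboration bonus and thresholds are all assumptions chosen for illustration.

```python
"""Added example (not from the patent): a behavior analyzer shaped like claims 1 and 15.
Identifiers, weights, thresholds and the sample report are illustrative assumptions."""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sandbox report standing in for the "response object"; the
# section names are assumed, not any real sandbox's schema.
SAMPLE_RESPONSE_OBJECT = json.dumps({
    "process": {"created": [
        "C:\\Windows\\System32\\cmd.exe /c vssadmin delete shadows /all /quiet",
        "C:\\Users\\victim\\AppData\\Local\\Temp\\dropper.exe"]},
    "registry": {"set": [
        "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
        "HKCU\\Control Panel\\Desktop\\Wallpaper"]},
    "network": {"dns": ["time.windows.com"]},
    "file": {"written": ["C:\\Users\\victim\\Documents\\report.docx.locked"]},
})


@dataclass
class MatchResult:
    detector: str
    hits: List[str]   # identifiers that matched, in order of first match
    score: float      # sum of the matched identifiers' weights


class BehaviorDetector:
    """One detector handles one sub-object kind with its own identifier table."""

    def __init__(self, kind: str, identifiers: Dict[str, float]):
        self.kind = kind
        self.identifiers = {k.lower(): w for k, w in identifiers.items()}

    def is_compatible(self, kind: str) -> bool:
        return kind == self.kind

    def match(self, values: Iterable[str]) -> MatchResult:
        # Case-insensitive substring match; each identifier counts once.
        hits, score = [], 0.0
        for value in values:
            lowered = value.lower()
            for ident, weight in self.identifiers.items():
                if ident in lowered and ident not in hits:
                    hits.append(ident)
                    score += weight
        return MatchResult(self.kind, hits, score)


def _strings(node) -> List[str]:
    """Flatten every string under a JSON node, depth first."""
    if isinstance(node, str):
        return [node]
    if isinstance(node, dict):
        node = list(node.values())
    return [s for v in node for s in _strings(v)] if isinstance(node, list) else []


def parse_response_object(raw: str) -> List[Tuple[str, List[str]]]:
    """Subdivide the response object into (kind, strings) sub-objects."""
    return [(kind, _strings(section)) for kind, section in json.loads(raw).items()]


class DetectorManager:
    """Routes each sub-object only to detectors compatible with its kind."""

    def __init__(self, detectors: List[BehaviorDetector]):
        self.detectors = detectors

    def dispatch(self, sub_objects: List[Tuple[str, List[str]]]) -> List[MatchResult]:
        return [det.match(values) for kind, values in sub_objects
                for det in self.detectors if det.is_compatible(kind)]


def aggregate(results: List[MatchResult]) -> float:
    """Assumed scoring: sum of firing detectors' scores plus a corroboration
    bonus of 10 per additional firing detector, capped at 100."""
    fired = [r for r in results if r.hits]
    bonus = 10.0 * max(len(fired) - 1, 0)
    return min(100.0, sum(r.score for r in fired) + bonus)


def classify(score: float) -> str:
    """Assumed thresholds for the three verdicts."""
    return "malicious" if score >= 60 else "suspicious" if score >= 25 else "benign"


# Illustrative identifier tables; the strings and weights are assumptions.
DETECTORS = [
    BehaviorDetector("process", {"vssadmin delete shadows": 40, "\\appdata\\local\\temp\\": 10}),
    BehaviorDetector("registry", {"\\currentversion\\run\\": 20, "disabletaskmgr": 15}),
    BehaviorDetector("network", {".onion": 25, "pastebin.com/raw": 15}),
    BehaviorDetector("file", {".locked": 25, "readme_decrypt": 25}),
]


def analyze(raw: str) -> dict:
    """Full pipeline: parse -> dispatch -> match -> aggregate -> classify."""
    results = DetectorManager(DETECTORS).dispatch(parse_response_object(raw))
    score = aggregate(results)
    return {"score": score, "verdict": classify(score),
            "hits": {r.detector: r.hits for r in results if r.hits}}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_RESPONSE_OBJECT), indent=2))
```

The routing by sub-object kind in DetectorManager.dispatch is the claim-15 requirement that a sub-object reaches a detector only after the manager determines it is compatible with that detector; substring matching is the simplest reading of "corresponds to an identifier", and the corroboration bonus in aggregate is one way the aggregated result can say more than any single match result does. A production analyzer would use structured matching (command-line tokenization, registry path normalization) and calibrated weights rather than the round numbers assumed here.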
Specification