Detecting malicious files

US 10,489,583 B2
Filed: 02/09/2018
Issued: 11/26/2019
Est. Priority Date: 05/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving information associated with executing a candidate file;

executing the candidate file;

monitoring the execution of the candidate file;

generating a monitored action record corresponding to the execution of the candidate file including by;

executing the candidate file by at least two virtual machines based at least in part on the information associated with executing the candidate file, wherein each virtual machine corresponds to the candidate file; and

invoking one or more functions in a preset dynamic link library (DLL) during the execution of the candidate file to monitor the execution of the candidate file and generate the monitored action record corresponding to the execution of the candidate file;

determining that at least one malicious action included in the monitored action record is included in a preset malicious action set; and

determining that the candidate file is a malicious file.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting malicious files is disclosed, including: executing a candidate file; monitoring the execution of the candidate file; generating a monitored action record corresponding to the execution of the candidate file; determining that at least one malicious action included in the monitored action record is included in a preset malicious action set; and determining that the candidate file is a malicious file.

44 Citations

View as Search Results

20 Claims

1. A method, comprising:
- receiving information associated with executing a candidate file;
  
  executing the candidate file;
  
  monitoring the execution of the candidate file;
  
  generating a monitored action record corresponding to the execution of the candidate file including by;
  
  executing the candidate file by at least two virtual machines based at least in part on the information associated with executing the candidate file, wherein each virtual machine corresponds to the candidate file; and
  
  invoking one or more functions in a preset dynamic link library (DLL) during the execution of the candidate file to monitor the execution of the candidate file and generate the monitored action record corresponding to the execution of the candidate file;
  
  determining that at least one malicious action included in the monitored action record is included in a preset malicious action set; and
  
  determining that the candidate file is a malicious file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising receiving a file checking task comprising a storage address of the candidate file.
  - 3. The method of claim 1, further comprising generating the preset malicious action set, including by:
    - creating a first training sample set and a second training sample set, wherein the first training sample set comprises at least one malicious sample file and the second training sample set comprises at least one non-malicious sample file;
      
      executing the first training sample set to generate a first sample action record and executing the second training sample set to generate a second sample action record;
      
      determining a corresponding occurrence frequency for each action type in the first sample action record and the second sample action record;
      
      generating a first sample action set based on a first preset occurrence frequency threshold value and a second sample action set based on a second preset occurrence frequency threshold value, wherein the first sample action set comprises zero or more action types included in the first sample action record whose corresponding occurrence frequencies are greater than the first preset occurrence frequency threshold value, and wherein the second sample action set comprises zero or more action types included in the second sample action record whose corresponding occurrence frequencies are greater than the second preset occurrence frequency threshold value; and
      
      determining the preset malicious action set based at least in part on the first sample action set and the second sample action set.
  - 4. The method of claim 3, wherein the determining of the preset malicious action set based at least in part on the first sample action set and the second sample action set comprises:
    - performing a set intersection operation on the first sample action set and the second sample action set to obtain a third sample action set, wherein the third sample action set comprises one or more action types that are included in both the first sample action set and the second sample action set; and
      
      deleting one or more action types from the first sample action set that match an action type included in the third sample action set to obtain the preset malicious action set.
  - 5. The method of claim 1, further comprising:
    - receiving the candidate file from a client;
      
      obtaining information associated with the candidate file through analyzing the candidate file;
      
      encrypting the candidate file; and
      
      storing the information associated with the candidate file to a database and storing the encrypted candidate file to a file server.
  - 6. The method of claim 1, wherein the candidate file is encrypted with an asymmetrical encryption technique.
  - 7. The method of claim 1, wherein the monitored action record comprises an action associated with one or more of:
    - a creating function, a deleting function, an information changing function, a registration table creating function, and/or a registration table value setting function.
  - 8. The method of claim 1, wherein determining that the candidate file is the malicious file comprises determining whether matching malicious actions included in the monitored action record exceeds a preset malicious action threshold value.
  - 9. The method of claim 1, wherein executing the candidate file by the at least two virtual machines based at least in part on the information associated with executing the candidate file, wherein each virtual machine corresponds to the candidate file comprises:
    - determining a decryption technique for a candidate file that is encrypted;
      
      using the decryption technique to decrypt the candidate file;
      
      establishing virtual runtime environments in the at least two virtual machines according to the information associated with executing the candidate file; and
      
      executing the candidate file by each of the at least two virtual machines, wherein reading and writing operations generated during execution of the candidate file are reset to addresses configured with each virtual machine.

10. A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- receiving information associated with executing a candidate file;
  
  executing the candidate file;
  
  monitoring the execution of the candidate file;
  
  generating a monitored action record corresponding to the execution of the candidate file including by;
  
  executing the candidate file by at least two virtual machines based at least in part on the information associated with executing the candidate file, wherein each virtual machine corresponds to the candidate file; and
  
  invoking one or more functions in a preset dynamic link library (DLL) during the execution of the candidate file to monitor the execution of the candidate file and generate the monitored action record corresponding to the execution of the candidate file;
  
  determining that at least one malicious action included in the monitored action record is included in a preset malicious action set; and
  
  determining that the candidate file is a malicious file.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer program product of claim 10, further comprising receiving a file checking task comprising a storage address of the candidate file.
  - 12. The computer program product of claim 10, further comprising computer instructions for generating the preset malicious action set, including by:
    - creating a first training sample set and a second training sample set, wherein the first training sample set comprises at least one malicious sample file and the second training sample set comprises at least one non-malicious sample file;
      
      executing the first training sample set to generate a first sample action record and executing the second training sample set to generate a second sample action record;
      
      determining a corresponding occurrence frequency for each action type in the first sample action record and the second sample action record;
      
      generating a first sample action set based on a first preset occurrence frequency threshold value and a second sample action set based on a second preset occurrence frequency threshold value, wherein the first sample action set comprises zero or more action types included in the first sample action record whose corresponding occurrence frequencies are greater than the first preset occurrence frequency threshold value, and wherein the second sample action set comprises zero or more action types included in the second sample action record whose corresponding occurrence frequencies are greater than the second preset occurrence frequency threshold value; and
      
      determining the preset malicious action set based at least in part on the first sample action set and the second sample action set.
  - 13. The computer program product of claim 12, wherein the determining of the preset malicious action set based at least in part on the first sample action set and the second sample action set comprises:
    - performing a set intersection operation on the first sample action set and the second sample action set to obtain a third sample action set, wherein the third sample action set comprises one or more action types that are included in both the first sample action set and the second sample action set; and
      
      deleting one or more action types from the first sample action set that match an action type included in the third sample action set to obtain the preset malicious action set.
  - 14. The computer program product of claim 10, further comprising computer instructions for:
    - receiving the candidate file from a client;
      
      obtaining information associated with the candidate file through analyzing the candidate file;
      
      encrypting the candidate file; and
      
      storing the information associated with the candidate file to a database and storing the encrypted candidate file to a file server.
  - 15. The computer program product of claim 10, wherein the candidate file is encrypted with an asymmetrical encryption technique.
  - 16. The computer program product of claim 10, wherein the monitored action record comprises an action associated with one or more of:
    - a creating function, a deleting function, an information changing function, a registration table creating function, and/or a registration table value setting function.
  - 17. The computer program product of claim 10, wherein determining that the candidate file is the malicious file comprises determining whether matching malicious actions included in the monitored action record exceeds a preset malicious action threshold value.
  - 18. The computer program product of claim 10, wherein executing the candidate file by the at least two virtual machines based at least in part on the information associated with executing the candidate file, wherein each virtual machine corresponds to the candidate file comprises:
    - determining a decryption technique for a candidate file that is encrypted;
      
      using the decryption technique to decrypt the candidate file;
      
      establishing virtual runtime environments in the at least two virtual machines according to the information associated with executing the candidate file; and
      
      executing the candidate file by each of the at least two virtual machines, wherein reading and writing operations generated during execution of the candidate file are reset to addresses configured with each virtual machine.

19. A system, comprising:
- one or more processors configured to;
  
  receive information associated with executing a candidate file;
  
  execute the candidate file;
  
  monitor the execution of the candidate file;
  
  generate a monitored action record corresponding to the execution of the candidate file, including to;
  
  execute the candidate file by at least two virtual machines based at least in part on the information associated with executing the candidate file, wherein each virtual machine corresponds to the candidate file; and
  
  invoke one or more functions in a preset dynamic link library (DLL) during the execution of the candidate file to monitor the execution of the candidate file and generate the monitored action record corresponding to the execution of the candidate file;
  
  determine that at least one malicious action included in the monitored action record is included in a preset malicious action set; and
  
  determine that the candidate file is a malicious file; and
  
  one or more memories coupled to the one or more processors, configured to provide the one or more processors with instructions.

20. A method, comprising:
- executing a candidate file;
  
  monitoring the execution of the candidate file;
  
  generating a monitored action record corresponding to the execution of the candidate file;
  
  generating a preset malicious action set, including by;
  
  creating a first training sample set and a second training sample set, wherein the first training sample set comprises at least one malicious sample file and the second training sample set comprises at least one non-malicious sample file;
  
  executing the first training sample set to generate a first sample action record and executing the second training sample set to generate a second sample action record;
  
  determining a corresponding occurrence frequency for each action type in the first sample action record and the second sample action record;
  
  generating a first sample action set based on a first preset occurrence frequency threshold value and a second sample action set based on a second preset occurrence frequency threshold value, wherein the first sample action set comprises zero or more action types included in the first sample action record whose corresponding occurrence frequencies are greater than the first preset occurrence frequency threshold value, and wherein the second sample action set comprises zero or more action types included in the second sample action record whose corresponding occurrence frequencies are greater than the second preset occurrence frequency threshold value; and
  
  determining the preset malicious action set based at least in part on the first sample action set and the second sample action set;
  
  determining that at least one malicious action included in the monitored action record is included in the preset malicious action set; and
  
  determining that the candidate file is a malicious file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alibaba Group Holding Ltd.
Original Assignee
Alibaba Group Holding Ltd.
Inventors
Wang, Zhen
Primary Examiner(s)
Perungavoor, Venkat

Application Number

US15/892,670
Publication Number

US 20180165449A1
Time in Patent Office

655 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2218/12   Classification; Matching

Detecting malicious files

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting malicious files

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links