Advanced malware detection using similarity analysis
First Claim
1. A non-transitory storage medium having stored thereon instructions corresponding to malware detection logic including as part of a software agent operating within a network device, the malware detection logic being executable by one or more processors to perform operations comprising:
receiving an object for analysis;
extracting content from the object, the content includes a first plurality of instructions recovered from binary code of the object;
arranging the extracted content into one or more basic blocks, each basic block of the one or more basic blocks including at least an instruction sequence corresponding to two or more instructions of the first plurality of instructions;
generating, by the network device, an object fingerprint based on an analysis of the one or more basic blocks by at least (i) generating a representation of each instruction sequence of the one or more basic blocks, (ii) aggregating one or more representations associated with each instruction sequence of the one or more basic blocks, and (iii) comparing each of the one or more aggregated representations to a plurality of instruction sequences being monitored as being potentially malicious to produce a result, the result corresponding to the object fingerprint;
analyzing, by the network device, the object fingerprint by at least comparing the object fingerprint to one or more malware family fingerprints to determine whether the object is potentially malicious and associated with an advanced malware; and
generating information, based on the analyzing of the object fingerprint, for transmission from the network device to a second network device.
5 Assignments
0 Petitions
Abstract
A computerized method for detection of malware is described. First, an object for analysis is received. Thereafter, the content from the object is extracted and the extracted content is arranged into one or more basic blocks, each basic block including at least a portion of the content. Next, an object fingerprint is generated based on an analysis of the one or more basic blocks. Lastly, the object fingerprint is compared to one or more malware family fingerprints to determine whether the object is potentially malicious and may be associated with an advanced malware.
748 Citations
40 Claims
1. A non-transitory storage medium having stored thereon instructions corresponding to malware detection logic including as part of a software agent operating within a network device, the malware detection logic being executable by one or more processors to perform operations comprising:
receiving an object for analysis; extracting content from the object, the content includes a first plurality of instructions recovered from binary code of the object; arranging the extracted content into one or more basic blocks, each basic block of the one or more basic blocks including at least an instruction sequence corresponding to two or more instructions of the first plurality of instructions; generating, by the network device, an object fingerprint based on an analysis of the one or more basic blocks by at least (i) generating a representation of each instruction sequence of the one or more basic blocks, (ii) aggregating one or more representations associated with each instruction sequence of the one or more basic blocks, and (iii) comparing each of the one or more aggregated representations to a plurality of instruction sequences being monitored as being potentially malicious to produce a result, the result corresponding to the object fingerprint; analyzing, by the network device, the object fingerprint by at least comparing the object fingerprint to one or more malware family fingerprints to determine whether the object is potentially malicious and associated with an advanced malware; and generating information, based on the analyzing of the object fingerprint, for transmission from the network device to a second network device.
Dependent claims: 2-15.

16. A computerized method for detection of malware, comprising:
receiving an object for analysis; extracting content from the object, the content includes a first plurality of instructions recovered from non-binary code of the object; arranging the extracted content into one or more basic blocks, each basic block including at least an instruction sequence corresponding to two or more instructions of the first plurality of instructions; generating an object fingerprint based on an analysis of the one or more basic blocks by malware detection logic, operating within a network device, at least (i) generating a representation of each instruction sequence of the one or more basic blocks, (ii) aggregating one or more representations associated with each instruction sequence of the one or more basic blocks, and (iii) comparing each of the one or more aggregated representations to a plurality of instruction sequences being monitored as being potentially malicious to produce a result, the result corresponding to the object fingerprint; analyzing the object fingerprint by at least comparing the object fingerprint to one or more malware family fingerprints to determine whether the object is potentially malicious and associated with an advanced malware; and generating information, based on the analyzing of the object fingerprint, for transmission from the network device to a second network device.
Dependent claims: 17-30.

31. A network device, comprising:
a transmission medium; one or more hardware processors coupled to the transmission medium; communication interface logic coupled to the transmission medium, the communication interface logic to receive an object for analysis; and a memory coupled to the transmission medium, the memory comprises disassembly logic that, when executed by the one or more hardware processors, extracts content from the object, the content includes a first plurality of instructions recovered from binary code of the object, aggregation logic that, when executed by the one or more hardware processors, arranges the extracted content into one or more basic blocks, each basic block including at least an instruction sequence corresponding to two or more instructions of the first plurality of instructions, and fingerprint generation logic that, when executed by the one or more hardware processors, generates an object fingerprint based on an analysis of the one or more basic blocks by at least (i) generating a representation of each instruction sequence of the one or more basic blocks, (ii) aggregating one or more representations associated with each instruction sequence of the one or more basic blocks, and (iii) comparing each of the one or more aggregated representations to a plurality of instruction sequences being monitored as being potentially malicious to produce a result, the result corresponding to the object fingerprint; classification logic that, when executed by the one or more hardware processors, analyzes the object fingerprint by at least comparing the object fingerprint to one or more malware family fingerprints to determine whether the object is potentially malicious; and logic that, when executed by the one or more hardware processors, generates information resulting from analysis of the object fingerprint by the classification logic, for transmission from the network device to a second network device.
Dependent claims: 32-40.
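The independent claims above describe one pipeline: disassemble, cut into basic blocks of two or more instructions, represent each block's instruction sequence, check the aggregated representations against monitored sequences to form a fingerprint, then compare that fingerprint to family fingerprints. The following is an added toy implementation of that pipeline, not the patent holder's code; the disassembly sample, the monitored sequences, the family fingerprints and the Jaccard threshold are all constructed assumptions.

```python
"""Toy of the claimed pipeline: instructions -> basic blocks -> per-block
representation -> fingerprint against monitored sequences -> family match.
Constructed example; every sequence and family below is made up."""
from typing import Dict, List, Sequence, Set, Tuple

Instr = Tuple[int, str]               # (address, mnemonic); operands are dropped
TERMINATORS = {"jmp", "je", "jne", "jz", "jnz", "call", "ret"}

def split_basic_blocks(instrs: List[Instr], targets: Set[int]) -> List[Tuple[str, ...]]:
    """A block ends after a branch/return; a new block starts at any branch target.
    Blocks with fewer than two instructions are dropped, as the claims require."""
    blocks, cur = [], []
    for addr, mnem in instrs:
        if addr in targets and cur:       # leader: some branch lands here
            blocks.append(tuple(cur)); cur = []
        cur.append(mnem)
        if mnem in TERMINATORS:
            blocks.append(tuple(cur)); cur = []
    if cur:
        blocks.append(tuple(cur))
    return [b for b in blocks if len(b) >= 2]

def contains(block: Sequence[str], seq: Sequence[str]) -> bool:
    """True if seq occurs as a contiguous run inside block (operand-agnostic)."""
    n = len(seq)
    return any(tuple(block[i:i + n]) == tuple(seq) for i in range(len(block) - n + 1))

def fingerprint(blocks: List[Tuple[str, ...]], monitored: List[Tuple[str, ...]]) -> Tuple[int, ...]:
    """Bit k is 1 iff monitored sequence k occurs in some basic block of the object."""
    return tuple(int(any(contains(b, m) for b in blocks)) for m in monitored)

def jaccard(a: Sequence[int], b: Sequence[int]) -> float:
    inter = sum(1 for x, y in zip(a, b) if x and y)
    union = sum(1 for x, y in zip(a, b) if x or y)
    return inter / union if union else 0.0

def classify(fp: Tuple[int, ...], families: Dict[str, Tuple[int, ...]], threshold: float = 0.6):
    """(family, score) for the closest family at or above threshold, else (None, score)."""
    best = max(families, key=lambda f: jaccard(fp, families[f]))
    score = jaccard(fp, families[best])
    return (best if score >= threshold else None, score)

# Constructed sample disassembly: a small xor loop, a call, then a clean epilogue.
SAMPLE: List[Instr] = [(0x10, "push"), (0x11, "mov"), (0x14, "xor"), (0x16, "inc"),
                       (0x17, "cmp"), (0x19, "jnz"), (0x1b, "call"), (0x20, "pop"), (0x21, "ret")]
TARGETS = {0x14}                                  # the jnz at 0x19 loops back to 0x14
MONITORED = [("xor", "inc", "cmp", "jnz"), ("mov", "xor"), ("push", "mov"), ("sub", "call")]
FAMILIES = {"famA": (1, 0, 1, 0), "famB": (0, 0, 0, 1)}   # constructed family fingerprints

def demo():
    blocks = split_basic_blocks(SAMPLE, TARGETS)
    fp = fingerprint(blocks, MONITORED)
    return blocks, fp, classify(fp, FAMILIES)
```

Because operands are discarded and matching is per basic block, register renaming or constant changes inside a block do not alter the fingerprint, which is the point of comparing sequences rather than raw bytes.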
Specification