Advanced malware detection using similarity analysis

US 10,491,627 B1
Filed: 09/29/2016
Issued: 11/26/2019
Est. Priority Date: 09/29/2016
Status: Active Grant

First Claim

Patent Images

1. A non-transitory storage medium having stored thereon instructions corresponding to malware detection logic including as part of a software agent operating within a network device, the malware detection logic being executable by one or more processors to perform operations comprising:

receiving an object for analysis;

extracting content from the object, the content includes a first plurality of instructions recovered from binary code of the object;

arranging the extracted content into one or more basic blocks, each basic block of the one or more basic blocks including at least an instruction sequence corresponding to two or more instructions of the first plurality of instructions;

generating, by the network device, an object fingerprint based on an analysis of the one or more basic blocks by at least (i) generating a representation of each instruction sequence of the one or more basic blocks, (ii) aggregating one or more representations associated with each instruction sequence of the one or more basic blocks, and (iii) comparing each of the one or more aggregated representations to a plurality of instruction sequences being monitored as being potentially malicious to produce a result, the result corresponding to the object fingerprint;

analyzing, by the network device, the object fingerprint by at least comparing the object fingerprint to one or more malware family fingerprints to determine whether the object is potentially malicious and associated with an advanced malware; and

generating information, based on the analyzing of the object fingerprint, for transmission from the network device to a second network device.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A non-computerized method for detection of malware is described. First, an object for analysis is received. Thereafter, the content from the object is extracted and the extracted content is arranged into one or more basic blocks. Each basic block including at least a portion of the content. The object fingerprint is based on an analysis of the one or more basic blocks. Thereafter, the object fingerprint is generated based on an analysis of the one or more basic blocks. Lastly, the object fingerprint is compared to one or more malware family fingerprints to determine if the object is potentially malicious and may be associated with an advanced malware.

748 Citations

40 Claims

1. A non-transitory storage medium having stored thereon instructions corresponding to malware detection logic including as part of a software agent operating within a network device, the malware detection logic being executable by one or more processors to perform operations comprising:
- receiving an object for analysis;
  
  extracting content from the object, the content includes a first plurality of instructions recovered from binary code of the object;
  
  arranging the extracted content into one or more basic blocks, each basic block of the one or more basic blocks including at least an instruction sequence corresponding to two or more instructions of the first plurality of instructions;
  
  generating, by the network device, an object fingerprint based on an analysis of the one or more basic blocks by at least (i) generating a representation of each instruction sequence of the one or more basic blocks, (ii) aggregating one or more representations associated with each instruction sequence of the one or more basic blocks, and (iii) comparing each of the one or more aggregated representations to a plurality of instruction sequences being monitored as being potentially malicious to produce a result, the result corresponding to the object fingerprint;
  
  analyzing, by the network device, the object fingerprint by at least comparing the object fingerprint to one or more malware family fingerprints to determine whether the object is potentially malicious and associated with an advanced malware; and
  
  generating information, based on the analyzing of the object fingerprint, for transmission from the network device to a second network device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The non-transitory storage medium of claim 1, wherein the generating of the information for transmission to the second network device includes comparing of the object fingerprint to the one or more malware family fingerprints and the second network devices corresponds to a security appliance that is configured to conduct a secondary malware analysis of the object.
  - 3. The non-transitory storage medium of claim 1, wherein each representation being a hash result generated from a corresponding instruction sequence.
  - 4. The non-transitory storage medium of claim 1, wherein the arranging the extracted content comprisesarranging the first plurality of instructions in accordance with an operational flow of the object, the operational flow is determined from an analysis of an order of execution of the first plurality of instructions without execution of the first plurality of instructions;
    - andsegmenting the first plurality of instructions arranged in accordance with the operational flow into the one or more basic blocks,wherein each instruction for each basic block of the one or more basic blocks completes operation without a change in control flow.
  - 5. The non-transitory storage medium of claim 1, wherein the arranging the extracted content comprises generating an object control graph including the one or more basic blocks.
  - 6. The non-transitory storage medium of claim 5, wherein the generating of the object control graph comprisesarranging the first plurality of instructions in accordance with a determined order that is based, at least in part, on an order of execution of the first plurality of instructions without execution of the first plurality of instructions;
    - andsegmenting the first plurality of instructions arranged in accordance with the determined order into the one or more basic blocks,wherein each instruction for each instruction sequence of the one or more basic blocks completes operation without a change in control flow.
  - 7. The non-transitory storage medium of claim 3, wherein each instruction of the instruction sequence completes operation without a change in control flow.
  - 8. The non-transitory storage medium of claim 1, wherein the generating of the representation of each instruction sequence of the one or more basic blocks comprisesgenerating a first representation of a first instruction sequence that includes a selected number of instructions, the first instruction sequence included as a first block of the one or more basic blocks, the first representation corresponds to a hash result produced by performing a hash operation on the first instruction sequence.
  - 9. The non-transitory storage medium of claim 8, wherein the generating of the representation of each instruction sequence of the one or more basic blocks further comprisesgenerating a first representation of a first subset of a second instruction sequence of a second basic block of the one or more basic blocks;
    - andgenerating a second representation of a second subset of the second instruction sequence,wherein the first subset of the second instruction sequence differs from the second subset of the second instruction sequence and the first subset of the second instruction sequence sharing at least one instruction with the second subset of the second instruction sequence.
  - 10. The non-transitory storage medium of claim 9, wherein the first subset of the second instruction sequence and the second subset of the second instruction sequence are selected through a sliding analysis window having a width corresponding to the selected number of instructions.
  - 11. The non-transitory storage medium of claim 1, wherein the generating of the representation of each instruction sequence of the one or more basic blocks comprisesgenerating a first representation of a first subset of a first instruction sequence of a first basic block of the one or more basic blocks;
    - andgenerating a second representation of a second subset of the first instruction sequence,wherein the first subset of the first instruction sequence differs from the second subset of the first instruction sequence and the first subset of the first instruction sequence sharing at least one instruction with the second subset of the first instruction sequence.
  - 12. The non-transitory storage medium of claim 11, wherein the first subset of the first instruction sequence and the second subset of the first instruction sequence are selected through a sliding analysis window having a width corresponding to a selected number of instructions being lesser in number than a number of instructions forming the first basic block.
  - 13. The non-transitory storage medium of claim 1, wherein prior the generating of the object fingerprint, selecting a width of an analysis window to a selected number of instructions, the analysis window being used in the generating of the representation of each instruction sequence of the one or more basic blocks that includes at least the selected number of instructions.
  - 14. The non-transitory storage medium of claim 1, wherein the information for transmission includes a report based on the analyzing of the object fingerprint, the report includes one or more of (i) a source of the object, (ii) a probability of the object being malicious or benign, or (iii) a known malicious family to which the object pertains.
  - 15. The non-transitory storage medium of claim 1, wherein the information for transmission comprises includes an alert including one or more messages to warn of detection of the obj ect as a malicious object.

16. A computerized method for detection of malware, comprising:
- receiving an object for analysis;
  
  extracting content from the object, the content includes a first plurality of instructions recovered from non-binary code of the object;
  
  arranging the extracted content into one or more basic blocks, each basic block including at least an instruction sequence corresponding to two or more instructions of the first plurality of instructions;
  
  generating an object fingerprint based on an analysis of the one or more basic blocks by malware detection logic, operating within a network device, at least (i) generating a representation of each instruction sequence of the one or more basic blocks, (ii) aggregating one or more representations associated with each instruction sequence of the one or more basic blocks, and (iii) comparing each of the one or more aggregated representations to a plurality of instruction sequences being monitored as being potentially malicious to produce a result, the result corresponding to the object fingerprint;
  
  analyzing the object fingerprint by at least comparing the object fingerprint to one or more malware family fingerprints to determine whether the object is potentially malicious and associated with an advanced malware; and
  
  generating information, based on the analyzing of the object fingerprint, for transmission from the network device to a second network device.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The method of claim 16, wherein the generating of the information for transmission includes the comparing of the object fingerprint to the one or more malware family fingerprints, for transmission to the network device being a security appliance that is configured to conduct a secondary malware analysis of the object.
  - 18. The method of claim 16, wherein the content includes the first plurality of instructions disassembled from the binary code of the object.
  - 19. The method of claim 18, wherein the arranging the extracted content comprisesarranging the first plurality of instructions in accordance with an operational flow of the object, the operational flow is determined from an analysis of an order of execution of the first plurality of instructions without execution of the first plurality of instructions;
    - andsegmenting the first plurality of instructions arranged in accordance with the operational flow into the one or more basic blocks,wherein each instruction for each basic block of the one or more basic blocks completes operation without a change in control flow.
  - 20. The method of claim 18, wherein the arranging the extracted content comprises generating an object control graph including the one or more basic blocks.
  - 21. The method of claim 20, wherein the generating of the object control graph comprisesarranging the first plurality of instructions in accordance with a determined order that is based, at least in part, on an order of execution of the first plurality of instructions without execution of the first plurality of instructions;
    - andsegmenting the first plurality of instructions arranged in accordance with the determined order into the one or more basic blocks, each of the one or more basic blocks includes one or more instructions of the first plurality of instructions that correspond to an instruction sequence and each instruction of the instruction sequence completes operation without a change in control flow.
  - 22. The method of claim 18, wherein each instruction of the instruction sequence completes operation without a change in control flow.
  - 23. The method of claim 16, wherein the generating of the representation of each instruction sequence of the one or more basic blocks comprisesgenerating a first representation of a first instruction sequence that includes a selected number of instructions, the first representation corresponds to a hash result produced by performing a hash operation on the first instruction sequence.
  - 24. The method of claim 23, wherein the generating of the representation of each instruction sequence of the one or more basic blocks that includes at least the selected number of instructions further comprisesgenerating a first representation of a first subset of a second instruction sequence of a second basic block of the one or more basic blocks;
    - andgenerating a second representation of a second subset of the second instruction sequence,wherein the first subset of the second instruction sequence differs from the second subset of the second instruction sequence and the first subset of the second instruction sequence sharing at least one instruction with the second subset of the second instruction sequence.
  - 25. The method of claim 24, wherein the first subset of the second instruction sequence and the second subset of the second instruction sequence are selected through a sliding analysis window having a width corresponding to the selected number of instructions.
  - 26. The method of claim 16, wherein the generating of the representation of each instruction sequence of the one or more basic comprisesgenerating a first representation of a first subset of a first instruction sequence of a first basic block of the one or more basic blocks, wherein the first instruction sequence includes a selected number of instructions and the first basic block includes a number of instructions greater than the selected number of instructions;
    - andgenerating a second representation of a second subset of the first instruction sequence,wherein the first subset of the first instruction sequence differs from the second subset of the first instruction sequence and the first subset of the first instruction sequence sharing at least one instruction with the second subset of the first instruction sequence.
  - 27. The method of claim 26, wherein the first subset of the first instruction sequence and the second subset of the first instruction sequence are selected through a sliding analysis window having a width corresponding to the selected number of instructions.
  - 28. The method of claim 16, wherein prior the generating of the object fingerprint, selecting a width of an analysis window to a selected number of instructions, the analysis window being used in the generating of the representation of each instruction sequence of the one or more basic blocks that includes at least the selected number of instructions.
  - 29. The method of claim 16, wherein the information for transmission includes a report based on the analyzing of the object fingerprint, the report includes one or more of (i) a source of the object, (ii) a probability of the object being malicious or benign, or (iii) a known malicious family to which the object pertains.
  - 30. The method of claim 16, wherein the information for transmission comprises includes an alert including one or more messages to warn of detection of the object as a malicious object.

31. A network device, comprising:
- a transmission medium;
  
  one or more hardware processors coupled to the transmission medium;
  
  communication interface logic coupled to the transmission medium, the communication interface logic to receive an object for analysis; and
  
  a memory coupled to the transmission medium, the memory comprisesdisassembly logic that, when executed by the one or more hardware processors, extracts content from the object, the content includes a first plurality of instructions recovered from binary code of the object,aggregation logic that, when executed by the one or more hardware processors, arranges the extracted content into one or more basic blocks, each basic block including at least an instruction sequence corresponding to two or more instructions of the first plurality of instructions, andfingerprint generation logic that, when executed by the one or more hardware processors, generates an object fingerprint based on an analysis of the one or more basic blocks by at least (i) generating a representation of each instruction sequence of the one or more basic blocks, (ii) aggregating one or more representations associated with each instruction sequence of the one or more basic blocks, and (iii) comparing each of the one or more aggregated representations to a plurality of instruction sequences being monitored as being potentially malicious to produce a result, the result corresponding to the object fingerprint;
  
  classification logic that, when executed by the one or more hardware processors, analyzes the object fingerprint by at least comparing the object fingerprint to one or more malware family fingerprints to determine whether the object is potentially malicious; and
  
  logic that, when executed by the one or more hardware processors, generates information resulting from analysis of the object fingerprint by the classification logic, for transmission from the network device to a second network device.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 32. The network device of claim 31, wherein the information for transmission includes a report based on the analyzing of the object fingerprint, the report includes one or more of (i) a source of the object, (ii) a probability of the object being malicious or benign, or (iii) a known malicious family to which the object pertains.
  - 33. The network device of claim 31, wherein the information for transmission comprises includes an alert including one or more messages to warn of detection of the object as a malicious object.
  - 34. The network device of claim 31, wherein the aggregation logic arranges the extracted content by at leastarranging the first plurality of instructions in accordance with an operational flow of the object, the operational flow is determined from an analysis of an order of execution of the first plurality of instructions without execution of the first plurality of instructions;
    - andsegmenting the first plurality of instructions arranged in accordance with the operational flow into the one or more basic blocks,wherein each instruction for each basic block of the one or more basic blocks completes operation without a change in control flow.
  - 35. The network device of claim 31, wherein the aggregation logic arranges the extracted content to at least generate an object control graph including the one or more basic blocks.
  - 36. The network device of claim 35, wherein the aggregation logic to generate the object control graph by at leastarranging the first plurality of instructions in accordance with a determined order that is based, at least in part, on an order of execution of the first plurality of instructions without execution of the first plurality of instructions;
    - andsegmenting the first plurality of instructions arranged in accordance with the determined order into the one or more basic blocks,wherein instruction for each instruction sequence of the one or more basic blocks completes operation without a change in control flow.
  - 37. The network device of claim 31, wherein each instruction of the instruction sequence completes operation without a change in control flow.
  - 38. The network device of claim 31, wherein the fingerprint generation logic to generate the representation of each instruction sequence of the one or more basic blocks by at least generating a first representation of a first instruction sequence that includes a selected number of instructions, the first instruction sequence included as a first block of the one or more basic blocks, the first representation corresponds to a hash result produced by performing a hash operation on the first instruction sequence.
  - 39. The network device of claim 31, wherein the fingerprint generation logic to further generate the representation of each instruction sequence of the one or more basic blocks by at leastgenerating a first representation of a first subset of a second instruction sequence of a second basic block of the one or more basic blocks;
    - andgenerating a second representation of a second subset of the second instruction sequence,wherein the first subset of the second instruction sequence differs from the second subset of the second instruction sequence and the first subset of the second instruction sequence sharing at least one instruction with the second subset of the second instruction sequence.
  - 40. The network device of claim 39, wherein the first subset of the second instruction sequence and the second subset of the second instruction sequence are selected through a sliding analysis window having a width corresponding to the selected number of instructions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Su, Jimmy Zhigang
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Torres-Diaz, Lizbeth

Application Number

US15/280,854
Time in Patent Office

1,153 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/562   Static detection

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Advanced malware detection using similarity analysis

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

748 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Advanced malware detection using similarity analysis

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

748 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links