System and method for classifying malware within content created during analysis of a specimen
Abstract
According to one embodiment, a system of detecting malware in a specimen of computer content or network traffic comprises a processor and a memory. The memory includes a first analysis logic and a second analysis logic that may be executed by the processor. Upon execution, the first analysis logic performs a static analysis in accordance with an analysis plan to identify one or more suspicious indicators associated with malware and one or more characteristics related to processing of the specimen. The second analysis logic performs a second analysis in accordance with the analysis plan by processing the specimen in a virtual machine and monitoring for one or more unexpected behaviors during virtual processing of the specimen in the virtual machine. The analysis plan may be altered based on the results of one of the analyses.
750 Citations
43 Claims
1. A system of detecting malware in a specimen of computer content or network traffic, the system comprising:
a processor; and a memory coupled to the processor, the memory comprises: (i) an analysis plan that identifies an order of a plurality of analyses to be performed on the specimen to detect a presence of malware associated with the specimen, the analysis plan being separate from content of the specimen, (ii) a static analysis logic that, when executed by the processor, performs a static analysis of the specimen in accordance with the analysis plan to identify one or more suspicious indicators, wherein the static analysis being one of the plurality of analyses, and (iii) a dynamic analysis logic that, when executed by the processor, performs a dynamic analysis of the specimen in accordance with the analysis plan, wherein the dynamic analysis being one of the plurality of analyses and including processing of the specimen in a virtual machine and monitoring for one or more unexpected behaviors during processing of the specimen in the virtual machine.
(Dependent claims: 2-13)
14. A system of detecting malware in a specimen of computer content or network traffic, the system comprising:
a processor; and a memory coupled to the processor, the memory comprises (i) a first analysis logic that, when executed by the processor, performs a first analysis on the specimen in accordance with an analysis plan to identify one or more suspicious indicators, and (ii) a second analysis logic that, when executed by the processor, performs a second analysis on the specimen in accordance with the analysis plan by processing of the specimen in a virtual machine and monitoring for one or more unexpected behaviors during processing of the specimen in the virtual machine, wherein the analysis plan includes a plurality of rules governing at least an order of analyses of the specimen including the first analysis and the second analysis and identifies what protocols to be followed by the processor during the analyses, the analysis plan including information that is separate from data associated with the specimen.
(Dependent claims: 15-25)
26. A non-transitory computer readable medium including software that is executable by a processor and configured to detect malware in a specimen of computer content or network traffic, the non-transitory computer readable medium comprising:
a controller being software for execution by processor, the controller to receive the specimen and determine an analysis plan for the specimen, the analysis plan identifies at least an order of analysis of the specimen for a plurality of analyses including one or more of (i) a static analysis of the specimen, (ii) a dynamic analysis of the specimen, or (iii) a static analysis of a packed object of the specimen after unpacking of the packed object; a static analysis logic being software for execution by the processor and communicatively coupled to the controller, the static analysis logic to perform the static analysis on the specimen in accordance with the analysis plan to identify one or more suspicious indicators; a dynamic analysis logic being software for execution by the processor and communicatively coupled to the controller, the dynamic analysis logic to perform a dynamic analysis of the specimen in accordance with the analysis plan, wherein the dynamic analysis being one of the plurality of analyses and including processing of the specimen in a virtual machine, and monitoring for one or more unexpected behaviors during processing of the specimen in the virtual machine; and a classifier being software for execution by the processor and configured to determine whether the specimen should be classified as malicious based on a result from the static analysis logic and a result from the dynamic analysis logic, wherein the controller being configured to alter the analysis plan that includes a plurality of rules for analysis and is configured independently from content of the specimen in response to (i) the result of the static analysis, (ii) the result of the dynamic analysis, or (iii) the result of the static analysis and the result of the dynamic analysis.
(Dependent claims: 27-41)
42. A system of detecting malware in a specimen of computer content or network traffic, the system comprising:
a processor; and a memory coupled to the processor, the memory comprises (i) a first analysis logic that, when executed by the processor, performs a first analysis on the specimen that generates results associated with the first analysis, (ii) a second analysis logic that, when executed by the processor, performs a second analysis on the specimen that generates results associated with the second analysis, (iii) a classifier to classify whether the specimen is likely malicious based on the results associated with the first analysis as conducted by the first analysis logic and the results associated with the second analysis as conducted by the second analysis logic, and (iv) a controller communicatively coupled to the first analysis logic, the second analysis logic and the classifier, the controller to determine whether an additional analysis or any additional analyses are to be performed on the specimen by either the first analysis logic or the second analysis logic based on feedback from the classifier, the first analysis logic and the second analysis logic.
(Dependent claims: 43)
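The independent claims above describe one architecture: a controller runs analyses in the order an analysis plan dictates, a classifier scores the accumulated results, and the controller alters the plan in response (claim 26's unpack-then-rescan step, claim 42's feedback-driven decision on whether further analysis is needed). The following is an added illustration of that control flow, not code from the patent or its assignee; the indicator prefixes, behaviour names, scoring weights and sample specimens are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Specimen:
    name: str
    strings: list          # constructed stand-in for what static analysis sees directly
    packed_strings: list   # strings visible only after unpacking (empty if not packed)
    vm_events: list        # constructed stand-in for behaviours observed in the VM

# Constructed heuristics; a real system would use far richer rules.
SUSPICIOUS_PREFIXES = ("http://", "cmd.exe", "powershell", "regsvr32")
UNEXPECTED_BEHAVIOURS = {"writes_run_key", "injects_remote_thread", "stops_av_service"}

def static_analysis(strings):
    """Static analysis: return the suspicious indicators found in the visible strings."""
    return [s for s in strings if s.lower().startswith(SUSPICIOUS_PREFIXES)]

def dynamic_analysis(events):
    """Stand-in for VM monitoring: return the unexpected behaviours observed."""
    return [e for e in events if e in UNEXPECTED_BEHAVIOURS]

def classify(results):
    """Classifier over all results gathered so far; dynamic behaviours weigh double."""
    score = len(results.get("static", [])) + len(results.get("unpack_static", []))
    score += 2 * len(results.get("dynamic", []))
    if score >= 3:
        return "malicious"
    return "suspicious" if score else "benign"

def run_plan(spec, plan=("static", "dynamic")):
    """Controller: run analyses in plan order and alter the plan from results.
    Returns (verdict, final plan, per-step verdict log)."""
    plan, results, log, i = list(plan), {}, [], 0
    while i < len(plan):
        step = plan[i]
        if step == "static":
            results[step] = static_analysis(spec.strings)
            # claim 26 (iii): a packed object is unpacked and statically re-analysed
            if spec.packed_strings and "unpack_static" not in plan:
                plan.insert(i + 1, "unpack_static")
        elif step == "unpack_static":
            results[step] = static_analysis(spec.packed_strings)
        elif step == "dynamic":
            results[step] = dynamic_analysis(spec.vm_events)
        verdict = classify(results)
        log.append((step, verdict))
        # claim 42: classifier feedback decides whether further analyses are needed
        if verdict == "malicious":
            break
        i += 1
    return classify(results), plan, log
```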