System and method for classifying malware within content created during analysis of a specimen

US 10,515,214 B1
Filed: 10/23/2015
Issued: 12/24/2019
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. A system of detecting malware in a specimen of computer content or network traffic, the system comprising:

a processor; and

a memory coupled to the processor, the memory comprises;

(i) an analysis plan that identifies an order of a plurality of analyses to be performed on the specimen to detect a presence of malware associated with the specimen, the analysis plan being separate from content of the specimen,(ii) a static analysis logic that, when executed by the processor, performs a static analysis of the specimen in accordance with the analysis plan to identify one or more suspicious indicators, wherein the static analysis being one of the plurality of analyses, and(iii) a dynamic analysis logic that, when executed by the processor, performs a dynamic analysis of the specimen in accordance with the analysis plan, wherein the dynamic analysis being one of the plurality of analyses and including processing of the specimen in a virtual machine and monitoring for one or more unexpected behaviors during processing of the specimen in the virtual machine.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a system of detecting malware in a specimen of computer content or network traffic comprises a processor and a memory. The memory includes a first analysis logic and a second analysis logic that may be executed by the processor. Upon execution, the first analysis logic performs a static analysis in accordance with an analysis plan to identify one or more suspicious indicators associated with malware and one or more characteristics related to processing of the specimen. The second analysis logic performs a second analysis in accordance with the analysis plan by processing of the specimen in a virtual machine and monitoring for one or more unexpected behaviors during virtual processing of the specimen in the virtual machine. The analysis plan may be altered based on the results of one of the analyzes.

750 Citations

43 Claims

1. A system of detecting malware in a specimen of computer content or network traffic, the system comprising:
- a processor; and
  
  a memory coupled to the processor, the memory comprises;
  
  (i) an analysis plan that identifies an order of a plurality of analyses to be performed on the specimen to detect a presence of malware associated with the specimen, the analysis plan being separate from content of the specimen,(ii) a static analysis logic that, when executed by the processor, performs a static analysis of the specimen in accordance with the analysis plan to identify one or more suspicious indicators, wherein the static analysis being one of the plurality of analyses, and(iii) a dynamic analysis logic that, when executed by the processor, performs a dynamic analysis of the specimen in accordance with the analysis plan, wherein the dynamic analysis being one of the plurality of analyses and including processing of the specimen in a virtual machine and monitoring for one or more unexpected behaviors during processing of the specimen in the virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein the memory further comprises a controller that, when executed by the processor and after receiving the specimen, determines the analysis plan that includes(i) a number of analyses to be performed by either (a) the static analysis logic, (b) the dynamic analysis logic or (c) both the static analysis logic and the dynamic analysis logic, and(ii) the order of the plurality of analyses, and(iii) one or more specific behaviors to be monitored in the dynamic analysis, or (b) one or more specific characteristics to be checked, verified or examined in the static analysis.
  - 3. The system of claim 1, wherein the analysis plan comprises information to identify the order of the plurality of analyses including a second static analysis of at least one of (i) the specimen or (ii) a result of the dynamic analysis of the specimen that occurs subsequent to the static analysis of the specimen.
  - 4. The system of claim 3, wherein the memory further comprises a classifier that, when executed by the processor, determines whether the specimen should be classified as malicious based on further analysis of the result of the dynamic analysis of the specimen.
  - 5. The system of claim 1, wherein the analysis plan further comprises information that controls the processor, in response to a result of one of the static analysis or dynamic analysis of the specimen, to unpack a packed object included in the specimen and perform a subsequent analysis, wherein the subsequent analysis comprises a second static analysis on the object.
  - 6. The system of claim 1, wherein the memory further comprises a controller that, when executed by the processor and in response to the dynamic analysis of the specimen producing a result, alters the analysis plan to conduct one or more analyses based on the result produced during dynamic analysis of the specimen, the result being a second specimen produced by the specimen.
  - 7. The system of claim 6, wherein the specimen comprises a first file and the result comprises a second file that is created in response to the processing of the first file in the virtual machine.
  - 8. The system of claim 6, wherein the specimen comprises a file that is created during prior processing of a second file within a second virtual machine separate from the virtual machine.
  - 9. The system of claim 1, wherein the memory further comprises a controller that, when executed by the processor, associates a priority with each of a plurality of specimens received by the system including the specimen and sets the order of the plurality of analyses to be performed in the analysis plan.
  - 10. The system of claim 9, wherein the controller, when executed by the processor, modifies the priorities of the plurality of specimens identified in the analysis plan based on a result of the static analysis.
  - 11. The system of claim 9, wherein the controller, when executed by the processor, modifies the order of the plurality of analyses in the analysis plan based on a result of the static analysis.
  - 12. The system of claim 1, wherein the memory further comprises a classifier that, when executed by the processor, determines whether the specimen should be classified as malicious based on at least one of (i) the one or more identified suspicious indicators associated with malware and (ii) the one or more unexpected behaviors.
  - 13. The system of claim 1, wherein the analysis plan being configured independently from content of the specimen by the analysis plan being separate data from the content of the specimen.

14. A system of detecting malware in a specimen of computer content or network traffic, the system comprising:
- a processor; and
  
  a memory coupled to the processor, the memory comprises (i) a first analysis logic that, when executed by the processor, performs a first analysis on the specimen in accordance with an analysis plan to identify one or more suspicious indicators, and (ii) a second analysis logic that, when executed by the processor, performs a second analysis on the specimen in accordance with the analysis plan by processing of the specimen in a virtual machine and monitoring for one or more unexpected behaviors during processing of the specimen in the virtual machine,wherein the analysis plan includes a plurality of rules governing at least an order of analyses of the specimen including the first analysis and the second analysis and identifies what protocols to be followed by the processor during the analyses, the analysis plan including information that is separate from data associated with the specimen.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 15. The system of claim 14, wherein the memory further comprises a controller that, when executed by the processor, determines the analysis plan based on the specimen, the analysis plan identifies the order of the analyses of the specimen that includes at least the first analysis that corresponds to a static analysis of the specimen and the second analysis that corresponds to a dynamic analysis of the specimen.
  - 16. The system of claim 15, wherein the analysis plan comprises information to identify the order of the analyses including the first analysis of the specimen, followed by the second analysis of the specimen.
  - 17. The system of claim 16, wherein the analysis plan comprises information to identify the order of the analyses including a third analysis of the specimen or a result produced during the second analysis of the specimen, the third analysis comprises a static analysis.
  - 18. The system of claim 16, wherein the analysis plan further comprises information that controls the processor, in response to a result of one of the static analysis or dynamic analysis of the specimen, to unpack a packed object included in the specimen and perform a subsequent analysis, wherein the subsequent analysis comprises a third analysis on the object that is different from the first analysis and the second analysis.
  - 19. The system of claim 15, wherein the memory further comprises a controller that, when executed by the processor, associates a priority with each of a plurality of specimens received by the system for malware detection and sets the order of analyses to be performed in the analysis plan, the plurality of specimens includes the specimen.
  - 20. The system of claim 19, wherein the controller, when executed by the processor, modifies the priorities of the plurality of specimens in the analysis plan based on a result of the static analysis.
  - 21. The system of claim 19, wherein the controller, when executed by the processor, modifies the order of the analyses in the analysis plan based on a result of the static analysis.
  - 22. The system of claim 14, wherein the memory further comprises a controller that, during execution by the processor and in response to the second analysis of the specimen producing a result, automatically alters the analysis plan to conduct one or more analyses on the result produced during the second analysis of the specimen.
  - 23. The system of claim 22, wherein the specimen comprises a first file and the result comprises a second file that is created in response to the processing of the first file in the virtual machine.
  - 24. The system of claim 22, wherein the specimen comprises a file and the result comprises a process that is created in response to the processing of the file in the virtual machine.
  - 25. The system of claim 14, wherein the memory further comprises a classifier that, when executed by the processor, determines whether the specimen should be classified as malicious based on at least one of (i) the one or more identified suspicious indicators associated with malware and (ii) the one or more unexpected behaviors.

26. A non-transitory computer readable medium including software that is executable by a processor and configured to detect malware in a specimen of computer content or network traffic, the non-transitory computer readable medium comprising:
- a controller being software for execution by processor, the controller to receive the specimen and determine an analysis plan for the specimen, the analysis plan identifies at least an order of analysis of the specimen for a plurality of analyses including one or more of (i) a static analysis of the specimen, (ii) a dynamic analysis of the specimen, or (iii) a static analysis of a packed object of the specimen after unpacking of the packed object;
  
  a static analysis logic being software for execution by the processor and communicatively coupled to the controller, the static analysis logic to perform the static analysis on the specimen in accordance with the analysis plan to identify one or more suspicious indicators;
  
  a dynamic analysis logic being software for execution by the processor and communicatively coupled to the controller, the dynamic analysis logic to perform a dynamic analysis of the specimen in accordance with the analysis plan, wherein the dynamic analysis being one of the plurality of analyses and including processing of the specimen in a virtual machine, and monitoring for one or more unexpected behaviors during processing of the specimen in the virtual machine; and
  
  a classifier being software for execution by the processor and configured to determine whether the specimen should be classified as malicious based on a result from the static analysis logic and a result from the dynamic analysis logic,wherein the controller being configured to alter the analysis plan that includes a plurality of rules for analysis and is configured independently from content of the specimen in response to (i) the result of the static analysis, (ii) the result of the dynamic analysis, or (iii) the result of the static analysis and the result of the dynamic analysis.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 27. The non-transitory computer readable medium of claim 26, wherein the analysis plan being configured independently from the content of the specimen based on the analysis plan including information separate from the content of the specimen.
  - 28. The non-transitory computer readable medium of claim 27, wherein the analysis plan includes(i) a number of analyses to be performed by either (a) the static analysis logic, (b) the dynamic analysis logic or (c) both the static analysis logic and the dynamic analysis logic, and(ii) the order of the plurality of analyses, and(iii) one or more specific behaviors to be monitored in the dynamic analysis, or (b) one or more specific characteristics to be checked, verified or examined in the static analysis.
  - 29. The non-transitory computer readable medium of claim 27, wherein the analysis plan comprises information to identify the order of the plurality of analyses including a second static analysis of at least one of (i) the specimen or (ii) a result of the dynamic analysis of the specimen that occurs subsequent to the static analysis of the specimen.
  - 30. The non-transitory computer readable medium of claim 29, wherein the analysis plan further comprises information that controls the processor, in response to a result of one of the static analysis or dynamic analysis of the specimen, to unpack a packed object included in the specimen and perform a subsequent analysis, wherein the subsequent analysis comprises a second static analysis on the object.
  - 31. The non-transitory computer readable medium of claim 27, wherein the controller, when executed by the processor and in response to the dynamic analysis of the specimen producing the result, alters the analysis plan to conduct one or more analyses based on the result of the dynamic analysis of the specimen, the result being a second specimen produced by the specimen.
  - 32. The non-transitory computer readable medium of claim 31, wherein the specimen comprises a first file and the result comprises a second file that is created in response to the processing of the first file in the virtual machine.
  - 33. The non-transitory computer readable medium of claim 31, wherein the specimen comprises a file that is created during prior processing of a second file within a second virtual machine separate from the virtual machine.
  - 34. The non-transitory computer readable medium of claim 27 further comprising a classifier that, when executed by the processor, determines whether the specimen should be classified as malicious based on further analysis of the result of the dynamic analysis of the specimen.
  - 35. The non-transitory computer readable medium of claim 27, wherein the controller, when executed by the processor, associates a priority with each of a plurality of specimens including the specimen and sets the order of the plurality of analyses to be performed in the analysis plan.
  - 36. The non-transitory computer readable medium of claim 35, wherein the controller, when executed by the processor, modifies the priorities of the plurality of specimens identified in the analysis plan to alter the order of the plurality of analyses.
  - 37. The non-transitory computer readable medium of claim 35, wherein the controller, when executed by the processor, modifies the order of the plurality of analyses in the analysis plan based on a result of the static analysis.
  - 38. The non-transitory computer readable medium of claim 27 further comprising a classifier that, when executed by the processor, determines whether the specimen should be classified as malicious based on at least one of (i) the one or more identified suspicious indicators associated with malware and (ii) the one or more unexpected behaviors.
  - 39. The non-transitory computer readable medium of claim 27, wherein the analysis plan being configured independently from the content of the specimen by the analysis plan being separate data from the content of the specimen.
  - 40. The non-transitory computer readable medium of claim 26, wherein the analysis plan further specifies analysis protocols for performing each of the plurality of analyses and parameters associated with the plurality of analyses being performed.
  - 41. The non-transitory computer readable medium of claim 40, wherein the parameters specified by the analysis plan includes specific behaviors to be monitored in the dynamic analysis and specific characteristics to be monitored in the static analysis.

42. A system of detecting malware in a specimen of computer content or network traffic, the system comprising:
- a processor; and
  
  a memory coupled to the processor, the memory comprises (i) a first analysis logic that, when executed by the processor, performs a first analysis on the specimen that generates results associated with the first analysis, (ii) a second analysis logic that, when executed by the processor, performs a second analysis on the specimen that generates results associated with the second analysis, (iii) a classifier to classify whether the specimen is likely malicious based on the results associated with the first analysis as conducted by the first analysis logic and the results associated with the second analysis as conducted by the second analysis logic, and (iv) a controller communicatively coupled to the first analysis logic, the second analysis logic and the classifier, the controller to determine whether an additional analysis or any additional analyses are to be performed on the specimen by either the first analysis logic or the second analysis logic based on feedback from the classifier, the first analysis logic and the second analysis logic.
- View Dependent Claims (43)
- - 43. The system of claim 42, wherein the results associated with the first analysis on the specimen identify one or more suspicious indicators associated with malware and the results associated with the second analysis on the specimen identify one or more unexpected behaviors that occur during processing of the specimen in the virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Vincent, Michael, Mesdaq, Ali, Thioux, Emmanuel, Singh, Abhishek, Vashisht, Sal
Primary Examiner(s)
Moorthy, Aravind K

Application Number

US14/922,030
Time in Patent Office

1,523 Days
Field of Search

726 23, 726 22, 726 24, 713188
US Class Current
CPC Class Codes

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

System and method for classifying malware within content created during analysis of a specimen

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

750 Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for classifying malware within content created during analysis of a specimen

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

750 Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links