Detection efficacy of virtual machine-based analysis with application specific events
First Claim
1. A computerized method, comprising:
monitoring a first set of process operations associated with an object being analyzed for subsequent classification of the object as malicious or benign, information associated with the first set of process operations being stored as part of an event data structure;
capturing one or more process parameters associated with at least a first process operation of the first set of process operations, wherein the one or more process parameters describe a context in which the first process operation is performed;
conducting a first analysis stage by at least comparing a combination of the first process operation and the one or more process parameters with each of a plurality of combinations of a process operation and its corresponding process parameters, wherein the plurality of combinations comprises at least one of (i) a first set of expected process operations and process parameters, or (ii) a second set of anomalous process operations and process parameters, and, responsive to the first process operation and the one or more process parameters matching any combination of a process operation and its corresponding process parameters from the plurality of combinations, identifying the first process operation as malicious or as benign; and
conducting a second analysis stage by determining, based on each process operation of the first set of process operations and one or more corresponding parameters, including the first process operation and the one or more process parameters describing a context in which the first process operation is performed, whether (i) the first process operation is anomalous, or (ii) one or more process operations have been omitted from the first set of process operations, or (iii) one or more process operations of the first set of process operations have occurred out of order.
Abstract
A computerized system and method is described for classifying objects as malicious by processing the objects in a virtual environment and monitoring behaviors during processing by one or more monitors, where the monitoring is conducted in an electronic device that is different than the electronic device within which an analysis of attributes of the objects is conducted beforehand. The monitors may monitor and record selected sets of process operations and capture associated process parameters, which describe the context in which the process operations were performed. By recording the context of process operations, the system and method described herein improves the intelligence of classifications and consequently reduces the likelihood of incorrectly identifying objects as malware or vice versa.
41 Claims
1. A computerized method (independent claim; full text given under First Claim above). Dependent claims: 2 to 21.
22. An electronic device comprising:
one or more hardware processors; and
a memory including one or more software modules that, when executed by the one or more hardware processors, perform the following:
a first software module that, when executed by the one or more hardware processors, (i) monitors a first set of process operations associated with an object being analyzed for subsequent classification of the object as malicious or benign, information associated with the first set of process operations being stored as part of an event data structure, and (ii) captures one or more process parameters associated with at least a first process operation of the first set of process operations, wherein the one or more process parameters describe a context in which the first process operation is performed;
a second software module that, when executed by the one or more hardware processors, compares a combination of the first process operation and the one or more process parameters with each of a plurality of combinations of a process operation and its corresponding process parameters, where the plurality of combinations comprises at least one of (i) a first set of expected process operations and process parameters, or (ii) a second set of anomalous process operations and process parameters;
a third software module that, when executed by the one or more hardware processors and in response to the first process operation and the one or more process parameters matching any combination of a process operation and its corresponding process parameters of the plurality of combinations, identifies the first process operation as malicious or benign; and
a fourth software module that, when executed by the one or more hardware processors, determines, based on each process operation of the first set of process operations and one or more corresponding parameters, including the first process operation and the one or more process parameters describing a context in which the first process operation is performed, whether (i) the first process operation is anomalous, or (ii) one or more process operations have been omitted from the first set of process operations, or (iii) one or more process operations of the first set of process operations have occurred out of order.
Dependent claims: 23 to 41.
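The two-stage method recited in claim 1 and the device of claim 22 can be made concrete with a small Python illustration. This is an added example, not code from the patent or its assignee. The event layout, the two rule sets (expected and anomalous operation/parameter combinations), the ordered profile used by the second stage, and the three sample traces are all constructed assumptions chosen to show why the context captured in the parameters matters: the same file_write operation is labelled benign under %TEMP% and malicious under System32, and a trace that never renders the document, or renders it before reading it, is caught by the omission and ordering checks even when no single operation matches a signature.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple

@dataclass
class Event:
    op: str                                           # the process operation, e.g. "file_write"
    params: Dict[str, str] = field(default_factory=dict)  # parameters giving its context

@dataclass
class Rule:
    """A combination of an operation and parameter patterns (globs), with a verdict."""
    op: str
    params: Dict[str, str]
    verdict: str  # "benign" or "malicious"

    def matches(self, ev: Event) -> bool:
        # Operation name must match and every constrained parameter must match its glob.
        return self.op == ev.op and all(
            fnmatch(ev.params.get(k, ""), pat) for k, pat in self.params.items())

# Constructed rule sets for a hypothetical "document opened by a word processor" object.
EXPECTED = [  # set (i): operations in the context a benign document produces
    Rule("file_open", {"path": "*.docx", "mode": "read"}, "benign"),
    Rule("file_write", {"path": "*\\Temp\\*"}, "benign"),  # scratch file under %TEMP%
    Rule("net_connect", {"host": "*.office.net", "port": "443"}, "benign"),
]
ANOMALOUS = [  # set (ii): the same kinds of operation in a context a document never needs
    Rule("process_create", {"image": "*\\powershell.exe"}, "malicious"),
    Rule("file_write", {"path": "*\\System32\\*"}, "malicious"),
    Rule("registry_set", {"key": "*\\CurrentVersion\\Run\\*"}, "malicious"),
]
# Constructed stage-two profile: what a benign object of this type does, in this order.
PROFILE = ["file_open", "file_read", "render", "file_close"]
INCIDENTAL = {"file_write", "net_connect"}  # allowed at any point, order unconstrained

def stage_one(trace: List[Event]) -> List[Optional[str]]:
    """Per-event verdict from the first matching combination; None if nothing matched,
    because the operation alone, without its context, is not evidence either way."""
    return [next((r.verdict for r in EXPECTED + ANOMALOUS if r.matches(ev)), None)
            for ev in trace]

def stage_two(trace: List[Event]) -> List[Tuple]:
    """Whole-trace checks: anomalous, omitted and out-of-order operations."""
    findings: List[Tuple] = []
    ops = [ev.op for ev in trace]
    # (i) an operation that is neither part of the profile nor an allowed incidental one
    for i, ev in enumerate(trace):
        if ev.op not in PROFILE and ev.op not in INCIDENTAL:
            findings.append(("anomalous", i, ev.op))
    # (ii) profile operations the object never performed
    findings.extend(("omitted", op) for op in PROFILE if op not in ops)
    # (iii) profile operations whose first occurrences are in the wrong relative order
    present = [op for op in PROFILE if op in ops]
    for earlier, later in zip(present, present[1:]):
        if ops.index(later) < ops.index(earlier):
            findings.append(("out_of_order", earlier, later))
    return findings

def classify(trace: List[Event]) -> Tuple[str, List[Optional[str]], List[Tuple]]:
    """Combine both stages into a verdict for the object under analysis."""
    s1, s2 = stage_one(trace), stage_two(trace)
    if "malicious" in s1 or any(f[0] == "anomalous" for f in s2):
        verdict = "malicious"
    elif s2:  # only omissions or ordering problems: flag for review, not a conviction
        verdict = "suspicious"
    else:
        verdict = "benign"
    return verdict, s1, s2

# Constructed sample traces; not captured from any real sandbox run.
DOC = "C:\\Users\\a\\invoice.docx"
BENIGN_TRACE = [
    Event("file_open", {"path": DOC, "mode": "read"}),
    Event("file_read", {"bytes": "48213"}),
    Event("file_write", {"path": "C:\\Users\\a\\AppData\\Local\\Temp\\~$invoice.tmp"}),
    Event("render", {"pages": "3"}),
    Event("net_connect", {"host": "cdn.office.net", "port": "443"}),
    Event("file_close", {"path": DOC}),
]
MALICIOUS_TRACE = [
    Event("file_open", {"path": DOC, "mode": "read"}),
    Event("file_read", {"bytes": "48213"}),
    Event("process_create", {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}),
    Event("file_write", {"path": "C:\\Windows\\System32\\drivers\\evil.sys"}),
    Event("registry_set", {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"}),
    Event("file_close", {"path": DOC}),
]
REORDERED_TRACE = [  # renders before reading: nothing malicious matched, but the order is off
    Event("file_open", {"path": DOC, "mode": "read"}),
    Event("render", {"pages": "3"}),
    Event("file_read", {"bytes": "48213"}),
    Event("file_close", {"path": DOC}),
]

if __name__ == "__main__":  # stand-alone run: verdict, stage-one labels and stage-two findings
    for trace in (BENIGN_TRACE, MALICIOUS_TRACE, REORDERED_TRACE):
        print(classify(trace))
```

Two design points carry over to a real sandbox. First, stage one deliberately returns None for an operation that matches neither set, rather than defaulting to benign: a bare operation without its parameters is exactly the signal the abstract says is too weak to classify on. Second, the ordering check compares first occurrences only, so a benign process that legitimately repeats an operation (re-reading a file after rendering a page) is not penalised; an analyst tuning the profile should decide per object type whether repeats are themselves worth a finding.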