
Detection efficacy of virtual machine-based analysis with application specific events

  • US 10,534,906 B1
  • Filed: 03/12/2018
  • Issued: 01/14/2020
  • Est. Priority Date: 02/05/2014
  • Status: Active Grant
First Claim

1. A computerized method, comprising:

  • monitoring a first set of process operations associated with an object being analyzed for subsequent classification of the object as malicious or benign, information associated with the first set of process operations being stored as part of an event data structure;

  • capturing one or more process parameters associated with at least a first process operation of the first set of process operations, wherein the one or more process parameters describe a context in which the first process operation is performed;

  • conducting a first analysis stage by at least comparing a combination of the first process operation and the one or more process parameters with each of a plurality of combinations of a process operation and its corresponding process parameters, wherein the plurality of combinations comprises at least one of (i) a first set of expected process operations and process parameters, or (ii) a second set of anomalous process operations and process parameters, and responsive to the first process operation and the one or more process parameters matching any combination of a process operation and its corresponding process parameters from the plurality of combinations, identifying the first process operation as malicious or as benign; and

  • conducting a second analysis stage by determining, based on each process operation of the first set of process operations and one or more corresponding parameters, including the first process operation and the one or more process parameters describing a context in which the first process operation is performed, whether (i) the first process operation is anomalous or (ii) one or more process operations has been omitted from the first set of process operations or (iii) one or more process operations of the first set of process operations has occurred out of order.
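The two-stage analysis of claim 1, as an added Python example that is not part of the patent or of any assignee's code: stage 1 matches each (operation, parameters) combination against sets of expected and anomalous combinations, and stage 2 checks the whole event data structure for anomalous, omitted and out-of-order operations against an expected order. The operation names, parameters, expected order and sample trace are constructed values, not taken from the patent.

```python
from typing import Dict, FrozenSet, List, Optional, Tuple
Params = Dict[str, str]
Event = Tuple[str, Params]  # (process operation, parameters describing its context)

def combo(op: str, params: Params) -> Tuple[str, FrozenSet[Tuple[str, str]]]:
    # Hashable key for an operation plus its context parameters
    return (op, frozenset(params.items()))

# Stage-1 knowledge (constructed sample values): known-good and known-bad combinations
EXPECTED_COMBOS = {combo("open_file", {"mode": "read", "ext": ".pdf"}),
                   combo("render_page", {"engine": "builtin"})}
ANOMALOUS_COMBOS = {combo("create_process", {"image": "cmd.exe", "parent": "reader.exe"})}
# Stage-2 knowledge (assumed): the operation order a benign run of this object type produces
EXPECTED_ORDER = ["open_file", "parse", "render_page", "close_file"]

def stage1(op: str, params: Params) -> Optional[str]:
    # Match the (operation, parameters) combination; None = no match, defer to stage 2
    key = combo(op, params)
    if key in ANOMALOUS_COMBOS:
        return "malicious"
    return "benign" if key in EXPECTED_COMBOS else None

def stage2(events: List[Event]) -> Dict[str, List[str]]:
    # Sequence checks over the whole event data structure
    seen = [op for op, _ in events]
    rank = {op: i for i, op in enumerate(EXPECTED_ORDER)}
    anomalous = [op for op in seen if op not in rank]            # not in the expected set
    omitted = [op for op in EXPECTED_ORDER if op not in seen]    # expected but never observed
    out_of_order, highest = [], -1
    for op in seen:
        if op in rank:
            if rank[op] < highest:  # an earlier expected op arrived after a later one
                out_of_order.append(op)
            highest = max(highest, rank[op])
    return {"anomalous": anomalous, "omitted": omitted, "out_of_order": out_of_order}

def classify(events: List[Event]) -> Dict[str, object]:
    # Any stage-1 malicious match or any stage-2 finding marks the object malicious
    labels = [(op, stage1(op, p)) for op, p in events]
    findings = stage2(events)
    bad = any(lbl == "malicious" for _, lbl in labels) or any(findings.values())
    return {"stage1": labels, "stage2": findings, "verdict": "malicious" if bad else "benign"}

# Constructed trace: page rendered before parsing, child shell spawned, file never closed
SAMPLE_EVENTS: List[Event] = [
    ("open_file", {"mode": "read", "ext": ".pdf"}),
    ("render_page", {"engine": "builtin"}),
    ("parse", {}),
    ("create_process", {"image": "cmd.exe", "parent": "reader.exe"}),
]
```

Calling `classify(SAMPLE_EVENTS)` flags the trace as malicious on both stages; a trace that follows EXPECTED_ORDER with only expected combinations comes back benign.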
