Detection efficacy of virtual machine-based analysis with application specific events

US 10,534,906 B1
Filed: 03/12/2018
Issued: 01/14/2020
Est. Priority Date: 02/05/2014
Status: Active Grant

First Claim

Patent Images

1. A computerized method, comprising:

monitoring a first set of process operations associated with an object being analyzed for subsequent classification of the object as malicious or benign, information associated with the first set of process operations being stored as part of an event data structure;

capturing one or more process parameters associated with at least a first process operation of the first set of process operations, wherein the one or more process parameters describe a context in which the first process operation is performed;

conducting a first analysis stage by at leastcomparing a combination of the first process operation and the one or more process parameters with each of a plurality of combinations of a process operation and its corresponding process parameters, wherein the plurality of combinations comprises at least one of (i) a first set of expected process operations and process parameters, or (ii) a second set of anomalous process operations and process parameters, andresponsive to the first process operation and the one or more process parameters matching any combination of a process operation and its corresponding process parameters from the plurality of combinations, identifying the first process operation as malicious or as benign; and

conducting a second analysis stage by determining, based on each process operation of the first set of process operations and one or more corresponding parameters, including the first process operation and the one or more process parameters describing a context in which the first process operation is performed, whether (i) the first process operation is anomalous or (ii) one or more process operations has been omitted from the first set of process operations or (iii) one or more process operations of the first set of process operations has occurred out of order.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized system and method is described for classifying objects as malicious by processing the objects in a virtual environment and monitoring behaviors during processing by one or more monitors, where the monitoring is conducted in an electronic device that is different than the electronic device within which an analysis of attributes of the objects is conducted beforehand. The monitors may monitor and record selected sets of process operations and capture associated process parameters, which describe the context in which the process operations were performed. By recording the context of process operations, the system and method described herein improves the intelligence of classifications and consequently reduces the likelihood of incorrectly identifying objects as malware or vice versa.

Citations

41 Claims

1. A computerized method, comprising:
- monitoring a first set of process operations associated with an object being analyzed for subsequent classification of the object as malicious or benign, information associated with the first set of process operations being stored as part of an event data structure;
  
  capturing one or more process parameters associated with at least a first process operation of the first set of process operations, wherein the one or more process parameters describe a context in which the first process operation is performed;
  
  conducting a first analysis stage by at leastcomparing a combination of the first process operation and the one or more process parameters with each of a plurality of combinations of a process operation and its corresponding process parameters, wherein the plurality of combinations comprises at least one of (i) a first set of expected process operations and process parameters, or (ii) a second set of anomalous process operations and process parameters, andresponsive to the first process operation and the one or more process parameters matching any combination of a process operation and its corresponding process parameters from the plurality of combinations, identifying the first process operation as malicious or as benign; and
  
  conducting a second analysis stage by determining, based on each process operation of the first set of process operations and one or more corresponding parameters, including the first process operation and the one or more process parameters describing a context in which the first process operation is performed, whether (i) the first process operation is anomalous or (ii) one or more process operations has been omitted from the first set of process operations or (iii) one or more process operations of the first set of process operations has occurred out of order.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The computerized method of claim 1, wherein the monitoring of the first set of process operations and the capturing of the one or more process parameters is conducted during run-time of the object in a safe runtime environment.
  - 3. The computerized method of claim 2, wherein the safe runtime environment is a virtual machine.
  - 4. The computerized method of claim 3, wherein prior to both the monitoring of the first set of process operations and the capturing of the one or more process parameters associated with at least the first process operation, the method further comprises placing one or more monitors at one or more particular locations within software associated with the virtual machine to monitor the first process operation and to capture the one or more process parameters.
  - 5. The computerized method of claim 2, wherein a process including the first process operation is an instance of a software program.
  - 6. The computerized method of claim 1, wherein the first process operation includes a function call.
  - 7. The computerized method of claim 1, wherein the one or more process parameters identify a context in which the first process operation is performed to increase an accuracy of classifying the object as malware.
  - 8. The computerized method of claim 1, wherein the one or more process parameters matching the expected process parameters when a prescribed degree of correlation exists between the one or more process parameters and the expected process parameters.
  - 9. The computerized method of claim 1 further-comprising:
    - updating the event data structure to include captured process operations each corresponding to an event and associated process parameters associated with each captured process operation including the one or more process parameters associated with at least the first process operation of the first set of process operations.
  - 10. The computerized method of claim 9 comprising:
    - identifying the one or more omitted process operations from the first set of process operations based on a state machine for a process being a representation of an expected sequencing of process operations that the process is expected to yield when monitored;
      
      generating any additional process operations corresponding to one or more of the one or more omitted process operations based on the partial match of the expected sequencing of process operations to the first set of process operations; and
      
      updating the event data structure with information associated with the additional process operations.
  - 11. The computerized method of claim 9 further comprising:
    - identifying whether omitted events have occurred in an order different than an expected sequencing of process operations;
      
      generating any additional events corresponding to the one or more omitted events based on the partial match of the expected sequencing of events to the events associated with the process; and
      
      updating the event data structure with the information associated with the additional events.
  - 12. The computerized method of claim 1, wherein the conducting of the first analysis stage further comprises:
    - responsive to the first process operation and the one or more process parameters failing to match any combination of the first set of expected process operations and process parameters and the second set of anomalous process operations and process parameters, identifying the first process operation and the one or more parameters as suspicious.
  - 13. The computerized method of claim 1, wherein the plurality of combinations comprises the first set of expected process operations and process parameters operating as a whitelist.
  - 14. The computerized method of claim 1, wherein the plurality of combinations comprises the second set of anomalous process operations and process parameters operating as a blacklist.
  - 15. The computerized method of claim 1, wherein the one or more process parameters describes a context in which the first process operation is performed and provide insight into characteristics of the object.
  - 16. The computerized method of claim 1, wherein the determining whether the first process operation is anomalous comprises determining whether the first process operation constitutes an unexpected operation.
  - 17. The computerized method of claim 1, wherein the determining whether the one or more process operations has been omitted comprises determining the one or more process operations that should have been monitored during the monitoring operation and the monitoring of the one or more operations appears to have been omitted.
  - 18. The computerized method of claim 1, wherein the conducting of the second stage analysis further comprises generating additional process operations based on a partial match of the first set of process operations.
  - 19. The computerized method of claim 1 further comprising:
    - conducting a third analysis stage to generate a confidence score associated with the object from analyses conducted at the first analysis stage and the second analysis stage, the confidence score being associated with a probability of the object being malicious and the confidence score being used to classify the object as malware.
  - 20. The computerized method of claim 1, wherein the one or more parameters associated with the first process operation includes data for use in detecting malicious behavior.
  - 21. The computerized method of claim 1, wherein the one or more parameters associated with the first process operation includes data that identifies a loading or running a macro.

22. An electronic device comprising:
- one or more hardware processors; and
  
  a memory including one or more software modules including that, when executed by the one or more hardware processors;
  
  a first software module that, when executed by the one or more hardware processors, (i) monitors a first set of process operations associated with an object being analyzed for subsequent classification of the object as malicious or benign, information associated with the first set of process operations being stored as part of an event data structure and (ii) captures one or more process parameters associated with at least a first process operation of the first set of process operations, wherein the one or more process parameters describe a context in which the first process operation is performed,a second software module that, when executed by the one or more hardware processors, compares a combination of the first process operation and the one or more process parameters with each of a plurality of combinations of a process operation and its corresponding process parameters, where the plurality of combinations comprises at least one of (i) a first set of expected process operations and process parameters, or (ii) a second set of anomalous process operations and process parameters,a third software module that, when executed by the one or more hardware processors and in response to the first process operation and the one or more process parameters matching any combination of a process operation and its corresponding process parameters of the plurality of combination, identifies the first process operation as malicious or benign; and
  
  a fourth software module that, when executed by the one or more hardware processors, determines based on each process operation of the first set of process operations and one or more corresponding parameters, including the first process operation and the one or more process parameters describing a context in which the first process operation is performed, whether (i) the first process operation is anomalous, or (ii) one or more process operations have been omitted from the first set of process operations, or (iii) one or more process operations of the first set of process operations has occurred out of order.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 23. The electronic device of claim 22, wherein the first software module to monitor the first set of process operations and capture the one or more process parameters during run-time of the object in a safe runtime environment.
  - 24. The electronic device of claim 23, wherein the safe runtime environment is a virtual machine.
  - 25. The electronic device of claim 24, wherein prior to operations conducted by the first software module and the second software module, the first process operation and one or more process parameters are pre-selected based on a location within the virtual machine in which one or more monitors applied to the virtual machine is located.
  - 26. The electronic device of claim 23, wherein a process including the first process operation being an instance of a software program.
  - 27. The electronic device of claim 22, wherein the first process operation includes a function call.
  - 28. The electronic device of claim 22, wherein the one or more process parameters identify a context in which the first process operation is performed to increase an accuracy of classifying the object as malware.
  - 29. The electronic device of claim 22, wherein the one or more process parameters matching the expected process parameters when a prescribed degree of correlation exists between the one or more process parameters and the expected process parameters.
  - 30. The electronic device of claim 22, wherein the memory further comprising:
    - a fifth software module that, when executed by the one or more hardware processors, (i) performs an analysis to identify the one or more omitted process operations from the first set of process operations for a process being a representation of an expected sequencing of events that the process is expected to yield when monitored, (ii) generates any additional process operations based on a partial match of the expected sequencing of process operations to process operations associated with the process, and (iii) updates the event data structure to include the additional process operations.
  - 31. The electronic device of claim 22, wherein the memory further comprising:
    - a fifth software module that, when executed by the one or more hardware processors, (i) performs an analysis to identify whether any of the first set of process operations associated with a process have occurred in an order different than an expected sequencing of process operations, (ii) generates any additional process operations based on a partial match of the expected sequencing of process operations to the first set of process operations associated with the process, and (iii) updates the event data structure to include the additional process operations.
  - 32. The electronic device of claim 22, wherein the third software module is further configured to, in response to the first process operation and the one or more process parameters failing to match any combination of the first set of expected process operations and process parameters or the second set of anomalous process operations and process parameters, identifying the first process operation and the one or more parameters as suspicious.
  - 33. The electronic device of claim 22, wherein the plurality of combinations comprises the first set of expected process operations and process parameters operating as a whitelist.
  - 34. The electronic device of claim 22, wherein the plurality of combinations comprises the second set of anomalous process operations and process parameters operating as a blacklist.
  - 35. The electronic device of claim 22, wherein the one or more process parameters associated with the first process operation describes a context in which the first process operation is performed and provide insight into characteristics of the object.
  - 36. The electronic device of claim 22, wherein the fourth software module is configured to determine whether the first process operation is anomalous by at least determining whether the first process operation constitutes an unexpected operation.
  - 37. The electronic device of claim 22, wherein the fourth software module is configured to determine whether the one or more process operations have been omitted by at least determining at least one process operation that should have been monitored during the monitoring operation and the monitoring of the at least operation appears to have been omitted.
  - 38. The electronic device of claim 22, wherein the fourth software module is configured to further generate additional process operations based on a partial match of the first set of process operations.
  - 39. The electronic device of claim 22, wherein the memory further comprising:
    - a fifth software module being configured to generate a confidence score associated with the object from analyses conducted by at least the fourth software module, the confidence score being associated with a probability of the object being malicious and the confidence score being used to classify the object as malware.
  - 40. The electronic device of claim 22, wherein the one or more parameters associated with the first process operation includes data for use in detecting malicious behavior.
  - 41. The electronic device of claim 22, wherein the one or more parameters associated with the first process operation includes data that identifies a loading or running a macro.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Paithane, Sushant, Vashisht, Sai
Primary Examiner(s)
Mehedi, Morshed

Application Number

US15/919,085
Time in Patent Office

673 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

G06F 9/45558   Hypervisor-specific managem...

H04L 63/145   the attack involving the pr...

Detection efficacy of virtual machine-based analysis with application specific events

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Detection efficacy of virtual machine-based analysis with application specific events

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links