Context-based analysis of applications
Abstract
Evaluating samples is disclosed. A sample is received. A determination is made that the sample includes at least one sensitive code segment. A set of paths that include execution of the code segment is determined based at least in part using static analysis. A verdict for the sample is determined based at least in part on the set of paths.
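The evaluation summarized in the abstract, combined with the human-interaction test from the independent claims on this page, can be illustrated in Python; this is an added example, not code from the patent or its assignee. The sample graphs and every name in them are constructed, and both the meaning given to the component dependency graph (activator to entry point edges) and the verdict rule (any path not rooted in a human-interaction event flags the sample) are assumptions.

```python
DEPS = {  # constructed, hypothetical names; assumed graph: activator -> entry points it starts
    "event:ui_click": ["MainActivity.onSendClicked"],
    "event:boot_completed": ["BootReceiver.onReceive"],
    "BootReceiver.onReceive": ["SyncService.onStart"],
}
HUMAN_EVENTS = {"event:ui_click"}  # root activators that count as human interaction
CALLS = {  # constructed static call graph: caller -> callees
    "MainActivity.onSendClicked": ["Messenger.send"],
    "SyncService.onStart": ["Messenger.send"],
    "Messenger.send": ["send_sms"],
}
SENSITIVE = {"send_sms"}  # stand-in for a sensitive code segment

def call_paths(calls, entry, sensitive):
    """Yield each cycle-free call path from entry to a sensitive function."""
    stack = [[entry]]
    while stack:
        path = stack.pop()
        for callee in calls.get(path[-1], []):
            if callee in sensitive:
                yield path + [callee]
            elif callee not in path:  # do not follow recursion
                stack.append(path + [callee])

def origins(deps, entry):
    """Return the root activators (no incoming edge) that can start entry."""
    parents = {}
    for src, targets in deps.items():
        for target in targets:
            parents.setdefault(target, set()).add(src)
    roots, seen, todo = set(), {entry}, [entry]
    while todo:
        node = todo.pop()
        if node not in parents:
            roots.add(node)
        for parent in parents.get(node, set()) - seen:
            seen.add(parent)
            todo.append(parent)
    return roots

def evaluate(calls, deps, sensitive, human_events):
    """Classify each (origin, call path) pair; assumed rule: a non-human path flags."""
    findings = []
    for entry in sorted({t for targets in deps.values() for t in targets}):
        for path in call_paths(calls, entry, sensitive):
            for root in sorted(origins(deps, entry)):
                findings.append((root, tuple(path), root in human_events))
    verdict = "suspicious" if any(not h for _, _, h in findings) else "benign"
    return verdict, findings
```

Calling `evaluate(CALLS, DEPS, SENSITIVE, HUMAN_EVENTS)` returns the verdict together with one finding per origin and call path, so an analyst can see which path reached the sensitive call without user action.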
21 Claims
1. A system, comprising:
- a processor configured to:
receive a sample;
determine, based at least in part by performing static analysis on the sample, a set of function call paths that include execution of a sensitive code segment comprising the sample;
build a system component dependency graph; and
assign a maliciousness verdict to the sample at least in part by using the system component dependency graph to evaluate the set of function call paths, including by determining whether, for each function call path included in the set of function call paths, the sensitive code segment is called in response to a human interaction;
wherein, for at least one function call path included in the set of function call paths, the sensitive code segment is not called in response to a human interaction; and
a memory coupled to the processor and configured to provide the processor with instructions.
11. A computer implemented method by at least one hardware processor, the method comprising:
- receiving a sample;
determining by the at least one hardware processor, based at least in part by performing static analysis on the sample, a set of function call paths that include execution of a sensitive code segment;
building a system component dependency graph; and
assigning a maliciousness verdict to the sample at least in part by using the system component dependency graph to evaluate the set of function call paths, including by determining whether, for each function call path included in the set of function call paths, the sensitive code segment is called in response to a human interaction;
wherein, for at least one function call path included in the set of function call paths, the sensitive code segment is not called in response to a human interaction.
21. A computer program product embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- receiving a sample;
determining, based at least in part by performing static analysis on the sample, a set of function call paths that include execution of a sensitive code segment;
building a system component dependency graph; and
assigning a maliciousness verdict to the sample at least in part by using the system component dependency graph to evaluate the set of function call paths, including by determining whether, for each function call path included in the set of function call paths, the sensitive code segment is called in response to a human interaction;
wherein, for at least one function call path included in the set of function call paths, the sensitive code segment is not called in response to a human interaction.
Specification