Context-based analysis of applications

US 10,565,377 B1
Filed: 12/21/2016
Issued: 02/18/2020
Est. Priority Date: 12/21/2016
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

receive a sample;

determine, based at least in part by performing static analysis on the sample, a set of function call paths that include execution of a sensitive code segment comprising the sample;

build a system component dependency graph; and

assign a maliciousness verdict to the sample at least in part by using the system component dependency graph to evaluate the set of function call paths, including by determining whether, for each function call path included in the set of function call paths, the sensitive code segment is called in response to a human interaction;

wherein, for at least one function call path included in the set of function call paths, the sensitive code segment is not called in response to a human interaction; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Evaluating samples is disclosed. A sample is received. A determination is made that the sample includes at least one sensitive code segment. A set of paths that include execution of the code segment is determined based at least in part using static analysis. A verdict for the sample is determined based at least in part on the set of paths.

Citations

21 Claims

1. A system, comprising:
- a processor configured to;
  
  receive a sample;
  
  determine, based at least in part by performing static analysis on the sample, a set of function call paths that include execution of a sensitive code segment comprising the sample;
  
  build a system component dependency graph; and
  
  assign a maliciousness verdict to the sample at least in part by using the system component dependency graph to evaluate the set of function call paths, including by determining whether, for each function call path included in the set of function call paths, the sensitive code segment is called in response to a human interaction;
  
  wherein, for at least one function call path included in the set of function call paths, the sensitive code segment is not called in response to a human interaction; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1 wherein the maliciousness verdict assigned to the sample is “
    - benign”
      
      when the set of function call paths is empty.
  - 3. The system of claim 1 wherein the maliciousness verdict for the sample is that the sample is benign.
  - 4. The system of claim 1 wherein the maliciousness verdict for the sample is that the sample is malicious.
  - 5. The system of claim 1 wherein the maliciousness verdict for the sample is that the sample is suspicious.
  - 6. The system of claim 1 wherein the processor is further configured to assign the maliciousness verdict at least in part by determining a dependency relation between a system event and a system component.
  - 7. The system of claim 1 wherein the processor is further configured to assign the maliciousness verdict at least in part by determining a dependency relation between a set of system components.
  - 8. The system of claim 1 wherein the processor is further configured to assign the maliciousness verdict at least in part by determining a dependency relation between a system component and an indirect call.
  - 9. The system of claim 1 wherein the processor is further configured to perform dynamic analysis on the sample.
  - 10. The system of claim 9 wherein the dynamic analysis to be performed is selected at least in part based on the set of function call paths.

11. A computer implemented method by at least one hardware processor, the method comprising:
- receiving a sample;
  
  determining by the at least one hardware processor, based at least in part by performing static analysis on the sample, a set of function call paths that include execution of a sensitive code segment;
  
  building a system component dependency graph; and
  
  assigning a maliciousness verdict to the sample at least in part by using the system component dependency graph to evaluate the set of function call paths, including by determining whether, for each function call path included in the set of function call paths, the sensitive code segment is called in response to a human interaction;
  
  wherein, for at least one function call path included in the set of function call paths, the sensitive code segment is not called in response to a human interaction.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11 wherein the maliciousness verdict assigned to the sample is “
    - benign”
      
      when the set of function call paths is empty.
  - 13. The method of claim 11 wherein the maliciousness verdict for the sample is that the sample is benign.
  - 14. The method of claim 11 wherein the maliciousness verdict for the sample is that the sample is malicious.
  - 15. The method of claim 11 wherein the maliciousness verdict for the sample is that the sample is suspicious.
  - 16. The method of claim 11 further comprising assigning the maliciousness verdict at least in part by determining a dependency relation between a system event and a system component.
  - 17. The method of claim 11 further comprising assigning the maliciousness verdict at least in part by determining a dependency relation between a set of system components.
  - 18. The method of claim 11 further comprising assigning the maliciousness verdict at least in part by determining a dependency relation between a system component and an indirect call.
  - 19. The method of claim 11 further comprising performing dynamic analysis on the sample.
  - 20. The method of claim 19 wherein the dynamic analysis to be performed is selected at least in part based on the set of function call paths.

21. A computer program product embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- receiving a sample;
  
  determining, based at least in part by performing static analysis on the sample, a set of function call paths that include execution of a sensitive code segment;
  
  building a system component dependency graph; and
  
  assigning a maliciousness verdict to the sample at least in part by using the system component dependency graph to evaluate the set of function call paths, including by determining whether, for each function call path included in the set of function call paths, the sensitive code segment is called in response to a human interaction;
  
  wherein, for at least one function call path included in the set of function call paths, the sensitive code segment is not called in response to a human interaction.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Zheng, Cong, Xu, Zhi
Primary Examiner(s)
Lemma, Samson B

Application Number

US15/387,593
Time in Patent Office

1,154 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/563   by source code analysis

H04L 63/0227   Filtering policies mail mes...

H04L 63/0254   Stateful filtering

H04L 63/168   above the transport layer

Context-based analysis of applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Context-based analysis of applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links