Malware detection system with contextual analysis

US 10,581,874 B1
Filed: 12/31/2015
Issued: 03/03/2020
Est. Priority Date: 12/31/2015
Status: Active Grant

First Claim

Patent Images

1. A computerized method for detecting malware associated with an object, the method comprising:

analyzing, by a static analysis logic system, an object to obtain a first set of attributes, the first set of attributes includes one or more characteristics associated with the object;

processing the object within a virtual machine associated with a dynamic analysis logic system and obtaining a second set of attributes, the second set of attributes corresponding to one or more monitored behaviors of the virtual machine during processing of the object;

conducting a secondary analysis to determine a threat index for the object based, at least in part, on an analysis of a multi-type attribute combination being a combination of at least one attribute of the first set of attributes received from the static analysis logic system and at least one attribute of the second set of attributes received from the dynamic analysis logic system, wherein the multi-type attribute combination being analyzed collectively as contextual information and the threat index representing a probability of maliciousness associated with the object; and

conducting an analysis of the object for a particular attribute in response to the particular attribute being absent from the multi-type attribute combination and present in an attribute pattern of a plurality of attributes patterns being used to identify whether the object is malicious or non-malicious.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized method for detecting malware associated with an object. The method includes operations of analyzing an object to obtain a first set of attributes, where the first set of attributes include one or more characteristics associated with the object. Furthermore, the object is processed with a virtual machine to obtain a second set of attributes. The second set of attributes corresponds to one or more monitored behaviors of the virtual machine during processing of the object. Thereafter, a threat index is determined based, at least in part, on a combination of at least one attribute of the first set of attributes and at least one attribute of the second set of attributes. The threat index represents a probability of maliciousness associated with the object.

Citations

22 Claims

1. A computerized method for detecting malware associated with an object, the method comprising:
- analyzing, by a static analysis logic system, an object to obtain a first set of attributes, the first set of attributes includes one or more characteristics associated with the object;
  
  processing the object within a virtual machine associated with a dynamic analysis logic system and obtaining a second set of attributes, the second set of attributes corresponding to one or more monitored behaviors of the virtual machine during processing of the object;
  
  conducting a secondary analysis to determine a threat index for the object based, at least in part, on an analysis of a multi-type attribute combination being a combination of at least one attribute of the first set of attributes received from the static analysis logic system and at least one attribute of the second set of attributes received from the dynamic analysis logic system, wherein the multi-type attribute combination being analyzed collectively as contextual information and the threat index representing a probability of maliciousness associated with the object; and
  
  conducting an analysis of the object for a particular attribute in response to the particular attribute being absent from the multi-type attribute combination and present in an attribute pattern of a plurality of attributes patterns being used to identify whether the object is malicious or non-malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computerized method of claim 1, wherein the conducting of the secondary analysis to determine the threat index for the object further comprises determining whether the combination of the at least one attribute of the first set of attributes and the at least one attribute of the second set of attributes forming the multi-type attribute combination matches the attribute pattern of the plurality of attribute patterns forming an expanded correlation rule set that is evaluated by a correlation logic within a classification engine to determine whether the object is malicious or non-malicious.
  - 3. The computerized method of claim 1, wherein the one or more characteristics include information pertaining to the object acquired without executing or opening the object.
  - 4. The computerized method of claim 3, where the one or more characteristics include one or metadata anomalies and formatting anomalies associated with the object.
  - 5. The computerized method of claim 1, wherein prior to analyzing the object to obtain the first plurality of analytic results, the method further comprising:
    - parsing an electronic mail (email) message including the object to extract information from a header or body of the email message, the extracted information being used, at least in part, to determine the threat index for the object.
  - 6. The computerized method of claim 1, wherein prior to analyzing the object to obtain the first plurality of analytic results, the method further comprising:
    - parsing a message including the object to extract information from a header or body of the message, the extracted information being used, at least in part, to determine the threat index for the object, the message being one or more packets being part of network traffic.
  - 7. The computerized method of claim 6, wherein the information from the header of the message comprises at least one of an hypertext transfer protocol (HTTP) request field or an HTTP response field.
  - 8. The computerized method of claim 6, wherein the information from the header of the message comprises a File Transfer Protocol (FTP) header.
  - 9. The computerized method of claim 1, wherein the conducting of the secondary analysis to determine the threat index for the object based on the combination of the one or more characteristics and the one or more monitored behaviors reduces a false-negative event that would have occurred without the analysis of a presence of both the one or more characteristics and the one or more monitored behaviors.
  - 10. The computerized method of claim 1 further comprising:
    - responsive to the threat index being less than a prescribed threshold, initializing a feedback operation by re-provisioning the virtual machine, and thereafter, processing the object within the virtual machine to determine a presence of a particular attribute of the combination of the at least one attribute of the first set of attributes and the at least one attribute of the second set of attributes that tends to have a larger influence on the classification of the object than other attributes.
  - 11. The computerized method of claim 1, wherein the conducting of the secondary analysis of the multi-type attribute combination includes conducting an analysis of a sequence of characteristics collected from each of the first set of attributes and the second set of attributes.

12. A network device comprising:
- one or more processors; and
  
  a memory communicatively coupled to the one or more processors, the memory comprisesa static analysis logic system that, when executed by the one or more processors, obtain a first set of attributes, the first set of attributes include one or more characteristics associated with the object,a dynamic analysis logic system including a virtual machine and monitoring logic being processed by the one or more processors, the virtual machine to process the object and the monitoring logic to detect a second set of attributes, the second set of attributes corresponding to one or more monitored behaviors of the virtual machine during processing of the object,a correlation logic communicatively coupled to the static analysis logic system and the dynamic analysis logic system, the correlation logic, when processed by the one or more processors, operates in accordance with a plurality of configuration rules to (i) generate a multi-type attribute combination being a combination of at least a first attribute of the first set of attributes received from the static analysis logic system and a second attribute of the second set of attributes received from the dynamic analysis logic system for detecting whether the object is malicious or non-malicious and (ii) request the dynamic analysis logic system to conduct an analysis of the object for a particular attribute in response to the particular attribute being absent from the multi-type attribute combination and present in an attribute pattern of a plurality of attributes patterns being monitored for by the correlation logic, andan object classification logic communicatively coupled to the correlation logic, the object classification logic, when processed by the one or more processors, determines a threat index representing a probability of maliciousness associated with the object based, at least in part, on a detection of the multi-type attribute combination being analyzed collectively as contextual information.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The network device of claim 12 wherein the correlation logic to determine whether the multi-type attribute combination including at least the first attribute of the first set of attributes and the second attribute of the second set of attributes matches the attribute pattern of the plurality of attribute patterns to determine whether the object is malicious or non-malicious.
  - 14. The network device of claim 13, wherein the one or more characteristics include information pertaining to the object acquired without executing or opening the object.
  - 15. The network device of claim 13, where the one or more characteristics include one or metadata anomalies and formatting anomalies associated with the object.
  - 16. The network device of claim 12, wherein prior to analyzing the object to obtain the first plurality of analytic results, the network device comprising:
    - an extraction logic to parse parsing an electronic mail (email) message including the object to extract information from a header or body of the email message, the extracted information being used, at least in part, to determine the threat index for the object.
  - 17. The network device of claim 12, wherein the correlation logic to determine the threat index for the object based on the multi-type attribute combination of the one or more characteristics and the one or more monitored behaviors thereby reducing either a false-negative event that would have occurred without the analysis of a presence of both the one or more characteristics and the one or more monitored behaviors.
  - 18. The network device of claim 12 further comprising:
    - a controller communicatively coupled to the correlation logic, the static analysis logic system and the dynamic analysis logic system, the controller, responsive to feedback signaling from the correlation logic, to re-provision the virtual machine, and thereafter, process the object within the virtual machine to determine a presence of a particular attribute of the multi-type attribute combination that tends to have a larger influence on the classification of the object than other attributes.
  - 19. The network device of claim 12 further comprising:
    - a controller communicatively coupled to the object classification logic, the static analysis logic system and the dynamic analysis logic system, the controller, responsive to feedback signaling from the object classification logic, to re-provision the virtual machine, and thereafter, process the object within the virtual machine to determine a presence of a particular attribute of the multi-type attribute combination that tends to have a larger influence on the classification of the object than other attributes.
  - 20. The network device of claim 12 being an endpoint device including a security agent, the security agent comprises the static analysis logic system, the dynamic analysis logic system, the correlation logic and the object classification logic.
  - 21. The network device of claim 12, wherein the object classification logic analyzing of the multi-type attribute combination being the combination of characteristics, from each of the first set of attributes and the second set of attributes, that collectively form a sequence of characteristics.

22. An endpoint device comprising:
- one or more processors; and
  
  a memory communicatively coupled to the one or more processors, the memory comprisesa static analysis logic system that, when processed by the one or more processors, obtains a first set of attributes, the first set of attributes include one or more characteristics associated with the object,a virtual machine to process the object upon which a second set of attributes is detected during processing of the object, the second set of attributes corresponding to one or more monitored behaviors of the virtual machine during processing of the object,a correlation logic communicatively coupled to the static analysis logic system, the correlation logic that, when processed by the one or more processors, operates in accordance with a plurality of configuration rules to generate a combination of at least a first attribute of the first set of attributes and the second set of attributes operating as an observed multi-type attribute combination and signal the virtual machine to conduct re-process the object and monitor behaviors of the object for a behavior corresponding to a particular attribute in response to the particular attribute being absent from the multi-type attribute combination and present in an attribute pattern of a plurality of attributes patterns being part of an expanded correlation rule set, andan object classification logic communicatively coupled to the correlation logic, the object classification logic that, when processed by the one or more processors, determines a threat index representing a probability of maliciousness associated with the object based, at least in part, on a detection of the observed multi-type attribute combination including the combination of at least the first attribute of the first set of attributes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Khalid, Yasir, Vashisht, Sai Omkar, Otvagin, Alexander
Primary Examiner(s)
Brown, Christopher J

Application Number

US14/986,417
Time in Patent Office

1,524 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 67/02   based on web technology, e....

H04L 67/06   specially adapted for file ...

Malware detection system with contextual analysis

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Malware detection system with contextual analysis

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links