Malware detection system with contextual analysis
First Claim
1. A computerized method for detecting malware associated with an object, the method comprising:
analyzing, by a static analysis logic system, an object to obtain a first set of attributes, the first set of attributes includes one or more characteristics associated with the object;
processing the object within a virtual machine associated with a dynamic analysis logic system and obtaining a second set of attributes, the second set of attributes corresponding to one or more monitored behaviors of the virtual machine during processing of the object;
conducting a secondary analysis to determine a threat index for the object based, at least in part, on an analysis of a multi-type attribute combination being a combination of at least one attribute of the first set of attributes received from the static analysis logic system and at least one attribute of the second set of attributes received from the dynamic analysis logic system, wherein the multi-type attribute combination being analyzed collectively as contextual information and the threat index representing a probability of maliciousness associated with the object; and
conducting an analysis of the object for a particular attribute in response to the particular attribute being absent from the multi-type attribute combination and present in an attribute pattern of a plurality of attributes patterns being used to identify whether the object is malicious or non-malicious.
Abstract
A computerized method for detecting malware associated with an object. The method includes operations of analyzing an object to obtain a first set of attributes, where the first set of attributes include one or more characteristics associated with the object. Furthermore, the object is processed with a virtual machine to obtain a second set of attributes. The second set of attributes corresponds to one or more monitored behaviors of the virtual machine during processing of the object. Thereafter, a threat index is determined based, at least in part, on a combination of at least one attribute of the first set of attributes and at least one attribute of the second set of attributes. The threat index represents a probability of maliciousness associated with the object.
22 Claims
12. A network device comprising:
one or more processors; and
a memory communicatively coupled to the one or more processors, the memory comprises
a static analysis logic system that, when executed by the one or more processors, obtain a first set of attributes, the first set of attributes include one or more characteristics associated with the object,
a dynamic analysis logic system including a virtual machine and monitoring logic being processed by the one or more processors, the virtual machine to process the object and the monitoring logic to detect a second set of attributes, the second set of attributes corresponding to one or more monitored behaviors of the virtual machine during processing of the object,
a correlation logic communicatively coupled to the static analysis logic system and the dynamic analysis logic system, the correlation logic, when processed by the one or more processors, operates in accordance with a plurality of configuration rules to (i) generate a multi-type attribute combination being a combination of at least a first attribute of the first set of attributes received from the static analysis logic system and a second attribute of the second set of attributes received from the dynamic analysis logic system for detecting whether the object is malicious or non-malicious and (ii) request the dynamic analysis logic system to conduct an analysis of the object for a particular attribute in response to the particular attribute being absent from the multi-type attribute combination and present in an attribute pattern of a plurality of attributes patterns being monitored for by the correlation logic, and
an object classification logic communicatively coupled to the correlation logic, the object classification logic, when processed by the one or more processors, determines a threat index representing a probability of maliciousness associated with the object based, at least in part, on a detection of the multi-type attribute combination being analyzed collectively as contextual information.
-
-
22. An endpoint device comprising:
one or more processors; and
a memory communicatively coupled to the one or more processors, the memory comprises
a static analysis logic system that, when processed by the one or more processors, obtains a first set of attributes, the first set of attributes include one or more characteristics associated with the object,
a virtual machine to process the object upon which a second set of attributes is detected during processing of the object, the second set of attributes corresponding to one or more monitored behaviors of the virtual machine during processing of the object,
a correlation logic communicatively coupled to the static analysis logic system, the correlation logic that, when processed by the one or more processors, operates in accordance with a plurality of configuration rules to generate a combination of at least a first attribute of the first set of attributes and the second set of attributes operating as an observed multi-type attribute combination and signal the virtual machine to conduct re-process the object and monitor behaviors of the object for a behavior corresponding to a particular attribute in response to the particular attribute being absent from the multi-type attribute combination and present in an attribute pattern of a plurality of attributes patterns being part of an expanded correlation rule set, and
an object classification logic communicatively coupled to the correlation logic, the object classification logic that, when processed by the one or more processors, determines a threat index representing a probability of maliciousness associated with the object based, at least in part, on a detection of the observed multi-type attribute combination including the combination of at least the first attribute of the first set of attributes.
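The correlation step that the abstract and claims 1, 12 and 22 describe, as an added Python sketch that is not the patent's code: static-analysis attributes and VM-observed behaviours are matched against configured attribute patterns, fully matched multi-type patterns raise the threat index, and behaviours absent from the observed combination but present in a partially matched pattern are queued for a targeted re-run in the virtual machine. Pattern names, attribute names, weights and the noisy-OR scoring are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AttributePattern:
    """One configuration rule: a multi-type attribute combination the correlator looks for."""
    name: str
    static: frozenset    # characteristics expected from static analysis
    dynamic: frozenset   # behaviours expected from monitoring the virtual machine
    weight: float        # assumed probability of maliciousness when the pattern fully matches


# Constructed rule set; attribute names and weights are illustrative, not the patent's.
PATTERNS = (
    AttributePattern("packed_dropper", frozenset({"packed", "no_signature"}),
                     frozenset({"writes_executable", "spawns_process"}), 0.7),
    AttributePattern("macro_beacon", frozenset({"has_macro"}),
                     frozenset({"outbound_dns", "persistence_key"}), 0.6),
)


def correlate(static_attrs, dynamic_attrs, patterns=PATTERNS):
    """Return (threat_index, fully_matched_pattern_names, behaviours_to_request).

    threat_index combines fully matched patterns by noisy-OR (an assumed scoring
    function, not the patent's). behaviours_to_request are dynamic attributes absent
    from the observed combination but present in a pattern that is already partially
    matched; the claims hand these back to the VM for a targeted second run.
    """
    static_attrs, dynamic_attrs = frozenset(static_attrs), frozenset(dynamic_attrs)
    observed = static_attrs | dynamic_attrs
    p_benign, matched, to_request = 1.0, [], set()
    for pat in patterns:
        required = pat.static | pat.dynamic
        if required <= observed:
            matched.append(pat.name)
            p_benign *= 1.0 - pat.weight
        elif required & observed:
            # partial match: ask the dynamic analysis system for behaviours not yet seen
            to_request |= pat.dynamic - dynamic_attrs
    return round(1.0 - p_benign, 3), matched, to_request


def reprocess(static_attrs, dynamic_attrs, second_run_attrs):
    """Merge behaviours observed in the targeted VM re-run and correlate again."""
    return correlate(static_attrs, set(dynamic_attrs) | set(second_run_attrs))


if __name__ == "__main__":
    static, dynamic = {"packed", "no_signature", "has_macro"}, {"writes_executable", "outbound_dns"}
    print("first pass:", correlate(static, dynamic))
    print("after re-run:", reprocess(static, dynamic, {"spawns_process"}))
```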