Enhanced malware detection for generated objects

US 10,581,879 B1
Filed: 06/19/2017
Issued: 03/03/2020
Est. Priority Date: 12/22/2016
Status: Active Grant

First Claim

Patent Images

1. A system to detect malware generated by an object, the system comprising:

a storage device;

one or more processors communicatively coupled to the storage device, the one or more processors configured to execute dynamic analysis logic, an Abstract Syntax Tree (AST) generator, a correlation engine, a classification engine and a reporting engine, whereinthe dynamic analysis logic, stored in the storage device and configured with a monitoring logic, to process the object and identify features associated with the processing of the object, detect an object generated during the processing of the object, and provide the generated object to the AST generator and the correlation engine;

the AST generator, stored in the storage device, being configured to receive the generated object, generate an AST representation of the generated object and remove one or more parameters from the AST representation prior to providing the AST representation to the correlation engine;

the correlation engine, stored in the storage device, being configured to (i) receive the features generated during the processing of the object by the dynamic analysis logic and the AST representation and (ii) perform a correlation of at least the AST representation with a labeled set of one or more ASTs associated with known malicious objects, to generate a likelihood of maliciousness;

the classification engine, stored in the storage device, being configured to receive from the correlation engine the likelihood of maliciousness associated with the generated object and the AST representation, and classifying the object as malicious in response to the correlation; and

the reporting engine being configured to generate and issue alerts in response to the object being classified as malicious by the classification engine.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized method to identify malicious code generated by seemingly benign objects is described. The generated malware detection system described identifies generated objects (code) and analyzes each generated object to collect features which may be associated with maliciousness. The analysis may determine if an Abstract Syntax Tree (AST) representation of the generated object is correlated with known malware ASTs. Correlation of the features identified during processing of the generated objects, including the sequences of generated object, may be used in classifying the object as malicious. The malware detection system may communicate with the one or more endpoint devices to influence detection and reporting of behaviors and malware by those device(s).

Citations

22 Claims

1. A system to detect malware generated by an object, the system comprising:
- a storage device;
  
  one or more processors communicatively coupled to the storage device, the one or more processors configured to execute dynamic analysis logic, an Abstract Syntax Tree (AST) generator, a correlation engine, a classification engine and a reporting engine, whereinthe dynamic analysis logic, stored in the storage device and configured with a monitoring logic, to process the object and identify features associated with the processing of the object, detect an object generated during the processing of the object, and provide the generated object to the AST generator and the correlation engine;
  
  the AST generator, stored in the storage device, being configured to receive the generated object, generate an AST representation of the generated object and remove one or more parameters from the AST representation prior to providing the AST representation to the correlation engine;
  
  the correlation engine, stored in the storage device, being configured to (i) receive the features generated during the processing of the object by the dynamic analysis logic and the AST representation and (ii) perform a correlation of at least the AST representation with a labeled set of one or more ASTs associated with known malicious objects, to generate a likelihood of maliciousness;
  
  the classification engine, stored in the storage device, being configured to receive from the correlation engine the likelihood of maliciousness associated with the generated object and the AST representation, and classifying the object as malicious in response to the correlation; and
  
  the reporting engine being configured to generate and issue alerts in response to the object being classified as malicious by the classification engine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1, wherein the monitoring logic detects creation of the generated object by identifying the use of a virtual machine resource to generate the generated object.
  - 3. The system of claim 1, wherein the AST generator comprises a compiler.
  - 4. The system of claim 1, wherein the dynamic analysis logic includes one or more virtual machines configured to process the object to determine if one or more generated objects are created during processing.
  - 5. The system of claim 4, wherein the correlation engine correlates a sequence comprising the object and one or more generated objects with a likelihood of maliciousness associated with the sequence and provides the likelihood of maliciousness to the classification engine, wherein the sequence indicated by a sequence identifier being part of metadata associated with the object or a generated object of the one or more generated objects.
  - 6. The system of claim 5, wherein the sequence identifier is a timestamp associated with the generation of each generated object.
  - 7. The system of claim 5, wherein the sequence identifier is a timestamp associated with the beginning of processing of each generated object.
  - 8. The system of claim 1, further comprising reporting of the classification of the object via a communication interface, by issuing an alert associated with the object.
  - 9. The system of claim 1, further comprising:
    - the features associated with the processing of the object are received by the correlation engine, the features extracted by an event database and logic from events monitored by the monitoring logic;
      
      the correlation engine combining the features received from the event database and logic with features associated with the AST representation to generate a further correlation with maliciousness; and
      
      the further correlation with maliciousness provided to the classification engine.
  - 10. The system of claim 1, wherein a scheduler terminates further processing by the virtual machine when processing time exceeds a specified duration.
  - 11. The system of claim 10, wherein the scheduler modifies the specified duration for processing by the virtual machine in response to the generation of the generated object.
  - 12. The system of claim 1, wherein the correlation engine determines a likelihood of maliciousness for the AST representation of each generated object in response to a similarity analysis, including (i) performing a fuzzy hash to generate a hash list, and (ii) applying one or more similarity checks to one or more entries in the hash list.
  - 13. The system of claim 5, wherein the correlation engine determines a likelihood of maliciousness for the sequence of AST representations of the generated object in response to a similarity analysis, including (i) performing a fuzzy hash to generate a hash list, and (ii) applying one or more similarity checks to one or more entries in the hash list.
  - 14. The system of claim 1, wherein the dynamic analysis logic is configured to process and monitor the behavior of objects using one or more virtual machines configured with the monitoring logic.
  - 15. The system of claim 1, wherein the AST generator is configured to extract AST features from the AST representation of the generated object and provide the extract AST features to the correlation engine.

16. A computerized method for detecting a generated malware cyber-attack, the method comprising:
- monitoring the processing of a first object in a virtual machine of a malware detection system; and
  
  responsive to detecting a second object generated during processing of the first object by an application operating within the virtual machine, where the second object is different than the first object,providing the generated second object to an Abstract Syntax Tree (AST) generator;
  
  generating an AST representation by the AST generator for the received generated second object and providing the AST representation to a correlation engine;
  
  determining correlation results, by the correlation engine, based at least in part on the received AST representation and providing the correlation results to a classification engine; and
  
  classifying, by the classification engine, the first object as malicious in response to the received correlation results exceeding a maliciousness threshold.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The method of claim 16, wherein the correlation of the AST representation includes performing a similarity analysis on at least a portion of the received AST representation with respect to a set of one or more AST representations of known malicious objects to generate a similarity score indicating whether the first object is associated with malware.
  - 18. The method of claim 17, wherein the correlation of the AST representation is performed on a sequence of AST representations associated with the generated second objects created during processing of the first object in the virtual machine.
  - 19. The method of claim 16, wherein the processing time for the first object in the virtual machine is limited by a scheduler.
  - 20. The method of claim 16, wherein responsive to detecting the generation of the generated second object in the virtual machine, the processing time is modified by the scheduler.
  - 21. The method of claim 16, further comprising generating a report related to the maliciousness of the first object and issuing an alert by the reporting engine in response to a classification by the classification engine.
  - 22. The method of claim 16, further comprising the correlation engine:
    - extracting features of the generated second object;
      
      generating a correlation with maliciousness of the extracted features by the correlation engine; and
      
      providing the correlation associated with the extracted features to the classification engine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Paithane, Sushant, Vashisht, Sai Omkar
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Almaghayreh, Khalid M

Application Number

US15/627,270
Time in Patent Office

988 Days
Field of Search

719315-316, 718 1, 726 22- 25
US Class Current
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 9/45533   Hypervisors; Virtual machin...

H04L 63/1416   Event detection, e.g. attac...

Enhanced malware detection for generated objects

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Enhanced malware detection for generated objects

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links