Method to detect zero-day malware applications using dynamic behaviors

US 10,607,011 B1
Filed: 07/21/2016
Issued: 03/31/2020
Est. Priority Date: 07/21/2015
Status: Active Grant

First Claim

Patent Images

1. A method to identify and detect zero-day malware applications based on behavioural analysis comprising:

identifying different behaviour types consisting of;

file read and write operations, started services, loaded classes, sent SMS and phone calls, listing broadcast receivers, cryptography operations performed using system calls;

creating an infrastructure to intercept and catch dynamic activities of a running application in offline mode through setting up a virtual machine or a sandbox on a server and hooking predefined system calls or activities; and

distributing a dynamic behaviour signature, said signature based on dynamic features, to antivirus engines running on user'"'"'s mobile devices;

scanning and monitoring by said antivirus engines said running application for behaviours of said application once said running application is started;

said dynamic behavior signature is created on server side comprising;

gathering malware applications belonging to a same malware family from a malware repository;

running said malware applications for several times and collecting the activity occurrences in time for each run;

creating said dynamic behaviour signature; and

storing said dynamic behaviour signature in a database to be distributed to clients;

intercepting activities of said application, collecting said activities and comparing with said dynamic behaviour signatures where a comparison between said dynamic signature and actual behaviour is performed based on behaviour type and time of occurrence;

determining a similarity ratio for each said dynamic signature; and

verdicting a detection of malware for said running application if the similarity ratio is above 90% of a profile where said profile is a dynamic signature of a malware family and said profile is created offline using virtual devices and/or real devices, running modified operating systems, in order to hook application runtime behaviours comprising;

determining threshold for acceptable occurrence rate;

determining threshold for acceptable time delay;

determining threshold for probability of occurrence; and

creating by aggregation process said profile for each malware family type.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system to identify and detect zero-day malware applications based on their behavioural analysis is disclosed. A new type of signature will be created out of dynamic behaviours of the applications, by monitoring and extracting some pre-defined features of the application such as file read/write, service start, loaded classes, incoming/outgoing network data which are gathered from the application at runtime. The method incorporates two steps for performing the identification: first, the dynamic behaviour is monitored and a pattern is extracted, then the activities of the actual application running on computer desktop or mobile device are intercepted and compared with the pattern previously extracted.

18 Citations

View as Search Results

8 Claims

1. A method to identify and detect zero-day malware applications based on behavioural analysis comprising:
- identifying different behaviour types consisting of;
  
  file read and write operations, started services, loaded classes, sent SMS and phone calls, listing broadcast receivers, cryptography operations performed using system calls;
  
  creating an infrastructure to intercept and catch dynamic activities of a running application in offline mode through setting up a virtual machine or a sandbox on a server and hooking predefined system calls or activities; and
  
  distributing a dynamic behaviour signature, said signature based on dynamic features, to antivirus engines running on user'"'"'s mobile devices;
  
  scanning and monitoring by said antivirus engines said running application for behaviours of said application once said running application is started;
  
  said dynamic behavior signature is created on server side comprising;
  
  gathering malware applications belonging to a same malware family from a malware repository;
  
  running said malware applications for several times and collecting the activity occurrences in time for each run;
  
  creating said dynamic behaviour signature; and
  
  storing said dynamic behaviour signature in a database to be distributed to clients;
  
  intercepting activities of said application, collecting said activities and comparing with said dynamic behaviour signatures where a comparison between said dynamic signature and actual behaviour is performed based on behaviour type and time of occurrence;
  
  determining a similarity ratio for each said dynamic signature; and
  
  verdicting a detection of malware for said running application if the similarity ratio is above 90% of a profile where said profile is a dynamic signature of a malware family and said profile is created offline using virtual devices and/or real devices, running modified operating systems, in order to hook application runtime behaviours comprising;
  
  determining threshold for acceptable occurrence rate;
  
  determining threshold for acceptable time delay;
  
  determining threshold for probability of occurrence; and
  
  creating by aggregation process said profile for each malware family type.
- View Dependent Claims (2, 3, 4)
- - 2. The method according to claim 1, where said dynamic signature for a legitimate application downloaded from application stores is created and malicious re-packaged applications are detected comprising:
    - downloading said legitimate application from application markets and/or Internet;
      
      installing said legitimate application by said server into several of said virtual machines and/or said sandboxes, running said application for a predefined period of time and monitoring the behaviours while collecting the activity types and their respective timestamps;
      
      collecting and aggregating activity logs and generating said dynamic behaviour signature;
      
      saving said dynamic behaviour signature into a signature database of a server application;
      
      installing by user an application that presumably is re-packaged and has the same application identifier as the original application;
      
      downloading by said client device said re-packaged application from said application market;
      
      sending said application identifier to said server;
      
      checking by said server if there is said dynamic behaviour signature for the application in said signature database by sending only package information;
      
      extracting by server said dynamic behaviour signature and returning said dynamic behaviour signature to said client;
      
      monitoring by said client application the runtime behaviour of said application,extracting activities type and times from said application and performing an anomaly detection with regard to said dynamic behaviour signature, which is gathered from said server;
      
      concluding that said application contains malicious activities and is said re-packaged malware application if an anomaly is detected.
  - 3. The method according to claim 1, where said acceptable occurrence rate is selected as half of total number of runs.
  - 4. The method according to claim 1 wherein said different behaviour types further consists of incoming/outgoing network data.

5. A method to identify and detect zero-day malware applications based on behavioral analysis comprising:
- identifying a set of dynamic behavior types of an unknown application, where said set of behavior types is selected from a group consisting of;
  
  file read and write operations, started services, loaded classes, sent SMS and phone calls, listing broadcast receivers, cryptography operations performed using system calls;
  
  creating an infrastructure to intercept and catch said dynamic activities of running said unknown application in offline mode wherein said infrastructure includes of a computing device comprising a non-transitory computer readable medium storing program instruction that, when executed by a processing unit, cause the processing unit to identify said dynamic behavior signature of said unknown application by running said unknown application on said computing device;
  
  monitoring and recording said set of dynamic behaviour types in said non-transitory computer-readable medium of said computing device;
  
  aggregating said set of dynamic behaviour types by a predetermined algorithm wherein said predetermined algorithm comprises;
  
  determining a threshold for acceptable occurrences rate of said dynamic behavior types and a threshold for the occurrence count of said dynamic behavior types and a threshold for acceptable time delay between each of said set of dynamic behavior types;
  
  calculating a mean and as standard deviation of each of said thresholds;
  
  determining a threshold for probability of occurrence;
  
  creating said profile of said unknown application based on said threshold for probability of occurrence;
  
  distributing said dynamic behavior signature to said antivirus engines running on mobile device of userwhere said dynamic behavior signature is created on server side comprising;
  
  gathering malware applications belonging to a same malware family from a malware repository;
  
  running said malware applications for several times and collecting the activity occurrences in time for each run;
  
  creating said dynamic behaviour signature; and
  
  storing said dynamic behaviour signature in a database to be distributed to clients.
- View Dependent Claims (6, 7, 8)
- - 6. The method to identify and detect zero-day malware applications based on behavioral analysis according to claim 5 wherein said behavior types monitored during execution of said malware applications of the same malware family are presented as an activity map comprising:
    - collecting various samples of said malware applications belonging to the same malware family after multiple different runs of each of said sample;
      
      aggregating outputs of sample collecting and extracting common items using data mining and pattern recognition techniques;
      
      providing said activity map by said outputs aggregation which is considered as said profile of the malware family or said dynamic behaviour signature.
  - 7. The method according to claim 5, where said acceptable occurrences rate is selected as half of total number of runs.
  - 8. The method according to claim 5 wherein said set of behavior types is selected from a group consisting of:
    - file read and write operations, started services, loaded classes, sent SMS and phone calls, listing broadcast receivers, cryptography operations performed using system calls, and incoming/outgoing network data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fatih Orhan
Original Assignee
Fatih Orhan
Inventors
Orhan, Fatih
Primary Examiner(s)
Rashid, Harunur

Application Number

US15/215,793
Time in Patent Office

1,349 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

G06F 2221/2151 Time stamp

Method to detect zero-day malware applications using dynamic behaviors

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

18 Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Method to detect zero-day malware applications using dynamic behaviors

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links