Method to detect zero-day malware applications using dynamic behaviors
First Claim
1. A method to identify and detect zero-day malware applications based on behavioural analysis comprising:
- identifying different behaviour types consisting of:
file read and write operations, started services, loaded classes, sent SMS and phone calls, listing broadcast receivers, cryptography operations performed using system calls;
creating an infrastructure to intercept and catch dynamic activities of a running application in offline mode through setting up a virtual machine or a sandbox on a server and hooking predefined system calls or activities; and
distributing a dynamic behaviour signature, said signature based on dynamic features, to antivirus engines running on user's mobile devices;
scanning and monitoring by said antivirus engines said running application for behaviours of said application once said running application is started;
said dynamic behaviour signature is created on server side comprising:
gathering malware applications belonging to a same malware family from a malware repository;
running said malware applications several times and collecting the activity occurrences in time for each run;
creating said dynamic behaviour signature; and
storing said dynamic behaviour signature in a database to be distributed to clients;
intercepting activities of said application, collecting said activities and comparing with said dynamic behaviour signatures, where a comparison between said dynamic signature and actual behaviour is performed based on behaviour type and time of occurrence;
determining a similarity ratio for each said dynamic signature; and
verdicting a detection of malware for said running application if the similarity ratio is above 90% of a profile, where said profile is a dynamic signature of a malware family and said profile is created offline using virtual devices and/or real devices, running modified operating systems, in order to hook application runtime behaviours, comprising:
determining a threshold for acceptable occurrence rate;
determining a threshold for acceptable time delay;
determining a threshold for probability of occurrence; and
creating by an aggregation process said profile for each malware family type.
Abstract
A method and system to identify and detect zero-day malware applications based on their behavioural analysis is disclosed. A new type of signature is created out of the dynamic behaviours of applications, by monitoring and extracting pre-defined features of the application, such as file read/write, service start, loaded classes and incoming/outgoing network data, which are gathered from the application at runtime. The method incorporates two steps for performing the identification: first, the dynamic behaviour is monitored and a pattern is extracted; then the activities of the actual application running on a desktop computer or mobile device are intercepted and compared with the previously extracted pattern.
8 Claims
5. A method to identify and detect zero-day malware applications based on behavioral analysis comprising:
identifying a set of dynamic behavior types of an unknown application, where said set of behavior types is selected from a group consisting of: file read and write operations, started services, loaded classes, sent SMS and phone calls, listing broadcast receivers, cryptography operations performed using system calls;
creating an infrastructure to intercept and catch said dynamic activities of running said unknown application in offline mode, wherein said infrastructure includes a computing device comprising a non-transitory computer readable medium storing program instructions that, when executed by a processing unit, cause the processing unit to identify said dynamic behavior signature of said unknown application by running said unknown application on said computing device;
monitoring and recording said set of dynamic behaviour types in said non-transitory computer-readable medium of said computing device;
aggregating said set of dynamic behaviour types by a predetermined algorithm, wherein said predetermined algorithm comprises:
determining a threshold for acceptable occurrence rate of said dynamic behavior types, a threshold for the occurrence count of said dynamic behavior types, and a threshold for acceptable time delay between each of said set of dynamic behavior types;
calculating a mean and a standard deviation for each of said thresholds;
determining a threshold for probability of occurrence;
creating said profile of said unknown application based on said threshold for probability of occurrence;
distributing said dynamic behavior signature to said antivirus engines running on the mobile device of the user, where said dynamic behavior signature is created on server side comprising:
gathering malware applications belonging to a same malware family from a malware repository;
running said malware applications several times and collecting the activity occurrences in time for each run;
creating said dynamic behaviour signature; and
storing said dynamic behaviour signature in a database to be distributed to clients.
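Claims 1 and 5 together describe one procedure: run a family's samples several times in a sandbox, record per-type occurrence counts and times, aggregate them with a mean and standard deviation into acceptable bands plus a probability-of-occurrence filter, then compare a running application's trace against that profile by behaviour type and time of occurrence and flag it when the similarity ratio exceeds 90%. The Python below is an added example written for this page, not the patent's or any vendor's code. The three family traces and the three device traces are constructed by hand; the first-occurrence-from-start timing model, the 2-sigma bands, the 0.5 probability cutoff, the probability-weighted similarity ratio and all field names are assumptions made here, since the claims name the thresholds but not their values.

```python
"""Added example: family behaviour profile from sandbox runs + runtime scoring.
Traces, band widths, cutoffs and field names are assumptions, not the patent's."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Behaviour types enumerated in claims 1 and 5.
BEHAVIOUR_TYPES = ("file_rw", "service_start", "load_class", "send_sms",
                   "phone_call", "list_receivers", "crypto_syscall")

# Constructed traces: three sandbox runs of samples from one malware family.
# Each event is (seconds since app start, behaviour type).
FAMILY_RUNS = [
    [(0.5, "load_class"), (1.0, "list_receivers"), (2.0, "file_rw"),
     (2.5, "file_rw"), (4.0, "crypto_syscall"), (6.0, "send_sms")],
    [(0.6, "load_class"), (1.2, "list_receivers"), (2.2, "file_rw"),
     (2.8, "file_rw"), (3.0, "file_rw"), (4.5, "crypto_syscall"), (6.5, "send_sms")],
    [(0.4, "load_class"), (0.9, "list_receivers"), (1.8, "file_rw"),
     (2.4, "file_rw"), (3.8, "crypto_syscall"), (5.8, "send_sms"), (7.0, "phone_call")],
]


def summarize_run(trace):
    """Per behaviour type: occurrence count and time of first occurrence."""
    counts = Counter(btype for _, btype in trace)
    first_seen = {}
    for t, btype in sorted(trace):
        first_seen.setdefault(btype, t)
    return counts, first_seen


def build_profile(runs, min_probability=0.5, k=2.0):
    """Aggregate runs of one family into a profile (the 'dynamic signature').
    Per type: probability = share of runs containing it; count and time-of-
    occurrence bands = mean +/- k * population std-dev (assumed thresholds).
    Types seen in fewer than min_probability of the runs are dropped."""
    counts_by_type, first_by_type = defaultdict(list), defaultdict(list)
    for trace in runs:
        counts, first_seen = summarize_run(trace)
        for btype, n in counts.items():
            counts_by_type[btype].append(n)
            first_by_type[btype].append(first_seen[btype])
    profile = {}
    for btype in BEHAVIOUR_TYPES:
        probability = len(counts_by_type[btype]) / len(runs)
        if probability < min_probability:
            continue
        c, t = counts_by_type[btype], first_by_type[btype]
        c_mean, c_sd, t_mean, t_sd = mean(c), pstdev(c), mean(t), pstdev(t)
        profile[btype] = {
            "probability": probability,
            "count_min": max(1.0, c_mean - k * c_sd), "count_max": c_mean + k * c_sd,
            "time_min": max(0.0, t_mean - k * t_sd), "time_max": t_mean + k * t_sd,
        }
    return profile


def similarity(profile, trace):
    """Similarity ratio in [0, 1]: probability-weighted share of profile entries
    the trace matches on behaviour type, occurrence count and time of occurrence."""
    counts, first_seen = summarize_run(trace)
    total = sum(e["probability"] for e in profile.values())
    if total == 0:
        return 0.0
    matched = 0.0
    for btype, e in profile.items():
        n = counts.get(btype, 0)
        if n and e["count_min"] <= n <= e["count_max"] \
                and e["time_min"] <= first_seen[btype] <= e["time_max"]:
            matched += e["probability"]
    return matched / total


def verdict(profile, trace, threshold=0.90):
    """Malware verdict when the similarity ratio is above the threshold (claim 1: 90%)."""
    return similarity(profile, trace) > threshold


# Constructed device-side traces captured by the antivirus engine at app start.
UNKNOWN_SAME_FAMILY = [(0.55, "load_class"), (1.1, "list_receivers"), (2.1, "file_rw"),
                       (2.6, "file_rw"), (4.2, "crypto_syscall"), (6.2, "send_sms")]
BENIGN_FILE_APP = [(0.5, "load_class"), (1.0, "list_receivers"),
                   (2.0, "file_rw"), (10.0, "file_rw")]
# Same behaviours as the family, but every event lands 3 s later than profiled.
DELAYED_VARIANT = [(t + 3.0, b) for t, b in UNKNOWN_SAME_FAMILY]

if __name__ == "__main__":
    prof = build_profile(FAMILY_RUNS)
    for name, trace in [("same family", UNKNOWN_SAME_FAMILY), ("benign", BENIGN_FILE_APP),
                        ("delayed variant", DELAYED_VARIANT)]:
        print(f"{name:16} similarity={similarity(prof, trace):.2f} malware={verdict(prof, trace)}")
```

Two points worth noting from the output. The phone call seen in only one of three runs falls below the probability cutoff and is left out of the profile, so its absence on a device never lowers the ratio; that is the role of the "threshold for probability of occurrence" in the claims. The delayed variant scores 0 although it performs exactly the profiled behaviours, because matching on absolute time since start is brittle: a profile built on an emulator and applied on slower real hardware, or a sample that sleeps before acting, drifts out of every window. The time delays between successive behaviour types that claim 5 names (differences between first-occurrence times) are much less sensitive to such drift and can be put through the same mean-and-deviation band test in place of the absolute times used here.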