Multistage system and method for analyzing obfuscated content for malware
First Claim
1. A system for detecting malicious content, comprising:
a hardware storage device;
a first component stored within the hardware storage device, the first component to receive content and determine whether native code of the content is accessible;
a de-constructor stored within the hardware storage device, the de-constructor to receive the content from the first component in response to the native code being inaccessible to the first component, the de-constructor to select an analysis technique that implements a de-compiler to access the native code and output a deconstructed representation of the received content; and
a post-processor stored within the hardware storage device, the post-processor to receive the deconstructed representation of the received content from the de-constructor, determine whether the native code represented by the deconstructed representation of the received content is suspicious thereby indicating that at least a portion of the native code includes attributes associated with malware, establish a secure communication with a cloud computing service when the native code is determined to be suspicious or remove the native code from further analysis when the native code is determined to be non-suspicious, and provide at least the suspicious native code to the cloud computing service to perform a dynamic analysis of the native code by processing the native code within one or more virtual machines configured with a software profile suitable for the processing of the native code and analysis of an observed behavior of the one or more virtual machines.
Abstract
A malware detection system configured to detect suspiciousness in obfuscated content. A multi-stage static detection logic is utilized to detect obfuscation, make the obfuscated content accessible, identify suspiciousness in the accessible content and filter non-suspicious, non-obfuscated content from further analysis. The multi-stage static detection logic includes a controller, a de-constructor, and a post-processor. The controller is configured to receive content, while the de-constructor is configured to receive content from the controller and deconstruct the content using the analysis technique selected by the controller. The post-processor is configured to receive the de-constructed content from the de-constructor, determine whether a specimen within the de-constructed content is suspicious, and remove non-suspicious content from further analysis.
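The three-stage flow the abstract describes (a controller that checks whether native code is accessible, a de-constructor that selects a technique to recover it, and a post-processor that flags suspicious specimens for behavioral analysis and drops the rest), as an added Python example that is not the patent's or its assignee's code. The two obfuscation wrappers it knows how to peel (a base64 decoder call and a hex prefix), the indicator list, and all sample inputs are constructed for illustration; routing content whose native code could not be recovered to dynamic analysis rather than filtering it out is a design assumption of this example, not something the claims specify.

```python
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass

# Hypothetical post-processor indicators (label, pattern); constructed for
# this example, not taken from the patent.
SUSPICIOUS_PATTERNS = [
    ("eval", re.compile(rb"\beval\s*\(")),
    ("unescape", re.compile(rb"\bunescape\s*\(")),
    ("document.write", re.compile(rb"document\.write\s*\(")),
    ("ActiveXObject", re.compile(rb"\bActiveXObject\b")),
    ("powershell-encoded", re.compile(rb"powershell[^\n]*-enc", re.IGNORECASE)),
]

# Obfuscation wrappers the de-constructor can undo (constructed shapes).
_B64_WRAPPER = re.compile(rb"^\s*(?:atob|base64decode)\(['\"]([A-Za-z0-9+/=]+)['\"]\)\s*;?\s*$")
_HEX_WRAPPER = re.compile(rb"^\s*hex:([0-9A-Fa-f]+)\s*$")


@dataclass
class Verdict:
    route: str              # "dynamic_analysis" or "filtered_out"
    techniques: list[str]   # de-obfuscation techniques applied, in order
    indicators: list[str]   # post-processor indicators that fired
    native_code: bytes      # the deconstructed representation that was scanned


def native_code_accessible(content: bytes) -> bool:
    """Stage 1 (controller): native code counts as accessible when the content is
    readable UTF-8 text and is not wrapped in a decoder call we recognise."""
    try:
        content.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return not (_B64_WRAPPER.match(content) or _HEX_WRAPPER.match(content))


def deconstruct(content: bytes, max_rounds: int = 4) -> tuple[bytes, list[str]]:
    """Stage 2 (de-constructor): select a technique per wrapper layer and peel
    layers until native code is reachable, no technique applies, or the round
    limit is hit (bounds work on deeply nested or malformed wrappers)."""
    techniques: list[str] = []
    current = content
    for _ in range(max_rounds):
        m = _B64_WRAPPER.match(current)
        if m:
            try:
                current = base64.b64decode(m.group(1), validate=True)
            except binascii.Error:
                break                      # malformed payload: stop, keep what we have
            techniques.append("base64")
            continue
        m = _HEX_WRAPPER.match(current)
        if m:
            try:
                current = bytes.fromhex(m.group(1).decode())
            except ValueError:
                break
            techniques.append("hex")
            continue
        break                              # no known wrapper left
    return current, techniques


def post_process(native_code: bytes) -> list[str]:
    """Stage 3 (post-processor): return the labels of indicators present."""
    return [label for label, pat in SUSPICIOUS_PATTERNS if pat.search(native_code)]


def analyze(content: bytes) -> Verdict:
    """Run the three stages and decide whether the specimen proceeds to
    dynamic analysis or is removed from further analysis."""
    if native_code_accessible(content):
        native, techniques = content, []
    else:
        native, techniques = deconstruct(content)
    if not native_code_accessible(native):
        # Assumption of this example: opaque content is never silently dropped.
        return Verdict("dynamic_analysis", techniques, ["native code not recoverable"], native)
    indicators = post_process(native)
    route = "dynamic_analysis" if indicators else "filtered_out"
    return Verdict(route, techniques, indicators, native)


# Constructed sample inputs (not real malware): a plain benign script, a benign
# script behind one wrapper, a suspicious script behind one and two wrappers,
# and a blob that no technique can open.
_INNER = b"eval(unescape('%61%6c%65%72%74%28%31%29'))"
_ONE_LAYER = b"atob('" + base64.b64encode(_INNER) + b"')"
SAMPLES = {
    "benign_plain": b"function greet(n){ return 'hello ' + n; }",
    "benign_wrapped": b"atob('" + base64.b64encode(b"var x = 1 + 2;") + b"')",
    "suspicious_wrapped": _ONE_LAYER,
    "suspicious_nested": b"hex:" + _ONE_LAYER.hex().encode(),
    "opaque_blob": bytes([0x00, 0xFF, 0xFE, 0x80]),
}


def run_samples() -> dict[str, Verdict]:
    return {name: analyze(content) for name, content in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20s} {verdict.route:17s} via {verdict.techniques} {verdict.indicators}")
```

Only the specimens that reach `dynamic_analysis` would be handed to the sandbox stage the claims describe; the benign samples, wrapped or not, are filtered out once their native code is readable and no indicator fires.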
20 Claims
1. A system for detecting malicious content, comprising: (reproduced in full above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system for detecting malicious content, comprising:
one or more processors; a communication interface communicatively coupled to the one or more processors; and a persistent hardware storage communicatively coupled to the one or more processors, the persistent hardware storage storing a controller to receive content via the communication interface and determine whether native code associated with the received content is accessible, a deconstruction engine to receive as input the received content from the controller, select an analysis technique that includes selection of a logic component to access the native code being inaccessible by the controller by at least deconstructing the received content according to the analysis technique selected by the controller to produce de-constructed content using the logic component, wherein the de-constructed content includes native code of the received content, and a post-processor to receive the de-constructed content from the deconstruction engine, determine whether a specimen associated with the received de-constructed content is suspicious based on an analysis of the received de-constructed content, remove non-suspicious content within the received de-constructed content from further analysis, and provide the suspicious content of the received de-constructed content for behavioral analysis of the suspicious content. Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16, 17.
18. A non-transitory computer readable medium including software that, upon execution by a hardware processor, performs operations to detect whether received content is malicious, the software comprising:
a first module that, upon execution by the hardware processor, is configured to receive content via the communication interface and determine whether native code associated with the received content is accessible; a deconstruction engine that, upon execution by the hardware processor, selects an analysis technique that includes selection of a logic component to recover de-obfuscated content in response to the native code being inaccessible by the first component by at least deconstructing the received content according to the analysis technique selected by the first module to produce the de-constructed content using the logic component; and a post-processor that, upon execution by the hardware processor, determines whether a specimen associated with the de-constructed content is suspicious based on an analysis of the de-constructed content, removes non-suspicious content within the de-constructed content from further analysis, and provides the suspicious content of the de-constructed content for behavioral analysis. Dependent claims: 19, 20.