Multistage system and method for analyzing obfuscated content for malware

US 10,657,251 B1
Filed: 06/26/2017
Issued: 05/19/2020
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. A system for detecting malicious content, comprising:

a hardware storage device;

a first component stored within the hardware storage device, the first component to receive content and determine whether native code of the content is accessible;

a de-constructor stored within the hardware storage device, the de-constructor to receive the content from the first component in response to the native code being inaccessible to the first component, the de-constructor to select an analysis technique that implements a de-compiler to access the native code and output a deconstructed representation of the received content; and

a post-processor stored within the hardware storage device, the post-processor to receive the deconstructed representation of the received content from the de-constructor, determine whether the native code represented by the deconstructed representation of the received content is suspicious thereby indicating that at least a portion of the native code includes attributes associated with malware, establish a secure communication with a cloud computing service when the native code is determined to be suspicious or remove the native code from further analysis when the native code is determined to be non-suspicious, and provide at least the suspicious native code to the cloud computing service to perform a dynamic analysis of the native code by processing the native code within one or more virtual machines configured with a software profile suitable for the processing of the native code and analysis of an observed behavior of the one or more virtual machines.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A malware detection system configured to detect suspiciousness in obfuscated content. A multi-stage static detection logic is utilized to detect obfuscation, make the obfuscated content accessible, identify suspiciousness in the accessible content and filter non-suspicious non-obfuscated content from further analysis. The multi-stage static detection logic includes a controller, a de-constructor, and a post-processor. The controller is configured to receive content while the de-constructor configured to receive content from the controller and deconstruct the content using the analysis technique selected by the controller. The post-processor is configured to receive the de-constructed content from the de-constructor, determine whether a specimen within the de-constructed content is suspicious, and remove non-suspicious content from further analysis.

Citations

20 Claims

1. A system for detecting malicious content, comprising:
- a hardware storage device;
  
  a first component stored within the hardware storage device, the first component to receive content and determine whether native code of the content is accessible;
  
  a de-constructor stored within the hardware storage device, the de-constructor to receive the content from the first component in response to the native code being inaccessible to the first component, the de-constructor to select an analysis technique that implements a de-compiler to access the native code and output a deconstructed representation of the received content; and
  
  a post-processor stored within the hardware storage device, the post-processor to receive the deconstructed representation of the received content from the de-constructor, determine whether the native code represented by the deconstructed representation of the received content is suspicious thereby indicating that at least a portion of the native code includes attributes associated with malware, establish a secure communication with a cloud computing service when the native code is determined to be suspicious or remove the native code from further analysis when the native code is determined to be non-suspicious, and provide at least the suspicious native code to the cloud computing service to perform a dynamic analysis of the native code by processing the native code within one or more virtual machines configured with a software profile suitable for the processing of the native code and analysis of an observed behavior of the one or more virtual machines.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the first component being a controller configured to select the analysis technique when the controller cannot access the native code associated with the received content.
  - 3. The system of claim 2, wherein the controller selects the analysis technique from a plurality of analysis techniques, including the de-compiler, when the controller cannot access the native code associated with the received content.
  - 4. The system of claim 1, wherein the post-processor determines suspiciousness of the received content by establishing a correlation with a set of indicators of suspiciousness and the dynamic analysis of the native code is conducted by processing the native code within the one or more virtual machines and the analysis of one or more observed behaviors of the one or more virtual machines or the native code.
  - 5. The system of claim 2, wherein the controller, the de-constructor and the post-processor are performed by the cloud computing service to receive the content over a network.
  - 6. The system of claim 2, wherein the controller selects the analysis technique based on the file type.
  - 7. The system of claim 4, wherein the set of indicators includes known malware characteristics including a number or size of decompiled files.

8. A system for detecting malicious content, comprising:
- one or more processors;
  
  a communication interface communicatively coupled to the one or more processors; and
  
  a persistent hardware storage communicatively coupled to the one or more processors, the persistent hardware storage storinga controller to receive content via the communication interface and determine whether native code associated with the received content is accessible,a deconstruction engine to receive as input the received content from the controller, select an analysis technique that includes selection of a logic component to access the native code being inaccessible by the controller by at least deconstructing the received content according to the analysis technique selected by the controller to produce de-constructed content using the logic component, wherein the de-constructed content includes native code of the received content, anda post-processor to receive the de-constructed content from the deconstruction engine, determine whether a specimen associated with the received de-constructed content is suspicious based on an analysis of the received de-constructed content, remove non-suspicious content within the received de-constructed content from further analysis, and provide the suspicious content of the received de-constructed content for behavioral analysis of the suspicious content.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 9. The system of claim 8, wherein the logic component includes a de-compiler when the controller cannot access the native code of the received content.
  - 10. The system of claim 8, wherein the logic component comprises an emulator, and the controller selects the analysis technique that uses the emulator when the controller determines that received content is obfuscated.
  - 11. The system of claim 8, wherein the controller selects the analysis technique based on a file type of the received content.
  - 12. The system of claim 8, wherein the post-processor of the persistent hardware storage determines a level suspiciousness of the de-constructed content by establishing a correlation with a set of indicators of suspiciousness.
  - 13. The system of claim 8, wherein the deconstruction engine is configured to receive the content in response to the controller being unable to access native code of the content.
  - 14. The system of claim 8, wherein the post-processor determines whether the specimen is suspicious based on the analysis of the received de-constructed content by at least comparing the received de-constructed content with known malware characteristics.
  - 15. The system of claim 8, wherein the controller, the deconstruction engine and the post-processor are performed by a cloud computing service receiving the content over a network.
  - 16. The system of claim 8, wherein the post-processor of the persistent hardware storage provides the suspicious content of the received de-constructed content to a dynamic analyzer deployed as part of a cloud computing service.
  - 17. The system of claim 16, wherein the post-processor of the persistent hardware storage provides the suspicious content to the dynamic analyzer that includes one or more virtual machines configured with a software profile suitable for the processing of the native code.

18. A non-transitory computer readable medium including software that, upon execution by a hardware processor, performs operations to detect whether received content is malicious, the software comprising:
- a first module that, upon execution by the hardware processor, is configured to receive content via the communication interface and determine whether native code associated with the received content is accessible;
  
  a deconstruction engine that, upon execution by the hardware processor, select an analysis technique that includes selection of a logic component to recover de-obfuscated content in response to the native code being inaccessible by the first component by at least deconstructing the received content according to the analysis technique selected by the first module to produce the de-constructed content using the logic component; and
  
  a post-processor that, upon execution by the hardware processor, determines whether a specimen associated with the de-constructed content is suspicious based on an analysis of the de-constructed content, remove non-suspicious content within the de-constructed content from further analysis, and provide the suspicious content of the de-constructed content for behavioral analysis.
- View Dependent Claims (19, 20)
- - 19. The non-transitory computer readable medium of claim 18, wherein the logic component includes one of a de-compiler or an emulator.
  - 20. The non-transitory computer readable medium of claim 19, wherein the first module selects the analysis technique that includes the de-compiler when the first module cannot access the native code of the received content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Malik, Amit, Deshpande, Shivani, Singh, Abhishek, Zheng, Wei
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Gao, Shu Chun

Application Number

US15/633,058
Time in Patent Office

1,058 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/562 Static detection

G06F 21/566 Dynamic detection, i.e. det...

Multistage system and method for analyzing obfuscated content for malware

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Multistage system and method for analyzing obfuscated content for malware

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links