Method of malware detection and system thereof
First Claim
1. A computer-implemented method of detecting malware in real-time in an operating system of an environment, the method comprising:
monitoring, by a computer system, a sequence of linked operations performed by a program running in the operating system;
generating, by the computer system, an event data characterizing each monitored operation, wherein the event data comprises, for each monitored operation, at least an operation type and a source of the operation;
building, by the computer system, a stateful model in accordance with the event data, wherein the stateful model comprises a data structure representing a real-time updated system state resulting from the sequence of linked operations, and wherein the building the stateful model comprises:
retrieving one or more objects associated with the event data, each of the one or more objects representing an entity involved in one of the monitored operations, the retrieved one or more objects comprising at least one object for each monitored operation that represents the source of the operation;
determining one or more relationships among the one or more objects in accordance with the event data, the determined relationships comprising at least the type of each monitored operation and one or more interconnections between the objects of one monitored operation and the objects of another monitored operation;
inferring an event context comprising the one or more objects and the determined relationships thereof; and
generating a stateful model comprising the event context if the monitored operation is a first monitored operation or otherwise updating an existing stateful model based at least in part on the event context, thereby building an updated stateful model representing a hierarchical structure comprising one or more entities involved in the sequence of linked operations and interconnections between the one or more entities resulting from the linked operations;
analyzing, by the computer system, the updated stateful model in accordance with one or more predefined behavioral logics that are indicative of specific behavioral patterns;
identifying, by the computer system, from the updated stateful model, one or more kernel related operations as operations of interest, wherein the one or more kernel related operations comprise one or more operations performed in a kernel space of the operating system;
monitoring, by the computer system, the operations of interest by registering one or more kernel filter drivers for the one or more kernel related operations via one or more callback functions using an Out-of-Band monitoring module; and
determining, by the computer system, part or all of the program to be malicious based at least in part on the monitored operations of interest, wherein determining part or all of the program to be malicious comprises:
determining a presence of at least one behavior upon any of the predefined behavioral logics being met, the at least one behavior related to a sequence of events of the stateful model;
determining a behavior score for the at least one behavior;
assigning a weight factor to each behavior score associated with the at least one behavior, wherein the behavior score indicates the likelihood of the presence of malware based on the at least one behavior;
searching if there is a previous stateful model score associated with the existing stateful model;
if not, determining a sum of respective weighted behavioral scores assigned for each of the at least one behavior as the stateful model score associated with the stateful model;
otherwise increasing the previous stateful model score with the sum, giving rise to the stateful model score; and
comparing the stateful model score with a predefined threshold and determining the presence of malware if the stateful model score passes the predefined threshold, wherein the computer system comprises a computer processor and an electronic storage medium.
Abstract
There is provided a system and a computer-implemented method of detecting malware in real time in a live environment. The method comprises: monitoring one or more operations of at least one program concurrently running in the live environment, building at least one stateful model in accordance with the one or more operations, analyzing the at least one stateful model to identify one or more behaviors, and determining the presence of malware based on the identified one or more behaviors.
33 Claims
1. (Independent claim, reproduced in full under First Claim above.) Dependent claims: 2-15.
16. A system for detecting malware in real-time in an operating system of an environment, the system comprising:
one or more computer readable storage devices configured to store a plurality of computer executable instructions; and
one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the plurality of computer executable instructions in order to cause the system to:
monitor a sequence of linked operations performed by at least one program running in the operating system;
generate an event data characterizing each monitored operation, wherein the event data comprises, for each monitored operation, at least an operation type and source of the operation;
build a stateful model in accordance with the event data, wherein the stateful model comprises a data structure representing a real-time updated system state resulting from the sequence of linked operations, and wherein the building the stateful model comprises:
retrieving one or more objects associated with the event data, each of the one or more objects representing an entity involved in one of the monitored operations, the retrieved one or more objects comprising at least one object for each monitored operation that represents the source of the operation;
determining one or more relationships among the one or more objects in accordance with the event data, the determined relationships comprising at least the type of each monitored operation and one or more interconnections between the objects of one monitored operation and the objects of another monitored operation;
inferring an event context comprising the one or more objects and the determined relationships thereof; and
generating a stateful model comprising the event context if the monitored operation is a first monitored operation or otherwise updating an existing stateful model based at least in part on the event context, thereby building an updated stateful model representing a hierarchical structure comprising one or more entities involved in the sequence of linked operations and interconnections between the one or more entities resulting from the linked operations;
analyze the updated stateful model in accordance with one or more predefined behavioral logics that are indicative of specific behavioral patterns;
identify, from the updated stateful model, one or more kernel related operations as operations of interest, wherein the one or more kernel related operations comprise one or more operations performed in a kernel space of the operating system;
monitor the operations of interest by registering one or more kernel filter drivers for the one or more kernel related operations via one or more callback functions using an Out-of-Band monitoring module; and
determine part or all of the program to be malicious based at least in part on the monitored operations of interest, wherein determining part or all of the program to be malicious comprises:
determining a presence of at least one behavior upon any of the predefined behavioral logics being met, the at least one behavior related to a sequence of events of the stateful model;
determining a behavior score for the at least one behavior;
assigning a weight factor to each behavior score associated with the at least one behavior, wherein the behavior score indicates the likelihood of the presence of malware based on the at least one behavior;
searching if there is a previous stateful model score associated with the existing stateful model;
if not, determining a sum of respective weighted behavioral scores assigned for each of the at least one behavior as the stateful model score associated with the stateful model;
otherwise increasing the previous stateful model score with the sum, giving rise to the stateful model score; and
comparing the stateful model score with a predefined threshold and determining the presence of malware if the stateful model score passes the predefined threshold.
Dependent claims: 17-26.
27. A non-transitory program storage device readable by computer, tangibly embodying a program of instructions executable by the computer to perform a method for detecting malware in real-time in an operating system of an environment, the method comprising:
monitoring a sequence of linked operations performed by a program running in the operating system;
generating an event data characterizing each monitored operation, wherein the event data comprises, for each monitored operation, at least an operation type and a source of the operation;
building a stateful model in accordance with the event data, wherein the stateful model comprises a data structure representing a real-time updated system state resulting from the sequence of linked operations, and wherein the building the stateful model comprises:
retrieving one or more objects associated with the event data, each of the one or more objects representing an entity involved in one of the monitored operations, the retrieved one or more objects comprising at least one object for each monitored operation that represents the source of the operation;
determining one or more relationships among the one or more objects in accordance with the event data, the determined relationships comprising at least the type of each monitored operation and one or more interconnections between the objects of one monitored operation and the objects of another monitored operation;
inferring an event context comprising the one or more objects and the determined relationships thereof; and
generating a stateful model comprising the event context if the monitored operation is a first monitored operation or otherwise updating an existing stateful model based at least in part on the event context, thereby building an updated stateful model representing a hierarchical structure comprising one or more entities involved in the sequence of linked operations and interconnections between the one or more entities resulting from the linked operations;
analyzing, by the computer system, the updated stateful model in accordance with one or more predefined behavioral logics that are indicative of specific behavioral patterns;
identifying, from the updated stateful model, one or more kernel related operations as operations of interest, wherein the one or more kernel related operations comprise one or more operations performed in a kernel space of the operating system;
monitoring the operations of interest by registering one or more kernel filter drivers for the one or more kernel related operations via one or more callback functions using an Out-of-Band monitoring module; and
determining part or all of the program to be malicious based at least in part on the monitored operations of interest, wherein determining part or all of the program to be malicious comprises:
determining a presence of at least one behavior upon any of the predefined behavioral logics being met, the at least one behavior related to a sequence of events of the stateful model;
determining a behavior score for the at least one behavior;
assigning a weight factor to each behavior score associated with the at least one behavior, wherein the behavior score indicates the likelihood of the presence of malware based on the at least one behavior;
searching if there is a previous stateful model score associated with the existing stateful model;
if not, determining a sum of respective weighted behavioral scores assigned for each of the at least one behavior as the stateful model score associated with the stateful model;
otherwise increasing the previous stateful model score with the sum, giving rise to the stateful model score; and
comparing the stateful model score with a predefined threshold and determining the presence of malware if the stateful model score passes the predefined threshold.
28. A computer-implemented method of generating a stateful model representing a real-time updated system state of an operating system in an environment, the method comprising:
monitoring, by a computer system, a sequence of linked operations performed by a program running in the operating system;
generating, by the computer system, an event data characterizing each monitored operation, wherein the event data comprises, for each monitored operation, at least an operation type and a source of the operation;
building, by the computer system, a stateful model in accordance with the event data, wherein the stateful model comprises a data structure representing a real-time updated system state resulting from the sequence of linked operations, and wherein the building the stateful model comprises:
retrieving one or more objects associated with the event data, each of the one or more objects representing an entity involved in one of the monitored operations, the retrieved one or more objects comprising at least one object for each monitored operation that represents the source of the operation;
identifying one or more relationships among the one or more objects in accordance with the event data, the identified relationships comprising at least the type of each monitored operation and one or more interconnections between the objects of one monitored operation and the objects of another monitored operation;
determining an event context comprising the one or more objects and the identified relationships thereof; and
generating a stateful model including said event context if the monitored operation is a first monitored operation or otherwise updating an existing stateful model based at least in part on the event context, thereby building an updated stateful model representing a hierarchical structure comprising one or more entities involved in the sequence of linked operations and interconnections between the one or more entities resulting from the linked operations;
analyzing, by the computer system, the updated stateful model in accordance with one or more predefined behavioral logics that are indicative of specific behavioral patterns;
identifying, from the updated stateful model, one or more kernel related operations as operations of interest, wherein the one or more kernel related operations comprise one or more operations performed in a kernel space of the operating system;
monitoring the operations of interest by registering one or more kernel filter drivers for the one or more kernel related operations via one or more callback functions using an Out-of-Band monitoring module; and
determining, by the computer system, part or all of the program to be malicious based at least in part on the monitored operations of interest, wherein determining part or all of the program to be malicious comprises:
determining a presence of at least one behavior upon any of the predefined behavioral logics being met, the at least one behavior related to a sequence of events of the stateful model;
determining a behavior score for the at least one behavior;
assigning a weight factor to each behavior score associated with the at least one behavior, wherein the behavior score indicates the likelihood of the presence of malware based on the at least one behavior;
searching if there is a previous stateful model score associated with the existing stateful model;
if not, determining a sum of respective weighted behavioral scores assigned for each of the at least one behavior as the stateful model score associated with the stateful model;
otherwise increasing the previous stateful model score with the sum, giving rise to the stateful model score; and
comparing the stateful model score with a predefined threshold and determining the presence of malware if the stateful model score passes the predefined threshold, wherein the computer system comprises a computer processor and an electronic storage medium.
Dependent claims: 29-32.
33. A system for generating a stateful model representing a real-time updated system state of an operating system in an environment, the system comprising:
one or more computer readable storage devices configured to store a plurality of computer executable instructions; and
one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the plurality of computer executable instructions in order to cause the system to:
monitor a sequence of linked operations performed by a program running in the operating system;
generate an event data characterizing each monitored operation, wherein the event data comprises, for each monitored operation, at least an operation type and a source of the operation;
build a stateful model in accordance with the event data, wherein the stateful model comprises a data structure representing a real-time updated system state resulting from the sequence of linked operations, and wherein the building the stateful model comprises:
retrieving one or more objects associated with the event data, each of the one or more objects representing an entity involved in one of the monitored operations, the retrieved one or more objects comprising at least one object for each monitored operation that represents the source of the operation;
identifying one or more relationships among the one or more objects in accordance with the event data, the identified relationships comprising at least the type of each monitored operation and one or more interconnections between the objects of one monitored operation and the objects of another monitored operation;
determining an event context comprising the one or more objects and the identified relationships thereof; and
generating a stateful model comprising the event context if the monitored operation is a first monitored operation or otherwise updating an existing stateful model based at least in part on the event context, thereby building an updated stateful model representing a hierarchical structure comprising one or more entities involved in the sequence of linked operations and interconnections between the one or more entities resulting from the linked operations;
analyzing the updated stateful model in accordance with one or more predefined behavioral logics that are indicative of specific behavioral patterns;
identifying, from the updated stateful model, one or more kernel related operations as operations of interest, wherein the one or more kernel related operations comprise one or more operations performed in a kernel space of the operating system;
monitoring the operations of interest by registering one or more kernel filter drivers for the one or more kernel related operations via one or more callback functions using an Out-of-Band monitoring module; and
determining part or all of the program to be malicious based at least in part on the monitored operations of interest, wherein determining part or all of the program to be malicious comprises:
determining a presence of at least one behavior upon any of the predefined behavioral logics being met, the at least one behavior related to a sequence of events of the stateful model;
determining a behavior score for the at least one behavior;
assigning a weight factor to each behavior score associated with the at least one behavior, wherein the behavior score indicates the likelihood of the presence of malware based on the at least one behavior;
searching if there is a previous stateful model score associated with the existing stateful model;
if not, determining a sum of respective weighted behavioral scores assigned for each of the at least one behavior as the stateful model score associated with the stateful model;
otherwise increasing the previous stateful model score with the sum, giving rise to the stateful model score; and
comparing the stateful model score with a predefined threshold and determining the presence of malware if the stateful model score passes the predefined threshold.
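As an added illustration (not code from the patent or its assignee), the following Python sketch walks the claimed pipeline over a constructed event stream: each event's objects and typed relationships are folded into a stateful model (created on the first operation, updated thereafter), predefined behavioral logics are evaluated over the model, newly met behaviors are scored, weighted and summed, the sum becomes the model score or is added to the previous one, and the result is compared with a threshold. The event types, entity names, the two logics, their scores, weights and the threshold, and the choice to credit each behavior only once per model are all assumptions made here for illustration.

```python
# Constructed sample event data (an assumption for illustration), one tuple per
# monitored operation: (operation type, source object, target object).
SAMPLE_EVENTS = [
    ("process_create", "explorer.exe", "dropper.exe"),
    ("file_write", "dropper.exe", "payload.dll"),
    ("process_create", "dropper.exe", "helper.exe"),
    ("registry_set", "helper.exe", "HKCU\\Software\\Run\\helper"),
    ("network_connect", "helper.exe", "198.51.100.7:443"),
]


class StatefulModel:
    """Hierarchy of entities plus the typed interconnections linking them."""
    def __init__(self):
        self.relations = []    # (op_type, source, target), in arrival order
        self.children = {}     # process tree: parent -> set of child processes
        self.score = None      # None means no previous stateful model score exists
        self.credited = set()  # behaviors already scored (assumption: credit once)

    def update(self, event):
        op, src, dst = event
        self.relations.append(event)
        if op == "process_create":
            self.children.setdefault(src, set()).add(dst)

    def lineage(self, proc):
        """proc plus every process reachable from it through the process tree."""
        seen, stack = set(), [proc]
        while stack:
            p = stack.pop()
            if p not in seen:
                seen.add(p)
                stack.extend(self.children.get(p, ()))
        return seen

    def ops_by(self, procs, op):
        return [r for r in self.relations if r[0] == op and r[1] in procs]


# Predefined behavioral logics (assumed patterns); each returns True when present.
def drop_and_execute(m):
    # Some process that wrote a file has also spawned a child process.
    return any(src in m.children for op, src, _ in m.relations if op == "file_write")


def persist_and_beacon(m):
    # One process lineage shows a file write, a registry set and an outbound connect.
    needed = ("file_write", "registry_set", "network_connect")
    return any(all(m.ops_by(m.lineage(r), op) for op in needed) for r in m.children)


BEHAVIORAL_LOGICS = {  # name -> (logic, behavior score, weight factor); assumed values
    "drop_and_execute": (drop_and_execute, 3.0, 1.0),
    "persist_and_beacon": (persist_and_beacon, 5.0, 1.5),
}
THRESHOLD = 9.0  # assumed


def analyze(model):
    """Score newly met behaviors, fold them into the model score, test the threshold."""
    total = 0.0
    for name, (logic, score, weight) in BEHAVIORAL_LOGICS.items():
        if name not in model.credited and logic(model):
            model.credited.add(name)
            total += score * weight
    # No previous score: the sum becomes the score; otherwise the previous score grows.
    model.score = total if model.score is None else model.score + total
    return model.score >= THRESHOLD


def run(events):
    """Feed events one at a time; return the final model and per-event verdicts."""
    model, verdicts = None, []
    for event in events:
        if model is None:    # first monitored operation: generate the model
            model = StatefulModel()
        model.update(event)  # otherwise update the existing model
        verdicts.append(analyze(model))
    return model, verdicts
```

On the sample stream the verdict flips to malicious only at the fifth event, when the second logic is met and the accumulated score (3.0 + 7.5 = 10.5) passes the threshold; a benign stream that never completes a pattern keeps a score of 0.0.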
Specification