Method of malware detection and system thereof

US 10,664,596 B2
Filed: 06/15/2017
Issued: 05/26/2020
Est. Priority Date: 08/11/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of detecting malware in real-time in an operating system of an environment, the method comprising:

monitoring, by a computer system, a sequence of linked operations performed by a program running in the operating system;

generating, by the computer system, an event data characterizing each monitored operation, wherein the event data comprises, for each monitored operation, at least an operation type and a source of the operation;

building, by the computer system, a stateful model in accordance with the event data, wherein the stateful model comprises a data structure representing a real-time updated system state resulting from the sequence of linked operations, and wherein the building the stateful model comprises;

retrieving one or more objects associated with the event data, each of the one or more objects representing an entity involved in one of the monitored operations, the retrieved one or more objects comprising at least one object for each monitored operation that represents the source of the operation;

determining one or more relationships among the one or more objects in accordance with the event data, the determined relationships comprising at least the type of each monitored operation and one or more interconnections between the objects of one monitored operation and the objects of another monitored operation;

inferring an event context comprising the one or more objects and the determined relationships thereof; and

generating a stateful model comprising the event context if the monitored operation is a first monitored operation or otherwise updating an existing stateful model based at least in part on the event context, thereby building an updated stateful model representing a hierarchical structure comprising one or more entities involved in the sequence of linked operations and interconnections between the one or more entities resulting from the linked operations;

analyzing, by the computer system, the updated stateful model in accordance with one or more predefined behavioral logics that are indicative of specific behavioral patterns;

identifying, by the computer system, from the updated stateful model, one or more kernel related operations as operations of interest, wherein the one or more kernel related operations comprise one or more operations performed in a kernel space of the operating system;

monitoring, by the computer system, the operations of interest by registering one or more kernel filter drivers for the one or more kernel related operations via one or more callback functions using an Out-of-Band monitoring module; and

determining, by the computer system, part or all of the program to be malicious based at least in part on the monitored operations of interest, wherein determining part or all of the program to be malicious comprises;

determining a presence of at least one behavior upon any of the predefined behavioral logics being met, the at least one behavior related to a sequence of events of the stateful model;

determining a behavior score for the at least one behavior;

assigning a weight factor to each behavior score associated with the at least one behavior, wherein the behavior score indicates the likelihood of the presence of malware based on the at least one behavior;

searching if there is a previous stateful model score associated with the existing stateful model;

if not, determining a sum of respective weighted behavioral scores assigned for each of the at least one behavior as the stateful model score associated with the stateful models;

otherwise increasing the previous stateful model score with the sum, giving rise to the stateful model score; and

comparing the stateful model score with a predefined threshold and determining the presence of malware if the stateful model score passes the predefined threshold,wherein the computer system comprises a computer processor and an electronic storage medium.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is provided a system and a computer-implemented method of detecting malware in real time in a live environment. The method comprises: monitoring one or more operations of at least one program concurrently running in the live environment, building at least one stateful model in accordance with the one or more operations, analyzing the at least one stateful model to identify one or more behaviors, and determining the presence of malware based on the identified one or more behaviors.

104 Citations

33 Claims

1. A computer-implemented method of detecting malware in real-time in an operating system of an environment, the method comprising:
- monitoring, by a computer system, a sequence of linked operations performed by a program running in the operating system;
  
  generating, by the computer system, an event data characterizing each monitored operation, wherein the event data comprises, for each monitored operation, at least an operation type and a source of the operation;
  
  building, by the computer system, a stateful model in accordance with the event data, wherein the stateful model comprises a data structure representing a real-time updated system state resulting from the sequence of linked operations, and wherein the building the stateful model comprises;
  
  retrieving one or more objects associated with the event data, each of the one or more objects representing an entity involved in one of the monitored operations, the retrieved one or more objects comprising at least one object for each monitored operation that represents the source of the operation;
  
  determining one or more relationships among the one or more objects in accordance with the event data, the determined relationships comprising at least the type of each monitored operation and one or more interconnections between the objects of one monitored operation and the objects of another monitored operation;
  
  inferring an event context comprising the one or more objects and the determined relationships thereof; and
  
  generating a stateful model comprising the event context if the monitored operation is a first monitored operation or otherwise updating an existing stateful model based at least in part on the event context, thereby building an updated stateful model representing a hierarchical structure comprising one or more entities involved in the sequence of linked operations and interconnections between the one or more entities resulting from the linked operations;
  
  analyzing, by the computer system, the updated stateful model in accordance with one or more predefined behavioral logics that are indicative of specific behavioral patterns;
  
  identifying, by the computer system, from the updated stateful model, one or more kernel related operations as operations of interest, wherein the one or more kernel related operations comprise one or more operations performed in a kernel space of the operating system;
  
  monitoring, by the computer system, the operations of interest by registering one or more kernel filter drivers for the one or more kernel related operations via one or more callback functions using an Out-of-Band monitoring module; and
  
  determining, by the computer system, part or all of the program to be malicious based at least in part on the monitored operations of interest, wherein determining part or all of the program to be malicious comprises;
  
  determining a presence of at least one behavior upon any of the predefined behavioral logics being met, the at least one behavior related to a sequence of events of the stateful model;
  
  determining a behavior score for the at least one behavior;
  
  assigning a weight factor to each behavior score associated with the at least one behavior, wherein the behavior score indicates the likelihood of the presence of malware based on the at least one behavior;
  
  searching if there is a previous stateful model score associated with the existing stateful model;
  
  if not, determining a sum of respective weighted behavioral scores assigned for each of the at least one behavior as the stateful model score associated with the stateful models;
  
  otherwise increasing the previous stateful model score with the sum, giving rise to the stateful model score; and
  
  comparing the stateful model score with a predefined threshold and determining the presence of malware if the stateful model score passes the predefined threshold,wherein the computer system comprises a computer processor and an electronic storage medium.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computer-implemented method of claim 1, wherein each of the specific behavioral patterns represents one or more entities having specific interconnections therein resulted from a specific sequence of operations performed thereupon, and wherein the analyzing the updated stateful model comprises matching the hierarchical structure represented in the updated stateful model with the one or more predefined behavior logics.
  - 3. The computer-implemented method of claim 1, wherein the determining the one or more relationships further comprises:
    - for each object, generating one or more parameters characterizing said object, the one or more parameters indicative of objects related thereto and determined relationships between the object and the related objects, thereby giving rise to an event context comprising the one or more objects each associated with one or more parameters.
  - 4. The computer-implemented method of claim 1, wherein each of the one or more objects comprises at least one of a process object, file object, network object, registry object, or windows object.
  - 5. The computer-implemented method of claim 1, wherein the one or more predefined behavioral logics comprises determining a behavior of self-execution when a target of an execution event comprises one or more of an originating process of the execution event, a child process of the originating process, or a parent process of the originating process.
  - 6. The computer-implemented method of claim 1, wherein the one or more predefined behavioral logics comprises determining a behavior of self-deletion when a source file of a targeting process of a deletion event comprises one or more of a source file of an originating process of the deletion event or a source file of a parent process of the originating process.
  - 7. The computer-implemented method of claim 1, wherein the one or more predefined behavioral logics comprises determining a behavior of code injection when associated operations of memory write, memory execution permission, and/or code execution are included in the stateful model.
  - 8. The computer-implemented method of claim 1, wherein the stateful model comprises a program-level stateful model that represents entities and interconnections thereof involved in the sequence of linked operations related to the program.
  - 9. The computer-implemented method of claim 1, wherein the stateful model comprises a system-level stateful model that represents entities and interconnections thereof involved in operations related to a plurality of programs that run concurrently in the environment, the system-level stateful model comprising one or more program-level stateful models each representing entities and interconnections thereof involved in the sequence of linked operations related to the given program.
  - 10. The computer-implemented method of claim 1, wherein the sequence of linked operations comprises one or more in-process operations and/or kernel related operations, wherein the kernel related operations comprise one or more of file system operations, process and memory operations, registry operations, or network operations.
  - 11. The computer-implemented method of claim 1, further comprising remediating, by the computer system, the part or all of the program determined to be malicious.
  - 12. The computer-implemented method of claim 11, wherein the remediating further comprises terminating at least one object of the stateful model related to the part or all of the program determined to be malicious.
  - 13. The computer-implemented method of claim 11, wherein the remediating further comprises removing at least one object of the stateful model related to the part or all of the program determined to be malicious.
  - 14. The computer-implemented method of claim 11, wherein the remediating further comprises undoing at least one operation performed by at least one object of the stateful model related to the part or all of the program determined to be malicious.
  - 15. The computer-implemented method of claim 11, wherein the remediating further comprises displaying information to an end user regarding the part or all of the program determined to be malicious.

16. A system for detecting malware in real-time in an operating system of an environment, the system comprising:
- one or more computer readable storage devices configured to store a plurality of computer executable instructions; and
  
  one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the plurality of computer executable instructions in order to cause the system to;
  
  monitor a sequence of linked operations performed by at least one program running in the operating system;
  
  generate an event data characterizing each monitored operation, wherein the event data comprises, for each monitored operation, at least an operation type and source of the operation;
  
  build a stateful model in accordance with the event data, wherein the stateful model comprises a data structure representing a real-time updated system state resulting from the sequence of linked operations, and wherein the building the stateful model comprises;
  
  retrieving one or more objects associated with the event data, each of the one or more objects representing an entity involved in one of the monitored operations, the retrieved one or more objects comprising at least one object for each monitored operation that represents the source of the operation;
  
  determining one or more relationships among the one or more objects in accordance with the event data, the determined relationships comprising at least the type of each monitored operation and one or more interconnections between the objects of one monitored operation and the objects of another monitored operation;
  
  inferring an event context comprising the one or more objects and the determined relationships thereof; and
  
  generating a stateful model comprising the event context if the monitored operation is a first monitored operation or otherwise updating an existing stateful model based at least in part on the event context, thereby building an updated stateful model representing a hierarchical structure comprising one or more entities involved in the sequence of linked operations and interconnections between the one or more entities resulting from the linked operations;
  
  analyze the updated stateful model in accordance with one or more predefined behavioral logics that are indicative of specific behavioral patterns;
  
  identify, from the updated stateful model, one or more kernel related operations as operations of interest, wherein the one or more kernel related operations comprise one or more operations performed in a kernel space of the operating system;
  
  monitor the operations of interest by registering one or more kernel filter drivers for the one or more kernel related operations via one or more callback functions using an Out-of-Band monitoring module; and
  
  determine part or all of the program to be malicious based at least in part on the monitored operations of interest, wherein determining part or all of the program to be malicious comprises;
  
  determining a presence of at least one behavior upon any of the predefined behavioral logics being met, the at least one behavior related to a sequence of events of the stateful model;
  
  determining a behavior score for the at least one behavior;
  
  assigning a weight factor to each behavior score associated with the at least one behavior, wherein the behavior score indicates the likelihood of the presence of malware based on the at least one behavior;
  
  searching if there is a previous stateful model score associated with the existing stateful model;
  
  if not, determining a sum of respective weighted behavioral scores assigned for each of the at least one behavior as the stateful model score associated with the stateful model;
  
  otherwise increasing the previous stateful model score with the sum, giving rise to the stateful model score; and
  
  comparing the stateful model score with a predefined threshold and determining the presence of malware if the stateful model score passes the predefined threshold.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 17. The system of claim 16, wherein each of the specific behavioral patterns represents one or more entities having specific interconnections therein resulted from a specific sequence of operations performed thereupon, and wherein the analyzing the updated stateful model comprises matching the hierarchical structure represented in the updated stateful model with the one or more predefined behavior logics.
  - 18. The system of claim 16, wherein the determining the one or more relationships further comprises:
    - for each object, generating one or more parameters characterizing said object, the one or more parameters indicative of objects related thereto and determined relationships between the object and the related objects, thereby giving rise to an event context comprising the one or more objects each associated with one or more parameters.
  - 19. The system of claim 16, wherein the one or more predefined behavioral logics comprises determining a behavior of self-execution when a target of an execution event comprises one or more of an originating process of the execution event, a child process of the originating process, or a parent process of the originating process.
  - 20. The system of claim 16, wherein the one or more predefined behavioral logics comprises determining a behavior of self-deletion when a source file of a targeting process of a deletion event comprises one or more of a source file of an originating process of the deletion event or a source file of a parent process of the originating process.
  - 21. The system of claim 16, wherein the one or more predefined behavioral logics comprises determining a behavior of code injection when associated operations of memory write, memory execution permission, and/or code execution are included in the stateful model.
  - 22. The system of claim 16, wherein the system is further caused to remediate the part or all of the program determined to be malicious.
  - 23. The system of claim 22, wherein the remediating further comprises terminating at least one object of the stateful model related to the part or all of the program determined to be malicious.
  - 24. The system of claim 22, wherein the remediating further comprises removing at least one object of the stateful model related to the part or all of the program determined to be malicious.
  - 25. The system of claim 22, wherein the remediating further comprises undoing at least one operation performed by at least one object of the stateful model related to the part or all of the program determined to be malicious.
  - 26. The system of claim 22, wherein the remediating further comprises displaying information to an end user regarding the part or all of the program determined to be malicious.

27. A non-transitory program storage device readable by computer, tangibly embodying a program of instructions executable by the computer to perform a method for detecting malware in real-time in an operating system of an environment, the method comprising:
- monitoring a sequence of linked operations performed by a program running in the operating system;
  
  generating an event data characterizing each monitored operation, wherein the event data comprises, for each monitored operation, at least an operation type and a source of the operation;
  
  building a stateful model in accordance with the event data, wherein the stateful model comprises a data structure representing a real-time updated system state resulting from the sequence of linked operations, and wherein the building the stateful model comprises;
  
  retrieving one or more objects associated with the event data, each of the one or more objects representing an entity involved in one of the monitored operations, the retrieved one or more objects comprising at least one object for each monitored operation that represents the source of the operation;
  
  determining one or more relationships among the one or more objects in accordance with the event data, the determined relationships comprising at least the type of each monitored operation and one or more interconnections between the objects of one monitored operation and the objects of another monitored operation;
  
  inferring an event context comprising the one or more objects and the determined relationships thereof; and
  
  generating a stateful model comprising the event context if the monitored operation is a first monitored operation or otherwise updating an existing stateful model based at least in part on the event context, thereby building an updated stateful model representing a hierarchical structure comprising one or more entities involved in the sequence of linked operations and interconnections between the one or more entities resulting from the linked operations;
  
  analyzing, by the computer system, the updated stateful model in accordance with one or more predefined behavioral logics that are indicative of specific behavioral patterns;
  
  identifying, from the updated stateful model, one or more kernel related operations as operations of interest, wherein the one or more kernel related operations comprise one or more operations performed in a kernel space of the operating system;
  
  monitoring the operations of interest by registering one or more kernel filter drivers for the one or more kernel related operations via one or more callback functions using an Out-of-Band monitoring module; and
  
  determining part or all of the program to be malicious based at least in part on the monitored operations of interest, wherein determining part or all of the program to be malicious comprises;
  
  determining a presence of at least one behavior upon any of the predefined behavioral logics being met, the at least one behavior related to a sequence of events of the stateful model;
  
  determining a behavior score for the at least one behavior;
  
  assigning a weight factor to each behavior score associated with the at least one behavior, wherein the behavior score indicates the likelihood of the presence of malware based on the at least one behavior;
  
  searching if there is a previous stateful model score associated with the existing stateful model;
  
  if not, determining a sum of respective weighted behavioral scores assigned for each of the at least one behavior as the stateful model score associated with the stateful model;
  
  otherwise increasing the previous stateful model score with the sum, giving rise to the stateful model score; and
  
  comparing the stateful model score with a predefined threshold and determining the presence of malware if the stateful model score passes the predefined threshold.

28. A computer-implemented method of generating a stateful model representing a real-time updated system state of an operating system in an environment, the method comprising:
- monitoring, by a computer system, a sequence of linked operations performed by a program running in the operating system;
  
  generating, by the computer system, an event data characterizing each monitored operation, wherein the event data comprises, for each monitored operation, at least an operation type and a source of the operation;
  
  building, by the computer system, a stateful model in accordance with the event data, wherein the stateful model comprises a data structure representing a real-time updated system state resulting from the sequence of linked operations, and wherein the building the stateful model comprises;
  
  retrieving one or more objects associated with the event data, each of the one or more objects representing an entity involved in one of the monitored operations, the retrieved one or more objects comprising at least one object for each monitored operation that represents the source of the operation;
  
  identifying one or more relationships among the one or more objects in accordance with the event data, the identified relationships comprising at least the type of each monitored operation and one or more interconnections between the objects of one monitored operation and the objects of another monitored operation;
  
  determining an event context comprising the one or more objects and the identified relationships thereof; and
  
  generating a stateful model including said event context if the monitored operation is a first monitored operation or otherwise updating an existing stateful model based at least in part on the event context, thereby building an updated stateful model representing a hierarchical structure comprising one or more entities involved in the sequence of linked operations and interconnections between the one or more entities resulting from the linked operations;
  
  analyzing, by the computer system, the updated stateful model in accordance with one or more predefined behavioral logics that are indicative of specific behavioral patterns;
  
  identifying, from the updated stateful model, one or more kernel related operations as operations of interest, wherein the one or more kernel related operations comprise one or more operations performed in a kernel space of the operating system;
  
  monitoring the operations of interest by registering one or more kernel filter drivers for the one or more kernel related operations via one or more callback functions using an Out-of-Band monitoring module; and
  
  determining, by the computer system, part or all of the program to be malicious based at least in part on the monitored operations of interest, wherein determining part or all of the program to be malicious comprises;
  
  determining a presence of at least one behavior upon any of the predefined behavioral logics being met, the at least one behavior related to a sequence of events of the stateful model;
  
  determining a behavior score for the at least one behavior;
  
  assigning a weight factor to each behavior score associated with the at least one behavior, wherein the behavior score indicates the likelihood of the presence of malware based on the at least one behavior;
  
  searching if there is a previous stateful model score associated with the existing stateful model;
  
  if not, determining a sum of respective weighted behavioral scores assigned for each of the at least one behavior as the stateful model score associated with the stateful model;
  
  otherwise increasing the previous stateful model score with the sum, giving rise to the stateful model score; and
  
  comparing the stateful model score with a predefined threshold and determining the presence of malware if the stateful model score passes the predefined threshold,wherein the computer system comprises a computer processor and an electronic storage medium.
- View Dependent Claims (29, 30, 31, 32)
- - 29. The computer-implemented method of claim 28, wherein the identifying the one or more relationships further comprises:
    - for each object of the one or more objects, generating one or more parameters characterizing said object, the one or more parameters indicative of objects related thereto and identified relationships between the object and the related objects, thereby giving rise to an event context comprising the one or more objects each associated with one or more parameters.
  - 30. The computer-implemented method of claim 28, wherein each of the one or more objects comprises at least one of a process object, file object, network object, registry object or windows object.
  - 31. The computer-implemented method of claim 28, wherein the stateful model comprises a program-level stateful model that represents entities and interconnections thereof involved in the sequence of linked operations related to the program.
  - 32. The computer-implemented method of claim 28, wherein the stateful model comprises a system-level stateful model that represents entities and interconnections thereof involved in operations related to a plurality of programs that run concurrently in the environment, the system-level stateful model comprising one or more program-level stateful models each representing entities and interconnections thereof involved in the sequence of linked operations related to the given program.

33. A system for generating a stateful model representing a real-time updated system state of an operating system in an environment, the system comprising:
- one or more computer readable storage devices configured to store a plurality of computer executable instructions; and
  
  one or more hardware computer processors in communication with the one or more computer readable storage devices and configured to execute the plurality of computer executable instructions in order to cause the system to;
  
  monitor a sequence of linked operations performed by a program running in the operating system;
  
  generate an event data characterizing each monitored operation, wherein the event data comprises, for each monitored operation, at least an operation type and a source of the operation;
  
  build a stateful model in accordance with the event data, wherein the stateful model comprises a data structure representing a real-time updated system state resulting from the sequence of linked operations, and wherein the building the stateful model comprises;
  
  retrieving one or more objects associated with the event data, each of the one or more objects representing an entity involved in one of the monitored operations, the retrieved one or more objects comprising at least one object for each monitored operation that represents the source of the operation;
  
  identifying one or more relationships among the one or more objects in accordance with the event data, the identified relationships comprising at least the type of each monitored operation and one or more interconnections between the objects of one monitored operation and the objects of another monitored operation;
  
  determining an event context comprising the one or more objects and the identified relationships thereof; and
  
  generating a stateful model comprising the event context if the monitored operation is a first monitored operation or otherwise updating an existing stateful model based at least in part on the event context, thereby building an updated stateful model representing a hierarchical structure comprising one or more entities involved in the sequence of linked operations and interconnections between the one or more resulting from the linked operations;
  
  analyzing the updated stateful model in accordance with one or more predefined behavioral logics that are indicative of specific behavioral patterns;
  
  identifying, from the updated stateful model, one or more kernel related operations as operations of interest, wherein the one or more kernel related operations comprise one or more operations performed in a kernel space of the operating system;
  
  monitoring the operations of interest by registering one or more kernel filter drivers for the one or more kernel related operations via one or more callback functions using an Out-of-Band monitoring module; and
  
  determining part or all of the program to be malicious based at least in part on the monitored operations of interest, wherein determining part or all of the program to be malicious comprises;
  
  determining a presence of at least one behavior upon any of the predefined behavioral logics being met, the at least one behavior related to a sequence of events of the stateful model;
  
  determining a behavior score for the at least one behavior;
  
  assigning a weight factor to each behavior score associated with the at least one behavior, wherein the behavior score indicates the likelihood of the presence of malware based on the at least one behavior;
  
  searching if there is a previous stateful model score associated with the existing stateful model;
  
  if not, determining a sum of respective weighted behavioral scores assigned for each of the at least one behavior as the stateful model score associated with the stateful model;
  
  otherwise increasing the previous stateful model score with the sum, giving rise to the stateful model score; and
  
  comparing the stateful model score with a predefined threshold and determining the presence of malware if the stateful model score passes the predefined threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sentinel Labs Israel, Ltd. (SentinelOne Inc.)
Original Assignee
Sentinel Labs Israel, Ltd. (SentinelOne Inc.)
Inventors
Weingarten, Tomer, Cohen, Almog, Shamir, Udi, Motil, Kirill
Primary Examiner(s)
Lesniewski, Victor

Application Number

US15/623,669
Publication Number

US 20170286676A1
Time in Patent Office

1,076 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/566 Dynamic detection, i.e. det...

Method of malware detection and system thereof

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

104 Citations

33 Claims

Specification

Use Cases

Quick Links

Others

Method of malware detection and system thereof

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

104 Citations

33 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others