System and method for malware analysis using thread-level event monitoring

US 10,671,726 B1
Filed: 09/22/2014
Issued: 06/02/2020
Est. Priority Date: 09/22/2014
Status: Active Grant

First Claim

Patent Images

1. A computerized method comprising:

processing one or more objects by a plurality of threads of execution, the plurality of threads of execution being part of a multi-thread process and executed by logic within a threat detection platform;

selecting threads of the plurality of threads for monitoring;

monitoring events of a first selected thread of the selected threads during the processing of the one or more objects, and excluding, from monitoring, events of non-selected threads of the plurality of threads, wherein the monitoring includes monitoring for events by both a first monitoring logic and a second monitoring logic that is different from the first monitoring logic, and wherein the second monitoring logic is part of a virtual execution environment;

storing information associated with a first monitored event of the monitored events within an event log, the information comprises at least an identifier of the first selected thread to maintain an association between the first monitored events and the first selected thread; and

accessing the stored information within the event log for rendering a graphical display of the monitored events and the first selected thread on a display screen.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a computerized method comprises processing one or more objects by a first thread of execution that are part of a multi-thread process, monitoring events that occur during the processing of the one or more objects by the first thread, and storing information associated with the monitored events within an event log. The stored information comprises at least an identifier of the first thread to maintain an association between the monitored events and the first thread. Subsequently, the stored information within the event log is accessed for rendering a graphical display of the monitored events detected during processing of the one or more objects by the first thread on a display screen.

Citations

50 Claims

1. A computerized method comprising:
- processing one or more objects by a plurality of threads of execution, the plurality of threads of execution being part of a multi-thread process and executed by logic within a threat detection platform;
  
  selecting threads of the plurality of threads for monitoring;
  
  monitoring events of a first selected thread of the selected threads during the processing of the one or more objects, and excluding, from monitoring, events of non-selected threads of the plurality of threads, wherein the monitoring includes monitoring for events by both a first monitoring logic and a second monitoring logic that is different from the first monitoring logic, and wherein the second monitoring logic is part of a virtual execution environment;
  
  storing information associated with a first monitored event of the monitored events within an event log, the information comprises at least an identifier of the first selected thread to maintain an association between the first monitored events and the first selected thread; and
  
  accessing the stored information within the event log for rendering a graphical display of the monitored events and the first selected thread on a display screen.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The computerized method of claim 1, wherein the multi-thread process includes a second thread that is a thread checking for software updates.
  - 3. The computerized method of claim 1, wherein the stored information associated with at least one monitored event detected during processing of the one or more objects by the first selected thread further comprises information directed to (a) a type of event and (b) information associated with a particular activity.
  - 4. The computerized method of claim 3, the particular activity that occurs during the processing of the one or more objects comprises setting or accessing a registry of the threat detection platform.
  - 5. The computerized method of claim 1 further comprising:
    - processing the one or more objects by a third thread of execution being executed by the logic within the threat detection platform;
      
      monitoring events that occur during the processing of the one or more objects by the third thread;
      
      storing information associated with the monitored events that occur during the processing of the one or more objects by the third thread within the event log, the information comprises at least an identifier of the third thread.
  - 6. The computerized method of claim 5, wherein the graphical display illustrates a relationship between the first selected thread and the third thread of the process.
  - 7. The computerized method of claim 6, wherein the graphical display further illustrates a relationship between at least (1) the monitored events detected during processing of the one or more objects by the first selected thread of the process and (2) the monitored events detected during processing of the one or more objects by the third thread of the process.
  - 8. The computerized method of claim 1, wherein the multi-thread process further comprises a memory allocated for an image of executable software associated with the process.
  - 9. The computerized method of claim 1, wherein the storing of the information associated with the monitored events within the event log further comprises storing an identifier for the multi-thread process that includes the first selected thread producing the monitored events.
  - 10. The computerized method of claim 9, wherein the storing of the information associated with the monitored events within the event log further comprises storing a generalized description of the operability of the first selected thread.
  - 11. The computerized method of claim 1, wherein the processing of the one or more objects by the first selected thread, the monitoring of the events that occur during the processing of the one or more objects by the first selected thread, and the storing of the information associated with the monitored events within the event log enables the threat detection platform to determine whether the one or more objects that comprises a particular script is malicious.
  - 12. The computerized method of claim 1 further comprising:
    - determining that the monitored events are associated with keylogging when the monitored events triggered by the first selected thread processing the one or more objects represent fake keystrokes.
  - 13. The computerized method of claim 1, wherein the virtual execution environment is maintained by a dynamic analysis engine.
  - 14. The computerized method of claim 13, wherein the dynamic analysis engine is deployed within cloud computing services.
  - 15. The computerized method of claim 1, wherein each of the plurality of threads of execution perform operations on an object of the one or more objects under analysis resulting in an event of one or more detected events.
  - 16. The computerized method of claim 1, wherein the virtual execution environment includes one or more virtual machines operably configured to perform processing of the one or more objects.
  - 17. The computerized method of claim 1, wherein each of the one or more objects under analysis includes a collection of data having a logical structure or organization that enables classification for purposes of analysis or storage.
  - 18. The computerized method of claim 1, wherein the first monitoring logic is configured to conduct a heuristic analysis or a rule-based analysis on the one or more detected events.
  - 19. The computerized method of claim 1, wherein the second monitoring logic includes one or more thread monitors each configured to monitor a particular thread of the plurality of threads of execution.

20. A threat detection platform operating at least partly via cloud computing services, the threat detection platform comprising:
- a communication interface;
  
  a storage device operating at least in part as an event log;
  
  circuitry communicatively coupled to the communication interface, the circuitry comprises logic to (i) execute a plurality of threads of execution of a multi-threaded process to process one or more objects, (ii) select one or more of the plurality of threads, (iii) monitor execution of a first selected thread of the one or more selected threads during processing of the one or more objects to detect a first set of events, and exclude from monitoring execution of non-selected threads of the plurality of threads, wherein the monitoring includes detecting one or more events, the monitoring performed by both a first monitoring logic and a second monitoring logic that is different from the first monitoring logic, and wherein the second monitoring logic is part of a virtual execution environment, and (iv) store information associated with a first detected event of the first set of events within the event log, the stored information comprises at least an identifier of the first selected thread to maintain an association between the first detected event and the first selected thread; and
  
  a rendering subsystem in communication with the circuitry, the rendering subsystem to access the stored information within the event log for rendering a graphical display of the first detected event and the first selected thread.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 21. The threat detection platform of claim 20, wherein the one or more objects is received by the circuitry via the communication interface.
  - 22. The threat detection platform of claim 20, wherein the stored information associated with the first set of events detected during processing of the one or more objects by the first selected thread further comprises information directed to a type of object.
  - 23. The threat detection platform of claim 20, wherein the stored information associated with the first set of events detected during processing of the one or more objects by the first selected thread further comprises information associated with a particular activity.
  - 24. The threat detection platform of claim 20, wherein the logic to (i) process the one or more objects by a third thread of execution being part of the multi-threaded process executed by the logic of the threat detection platform, (ii) monitor execution of the third thread and detect a second set of events that occur during the processing of the one or more objects by the third thread, and (iii) store information associated with the second set of set of events within the event log, the stored information associated with the second set of events for the third thread comprises at least an identifier of the third thread.
  - 25. The threat detection platform of claim 24, wherein the graphical display illustrates a relationship between the first selected thread and the third selected thread of the process.
  - 26. The threat detection platform of claim 25, wherein the graphical display further illustrates a relationship between the first set of events detected during processing of the one or more objects by the first selected thread of the process and the second set of events detected during processing of the one or more objects by the third thread of the process.
  - 27. The threat detection platform of claim 20, wherein the logic to monitor the execution of the first selected thread and detect the first set of events that occur during processing of the one or more objects by the first thread comprises a security agent, the security agent, when executed by the circuitry, is configured to (i) execute the first selected thread, (ii) monitor the execution of the first selected thread and detect the first set of events that occur during processing of the one or more objects by the first selected thread, and (iii) store the information associated with the first set of events within the event log.
  - 28. The threat detection platform of claim 20, wherein circuitry to monitor the execution of the first selected thread and detect the first set of events that occur during processing of the one or more objects by the first selected thread comprises a virtual machine monitor, the virtual machine monitor includes logic deployed as part of a host operating system that is configured to (i) execute the first selected thread, (ii) monitor the execution of the first selected thread and detect the first set of events that occur during processing of the one or more objects by the first selected thread, and (iii) store the information associated with the first set of events within the event log.
  - 29. The threat detection platform of claim 20, wherein circuitry to monitor the execution of the first selected thread and detect the first set of events that occur during processing of the one or more objects by the first selected thread comprises a hypervisor, the hypervisor includes logic that is deployed as an interface between a guest operating system and circuitry, the hypervisor is configured to (i) execute the first selected thread, (ii) monitor the execution of the first selected thread and detect the first set of events that occur during processing of the one or more objects by the first selected thread, and (iii) store the information associated with the first set of events within the event log.
  - 30. The threat detection platform of claim 20, wherein the information associated with the first set of events that are stored within the event log by the logic further comprises a generalized description of the operability of the first selected thread.
  - 31. The threat detection platform of claim 20, wherein the circuitry includes processing circuitry and the logic includes a software module that is executable by the processing circuitry.
  - 32. The threat detection platform of claim 20, wherein the virtual execution environment is maintained by a dynamic analysis engine.
  - 33. The threat detection platform of claim 32, wherein the dynamic analysis engine is deployed within cloud computing services.
  - 34. The threat detection platform of claim 20, wherein each of the plurality of threads of execution perform operations on an object of the one or more objects under analysis resulting in an event of one or more detected events.
  - 35. The threat detection platform of claim 20, wherein the virtual execution environment includes one or more virtual machines operably configured to perform processing of the one or more objects.
  - 36. The threat detection platform of claim 20, wherein each of the one or more objects under analysis includes a collection of data having a logical structure or organization that enables classification for purposes of analysis or storage.
  - 37. The threat detection platform of claim 20, wherein the first monitoring logic is configured to conduct a heuristic analysis or a rule-based analysis on the one or more detected events.
  - 38. The threat detection platform of claim 20, wherein the second monitoring logic includes one or more thread monitors each configured to monitor a particular thread of the plurality of threads of execution.

39. A non-transitory computer readable medium including logic that, upon execution by circuitry within a threat detection platform, performs operations comprising:
- processing one or more objects by a plurality of threads of execution, the plurality of threads of execution being part of a multi-threaded process and executed by logic of the threat detection platform;
  
  selecting one or more threads of the plurality of threads;
  
  monitoring execution of a first selected thread of the one or more selected threads during the processing of the one or more objects to detect a first set of events while excluding from monitoring execution of non-selected threads of the plurality of threads, wherein the monitoring includes detecting one or more events, the monitoring performed by both a first monitoring logic and a second monitoring logic that is different from the first monitoring logic, and wherein the second monitoring logic is part of a virtual execution environment;
  
  storing information associated with a first detected event of the first set of events within an event log, the information comprises at least an identifier of the first selected thread to maintain an association between the first detected event and the first selected thread; and
  
  accessing the stored information within the event log for rendering a graphical display of the first detected event and the first selected thread on a display screen.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 40. The non-transitory computer readable medium of claim 39, wherein the logic that, upon execution by the circuitry within the threat detection platform, is configured to monitor and report through graphical display script execution.
  - 41. The non-transitory computer readable medium of claim 39, wherein the logic that, upon execution by the circuitry within the threat detection platform, is configured to allow for exclusively tracking of activities of injected code executed by the first selected thread without monitoring of other events associated with the multi-threaded process.
  - 42. The non-transitory computer readable medium of claim 39, wherein the logic that, upon execution by the circuitry within the threat detection platform, is configured to enable monitoring of execution of the first selected thread and disable monitoring of execution of a second thread of the multi-threaded process, the second thread configured to detect types of functions or events different than the prescribed types of functions or events.
  - 43. The non-transitory computer readable medium of claim 39, wherein the logic that, upon execution by the circuitry within the threat detection platform, is configured to add or remove thread selection criteria to concentrate the monitoring to detect the prescribed types of functions or events associated with the first selected thread.
  - 44. The non-transitory computer readable medium of claim 39, wherein the virtual execution environment is maintained by a dynamic analysis engine.
  - 45. The non-transitory computer readable medium of claim 44, wherein the dynamic analysis engine is deployed within cloud computing services.
  - 46. The non-transitory computer readable medium of claim 39, wherein each of the plurality of threads of execution perform operations on an object of the one or more objects under analysis resulting in an event of one or more detected events.
  - 47. The non-transitory computer readable medium of claim 39, wherein the virtual execution environment includes one or more virtual machines operably configured to perform processing of the one or more objects.
  - 48. The non-transitory computer readable medium of claim 39, wherein each of the one or more objects under analysis includes a collection of data having a logical structure or organization that enables classification for purposes of analysis or storage.
  - 49. The non-transitory computer readable medium of claim 39, wherein the first monitoring logic is configured to conduct a heuristic analysis or a rule-based analysis on the one or more detected events.
  - 50. The non-transitory computer readable medium of claim 39, wherein the second monitoring logic includes one or more thread monitors each configured to monitor a particular thread of the plurality of threads of execution.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Paithane, Sushant, Vincent, Michael, Vashisht, Sai
Primary Examiner(s)
Zaidi, Syed A

Application Number

US14/493,201
Time in Patent Office

2,080 Days
Field of Search

726 24
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/561   Virus type analysis

G06F 21/562   Static detection

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

System and method for malware analysis using thread-level event monitoring

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for malware analysis using thread-level event monitoring

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links