System and method for malware analysis using thread-level event monitoring
First Claim
1. A computerized method comprising:
- processing one or more objects by a plurality of threads of execution, the plurality of threads of execution being part of a multi-thread process and executed by logic within a threat detection platform;
- selecting threads of the plurality of threads for monitoring;
- monitoring events of a first selected thread of the selected threads during the processing of the one or more objects, and excluding, from monitoring, events of non-selected threads of the plurality of threads, wherein the monitoring includes monitoring for events by both a first monitoring logic and a second monitoring logic that is different from the first monitoring logic, and wherein the second monitoring logic is part of a virtual execution environment;
- storing information associated with a first monitored event of the monitored events within an event log, the information comprises at least an identifier of the first selected thread to maintain an association between the first monitored events and the first selected thread; and
- accessing the stored information within the event log for rendering a graphical display of the monitored events and the first selected thread on a display screen.
7 Assignments
0 Petitions
Abstract
According to one embodiment, a computerized method comprises processing one or more objects by a first thread of execution that is part of a multi-thread process, monitoring events that occur during the processing of the one or more objects by the first thread, and storing information associated with the monitored events within an event log. The stored information comprises at least an identifier of the first thread to maintain an association between the monitored events and the first thread. Subsequently, the stored information within the event log is accessed for rendering, on a display screen, a graphical display of the monitored events detected during processing of the one or more objects by the first thread.
50 Claims
1. A computerized method comprising: (independent claim; text reproduced above under First Claim)
Dependent claims: 2-19
20. A threat detection platform operating at least partly via cloud computing services, the threat detection platform comprising:
- a communication interface;
- a storage device operating at least in part as an event log;
- circuitry communicatively coupled to the communication interface, the circuitry comprises logic to (i) execute a plurality of threads of execution of a multi-threaded process to process one or more objects, (ii) select one or more of the plurality of threads, (iii) monitor execution of a first selected thread of the one or more selected threads during processing of the one or more objects to detect a first set of events, and exclude from monitoring execution of non-selected threads of the plurality of threads, wherein the monitoring includes detecting one or more events, the monitoring performed by both a first monitoring logic and a second monitoring logic that is different from the first monitoring logic, and wherein the second monitoring logic is part of a virtual execution environment, and (iv) store information associated with a first detected event of the first set of events within the event log, the stored information comprises at least an identifier of the first selected thread to maintain an association between the first detected event and the first selected thread; and
- a rendering subsystem in communication with the circuitry, the rendering subsystem to access the stored information within the event log for rendering a graphical display of the first detected event and the first selected thread.
Dependent claims: 21-38
39. A non-transitory computer readable medium including logic that, upon execution by circuitry within a threat detection platform, performs operations comprising:
- processing one or more objects by a plurality of threads of execution, the plurality of threads of execution being part of a multi-threaded process and executed by logic of the threat detection platform;
- selecting one or more threads of the plurality of threads;
- monitoring execution of a first selected thread of the one or more selected threads during the processing of the one or more objects to detect a first set of events while excluding from monitoring execution of non-selected threads of the plurality of threads, wherein the monitoring includes detecting one or more events, the monitoring performed by both a first monitoring logic and a second monitoring logic that is different from the first monitoring logic, and wherein the second monitoring logic is part of a virtual execution environment;
- storing information associated with a first detected event of the first set of events within an event log, the information comprises at least an identifier of the first selected thread to maintain an association between the first detected event and the first selected thread; and
- accessing the stored information within the event log for rendering a graphical display of the first detected event and the first selected thread on a display screen.
Dependent claims: 40-50
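The abstract and the three independent claims describe the same mechanism: a multi-threaded process handles several objects, the analyst selects which threads to watch, two separate monitoring logics report events only for the selected threads, every log entry carries the thread identifier, and the log is later grouped per thread for display. The following Python model is an added illustration of that flow and is not code from the patent or its assignee. It assumes invented names throughout: a decorator-based hook plays the role of the first monitoring logic, and a per-thread profile callback installed with `threading.setprofile` stands in for the second monitoring logic that the claims place inside the virtual execution environment. The samples and their actions are constructed strings, not real malware behaviour.

```python
"""Thread-selective event monitoring: an added model of the claimed method (hypothetical names)."""
import threading
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(order=True)
class Event:
    seq: int          # global order within the log
    thread_id: int    # identifier that keeps the event tied to its thread
    source: str       # "api_hook" = first monitoring logic, "vee_profile" = second
    name: str
    detail: str = ""


class EventLog:
    """Shared, lock-protected log; every entry records the calling thread's identifier."""
    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._events: List[Event] = []

    def record(self, source: str, name: str, detail: str = "") -> None:
        with self._lock:
            self._events.append(Event(len(self._events) + 1, threading.get_ident(), source, name, detail))

    def events(self) -> List[Event]:
        with self._lock:
            return sorted(self._events)


class ThreadMonitor:
    """Tracks the selected threads and hosts the two monitoring logics that feed the log."""
    def __init__(self, log: EventLog, watched_calls: Set[str]) -> None:
        self.log = log
        self.watched_calls = watched_calls      # function names the profile monitor reports
        self._selected: Set[int] = set()
        self._lock = threading.Lock()

    def select(self, thread_id: int) -> None:
        with self._lock:
            self._selected.add(thread_id)

    def current_thread_selected(self) -> bool:
        with self._lock:
            return threading.get_ident() in self._selected

    def hook(self, fn):
        """First monitoring logic: an in-process wrapper around each emulated API."""
        def wrapper(*args):
            if self.current_thread_selected():   # events of non-selected threads are excluded
                self.log.record("api_hook", fn.__name__, repr(args))
            return fn(*args)
        return wrapper

    def _profile(self, frame, event, arg) -> None:
        """Second monitoring logic: per-thread profile callback, a stand-in for the VEE monitor."""
        if event == "call" and frame.f_code.co_name in self.watched_calls and self.current_thread_selected():
            self.log.record("vee_profile", frame.f_code.co_name)

    def install(self) -> None:
        threading.setprofile(self._profile)      # applies to threads started after this call

    def uninstall(self) -> None:
        threading.setprofile(None)


@dataclass
class Sample:
    """An object to be processed; the actions are constructed, not real malware behaviour."""
    name: str
    actions: List[str]


def build_api(monitor: ThreadMonitor) -> Dict[str, object]:
    """Emulated APIs the processed objects call; each carries the first-logic hook."""
    @monitor.hook
    def write_file(path: str, data: str) -> int:
        return len(data)

    @monitor.hook
    def connect(host: str, port: str) -> str:
        return f"{host}:{port}"

    return {"write_file": write_file, "connect": connect}


def worker(sample: Sample, api: Dict[str, object], gate: threading.Event) -> None:
    gate.wait()                                  # do not run until thread selection is complete
    for action in sample.actions:
        verb, *params = action.split()
        api[verb](*params)


def run_analysis(samples: List[Sample], monitored: Set[str]) -> Dict[str, object]:
    """Process each sample on its own thread; only threads named in `monitored` are watched."""
    log = EventLog()
    monitor = ThreadMonitor(log, watched_calls={"write_file", "connect"})
    api, gate, ids = build_api(monitor), threading.Event(), {}
    monitor.install()
    try:
        threads = [threading.Thread(target=worker, args=(s, api, gate), name=s.name) for s in samples]
        for t in threads:
            t.start()
        ids = {t.name: t.ident for t in threads}
        for name in monitored:
            monitor.select(ids[name])            # selection by thread identifier
        gate.set()
        for t in threads:
            t.join()
    finally:
        monitor.uninstall()
    return {"log": log, "thread_ids": ids}


def render(log: EventLog) -> Dict[int, List[str]]:
    """Group the log per thread in log order: the data a timeline display would draw."""
    timeline: Dict[int, List[str]] = {}
    for ev in log.events():
        line = f"{ev.seq:03d} [{ev.source}] {ev.name} {ev.detail}".rstrip()
        timeline.setdefault(ev.thread_id, []).append(line)
    return timeline


# Constructed samples: one behaves like a dropper, the other is a benign control.
SAMPLES = [
    Sample("dropper", ["write_file /tmp/dropped.bin payload", "connect c2.example.invalid 443"]),
    Sample("benign", ["write_file /tmp/report.txt hello"]),
]

if __name__ == "__main__":
    result = run_analysis(SAMPLES, monitored={"dropper"})
    for tid, lines in render(result["log"]).items():
        print(f"thread {tid}:", *lines, sep="\n    ")
```

Running the block monitors only the "dropper" thread: its two API calls each produce an `api_hook` entry from the wrapper and a `vee_profile` entry from the profile callback, all tagged with the same thread identifier, while the benign thread's file write never reaches the log. The gate is what makes selection by identifier possible, since a thread's identifier exists only after it has started; a real platform would instead select threads at creation time inside the virtual execution environment.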