Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses

US 10,713,362 B1
Filed: 03/05/2018
Issued: 07/14/2020
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. A system for adjusting malware analysis of a specimen received as input, the system comprising:

a data storage device being hardware that is configured to store control information that identifies (i) a first plurality of analyses and (ii) an order of the first plurality of analyses to be conducted on the specimen;

a first analysis module being software that is configured, upon execution, to conduct, in accordance with the control information, at least one or more analysis of a first type of analysis on the specimen, wherein the one or more analysis of the first type of analysis included as a portion of the first plurality of analyses;

a second analysis module being software that is configured, upon execution, to conduct, in accordance with the control information, at least one or more analysis of a second type of analysis on the specimen, wherein the one or more analysis of the second type of analysis included as a portion of the first plurality of analyses; and

a controller communicatively coupled to the data storage device, the first analysis module, and the second analysis module, the controller to modify the control information in response to feedback information based on results from at least one of the first plurality of analyses conducted by the first analysis module or the second analysis module, the modified control information to change the malware analysis of the specimen from being conducted in accordance with the first plurality of analyses to being conducted in accordance with a second plurality of analyses different from the first plurality of analyses in analysis type or in order of analyses.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of detecting malware in a specimen of computer content or network traffic is described. The method features conducting a first analysis on the specimen in accordance with a first plurality of analyses and an order of the first plurality of analyses. A second analysis is conducted on the specimen different than the first analysis type. Thereafter, further analyses on the specimen may be altered by modifying information associated with the first plurality of analyses or the order of the first plurality of analyses in response to feedback information based on results from at least the first analysis. The modified information changes a malware analysis of the specimen from being conducted in accordance with the first plurality of analyses to being conducted in accordance with a second plurality of analyses different in analysis type or in order of analyses than the first plurality of analyses.

743 Citations

52 Claims

1. A system for adjusting malware analysis of a specimen received as input, the system comprising:
- a data storage device being hardware that is configured to store control information that identifies (i) a first plurality of analyses and (ii) an order of the first plurality of analyses to be conducted on the specimen;
  
  a first analysis module being software that is configured, upon execution, to conduct, in accordance with the control information, at least one or more analysis of a first type of analysis on the specimen, wherein the one or more analysis of the first type of analysis included as a portion of the first plurality of analyses;
  
  a second analysis module being software that is configured, upon execution, to conduct, in accordance with the control information, at least one or more analysis of a second type of analysis on the specimen, wherein the one or more analysis of the second type of analysis included as a portion of the first plurality of analyses; and
  
  a controller communicatively coupled to the data storage device, the first analysis module, and the second analysis module, the controller to modify the control information in response to feedback information based on results from at least one of the first plurality of analyses conducted by the first analysis module or the second analysis module, the modified control information to change the malware analysis of the specimen from being conducted in accordance with the first plurality of analyses to being conducted in accordance with a second plurality of analyses different from the first plurality of analyses in analysis type or in order of analyses.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 2. The system of claim 1, wherein the first analysis module corresponds to a static analysis module being software configured to conduct, in accordance with the control information, one or more analysis of the first type of analysis on the specimen for characteristics that suggest the specimen includes malware.
  - 3. The system of claim 2, wherein the second analysis module corresponds to a dynamic analysis module being software configured to conduct, in accordance with the control information, one or more analysis of the second type of analysis on the specimen to detect at least one unexpected behavior that occurs during processing of the specimen within one or more virtual machines.
  - 4. The system of claim 3, wherein the controller being configured to modify content of the control information to modify an order of the first plurality of analyses in response to receipt of the feedback information based on results from at least one of (i) the one or more analysis conducted by the static analysis module and (ii) the one or more analysis conducted by the dynamic analysis module.
  - 5. The system of claim 3, wherein the controller modifies content of the control information by including an additional analysis that is conducted by the dynamic analysis module between or after a first analysis and a second analysis, the first analysis being one of the one or more analysis of the first type of analysis conducted by the static analysis module and the second analysis being one of the one or more analysis of the second type of analysis conducted by the dynamic analysis module.
  - 6. The system of claim 2, wherein the controller modifies content of the control information by including an additional analysis that is conducted by the static analysis module after an analysis of the one or more analysis being conducted by the dynamic analysis module.
  - 7. The system of claim 4, wherein the controller to modify content of the control information that modifies an analysis protocol and parameters associated with the first plurality of analyses in response to the feedback information.
  - 8. The system of claim 7, wherein the analysis protocol and parameters include a type of operating system and its version used by the one or more virtual machines conducting an analysis that is part of the first plurality of analyses.
  - 9. The system of claim 7, wherein the analysis protocol and parameters include a length of time to conduct a dynamic analysis on the specimen, the dynamic analysis being one of the first plurality of analyses.
  - 10. The system of claim 7, wherein the analysis protocol and parameters include a type or location of monitors to deploy to monitor behaviors, including least one unexpected behavior, that occurs during processing of the specimen within the one or more virtual machines.
  - 11. The system of claim 1, wherein the controller to modify content of the control information to modify an order of the first plurality of analyses in response to receipt of the feedback information.
  - 12. The system of claim 11, wherein the feedback information includes results from the analysis of the specimen for at least one or more characteristics that suggest the specimen includes malware.
  - 13. The system of claim 11, wherein the feedback information includes results from the analysis of the specimen for the at least one unexpected behavior that occurs during processing of the specimen within one or more virtual machines.
  - 14. The system of claim 1, wherein the controller modifies content of the control information by including an additional analysis that is conducted between an analysis conducted by the first analysis module and an analysis conducted by the second analysis module.
  - 15. The system of claim 1, wherein the controller modifies content of the control information by including an additional analysis different than any of the first plurality of analyses.
  - 16. The system of claim 1, wherein the controller modifies the control information by terminating at least one upcoming analysis in accordance with the control information to be conducted by either the first analysis module or the second analysis module.
  - 17. The system of claim 1, wherein the second analysis module corresponds to a dynamic analysis module being software to conduct, in accordance with the control information, one or more analysis of the specimen to detect at least one unexpected behavior that occurs during processing of the specimen within one or more virtual machines and the controller modifies content of the control information after conducting a first analysis of the one or more analysis by modifying an operating environment of the one or more virtual machines for a second analysis subsequent to the first analysis in the control information.
  - 18. The system of claim 1 further comprising:
    - a classifier communicatively coupled to the data storage device, the classifier to determine whether the specimen should be classified as malicious based on results of (i) one or more analysis conducted on the specimen by the first analysis module, (ii) one or more analysis conducted on the specimen by the second analysis module, or (iii) the one or more analysis conducted on the specimen by the first analysis module and the one or more analysis being conducted on the specimen by the second analysis module.
  - 19. The system of claim 18 further comprising:
    - an emulation analysis module communicatively coupled to the controller, the emulation analysis module being software to emulate operations associated with a processing of the specimen in context with an emulated computer application or in context with an emulated dynamic library,wherein the controller to further coordinate at least an order of the emulated operations being a portion of the first plurality of analyses.
  - 20. The system of claim 19, wherein at least one of the emulated operations include unpacking of the specimen, the specimen includes a file provided for analysis.
  - 21. The system of claim 1, wherein operability of the system is being managed by a management system implemented as a web server.
  - 22. The system of claim 1, wherein the specimen is provided as input via a web interface.
  - 23. The system of claim 1, wherein the one or more analysis of the first type of analysis being conducted by the first analysis module operating at a client site and the one or more analysis of the second type of analysis being conducted by the second analysis module operating within a cloud network.
  - 24. The system of claim 1, wherein at least a portion of the system being deployed within a cloud network.

25. A non-transitory machine-readable medium storing a plurality of modules, when executed by a processor, cause the processor to perform operations for detecting malware in a specimen, the non-transitory machine-readable medium comprising:
- a first analysis module being configured, during execution by the processor, to conduct one or more analysis associated with at least a first type of analysis on the specimen in accordance with a first plurality of analyses and an order of the first plurality of analyses to be conducted on the specimen;
  
  a second analysis module being configured, during execution by the processor, to conduct one or more analysis associated with at least second type of analysis on the specimen, the second type of analysis being different than the first type of analysis conducted by the first analysis module; and
  
  a controller being configured, during execution by the processor, to receive feedback information based on results from one or more analysis associated with at least the first type of analysis corresponding to at least one of the first plurality of analyses conducted by the first analysis module or one or more analysis associated with at least the second type of analysis corresponding to at least one of the first plurality of analyses conducted by the second analysis module to change the malware analysis of the specimen from being conducted in accordance with the first plurality of analyses and the order of the first plurality of analyses to being conducted in accordance with a second plurality of analyses and an order of the second plurality of analyses being different than at least the order of the first plurality of analyses.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The non-transitory machine-readable medium of claim 25, wherein the first analysis module corresponds to a static analysis module being configured to conduct, in accordance with the first plurality of analyses and the order of the first plurality of analyses, the one or more analysis of the first type of analysis on the specimen for characteristics that suggest the specimen includes malware.
  - 27. The non-transitory machine-readable medium of claim 26, wherein the second analysis module corresponds to a dynamic analysis module being configured to conduct, in accordance with the first plurality of analyses and the order of the first plurality of analyses, the one or more analysis of the second type of analysis on the specimen to detect at least one unexpected behavior that occurs during processing of the specimen within one or more virtual machines.
  - 28. The non-transitory machine-readable medium of claim 27, wherein the controller modifies content associated with the first plurality of analyses and the order of the first plurality of analyses by at least including an additional analysis that is conducted by the static analysis module after an analysis of the one or more analysis associated with at least the second type of analysis by the dynamic analysis module.
  - 29. The non-transitory machine-readable medium of claim 25, wherein the controller being configured to modify the order of the first plurality of analyses in response to receipt of the feedback information based on results from at least one of (i) the one or more analysis conducted by the first analysis module and (ii) the one or more analysis conducted by the second analysis module.
  - 30. The non-transitory machine-readable medium of claim 25, wherein the controller to modify the order of the first plurality of analyses into the order of the second plurality of analyses in response to receipt of the feedback information.
  - 31. The non-transitory machine-readable medium of claim 30, wherein the feedback information includes results from the one or more analysis associated with at least the first type of analysis on the specimen for at least one or more characteristics that suggest the specimen includes malware.
  - 32. The non-transitory machine-readable medium of claim 25, wherein the feedback information includes results from the one or more analysis on the specimen by the first analysis module for at least one unexpected behavior that occurs during processing of the specimen within one or more virtual machines.
  - 33. The non-transitory machine-readable medium of claim 25, wherein the controller modifies content associated with the first plurality of analyses and the order of the first plurality of analyses by including an additional analysis that is conducted between the one or more analysis conducted by the first analysis module and the one or more analysis conducted by the second analysis module.
  - 34. The non-transitory machine-readable medium of claim 25, wherein the controller modifies content associated with the first plurality of analyses and the order of the first plurality of analyses by including an additional analysis different than any of the first plurality of analyses.
  - 35. The non-transitory machine-readable medium of claim 25, wherein the controller modifies content associated with the first plurality of analyses and the order of the first plurality of analyses by including an additional analysis that is conducted by the second analysis module between or after a first analysis and a second analysis, the first analysis being one of the one or more analysis associated with the first plurality of analyses conducted by the first analysis module and the second analysis being one of the one or more analysis associated with the second plurality of analyses conducted by the second analysis module.
  - 36. The non-transitory machine-readable medium of claim 25 further storing a module that, during execution by the processor, cause the processor to perform further operations for detecting malware in a specimen, the non-transitory machine-readable medium comprising:
    - a classifier module that, during execution by the processor, determines whether the specimen should be classified as malicious based on results of (i) the one or more analysis conducted on the specimen by the first analysis module, (ii) the one or more analysis conducted on the specimen by the second analysis module, or (iii) the one or more analysis conducted on the specimen by the first analysis module and the one or more analysis being conducted on the specimen by the second analysis module.

37. A computer implemented method of detecting malware in a specimen of computer content or network traffic, the method comprising:
- conducting, by a first analysis module executed by a processor, at least one analysis associated with a first type of analysis on the specimen in accordance with a first plurality of analyses and an order of the first plurality of analyses;
  
  conducting, by a second analysis module executed by the processor, at least one analysis associated with a second type of analysis on the specimen different than the first type of analysis conducted by the first analysis module; and
  
  modifying, by a controller executed by the processor, an analysis on the specimen by at least modifying information associated with the first plurality of analyses or the order of the first plurality of analyses in response to feedback information based on results from the at least one analysis of the first plurality of analyses conducted by the first analysis module, the modified control information changes a malware analysis of the specimen from being conducted in accordance with the first plurality of analyses to being conducted in accordance with a second plurality of analyses different in analysis type or in order of analyses than the first plurality of analyses.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52)
- - 38. The computer implemented method of claim 37, wherein the first analysis module corresponds to a static analysis module being configured to conduct, in accordance with the first plurality of analyses and the order of the first plurality of analyses, the at least one analysis associated with the first type of analysis on the specimen for characteristics that suggest the specimen includes malware.
  - 39. The computer implemented method of claim 38, wherein the second analysis module corresponds to a dynamic analysis module being configured to conduct, in accordance with the first plurality of analyses and the order of the first plurality of analyses, the at least one analysis associated with the second type of analysis on the specimen to detect at least one unexpected behavior that occurs during processing of the specimen within one or more virtual machines.
  - 40. The computer implemented method of claim 39, wherein the controller modifies content associated with the first plurality of analyses and the order of the first plurality of analyses by at least including an additional analysis that is conducted by the static analysis module after an analysis of the at least one analysis associated with the second type of analysis by the dynamic analysis module.
  - 41. The computer implemented method of claim 37, wherein the controller to modify the order of the first plurality of analyses in response to receipt of the feedback information based on results from at least one of (i) the at least one analysis conducted by the first analysis module and (ii) the at least one analysis conducted by the second analysis module.
  - 42. The computer implemented method of claim 37, wherein the controller to modify the order of the first plurality of analyses into the order of the second plurality of analyses in response to receipt of the feedback information.
  - 43. The computer implemented method of claim 42, wherein the feedback information includes results from the at least one analysis associated with at least the first type of analysis on the specimen for at least one or more characteristics that suggest the specimen includes malware.
  - 44. The computer implemented method of claim 37, wherein the feedback information includes results from the at least one analysis on the specimen by the first analysis module for at least one unexpected behavior that occurs during processing of the specimen within one or more virtual machines.
  - 45. The computer implemented method of claim 37, wherein the controller modifies the information associated with the first plurality of analyses and the order of the first plurality of analyses by including an additional analysis that is conducted between the at least one analysis conducted by the first analysis module and the at least one analysis conducted by the second analysis module.
  - 46. The computer implemented method of claim 37, wherein the controller modifies content associated with the first plurality of analyses and the order of the first plurality of analyses by including an additional analysis different than any of the first plurality of analyses.
  - 47. The computer implemented method of claim 37, wherein the controller modifies content associated with the first plurality of analyses and the order of the first plurality of analyses by including an additional analysis that is conducted by the second analysis module between or after a first analysis and a second analysis, the first analysis being one of the at least one analysis of the first plurality of analyses conducted by the first analysis module and the second analysis being one of the at least one analysis of the first plurality of analyses conducted by the second analysis module.
  - 48. The computer implemented method of claim 37 further storing a module that, during execution by the processor, cause the processor to perform further operations for detecting malware in a specimen, the non-transitory machine-readable medium comprising:
    - a classifier module that, during execution by the processor, determines whether the specimen should be classified as malicious based on results of (i) the at least one analysis conducted on the specimen by the first analysis module, (ii) the at least one analysis conducted on the specimen by the second analysis module, or (iii) the at least one analysis conducted on the specimen by the first analysis module and the at least one analysis being conducted on the specimen by the second analysis module.
  - 49. The computer implemented method of claim 37, wherein the specimen is provided as input via a web interface.
  - 50. The computer implemented method of claim 37, wherein the conducting of the at least one analysis by the first analysis module is performed at a client site and the conducting of the at least one analysis is performed by the second analysis module one or more analysis of the second type of analysis is performed at a cloud network.
  - 51. The computer implemented method of claim 37, wherein the conducting of operations is performed by the first analysis module deployed at a client site and the conducting of operations by the second analysis module is performed by the second analysis module being deployed within a cloud network.
  - 52. The computer implemented method of claim 37, wherein at least one of the first analysis module and the second analysis module are deployed within a cloud network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Vincent, Michael, Mesdaq, Ali, Thioux, Emmanuel, Singh, Abhishek, Vashisht, Sai
Primary Examiner(s)
Abyaneh, Ali S
Assistant Examiner(s)
Gao, Shu Chun

Application Number

US15/912,474
Time in Patent Office

862 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

743 Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

743 Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links