Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses
Abstract
A method of detecting malware in a specimen of computer content or network traffic is described. The method features conducting a first analysis on the specimen in accordance with a first plurality of analyses and an order of the first plurality of analyses. A second analysis is conducted on the specimen different than the first analysis type. Thereafter, further analyses on the specimen may be altered by modifying information associated with the first plurality of analyses or the order of the first plurality of analyses in response to feedback information based on results from at least the first analysis. The modified information changes a malware analysis of the specimen from being conducted in accordance with the first plurality of analyses to being conducted in accordance with a second plurality of analyses different in analysis type or in order of analyses than the first plurality of analyses.
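The abstract describes a controller that holds an ordered plan of analyses and rewrites that plan (changing which analyses run, or their order) from the feedback each analysis returns. The following is an added illustration, not code from the patent, showing that control loop in miniature. The three analysis modules are deliberately simple stand-ins (an entropy and indicator-string check for static analysis, and entropy and URL checks standing in for what an emulator or sandbox would observe), and the specimens are constructed byte strings, not real samples. The interesting part is `adapt_plan`, which is where the "feedback information" modifies the "control information":

```python
import math
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Result:
    analysis: str                                   # which analysis type produced this
    score: float                                    # suspicion score in [0, 1]
    findings: List[str] = field(default_factory=list)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# Constructed specimens (stand-in byte strings, not real samples).
SPECIMENS = {
    "benign_text": b"Hello, world. Nothing to see here.\n",
    "high_entropy": bytes(range(256)) * 4,          # looks packed or encrypted
    "suspicious_strings": b"MZ... CreateRemoteThread VirtualAllocEx http://example.invalid",
}

# Indicator strings for the toy static analyser (constructed list, hypothetical).
INJECTION_APIS = (b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread")

def static_analysis(specimen: bytes) -> Result:
    findings = []
    if shannon_entropy(specimen) > 7.0:
        findings.append("high_entropy")             # static view is probably unreliable
    if any(api in specimen for api in INJECTION_APIS):
        findings.append("injection_api")
    return Result("static", [0.0, 0.5, 0.7][len(findings)], findings)

def emulation_analysis(specimen: bytes) -> Result:
    # Stand-in: a real emulator would step the code and watch for an unpacking
    # loop; here the entropy check stands in for that observation.
    if shannon_entropy(specimen) > 7.0:
        return Result("emulation", 0.6, ["self_modifying_code"])
    return Result("emulation", 0.1)

def dynamic_analysis(specimen: bytes) -> Result:
    # Stand-in: a real sandbox would execute the specimen and capture network
    # activity; here an embedded URL stands in for an observed beacon.
    if b"http://" in specimen or b"https://" in specimen:
        return Result("dynamic", 0.95, ["network_beacon"])
    return Result("dynamic", 0.0)

MODULES: Dict[str, Callable[[bytes], Result]] = {
    "static": static_analysis,
    "emulation": emulation_analysis,
    "dynamic": dynamic_analysis,
}

# Control information: the default ordered plan (hypothetical ordering).
DEFAULT_PLAN: Tuple[str, ...] = ("static", "dynamic", "emulation")

def adapt_plan(remaining: List[str], result: Result) -> List[str]:
    """The controller: rewrite the remaining plan in response to feedback."""
    if result.score >= 0.9:
        return []                                   # definitive result: stop early
    if result.analysis == "static":
        if "high_entropy" in result.findings:
            # Packed specimen: run emulation next (adding it if absent) so that a
            # later dynamic run is not wasted on an opaque blob.
            return ["emulation"] + [a for a in remaining if a != "emulation"]
        if not result.findings:
            # Nothing suspicious statically: skip the costly emulation pass.
            return [a for a in remaining if a != "emulation"]
    return remaining

def analyse(specimen: bytes, plan: Optional[Tuple[str, ...]] = None) -> Tuple[str, List[str], List[Result]]:
    """Run the plan, letting each result reshape what remains; return verdict, executed order, results."""
    remaining = list(plan or DEFAULT_PLAN)
    executed: List[str] = []
    results: List[Result] = []
    while remaining:
        name = remaining.pop(0)
        result = MODULES[name](specimen)
        executed.append(name)
        results.append(result)
        remaining = adapt_plan(remaining, result)
    top = max((r.score for r in results), default=0.0)
    return ("malicious" if top >= 0.5 else "benign"), executed, results

if __name__ == "__main__":
    for label, data in SPECIMENS.items():
        verdict, order, _ = analyse(data)
        print(f"{label:20s} {verdict:10s} ran: {' -> '.join(order)}")
```

Running it on the three constructed specimens produces three different executions of the same default plan: the benign text drops emulation (a plan different in analysis type), the high-entropy blob moves emulation ahead of the sandbox (different in order), and the specimen with a URL stops after the dynamic stage reports a beacon (early termination). A production controller would key these rules on richer feedback, such as sandbox evasion indicators, but the loop shape is the same.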
743 Citations
52 Claims
1. A system for adjusting malware analysis of a specimen received as input, the system comprising:
a data storage device being hardware that is configured to store control information that identifies (i) a first plurality of analyses and (ii) an order of the first plurality of analyses to be conducted on the specimen;
a first analysis module being software that is configured, upon execution, to conduct, in accordance with the control information, at least one or more analysis of a first type of analysis on the specimen, wherein the one or more analysis of the first type of analysis included as a portion of the first plurality of analyses;
a second analysis module being software that is configured, upon execution, to conduct, in accordance with the control information, at least one or more analysis of a second type of analysis on the specimen, wherein the one or more analysis of the second type of analysis included as a portion of the first plurality of analyses; and
a controller communicatively coupled to the data storage device, the first analysis module, and the second analysis module, the controller to modify the control information in response to feedback information based on results from at least one of the first plurality of analyses conducted by the first analysis module or the second analysis module, the modified control information to change the malware analysis of the specimen from being conducted in accordance with the first plurality of analyses to being conducted in accordance with a second plurality of analyses different from the first plurality of analyses in analysis type or in order of analyses.
Dependent claims 2 to 24 are not reproduced here.
25. A non-transitory machine-readable medium storing a plurality of modules, when executed by a processor, cause the processor to perform operations for detecting malware in a specimen, the non-transitory machine-readable medium comprising:
a first analysis module being configured, during execution by the processor, to conduct one or more analysis associated with at least a first type of analysis on the specimen in accordance with a first plurality of analyses and an order of the first plurality of analyses to be conducted on the specimen;
a second analysis module being configured, during execution by the processor, to conduct one or more analysis associated with at least second type of analysis on the specimen, the second type of analysis being different than the first type of analysis conducted by the first analysis module; and
a controller being configured, during execution by the processor, to receive feedback information based on results from one or more analysis associated with at least the first type of analysis corresponding to at least one of the first plurality of analyses conducted by the first analysis module or one or more analysis associated with at least the second type of analysis corresponding to at least one of the first plurality of analyses conducted by the second analysis module to change the malware analysis of the specimen from being conducted in accordance with the first plurality of analyses and the order of the first plurality of analyses to being conducted in accordance with a second plurality of analyses and an order of the second plurality of analyses being different than at least the order of the first plurality of analyses.
Dependent claims 26 to 36 are not reproduced here.
37. A computer implemented method of detecting malware in a specimen of computer content or network traffic, the method comprising:
conducting, by a first analysis module executed by a processor, at least one analysis associated with a first type of analysis on the specimen in accordance with a first plurality of analyses and an order of the first plurality of analyses;
conducting, by a second analysis module executed by the processor, at least one analysis associated with a second type of analysis on the specimen different than the first type of analysis conducted by the first analysis module; and
modifying, by a controller executed by the processor, an analysis on the specimen by at least modifying information associated with the first plurality of analyses or the order of the first plurality of analyses in response to feedback information based on results from the at least one analysis of the first plurality of analyses conducted by the first analysis module, the modified control information changes a malware analysis of the specimen from being conducted in accordance with the first plurality of analyses to being conducted in accordance with a second plurality of analyses different in analysis type or in order of analyses than the first plurality of analyses.
Dependent claims 38 to 52 are not reproduced here.
Specification