Technique for detecting executable malicious code using a combination of static and dynamic analyses
Abstract
Described are techniques for automatically detecting malicious code by verifying that an application executes in accordance with a model defined in terms of calls to a predetermined set of targets, such as external routines. The model is constructed by static analysis of the binary form of the application and consists of a list of calls to targets, their invocation and target locations, and possibly other call-related information. When the application is executed, dynamic analysis intercepts calls to targets and verifies them against the model. The verification may compare the invocation and target locations, as well as other call-related information, available at the time of call interception with the corresponding information identified by static analysis. A failed verification indicates that the application includes malicious code. Optionally, once detected, the malicious code may be allowed to execute so that information about its behavior can be gathered.
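The following Python program is an added illustration of the static-model-plus-interception scheme the abstract describes; it is not code from the patent or its assignee. The "binary" is a constructed four-instruction toy program rather than a real executable, and the monitored target set (`system`), the memory layout, the `intercept` hook and the `observe` option are all assumptions made for the example. The inputs in the demo (a benign string, a buffer overflow that overwrites a function pointer, and an overflow that plants injected code) are constructed too.

```python
"""Static call model + run-time interception, as sketched in the abstract above.

Everything here is constructed for illustration: the "binary" is a four-instruction
toy program, not a real executable, and the target set, memory layout, hook and
`observe` option are assumptions rather than anything the patent specifies.
"""

# Predetermined target routines the model is built around (assumed set).
TARGETS = {"system"}

CODE_BASE, DATA_BASE = 0x100, 0x200
BUF_WORDS = 4                       # input buffer occupies 0x200..0x203
FNPTR = DATA_BASE + BUF_WORDS       # function-pointer slot at 0x204, directly after it

# Constructed sample "binary": address -> instruction.
#   ("call", name)      direct call to the external routine `name`
#   ("icall", addr)     indirect call through the pointer stored at `addr`
#   ("read_input",)     copy untrusted input words into the buffer (no bounds check)
#   ("ret",)            return to caller, or stop if there is none
PROGRAM = {
    0x100: ("read_input",),
    0x101: ("call", "system"),      # statically visible, legitimate call site
    0x102: ("icall", FNPTR),        # target depends on a value decided at run time
    0x103: ("ret",),
}


def static_analysis(program):
    """Build the model before execution: for each target routine, the set of code
    locations that invoke it directly. Indirect call sites are returned separately
    because their targets cannot be resolved from the instruction alone."""
    model = {t: set() for t in TARGETS}
    unresolved = set()
    for addr, ins in program.items():
        if ins[0] == "call" and ins[1] in TARGETS:
            model[ins[1]].add(addr)
        elif ins[0] == "icall":
            unresolved.add(addr)
    return model, unresolved


def run(program, model, user_input, observe=False):
    """Execute the toy binary with every call to a target intercepted and checked
    against the model before the target runs. Returns (alerts, calls_made).
    With observe=True a flagged call is still allowed to proceed so that its
    behaviour can be recorded, the option the abstract mentions."""
    memory = dict(program)
    memory[FNPTR] = "log"           # benign default; "log" is not a monitored target
    stack, alerts, calls_made = [], [], []
    pc = CODE_BASE

    def intercept(site, target):
        """Dynamic check: did static analysis see `target` invoked from `site`?"""
        if target in TARGETS and site not in model[target]:
            alerts.append((site, target))
            return observe          # block the call unless we are observing
        return True

    while True:
        ins = memory[pc]
        op = ins[0]
        if op == "ret":
            if not stack:
                break
            pc = stack.pop()
        elif op == "read_input":
            for i, word in enumerate(user_input):   # overflow clobbers FNPTR and beyond
                memory[DATA_BASE + i] = word
            pc += 1
        elif op in ("call", "icall"):
            target = ins[1] if op == "call" else memory[ins[1]]
            if isinstance(target, int):             # control transfer to an address
                stack.append(pc + 1)                # (this is how injected code runs)
                pc = target
                continue
            if intercept(pc, target):
                calls_made.append((pc, target))
            pc += 1
        else:
            raise RuntimeError(f"unknown instruction at {pc:#x}: {ins!r}")
    return alerts, calls_made


def detect(user_input, observe=False):
    """Full pipeline: static model first, then monitored execution.
    Returns (malicious, alerts, calls_made)."""
    model, _unresolved = static_analysis(PROGRAM)
    alerts, calls_made = run(PROGRAM, model, user_input, observe)
    return bool(alerts), alerts, calls_made


if __name__ == "__main__":
    # Constructed inputs: benign, a pointer overwrite, and injected code in the buffer.
    benign = ["hello"]
    overwrite = ["A"] * BUF_WORDS + ["system"]
    injected = [("call", "system"), ("ret",), "pad", "pad", DATA_BASE]
    for name, data in [("benign", benign), ("overwrite", overwrite), ("injected", injected)]:
        malicious, alerts, calls = detect(data)
        print(f"{name:10s} malicious={malicious} alerts={alerts} calls={calls}")
```

Two things the toy makes visible. First, the check fires on the invocation location, not on the target alone: the call to `system` at 0x101 passes because the model lists it, while the same routine reached from the overwritten pointer at 0x102, or from injected code at 0x200, is flagged before it runs. Second, the indirect site at 0x102 is left unresolved by the static pass, so any monitored routine reached through it is treated as unmodeled; that is exactly the rule in the claims, but in a real deployment the static analysis has to resolve legitimate indirect call targets (or the model must carry the "other call-related information" the abstract allows) or such calls become false positives.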
74 Claims
1. A method for detecting malicious code comprising:
performing static analysis of an application prior to execution of the application identifying any invocations of at least one predetermined target routine;
determining, prior to executing said at least one predetermined target routine during execution of the application, whether a run time invocation of the at least one predetermined target routine has been identified by said static analysis as being invoked from a predetermined location in said application; and
if the run time invocation of the at least one predetermined target routine has not been identified from a predetermined location by said static analysis, determining that the application includes malicious code.
Dependent claims 2 to 35.
36. A method for detecting malicious code comprising:
determining, prior to executing at least one predetermined target routine during execution of the application, whether a run time invocation of the at least one predetermined target routine is identified by a model as being invoked from a predetermined location in said application, said model identifying locations within said application from which invocations of the at least one predetermined target routine occur; and
if the run time invocation of the at least one predetermined target routine has not been identified from a predetermined location by said model, determining that the application includes malicious code.
37. A method for detecting malicious code comprising:
obtaining static analysis information of an application identifying any invocations of at least one predetermined target routine;
determining, prior to executing said at least one predetermined target routine during execution of the application, whether a run time invocation of the at least one predetermined target routine has been identified by said static analysis information as being invoked from a predetermined location in said application; and
if the run time invocation of the at least one predetermined target routine has not been identified from a predetermined location by said static analysis information, determining that the application includes malicious code.
38. A computer program product that detects malicious code comprising:
executable code that performs static analysis of an application prior to execution of the application identifying any invocations of at least one predetermined target routine;
executable code that determines, prior to executing said at least one predetermined target routine during execution of the application, whether a run time invocation of the at least one predetermined target routine has been identified by said static analysis as being invoked from a predetermined location in said application; and
executable code that, if the run time invocation of the at least one predetermined target routine has not been identified from a predetermined location by said static analysis, determines that the application includes malicious code.
Dependent claims 39 to 72.
73. A computer program product that detects malicious code comprising:
executable code that determines, prior to executing at least one predetermined target routine during execution of the application, whether a run time invocation of the at least one predetermined target routine is identified by a model as being invoked from a predetermined location in said application, said model identifying locations within said application from which invocations of the at least one predetermined target routine occur; and
executable code that, if the run time invocation of the at least one predetermined target routine has not been identified from a predetermined location by said model, determines that the application includes malicious code.
74. A computer program product that detects malicious code comprising:
executable code that obtains static analysis information of an application identifying any invocations of at least one predetermined target routine;
executable code that determines, prior to executing said at least one predetermined target routine during execution of the application, whether a run time invocation of the at least one predetermined target routine has been identified by said static analysis information as being invoked from a predetermined location in said application; and
executable code that, if the run time invocation of the at least one predetermined target routine has not been identified from a predetermined location by said static analysis information, determines that the application includes malicious code.