Malware Modeling Detection System And Method for Mobile Platforms

US 20070240217A1
Filed: 04/06/2007
Published: 10/11/2007
Est. Priority Date: 04/06/2006
Status: Active Grant

First Claim

Patent Images

1. A method of developing a probability model for a plurality of malware, said method comprising:

extracting a feature set from a plurality of executables, said feature set comprising one or more feature elements;

heuristically training one or more rules using a plurality of predetermined malware-free and malware-infected executables, wherein said rules describe a malicious probability relationship of said feature elements in said feature set; and

,creating the probability model from said rules and said feature set.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for detecting malware by modeling the behavior of malware and comparing a suspect executable with the model. The system and method extracts feature elements from malware-infected applications, groups the feature elements into feature sets, and develops rules describing a malicious probability relationship between the feature elements. Using malware-free and malware-infected applications as training data, the system and method heuristically trains the rules and creates a probability model for identifying malware. To detect malware, the system and method scans the suspect executable for feature sets and applies the results to the probability model to determine the probability that the suspect executable is malware-infected.

Citations

40 Claims

1. A method of developing a probability model for a plurality of malware, said method comprising:
- extracting a feature set from a plurality of executables, said feature set comprising one or more feature elements;
  
  heuristically training one or more rules using a plurality of predetermined malware-free and malware-infected executables, wherein said rules describe a malicious probability relationship of said feature elements in said feature set; and
  
  ,creating the probability model from said rules and said feature set.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein said one or more rules are Bayesian rules.
  - 3. The method of claim 1, further comprising:
    - distributing the probability model for use in a mobile platform.
  - 4. The method of claim 3, wherein said distributing the probability model is performed using a device independent secure management protocol.
  - 5. The method of claim 1, further comprising:
    - receiving a new malware-infected executable;
      
      recalculating a new probability model using said new malware-infected executable as one of said plurality of predetermined malware-free and malware-infected executables; and
      
      ,distributing said new probability model for use in a mobile platform.
  - 6. The method of claim 1, wherein said feature elements are DLL imports, said plurality of executables is a plurality of executables from a family of malware, said extracting creates said feature set from a plurality of DLL imports from said plurality of executables from said family of malware, and wherein developing the probability model further comprises:
    - deriving said rules using said feature set, said rules comprising a plurality of weighting probabilities for said DLL imports in said feature set.
  - 7. The method of claim 6, further comprising:
    - eliminating from said feature set a subset of DLL imports associated with malware-free executables.
  - 8. The method of claim 1, wherein said feature elements are code instructions, said extracting creates said feature set from a plurality of code instructions from said plurality of executables, and wherein developing the probability model further comprises:
    - deriving said rules using said feature set, said rules comprising a plurality of weighting probabilities for said code instructions in said feature set.
  - 9. The method of claim 8, wherein said one or more rules are histograms describing an occurrence of each of said code instructions in each of said feature sets and wherein an index of each of said histograms is a set of code instructions and said data of each of said histograms is said occurrence of said code instructions.
  - 10. The method of claim 9 wherein said index of each of said histograms is a plurality of logically grouped categories of code instructions and said data of each of said histograms is said occurrence of said code instructions in said categories.
  - 11. The method of claim 8, wherein said code instructions are executable on an ARM processor.
  - 12. The method of claim 1, wherein said feature elements are one or more object code sections each associated with one or more potentially malicious activated functions, and wherein said extracting comprises:
    - extracting a plurality of object code sections from said plurality of executables;
      
      executing said plurality of object code sections on a test platform;
      
      monitoring said test platform for said potentially malicious activated functions; and
      
      ,creating said feature set from each said object code sections associated with said potentially malicious activated functions;
      
      and wherein developing the probability model further comprises;
      
      deriving a rule using said feature set, wherein said rule comprises a plurality of weighting probabilities for said object code sections in said feature set.

13. A method of detecting malware, comprising:
- selecting a probability model, each of said probability models comprising one or more rules and one or more feature sets, said feature sets each comprising a set of feature elements, and each of said rules describing a malicious probability relationships of said feature elements in one of said feature sets;
  
  scanning a target executable to determine a presence of one or more feature elements of a feature set to determine a set of present feature elements; and
  
  ,applying said present feature elements to said probability model to calculate a probability of malware in said target executable.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The method of claim 13, wherein each of said feature elements is selected from the group consisting of a DLL import, a code instruction, and an object code section.
  - 15. The method of claim 13, further comprising:
    - reporting said target executable to an operational support system if said probability of malware in said target executable exceeds a threshold reporting probability.
  - 16. The method of claim 15, wherein said threshold reporting probability is 90%.
  - 17. The method of claim 13, further comprising:
    - prompting a user to take an action regarding said target executable if said probability of malware in said target executable exceeds a threshold prompting probability.
  - 18. The method of claim 17 wherein said threshold prompting probability is 10%.
  - 19. The method of claim 13 further comprising:
    - receiving a new probability model.
  - 20. The method of claim 19 wherein said receiving is performed using a device independent secure management protocol.
  - 21. The method of claim 13, wherein the method executes on a mobile platform selected from a group consisting of:
    - a mobile telephone, a smart phone, a mobile computing device, a smart handheld device, and a network element.

22. A system for developing a probability model for a plurality of malware comprising:
- an extracting means for extracting a feature set from a plurality of executables, said feature set comprising one or more feature elements;
  
  a training means for heuristically training one or more rules using a plurality of predetermined malware-free and malware-infected executables, wherein said rules describe a malicious probability relationship of said feature elements in said feature set; and
  
  ,a modeling means for creating the probability model from said rules and said feature set.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 23. The system of claim 22, wherein said one or more rules are Bayesian rules.
  - 24. The system of claim 22, further comprising:
    - a distributing means for distributing the probability model for use in a mobile platform.
  - 25. The system of claim 24, wherein said distributing means is a device independent secure management protocol.
  - 26. The system of claim 22, further comprising:
    - a receiving means for receiving a new malware-infected executable, wherein said modeling means creates a new probability model using said new malware-infected executable as one of said plurality of predetermined malware-free and malware-infected executables; and
      
      ,a distributing means for distributing said new probability model for use in a mobile platform.
  - 27. The system of claim 22, wherein said feature elements are DLL imports, said plurality of executables is a plurality of executables from a family of malware, said extracting means creates said feature set from a plurality of DLL imports from said plurality of executables from said family of malware, and further comprising:
    - a deriving means for deriving said rules using said feature set, said rules comprising a plurality of weighting probabilities for said DLL imports in said feature set.
  - 28. The system of claim 27, further comprising:
    - an eliminating means for eliminating from said feature set a subset of DLL imports associated with malware-free executables.
  - 29. The system of claim 22, wherein said feature elements are code instructions, said extracting means creates said feature set from a plurality of code instructions from said plurality of executables, and further comprising:
    - a deriving means for deriving said rules using said feature set, said rules comprising a plurality of weighting probabilities for said code instructions in said feature set.
  - 30. The system of claim 29, wherein said one or more rules are histograms describing an occurrence of each of said code instructions in each of said feature sets and wherein an index of each of said histograms is a set of code instructions and said data of each of said histograms is said occurrence of said code instructions.
  - 31. The system of claim 30, wherein said index of each of said histograms is a plurality of logically grouped categories of code instructions and said data of each of said histograms is said occurrence of said code instructions in said categories.
  - 32. The system of claim 29, wherein said code instructions are ARM processor code instructions.
  - 33. The system of claim 22, wherein said feature elements are one or more object code sections each associated with one or more potentially malicious activated functions, and wherein said extracting means for creating said feature set extracts a plurality of object code sections from said plurality of executables and further comprises:
    - a test platform for executing said plurality of object code sections, and monitoring said potentially malicious activated functions, and wherein said feature set is created from each said object code section that activated one of said potentially malicious activated functions;
      
      and the system further comprising;
      
      a deriving means for deriving a rule using said feature set, wherein said rule comprises a plurality of weighting probabilities for said object code sections in said feature set.

34. A system for detecting malware, comprising:
- one or more probability models, each of said probability models comprising one or more rules and one or more feature sets, said feature sets each comprising a set of feature elements, and each of said rules describing a malicious probability relationships of said feature elements in one of said feature sets;
  
  a selecting means for selected a probability model from said one or more probability models;
  
  a scanning means for scanning a target executable to determine a presence of one or more feature elements of a feature set associated with said probability model to determine a set of present feature elements; and
  
  ,a computing means for applying said present feature elements to said probability model to calculate a probability of malware in said target executable.
- View Dependent Claims (35, 36, 37, 38, 39, 40)
- - 35. The system of claim 34, wherein each of said feature elements is selected from the group consisting of a DLL import, a code instruction, and an object code section.
  - 36. The system of claim 34, further comprising:
    - a reporting means for reporting said target executable to an operational support system if said probability of malware in said target executable exceeds a threshold reporting probability.
  - 37. The system of claim 34, further comprising:
    - a prompting means for prompting a user to take an action regarding said target executable if said probability of malware in said target executable exceeds a threshold prompting probability.
  - 38. The system of claim 34, further comprising:
    - a receiving means for receiving a new probability model.
  - 39. The system of claim 34, wherein said system resides on a mobile platform, said mobile platform selected from a group consisting of:
    - a mobile telephone, a smart phone, a mobile computing device, a smart handheld device, and a network element.
  - 40. The system of claim 34, wherein said system resides on a mobile platform, said mobile platform comprising an ARM processor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Juniper Networks Incorporated
Inventors
Tuvell, George, Venugopal, Deepak, Hu, Guoning

Granted Patent

US 8,321,941 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 16/245   Query processing

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04W 12/10   Integrity

H04W 12/12   Detection or prevention of ...

H04W 12/128   Anti-malware arrangements, ...

Malware Modeling Detection System And Method for Mobile Platforms

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Malware Modeling Detection System And Method for Mobile Platforms

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links