Method and Apparatus for Modeling Computer Program Behaviour for Behavioural Detection of Malicious Program

US 20090019546A1
Filed: 04/18/2008
Published: 01/15/2009
Est. Priority Date: 07/10/2007
Status: Active Grant

First Claim

Patent Images

1. A method of modeling a behavior of a computer program that is executed in a computer system, the method comprising:

collecting system use information about resources of the computer system that the computer program uses;

extracting a behavior signature of the computer program from the collected system use information; and

encoding the extracted behavior signature to generate a behavior vector.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for modeling a behavior of a computer program that is executed in a computer system is described. The method and apparatus for modeling a behavior of a computer program may be used to detect a malicious program based on the behavior of the computer program. A method includes collecting system use information about resources of the computer system the computer program uses; extracting a behavior signature of the computer program from the collected system use information; and encoding the extracted behavior signature to generate a behavior vector. As a result, behaviors of a particular computer program may be modeled to enable a malicious program detection program and to determine whether the computer program is either normal or malicious.

58 Citations

View as Search Results

29 Claims

1. A method of modeling a behavior of a computer program that is executed in a computer system, the method comprising:
- collecting system use information about resources of the computer system that the computer program uses;
  
  extracting a behavior signature of the computer program from the collected system use information; and
  
  encoding the extracted behavior signature to generate a behavior vector.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein collecting the system use information includes collecting information about an interface function provided by the computer system that is called by the computer program.
  - 3. The method of claim 1, wherein collecting the system use information includes collecting event generation information of the computer system associated with the computer program.
  - 4. The method of claim 1, wherein the collecting of the system use information includes collecting a plurality of system use information at different times, andextracting the behavior signature includes generating a plurality of operational functions about the computer program based on a correlation between the plurality of collected system use information.
  - 5. The method of claim 4, wherein extracting the behavior signature includes extracting an execution frequency of each of the extracted operational functions.
  - 6. The method of claim 4, wherein extracting the behavior signature includes extracting a temporal precedence relation between the plurality of operational functions.
  - 7. The method of claim 4, wherein encoding the extracted behavior signature to generate the behavior vector includes encoding a plurality of elements that corresponds to the plurality of operational functions, and storing the execution frequency of each corresponding operational function in each of the elements.
  - 8. The method of claim 4, wherein encoding the extracted behavior signature to generate the behavior vector includes encoding a plurality of elements that respectively corresponds to combinations of two random operational functions among the plurality of operational functions, and storing a temporal precedence relation between the two operational functions in each of the elements.
  - 9. The method of claim 8, wherein encoding the plurality of elements includes encoding a binary value for each of the elements.
  - 10. The method of claim 1, wherein encoding includes encoding a similarity between a first behavior signature and a second behavior signature that is inversely proportional to a distance between a first behavior vector corresponding to the first behavior signature and a second behavior vector corresponding to the second behavior signature.
  - 11. The method of claim 1 further comprising:
    - using the generated behavior vector to detect a malicious program.
  - 12. The method of claim 1 further comprising using the generated behavior vector to detect an unknown variant of a known malicious program.
  - 13. The method of claim 1 further comprising:
    - comparing the generated behavior vector to a behavior vector of a known malicious program; and
      
      determining whether the computer program is a malicious program based on the comparison.

14. An apparatus to model a behavior of a computer program that is executed in a computer system, the apparatus comprising:
- a collector to collect system use information about resources of the computer system the computer program uses;
  
  an extractor to extract a behavior signature of the computer program from the collected system use information; and
  
  an encoder to encode the extracted behavior signature to generate a behavior vector.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 15. The apparatus of claim 14, wherein the system use information includes information about an interface function provided by the computer system that is called by the computer program.
  - 16. The apparatus of claim 14, wherein the system use information includes event generation information of the computer system associated with the computer program.
  - 17. The apparatus of claim 14, wherein the collector collects a plurality of system use information at different times, and the extractor generates a plurality of operational functions about the computer program based on a correlation between the plurality of collected system use information.
  - 18. The apparatus of claim 17, wherein the extractor extracts an execution frequency of each of the extracted operational functions as the behavior signature.
  - 19. The apparatus of claim 17, wherein the extractor extracts a temporal precedence relation between the plurality of operational functions as the behavior signature.
  - 20. The apparatus of claim 17, wherein the behavior vector includes a plurality of elements that corresponds to the plurality of operational functions respectively, and each of the elements stores the execution frequency of each corresponding operational function.
  - 21. The apparatus of claim 17, wherein the behavior vector includes a plurality of elements that respectively corresponds to combinations of two random operational functions among the plurality of operational functions, and each of the elements stores a temporal precedence relation between the two operational functions.
  - 22. The apparatus of claim 21, wherein each of the elements has a binary value.
  - 23. The apparatus of claim 14, wherein the encoder encodes a similarity between a first behavior signature and a second behavior signature that is inversely proportional to a distance between a first behavior vector corresponding to the first behavior signature and a second behavior vector corresponding to the second behavior signature.
  - 24. The apparatus of claim 14 wherein the generated behavior vector is used to detect a malicious program.
  - 25. The apparatus of claim 14 wherein the generated behavior vector is used to detect an unknown variant of a known malicious program.
  - 26. The apparatus of claim 14 wherein the generated behavior vector is compared to a behavior vector of a known malicious program to determine whether the computer program is a malicious program.
  - 27. The apparatus of claim 14 wherein the apparatus is a mobile computing device.

28. A computer-readable recording medium storing a program for implementing a method of modeling a behavior of a computer program that is executed in a computer system, the program including instructions to cause a computer to:
- collect system use information about resources of the computer system the computer program uses;
  
  extract a behavior signature of the computer program from the collected system use information; and
  
  encode the extracted behavior signature to generate a behavior vector.

29. A computer-readable recording medium storing data for access by a computer program being executed by a computer system, the data comprising:
- a data frame stored in the computer medium, the data frame including;
  
  a frequency storage region to store an execution frequency of a plurality of operational functions with respect to the computer program; and
  
  a precedence relation storage region which stores a temporal relation between the plurality of operational functionsgenerated based on a correlation between a plurality of system use information about resources of the computer system that the computer program uses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung Electronics Co. Ltd., Board of Regents of the University of Michigan (University of Michigan)
Original Assignee
Samsung Electronics Co. Ltd., Board of Regents of the University of Michigan (University of Michigan)
Inventors
Bose, Abhijit, SHIN, Kang Guen, Hu, Xin, Park, Taejoon

Granted Patent

US 8,713,680 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/57   Certifying or maintaining t...

Method and Apparatus for Modeling Computer Program Behaviour for Behavioural Detection of Malicious Program

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

58 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Apparatus for Modeling Computer Program Behaviour for Behavioural Detection of Malicious Program

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links