SYSTEM AND METHOD FOR DETECTING MULTI-COMPONENT MALWARE
First Claim
1. A computer-implemented method for detecting malicious behavior of a computer program, comprising:
emulating at least a part of a computer system in an isolated computer environment;
emulating execution of the computer program in the isolated computer environment, including emulating execution of a first process and a second process of the computer program;
monitoring events being generated by the first process and the second process; and
determining, substantially in real time, based on at least one or more events generated by the first process and one or more events generated by the second process, whether or not the computer program exhibits malicious behavior.
Abstract
Malicious behavior of a computer program is detected using an emulation engine, an event detector and an event analyzer. The emulation engine includes a system emulator configured to emulate, in an isolated computer environment, at least a part of a computer system, and a program emulator configured to emulate, in the isolated computer environment, execution of the computer program, including execution of a plurality of executable components of the computer program, such as processes and threads. The event detector is configured to monitor events being generated by two or more of the executable components. The event analyzer is configured to determine, substantially in real time, based at least on one or more events generated by each of two or more of the plurality of executable components, whether or not the computer program exhibits malicious behavior, even where one or more of those executable components, taken individually, exhibits only benign behavior.
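The correlation step the abstract and the independent claims describe, an event analyzer that keeps state for the whole emulated program and fires only when events from different processes complete a pattern, as an added Python illustration. This is not code from the patent or its assignee; the event schema, the two rules (a dropped file later registered under a Run key, or later executed, by a process other than the one that wrote it) and the sandbox trace are constructed for the example.

```python
"""Cross-process event correlation in the style of the event analyzer the
abstract describes: events from several emulated processes of one program
arrive in order, per-program state is kept, and a verdict is issued as soon
as the event completing a multi-process pattern arrives. Added illustration;
the event schema, the two rules and the trace are constructed, not from the patent."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    seq: int    # arrival order in the emulated trace
    pid: int    # emulated process that generated the event
    kind: str   # file_write | registry_set | process_create | net_connect
    data: dict  # kind-specific fields (hypothetical schema)

@dataclass(frozen=True)
class Verdict:
    rule: str
    fired_at: int    # seq of the event that completed the pattern
    pids: tuple      # distinct processes that contributed, sorted
    evidence: tuple  # seqs of the contributing events, sorted

RUN_KEY = "\\currentversion\\run\\"   # autostart key fragment (assumed)

def norm(text: str) -> str:
    """Case-fold and drop surrounding quotes so paths compare loosely."""
    return text.strip().strip('"').lower()

def references(ev: Event):
    """Yield (rule, text) for events that can complete a pattern: the text
    (registry value or command line) in which a dropped path may appear."""
    if ev.kind == "registry_set" and RUN_KEY in ev.data["key"].lower():
        yield "drop-and-persist", ev.data["value"]
    elif ev.kind == "process_create":
        yield "drop-and-execute", ev.data["cmdline"]

class MultiProcessAnalyzer:
    """State for one emulated program across all of its processes. Handles
    both orders: a write followed by a reference, and a reference to a path
    that is only written afterwards."""

    def __init__(self):
        self.written = {}   # normalised path -> (pid, seq) of the writer
        self.pending = []   # (rule, pid, seq, text) references seen so far
        self.verdicts = []

    def feed(self, ev: Event):
        """Consume one event; return the verdicts it completed, if any."""
        fired = []
        if ev.kind == "file_write":
            path = norm(ev.data["path"])
            self.written[path] = (ev.pid, ev.seq)
            for rule, pid, seq, text in self.pending:      # late write
                if path in norm(text):
                    fired.append(self._verdict(rule, (ev.pid, ev.seq), (pid, seq), ev.seq))
        for rule, text in references(ev):
            self.pending.append((rule, ev.pid, ev.seq, text))
            for path, writer in self.written.items():      # earlier write
                if path in norm(text):
                    fired.append(self._verdict(rule, writer, (ev.pid, ev.seq), ev.seq))
        self.verdicts.extend(fired)
        return fired

    @staticmethod
    def _verdict(rule, writer, referrer, fired_at):
        pids = tuple(sorted({writer[0], referrer[0]}))
        return Verdict(rule, fired_at, pids, tuple(sorted((writer[1], referrer[1]))))

def analyze(events):
    """Whole-program analysis: every process feeds the same analyzer."""
    analyzer = MultiProcessAnalyzer()
    for ev in events:
        analyzer.feed(ev)
    return analyzer.verdicts

def analyze_per_process(events):
    """What a monitor without cross-process state would see: each pid's
    events go through a fresh analyzer in isolation."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)
    return {pid: analyze(evs) for pid, evs in by_pid.items()}

# Constructed sandbox trace of one program: the installer (pid 100) spawns a
# helper (pid 200) and drops a DLL; the helper registers the DLL for autostart
# and launches it (pid 300). No single process both writes the DLL and uses it.
TRACE = [
    Event(1, 100, "process_create", {"cmdline": "helper.exe --stage2", "child": 200}),
    Event(2, 100, "file_write", {"path": r"C:\Users\Public\svc.dll"}),
    Event(3, 200, "registry_set", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
                                   "value": r'rundll32.exe "C:\Users\Public\svc.dll",Start'}),
    Event(4, 200, "process_create", {"cmdline": r"rundll32.exe C:\Users\Public\svc.dll,Start", "child": 300}),
    Event(5, 300, "net_connect", {"dst": "203.0.113.5:443"}),
]

if __name__ == "__main__":
    for v in analyze(TRACE):
        print(f"seq {v.fired_at}: {v.rule} pids={v.pids} evidence={v.evidence}")
    print({pid: len(vs) for pid, vs in analyze_per_process(TRACE).items()})
```

Run as a script, the whole-program pass reports drop-and-persist at seq 3 and drop-and-execute at seq 4, each attributing pids 100 and 200, while the per-process pass reports nothing for any pid: the file write alone and the Run-key write alone are each ordinary, which is the situation the abstract's last clause addresses. Verdicts are emitted from the event that completes the pattern rather than after the trace ends, so the emulation can be stopped early. The substring match on command lines and registry values is a simplification; a production analyzer would canonicalise paths (8.3 names, environment variables, symbolic links) before comparing, and would also track which processes belong to the program under test rather than trusting the pid alone.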
298 Citations
20 Claims
1. A computer-implemented method for detecting malicious behavior of a computer program, comprising:
emulating at least a part of a computer system in an isolated computer environment;
emulating execution of the computer program in the isolated computer environment, including emulating execution of a first process and a second process of the computer program;
monitoring events being generated by the first process and the second process; and
determining, substantially in real time, based on at least one or more events generated by the first process and one or more events generated by the second process, whether or not the computer program exhibits malicious behavior.
Dependent claims: 2, 3, 4, 5, 6, 7.

8. A system for detecting malicious behavior of a computer program, the system comprising:
a system memory; and
a processor configured to:
emulate, in an isolated computer environment of the system memory, at least a part of a computer system;
emulate, in the isolated computer environment of the system memory, execution of the computer program, including execution of a first process and a second process of the computer program;
monitor events being generated by the first process and the second process; and
determine, substantially in real time, based at least on one or more events generated by the first process and one or more events generated by the second process, whether or not the computer program exhibits malicious behavior.
Dependent claims: 9, 10, 11, 12, 13, 14.

15. A computer-readable medium comprising computer-executable instructions for detecting malicious behavior of a computer program, the computer-executable instructions including:
instructions for emulating, in an isolated computer environment, at least a part of a computer system;
instructions for emulating execution of the computer program in the isolated computer environment, including instructions for emulating execution of a first process and a second process of the computer program;
instructions for monitoring events being generated by the first process and the second process; and
instructions for determining, substantially in real time, based on at least one or more events generated by the first process and one or more events generated by the second process, whether or not the computer program exhibits malicious behavior.
Dependent claims: 16, 17, 18, 19, 20.
Specification