SYSTEM AND METHOD FOR DETECTING MULTI-COMPONENT MALWARE
Abstract
Malicious behavior of a computer program is detected using an emulation engine, an event detector and an event analyzer. The emulation engine includes a system emulator configured to emulate, in an isolated computer environment, at least a part of a computer system and a program emulator configured to emulate in the isolated computer environment execution of the computer program, including execution of a plurality of executable components of the computer program, such as execution processes and threads. The event detector is configured to monitor events being generated by two or more of the executable components. The event analyzer is configured to determine, substantially in real time, based at least on one or more events generated by each of two or more of the plurality of executable components whether or not the computer program exhibits malicious behavior, wherein individually one or more of the plurality of executable components may exhibit benign behavior.
23 Claims
1. A computer-implemented method for detecting malicious program behavior, comprising:
emulating at least a part of a computer system in an isolated computer environment;
emulating execution of the computer program in the isolated computer environment, including emulating execution of one or more remote threads of the computer program;
detecting events being generated by the one or more remote threads of the emulated computer program;
determining, substantially in real time, whether each detected event is associated with malicious program behaviors;
storing in a data structure each detected event associated with the malicious program behaviors;
periodically comparing a totality of events stored in the data structure for the emulated computer program with one or more event patterns associated with the malicious program behaviors; and
terminating emulation of the computer program if, based on the comparison, the totality of events stored in the data structure for the emulated computer program corresponds to one of the event patterns associated with the malicious program behaviors.
Dependent claims: 2, 3, 5, 6, 19, 20
4. (canceled)
7. A system for detecting malicious program behavior, comprising:
a system memory; and
a processor configured to:
emulate in an isolated computer environment of the system memory at least a part of a computer system;
emulate in the isolated computer environment execution of the computer program, including execution of one or more remote threads of the computer program;
detect events being generated by the one or more remote threads of the emulated computer program;
determine, substantially in real time, whether each detected event is associated with malicious program behaviors;
store in a data structure each detected event associated with the malicious program behaviors;
periodically compare a totality of events stored in the data structure for the emulated computer program with one or more event patterns associated with the malicious program behaviors; and
terminate emulation of the computer program if, based on the comparison, the totality of events stored in the data structure for the emulated computer program corresponds to one of the event patterns associated with the malicious program behaviors.
Dependent claims: 8, 9, 11, 12, 21, 22
10. (canceled)
13. A computer-readable medium comprising computer-executable instructions for detecting malicious program behavior, the computer-executable instructions including:
instructions for emulating in an isolated computer environment at least a part of a computer system;
instructions for emulating execution of the computer program in the isolated computer environment, including instructions for emulating execution of one or more remote threads of the computer program;
instructions for detecting events being generated by the one or more remote threads of the emulated computer program;
instructions for determining, substantially in real time, whether each detected event is associated with malicious program behaviors;
instructions for storing in a data structure each detected event associated with the malicious program behaviors;
instructions for periodically comparing a totality of events stored in the data structure for the emulated computer program with one or more event patterns associated with the malicious program behaviors; and
instructions for terminating emulation of the computer program if, based on the comparison, the totality of events stored in the data structure for the emulated computer program corresponds to one of the event patterns associated with the malicious program behaviors.
Dependent claims: 14, 15, 17, 18, 23
16. (canceled)
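The event analyzer that the abstract and claims 1, 7 and 13 describe, as an added Python simulation that is not the patent's own code: each event from an emulated component (thread or process) passes a real-time per-event check, suspicious events are stored per program, and the stored totality is compared periodically against event patterns, terminating emulation on a match. The pattern names, event type names and the sample trace are constructed for illustration; match_per_component shows why a monitor that judges each component alone would see nothing.

```python
from collections import defaultdict

# Constructed patterns (illustrative, not from the patent): event types that together
# indicate malicious behaviour even though each one is benign on its own.
MALICIOUS_PATTERNS = {
    "dropper_and_injector": frozenset({"write_executable", "create_remote_thread", "connect_out"}),
    "persistence_and_beacon": frozenset({"set_autorun_key", "connect_out"}),
}
# Event types worth storing at all (the per-event, real-time check in the claims).
SUSPICIOUS_EVENT_TYPES = frozenset().union(*MALICIOUS_PATTERNS.values())

class EventAnalyzer:
    """Per-program store of suspicious events keyed by emulated component (thread/process)."""
    def __init__(self, patterns=MALICIOUS_PATTERNS, check_every=4):
        self.patterns = patterns
        self.check_every = check_every   # how often the stored totality is compared
        self.events = defaultdict(set)   # component_id -> {event_type, ...}
        self.seen = 0

    def on_event(self, component_id, event_type):
        """Store the event if suspicious; return a pattern name when emulation should stop."""
        self.seen += 1
        if event_type in SUSPICIOUS_EVENT_TYPES:
            self.events[component_id].add(event_type)
        if self.seen % self.check_every == 0:   # periodic comparison of the totality
            return self.match_totality()
        return None

    def match_totality(self):
        """Compare the union of events across all components against every pattern."""
        totality = set().union(*self.events.values())
        return next((n for n, p in self.patterns.items() if p <= totality), None)

    def match_per_component(self):
        """What a single-component monitor would see: each component's events alone."""
        return {cid: n for cid, evs in self.events.items()
                for n, p in self.patterns.items() if p <= evs}

def run_trace(trace, check_every=4):
    """Feed (component_id, event_type) pairs; return (verdict, events_consumed, per_component)."""
    analyzer = EventAnalyzer(check_every=check_every)
    for i, (cid, ev) in enumerate(trace, 1):
        verdict = analyzer.on_event(cid, ev)
        if verdict:
            return verdict, i, analyzer.match_per_component()   # terminate emulation early
    return None, len(trace), analyzer.match_per_component()

# Constructed trace: three components, each benign on its own, malicious together.
SAMPLE_TRACE = [("main", "read_config"), ("main", "write_executable"), ("thread-2", "sleep"),
                ("thread-2", "create_remote_thread"), ("thread-3", "read_config"),
                ("thread-3", "connect_out"), ("main", "sleep"), ("main", "sleep")]
```

Shortening check_every makes the termination earlier but costs a comparison per interval; with the sample trace the match is found at the eighth event with the default and at the sixth with check_every=2, while no single component ever matches a pattern by itself.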