SYSTEM AND METHOD FOR THE DETECTION OF MALWARE

US 20100058474A1
Filed: 08/28/2009
Published: 03/04/2010
Est. Priority Date: 08/29/2008
Status: Abandoned Application

First Claim

Patent Images

1. A method of automatically identifying malware, the method comprising:

receiving, by an expert system knowledge base, an assembly language sequence from a binary file;

identifying an instruction sequence from the received assembly language sequence;

classifying, by the expert system knowledge base, the instruction sequence as threatening, non-threatening or non-classifiable by applying one or more rules of the expert system knowledge base to the instruction sequence;

if the instruction sequence is classified as threatening, transmitting information to a code analysis component, wherein the information comprises one or more of the following;

the instruction sequence,a label comprising an indication that the instruction sequence is threatening, anda request that one or more other assembly language sequences from the binary file be searched for at least a portion of the instruction sequence; and

notifying a user that the binary file includes malware.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of automatically identifying malware may include receiving, by an expert system knowledge base, an assembly language sequence from a binary file, identifying an instruction sequence from the received assembly language sequence, and classifying, by the expert system knowledge base, the instruction sequence as threatening, non-threatening or non-classifiable by applying one or more rules of the expert system knowledge base to the instruction sequence. If the instruction sequence is classified as threatening, information may be transmitted to a code analysis component and a user may be notified that the binary file includes malware. The information may include one or more of the following: the instruction sequence, a label comprising an indication that the instruction sequence is threatening, and a request that one or more other assembly language sequences from the binary file be searched for at least a portion of the instruction sequence.

Citations

22 Claims

1. A method of automatically identifying malware, the method comprising:
- receiving, by an expert system knowledge base, an assembly language sequence from a binary file;
  
  identifying an instruction sequence from the received assembly language sequence;
  
  classifying, by the expert system knowledge base, the instruction sequence as threatening, non-threatening or non-classifiable by applying one or more rules of the expert system knowledge base to the instruction sequence;
  
  if the instruction sequence is classified as threatening, transmitting information to a code analysis component, wherein the information comprises one or more of the following;
  
  the instruction sequence,a label comprising an indication that the instruction sequence is threatening, anda request that one or more other assembly language sequences from the binary file be searched for at least a portion of the instruction sequence; and
  
  notifying a user that the binary file includes malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein applying one or more rules comprises applying one or more rules written in C Language Integrated Production System language.
  - 3. The method of claim 1, wherein classifying the instruction sequence comprises one or more of the following:
    - applying one or more rules to the instruction sequence to determine whether a binary file structure of the binary file is proper;
      
      applying one or more worm defining operations to determine whether the instruction sequence comprises one or more instructions that replicate the assembly language sequence;
      
      applying one or more Trojan Horse defining operations to determine whether the instruction sequence comprises one or more instructions associated with one or more Trojan Horses; and
      
      applying one or more virus defining operations to determine whether the instruction sequence comprises one or more self-replicating instructions.
  - 4. The method of claim 1, wherein applying one or more rules comprises:
    - applying a set of precedential rules to the instruction sequence, wherein the set of precedential rules comprises a plurality of precedential rules, wherein each precedential rule is associated with a precedence with respect to the other precedential rules in the set.
  - 5. The method of claim 4, wherein applying a set of precedential rules comprises applying the precedential rules to the instruction sequence, in order of precedence, until the instruction sequence is classified or each precedential rule has been applied.
  - 6. The method of claim 4, wherein applying a set of precedential rules comprises ranking the precedential rules by giving precedence to rules having a higher number of matches to the instruction sequence.
  - 7. The method of claim 1, wherein classifying the instruction sequence comprises classifying the instruction sequence as threatening if the instruction sequence is unable to be traversed from start to finish.
  - 8. The method of claim 1, wherein classifying the instructions sequence comprises, for each node in the instruction sequence:
    - traversing the node;
      
      determining whether the node has previously been traversed; and
      
      if so, classifying the instruction sequence as threatening.
  - 9. The method of claim 1, wherein classifying the instruction sequence comprises classifying the instruction sequence as threatening if it includes one or more of the following:
    - encryption routines;
      
      decryption routines; and
      
      one or more instructions for replicating at least a portion of the instruction sequence.

10. A method of automatically identifying malware, the method comprising:
- receiving, by an expert system knowledge base, an assembly language sequence from a binary file;
  
  identifying an instruction sequence from the received assembly language sequence;
  
  classifying, by the expert system knowledge base, the instruction sequence as threatening, non-threatening or non-classifiable by applying one or more rules of the expert system knowledge base to the instruction sequence;
  
  if the instruction sequence is classified as non-threatening, transmitting information to a code analysis component, wherein the information comprises one or more of the following;
  
  the instruction sequence, anda label comprising an indication that the instruction sequence is non-threatening; and
  
  requesting a second instruction sequence.
- View Dependent Claims (11)
- - 11. The method of claim 10, wherein classifying the instruction sequence comprises classifying the instruction sequence as non-threatening if the expert system traverses the instruction sequence in its entirety.

12. A method of automatically identifying malware, the method comprising:
- receiving, by an expert system knowledge base, an assembly language sequence from a binary file;
  
  identifying an instruction sequence from the received assembly-language sequence;
  
  classifying, by the expert system knowledge base, the instruction sequence as threatening, non-threatening or non-classifiable by applying one or more rules of the expert system to the instruction sequence; and
  
  if the instruction sequence is classified as non-classifiable;
  
  transmitting a request to a code analysis component that the assembly language sequence be reanalyzed,receiving a new instruction sequence corresponding to the reanalyzed assembly language sequence, andclassifying the new instruction sequence as threatening, non-threatening or non-classifiable.

13. A method of automatically identifying malware, the method comprising:
- analyzing, by a code analysis component, a binary file to generate an assembly language sequence and a corresponding instruction sequence;
  
  transmitting the instruction sequence to an expert system knowledge base;
  
  receiving, from the expert system knowledge base, classification information associated with the instruction sequence;
  
  if the classification information identifies the instruction sequence as threatening;
  
  identifying one or more other assembly language sequences from the binary file that comprise at least a portion of the instruction sequence, andtransmitting at least one of the identified assembly language sequences to the expert system knowledge base;
  
  if the classification information identifies the instruction sequence as non-threatening, transmitting a second instruction sequence to the expert system knowledge base; and
  
  if the classification information identifies the instruction sequence as non-classifiable;
  
  reanalyzing the assembly language sequence to produce a new instruction sequence, andtransmitting the new instruction sequence to the expert system knowledge base.
- View Dependent Claims (14, 18, 19, 20, 21, 22)
- - 14. The method of claim 13, wherein analyzing a binary file comprises one or more of statically analyzing the binary file and dynamically analyzing the binary file.
  - 18. The system of claim 14, wherein the expert system knowledge base is populated with one or more of the following:
    - C Language Integrated Production System rules;
      
      binary file structures;
      
      worm defining operations;
      
      Trojan Horse defining operations; and
      
      virus defining operations.
  - 19. The system of claim 14, wherein the expert system knowledge base is configured to classify the instruction sequence by one or more of the following:
    - applying one or more rules to the instruction sequence to determine whether a binary file structure of the binary file is proper;
      
      applying one or more worm defining operations to determine whether the instruction sequence comprises one or more instructions that replicate the assembly language sequence;
      
      applying one or more Trojan Horse defining operations to determine whether the instruction sequence comprises one or more instructions associated with one or more Trojan Horses; and
      
      applying one or more virus defining operations to determine whether the instruction sequence comprises one or more self-replicating instructions.
  - 20. The system of claim 14, wherein the expert system knowledge base is configured to apply a set of precedential rules to the instruction sequence, wherein the set of precedential rules comprises a plurality of precedential rules, wherein each precedential rule is associated with a precedence with respect to the other precedential rules in the set.
  - 21. The system of claim 20, wherein the expert system knowledge base is further configured to apply the precedential rules to the instruction sequence, in order of precedence, until the instruction sequence is classified or each precedential rule has been applied.
  - 22. The system of claim 20, wherein the expert system knowledge base is further configured to rank the precedential rules by giving precedence to rules having a higher number of matches to the instruction sequence.

15. A system for automatically identifying malware, the system comprising:
- a code analysis component configured to identify an assembly language sequence from a binary file, wherein the assembly language sequence comprises one or more instruction sequences; and
  
  an expert system knowledge base in communication with the code analysis component, wherein the expert system knowledge base is configured to classify the instruction sequence as threatening, non-threatening or non-classifiable using one or more rules.
- View Dependent Claims (16, 17)
- - 16. The system of claim 15, further comprising a connector logic component in communication with the code analysis component and the expert system knowledge base, wherein the connector logic component is configured to enable communication between the code analysis component and the expert system knowledge base.
  - 17. The system of claim 16, wherein the connector logic component is configured to perform one or more of the following:
    - convert the instruction sequence into a format that the expert system knowledge base can process; and
      
      convert information received from the expert system knowledge base into a format that the code analysis component can process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avast Software BV (Gen Digital Inc.)
Original Assignee
AVG Technologies CZ, sro (Gen Digital Inc.)
Inventors
Hicks, Ryan

Application Number

US12/550,025
Publication Number

US 20100058474A1
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/563 by source code analysis

G06N 5/02 Knowledge representation; S...

SYSTEM AND METHOD FOR THE DETECTION OF MALWARE

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR THE DETECTION OF MALWARE

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links