SYSTEM AND METHOD FOR THE DETECTION OF MALWARE
First Claim
1. A method of automatically identifying malware, the method comprising:
receiving, by an expert system knowledge base, an assembly language sequence from a binary file;
identifying an instruction sequence from the received assembly language sequence;
classifying, by the expert system knowledge base, the instruction sequence as threatening, non-threatening or non-classifiable by applying one or more rules of the expert system knowledge base to the instruction sequence;
if the instruction sequence is classified as threatening, transmitting information to a code analysis component, wherein the information comprises one or more of the following: the instruction sequence, a label comprising an indication that the instruction sequence is threatening, and a request that one or more other assembly language sequences from the binary file be searched for at least a portion of the instruction sequence; and
notifying a user that the binary file includes malware.
Abstract
A method of automatically identifying malware may include receiving, by an expert system knowledge base, an assembly language sequence from a binary file, identifying an instruction sequence from the received assembly language sequence, and classifying, by the expert system knowledge base, the instruction sequence as threatening, non-threatening or non-classifiable by applying one or more rules of the expert system knowledge base to the instruction sequence. If the instruction sequence is classified as threatening, information may be transmitted to a code analysis component and a user may be notified that the binary file includes malware. The information may include one or more of the following: the instruction sequence, a label comprising an indication that the instruction sequence is threatening, and a request that one or more other assembly language sequences from the binary file be searched for at least a portion of the instruction sequence.
22 Claims
1. A method of automatically identifying malware, the method comprising:
receiving, by an expert system knowledge base, an assembly language sequence from a binary file;
identifying an instruction sequence from the received assembly language sequence;
classifying, by the expert system knowledge base, the instruction sequence as threatening, non-threatening or non-classifiable by applying one or more rules of the expert system knowledge base to the instruction sequence;
if the instruction sequence is classified as threatening, transmitting information to a code analysis component, wherein the information comprises one or more of the following: the instruction sequence, a label comprising an indication that the instruction sequence is threatening, and a request that one or more other assembly language sequences from the binary file be searched for at least a portion of the instruction sequence; and
notifying a user that the binary file includes malware.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A method of automatically identifying malware, the method comprising:
receiving, by an expert system knowledge base, an assembly language sequence from a binary file;
identifying an instruction sequence from the received assembly language sequence;
classifying, by the expert system knowledge base, the instruction sequence as threatening, non-threatening or non-classifiable by applying one or more rules of the expert system knowledge base to the instruction sequence;
if the instruction sequence is classified as non-threatening, transmitting information to a code analysis component, wherein the information comprises one or more of the following: the instruction sequence, and a label comprising an indication that the instruction sequence is non-threatening; and
requesting a second instruction sequence.
Dependent claims: 11.
12. A method of automatically identifying malware, the method comprising:
receiving, by an expert system knowledge base, an assembly language sequence from a binary file;
identifying an instruction sequence from the received assembly language sequence;
classifying, by the expert system knowledge base, the instruction sequence as threatening, non-threatening or non-classifiable by applying one or more rules of the expert system to the instruction sequence; and
if the instruction sequence is classified as non-classifiable: transmitting a request to a code analysis component that the assembly language sequence be reanalyzed, receiving a new instruction sequence corresponding to the reanalyzed assembly language sequence, and classifying the new instruction sequence as threatening, non-threatening or non-classifiable.
13. A method of automatically identifying malware, the method comprising:
analyzing, by a code analysis component, a binary file to generate an assembly language sequence and a corresponding instruction sequence;
transmitting the instruction sequence to an expert system knowledge base;
receiving, from the expert system knowledge base, classification information associated with the instruction sequence;
if the classification information identifies the instruction sequence as threatening: identifying one or more other assembly language sequences from the binary file that comprise at least a portion of the instruction sequence, and transmitting at least one of the identified assembly language sequences to the expert system knowledge base;
if the classification information identifies the instruction sequence as non-threatening, transmitting a second instruction sequence to the expert system knowledge base; and
if the classification information identifies the instruction sequence as non-classifiable: reanalyzing the assembly language sequence to produce a new instruction sequence, and transmitting the new instruction sequence to the expert system knowledge base.
Dependent claims: 14, 18, 19, 20, 21, 22.
15. A system for automatically identifying malware, the system comprising:
a code analysis component configured to identify an assembly language sequence from a binary file, wherein the assembly language sequence comprises one or more instruction sequences; and
an expert system knowledge base in communication with the code analysis component, wherein the expert system knowledge base is configured to classify the instruction sequence as threatening, non-threatening or non-classifiable using one or more rules.
Dependent claims: 16, 17.
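The three-way classification loop that claims 1, 10, 12, 13 and 15 describe, as an added Python example; this is not code from the patent or from any product practising it. The expert system knowledge base applies ordered-pattern rules to an instruction sequence, and the code analysis component answers the three possible verdicts: for threatening, it searches the binary's other assembly windows for a portion of the matched sequence and the user is notified; for non-threatening, the next sequence is requested; for non-classifiable, the window is reanalyzed (here by widening it into the following window) and the result reclassified. The rules, the assembly windows and the widening strategy are constructed for illustration and are not the patent's own.

```python
import re
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    THREATENING = "threatening"
    NON_THREATENING = "non-threatening"
    NON_CLASSIFIABLE = "non-classifiable"


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: tuple  # regexes that must match instructions in this order (gaps allowed)
    verdict: Verdict


def normalize(asm_lines):
    """Strip comments and labels, lowercase, collapse whitespace: 'MOV  EAX, 1 ; x' -> 'mov eax, 1'."""
    out = []
    for line in asm_lines:
        line = line.split(";", 1)[0].strip().lower()
        if not line or line.endswith(":"):
            continue
        out.append(re.sub(r"\s+", " ", line))
    return out


def matches_in_order(instructions, pattern):
    """True if each regex in `pattern` matches some instruction, in sequence order."""
    it = iter(instructions)  # shared iterator, so later patterns only see later instructions
    return all(any(re.match(p, ins) for ins in it) for p in pattern)


class ExpertSystemKnowledgeBase:
    """Applies rules to an instruction sequence; threatening rules are checked first."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.verdict is not Verdict.THREATENING)

    def classify(self, instructions):
        for rule in self.rules:
            if matches_in_order(instructions, rule.pattern):
                return rule.verdict, rule
        return Verdict.NON_CLASSIFIABLE, None  # no rule fired


class CodeAnalysisComponent:
    """Holds the disassembly windows of one binary and serves the knowledge base's requests."""

    def __init__(self, windows):
        self.windows = windows

    def instruction_sequence(self, i):
        return normalize(self.windows[i])

    def reanalyze(self, i):
        # Constructed reanalysis strategy: re-disassemble at a coarser granularity by
        # extending window i into the following window (unchanged for the last window).
        nxt = self.windows[i + 1] if i + 1 < len(self.windows) else []
        return normalize(self.windows[i] + nxt)

    def search(self, portion, exclude):
        """Indices of the other windows that contain `portion` (a prefix of a rule pattern)."""
        return [j for j in range(len(self.windows))
                if j != exclude and matches_in_order(self.instruction_sequence(j), portion)]


def analyze_binary(kb, cac):
    """Drive the claimed loop over every window; returns (per-window report, user alerts)."""
    report, alerts = [], []
    for i in range(len(cac.windows)):
        verdict, rule = kb.classify(cac.instruction_sequence(i))
        reanalyzed = False
        if verdict is Verdict.NON_CLASSIFIABLE:  # request reanalysis, classify the new sequence
            verdict, rule = kb.classify(cac.reanalyze(i))
            reanalyzed = True
        related = []
        if verdict is Verdict.THREATENING:  # search the rest of the binary, notify the user
            related = cac.search(rule.pattern[:1], exclude=i)
            alerts.append(f"window {i}: {rule.name} (portion also in windows {related})")
        report.append({"window": i, "verdict": verdict.value,
                       "rule": rule.name if rule else None,
                       "reanalyzed": reanalyzed, "related": related})
    return report, alerts


# Constructed, deliberately tiny rule base (hypothetical rule names and patterns).
RULES = [
    Rule("prologue-only", (r"push ebp$", r"mov ebp, esp$", r"ret$"), Verdict.NON_THREATENING),
    Rule("rwx-then-jump",  # memory made executable, then control transferred through a register
         (r"call .*virtualprotect", r"(jmp|call) (e[abcd]x|e[sd]i|ebp|esp)$"), Verdict.THREATENING),
]

# Constructed disassembly windows standing in for one analysed binary.
WINDOWS = [
    ["push ebp", "mov ebp, esp", "sub esp, 0x10", "leave", "ret"],
    ["push 0x40  ; PAGE_EXECUTE_READWRITE", "push 0x1000", "push esi", "call VirtualProtect"],
    ["mov eax, esi", "jmp eax"],
    ["call edi", "push 0x40", "call dword ptr [VirtualProtect]"],
]

if __name__ == "__main__":
    rep, alerts = analyze_binary(ExpertSystemKnowledgeBase(RULES), CodeAnalysisComponent(WINDOWS))
    for row in rep:
        print(row)
    print(alerts)
```

Window 1 is non-classifiable on its own (the rule needs the register jump that sits in window 2), so reanalysis widens it and the merged sequence is classified as threatening; the follow-up search then reports window 3, which carries the same memory-protection call, to the user.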