System and Method for Computer Malware Detection

US 20100132038A1
Filed: 11/26/2008
Published: 05/27/2010
Est. Priority Date: 11/26/2008
Status: Active Grant

First Claim

Patent Images

1. A system for detecting malicious programs, the system comprising:

a processing system having at least one processor configurable toemulate execution of a program code;

monitor events of program execution;

classify the monitored events as malicious or non-malicious;

collect information about unclassifiable events; and

an analyst workstation connected to the processing system, the workstation includingmeans for isolating a program analyst from external audiovisual stimuli;

a video output device operable to display a list of unclassifiable events and event-related information to the program analyst; and

a user input device operable to receive analyst'"'"'s physiological response indicative of whether the displayed list of unclassifiable events exhibits malicious behavior.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are systems and methods for computer malware detection. The system is configured to emulate execution of a program code, monitor events of program execution, classify the monitored events as malicious or non-malicious, and collect information about unclassifiable events. The system further includes one or more analyst workstations configured to isolate a program analyst from external audiovisual stimuli. The workstation includes a video output device operable to display a list of unclassifiable events and event-related information to the program analyst and a user input device operable to receive analyst'"'"'s physiological response indicative of whether the displayed list of unclassifiable events exhibits malicious behavior.

Citations

20 Claims

1. A system for detecting malicious programs, the system comprising:
- a processing system having at least one processor configurable toemulate execution of a program code;
  
  monitor events of program execution;
  
  classify the monitored events as malicious or non-malicious;
  
  collect information about unclassifiable events; and
  
  an analyst workstation connected to the processing system, the workstation includingmeans for isolating a program analyst from external audiovisual stimuli;
  
  a video output device operable to display a list of unclassifiable events and event-related information to the program analyst; and
  
  a user input device operable to receive analyst'"'"'s physiological response indicative of whether the displayed list of unclassifiable events exhibits malicious behavior.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the isolating means include a head-mounted video display with headphones.
  - 3. The system of claim 2, wherein the head-mounted video display includes one of a video glasses and a video helmet.
  - 4. The system of claim 1, wherein the user input device includes one or more of(i) a push-button device responsive to analyst'"'"'s finger movements;
    - (ii) a pressure sensor responsive to analyst'"'"'s finger movements;
      
      (iii) a video camera monitoring analyst'"'"'s eye movements;
      
      (iv) an audio sensor detecting analysis voice commands; and
      
      (v) an electrical sensor monitoring analyst'"'"'s biosignals.
  - 5. The system of claim 1, wherein the information about unclassifiable events includes(i) frequency of occurrence of the unclassifiable event during program emulation;
    - and(ii) frequency of occurrence of the unclassifiable event in known malicious programs.
  - 6. The system of claim 1, wherein a list of unclassifiable events omits duplicate events.

7. A method for detecting malicious programs, the method comprising:
- emulating execution of a program code;
  
  monitoring events of program execution;
  
  classifying the monitored events as malicious or non-malicious;
  
  collecting event-related information about unclassifiable events;
  
  presenting a list of unclassifiable events and event-related information to a program analyst via a head-mounted video display,detecting analyst'"'"'s physiological response to the presented information; and
  
  determining based on the detected response whether the presented list of unclassifiable events exhibits malicious behavior.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The method of claim 7, wherein monitoring an event includes detecting at least one of one or more program'"'"'s system calls and one or more system'"'"'s responses thereto.
  - 9. The method of claim 7, wherein classifying events includes comparing the generated events with a pattern of events associated with a malicious program.
  - 10. The method of claim 7, wherein the information about unclassifiable events includes(i) frequency of occurrence of the unclassifiable event during program emulation;
    - and(ii) frequency of occurrence of the unclassifiable event in known malicious programs.
  - 11. The method of claim 7, wherein a list of unclassifiable events omits duplicate events.
  - 12. The method of claim 7, wherein the head-mounted video display includes one of a video glasses and a video helmet.
  - 13. The method of claim 7, wherein the physiological response is detected via one or more of(i) a push-button device responsive to analyst'"'"'s finger movements;
    - (ii) a pressure sensor responsive to analyst'"'"'s finger movements;
      
      (iii) a video camera monitoring analyst'"'"'s eye movements;
      
      (iv) an audio sensor detecting analysis voice commands; and
      
      (v) an electrical sensor monitoring analyst'"'"'s biosignals.

14. A malware detection system comprising:
- a data store of malware-related information;
  
  a processing system being operable to classify a program event as malicious or non-malicious using at least malware-related information from the data store; and
  
  an analyst workstation connected to the processing system, the workstation includingmeans for isolating a program analyst from external audiovisual stimuli;
  
  a video output device operable to display to the program analyst at least a portion of unclassifiable program code and program-related information; and
  
  a user input device operable to receive analyst'"'"'s physiological response indicative of whether the displayed unclassifiable program exhibits malicious behavior.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system of claim 14, wherein the isolating means include a head-mounted video display with headphones.
  - 16. The system of claim 15, wherein the head-mounted video display includes one of a video glasses and a video helmet.
  - 17. The system of claim 14, wherein the user input device includes one or more of(i) a push-button device responsive to analyst'"'"'s finger movements;
    - (ii) a pressure sensor responsive to analyst'"'"'s finger movements;
      
      (iii) a video camera monitoring analyst'"'"'s eye movements;
      
      (iv) an audio sensor detecting analysis voice commands; and
      
      (v) an electrical sensor monitoring analyst'"'"'s biosignals.
  - 18. The system of claim 14, wherein the information about unclassifiable program code includes(i) frequency of occurrence of the unclassifiable code during program emulation;
    - and(ii) frequency of occurrence of the unclassifiable code in known malware.
  - 19. The system of claim 14, wherein a list of unclassifiable events omits duplicate events.
  - 20. The system of claim 14, wherein the malware-related information includes behavior patterns known malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kaspersky Lab ZAO
Original Assignee
Kaspersky Lab ZAO
Inventors
Zaitsev, Oleg V.

Granted Patent

US 8,484,727 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

System and Method for Computer Malware Detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Computer Malware Detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links