Systems and Methods For Malware Classification

US 20100180344A1
Filed: 12/04/2009
Published: 07/15/2010
Est. Priority Date: 01/10/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for malware classification, the method comprising:

loading a software code into a software emulator;

emulating the software code and recording actions of the software code in an activity log;

analyzing the software code and the activity log thereof for the presence of a malware;

generating from the activity log an execution flow graph of the emulated software code;

parsing the execution flow graph of the emulates software code to identify one or more malicious behavior patterns therein;

computing similarity indexes between the identified malicious behavior patterns and one or more malicious behavior patterns associated with known classes of malware;

classifying the emulated software code into one or more classes of malware based on the computed similarity indexes for the one or more malicious behavior patterns; and

generating a malware report from the execution flow graph and malware classifications.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are systems, methods and computer program products for detection, classification and reporting of malicious software. A method comprises loading software code into a computer system memory and emulating the software code. The software code and its activity log are then analyzed for presence of a malware. If a malware is detected, an execution flow graph is created from the activity log. The execution flow graph is then parsed using heuristic analysis to identify one or more malicious behavior patterns therein. Then, similarity indexes between the identified malicious behavior patterns and one or more malicious behavior patterns associated with known classes of malware are computed. The emulated software code is then classified into one or more classes of malware based on the computed similarity indexes. Finally, a comprehensive malware report of the emulated software code is generated based on the execution flow graph and malware classification information.

Citations

33 Claims

1. A computer-implemented method for malware classification, the method comprising:
- loading a software code into a software emulator;
  
  emulating the software code and recording actions of the software code in an activity log;
  
  analyzing the software code and the activity log thereof for the presence of a malware;
  
  generating from the activity log an execution flow graph of the emulated software code;
  
  parsing the execution flow graph of the emulates software code to identify one or more malicious behavior patterns therein;
  
  computing similarity indexes between the identified malicious behavior patterns and one or more malicious behavior patterns associated with known classes of malware;
  
  classifying the emulated software code into one or more classes of malware based on the computed similarity indexes for the one or more malicious behavior patterns; and
  
  generating a malware report from the execution flow graph and malware classifications.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 22)
- - 2. The method of claim 1 further comprising generating a customized malware report based on the generated malware report and localization information.
  - 3. The method of claim 2 further comprising generating a graphic cluster diagram of the malware classifications associated with the emulated software code.
  - 4. The method of claim 3, wherein analyzing the software code includes performing malware signature matching on the software code.
  - 5. The method of claim 4, wherein analyzing the activity log includes computing security rating for the emulated software code.
  - 6. The method of claim 5, wherein the software emulator includes one or more of a script emulator, an encrypted script emulator and a customized sandbox.
  - 7. The method of claim 1, wherein emulating the software code includes emulating user actions.
  - 8. The method of claim 1, wherein the execution flow graph includes a plurality of blocks identifying actions of the emulated software code, wherein differently shaped blocks represent different actions of the emulates software code and differently colored blocks represent different malicious actions of the emulated software code.
  - 9. The method of claim 1, wherein parsing the execution flow graph includes performing a heuristic analysis of the actions of the emulated software code identified in the execution flow graph to identify one or more malicious behavior patterns therein.
  - 10. The method of claim 1, wherein the similarity index being computed as a function of a number of API calls and associated parameters of the malicious behavior patterns identified in the emulated software code that are similar to API calls and associated parameters of malicious behavior patterns associated with known classes of malware.
  - 11. The method of claim 1, wherein a malware report includes one or more of the following items of information about the emulates software code:
    - malware classification information;
      
      information about created or modified files;
      
      information about accessed URL addresses;
      
      information about accessed, modified or deleted registry keys;
      
      information about opened windows;
      
      information about executed processes;
      
      security rating information; and
      
      malicious signature matching information.
  - 22. The method of claim 1, wherein a malware report includes one or more of the following items of information about the emulates software code:
    - malware classification information;
      
      information about created or modified files;
      
      information about accessed URL addresses;
      
      information about accessed, modified or deleted registry keys;
      
      information about opened windows;
      
      information about executed processes;
      
      security ratings information; and
      
      malware signature matching information.

12. A system for malware classification, the system comprising:
- a system memory for storing a computer-executable software code; and
  
  a processor configured toload a software code into a system memory;
  
  emulate the software code and recording actions of the software code in an activity log;
  
  analyze the software code and the activity log thereof for the presence of a malware;
  
  generate from the activity log an execution flow graph of the emulated software code;
  
  parse the execution flow graph of the emulates software code to identify one or more malicious behavior patterns therein;
  
  compute similarity indexes between the identified malicious behavior patterns and one or more malicious behavior patterns associated with known classes of malware;
  
  classify the emulated software code into one or more classes of malware based on the computed similarity indexes for the one or more malicious behavior patterns; and
  
  generate a malware report from the execution flow graph and malware classifications.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The system of claim 12, wherein the processor being further configured to generate a customized malware report based on the generated malware report and localization information.
  - 14. The system of claim 13, wherein the processor being further configured to generate a graphic cluster diagram of the malware classifications associated with the emulated software code.
  - 15. The system of claim 14, wherein the processor being further configured to perform malware signature matching on the software code.
  - 16. The system of claim 15, wherein the processor being further configured to compute security rating for the emulated software code.
  - 17. The system of claim 16, wherein the processor being further configured to emulate the software code in one or more of a script emulator, an encrypted script emulator and a customized sandbox.
  - 18. The system of claim 12, wherein the processor being further configured to emulate user actions.
  - 19. The system of claim 12, wherein the execution flow graph includes a plurality of blocks identifying actions of the emulated software code, wherein differently shaped blocks represent different actions of the emulates software code and differently colored blocks represent different malicious actions of the emulated software code.
  - 20. The system of claim 19, wherein the processor being further configured to parse the execution flow graph by performing a heuristic analysis of the actions of the emulated software code identified in the execution flow graph to identify one or more malicious behavior patterns therein.
  - 21. The system of claim 12, wherein the similarity index being computed as a function of a number of API calls and associated parameters of the malicious behavior patterns identified in the emulated software code that are similar to API calls and associated parameters of malicious behavior patterns associated with known classes of malware.

23. A computer program product for malware classification comprising a computer-readable medium including computer executable instructions for:
- loading a software code into a software emulator;
  
  emulating the software code and recording actions of the software code in an activity log;
  
  analyzing the software code and the activity log thereof for the presence of a malware;
  
  generating from the activity log an execution flow graph of the emulated software code;
  
  parsing the execution flow graph of the emulates software code to identify one or more malicious behavior patterns therein;
  
  computing similarity indexes between the identified malicious behavior patterns and one or more malicious behavior patterns associated with known classes of malware;
  
  classifying the emulated software code into one or more classes of malware based on the computed similarity indexes for the one or more malicious behavior patterns; and
  
  generating a malware report from the execution flow graph and malware classifications.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The computer-readable medium of claim 23 further comprising instructions for generating a customized malware report based on the generated malware report and localization information.
  - 25. The computer-readable medium of claim 24 further comprising instruction for generating a graphic cluster diagram of the malware classifications associated with the emulated software code.
  - 26. The computer-readable medium of claim 25, wherein instructions for analyzing the software code include instructions for performing malware signature matching on the software code.
  - 27. The computer-readable medium of claim 26, wherein instructions for analyzing the activity log include instructions for computing security rating for the emulated software code.
  - 28. The computer-readable medium of claim 27, wherein the software emulator includes one or more of a script emulator, an encrypted script emulator and a customized sandbox.
  - 29. The computer-readable medium of claim 23, wherein instruction for emulating the software code include instructions for emulating user actions.
  - 30. The computer-readable medium of claim 23, wherein the execution flow graph includes a plurality of blocks identifying actions of the emulated software code, wherein differently shaped blocks represent different actions of the emulates software code and differently colored blocks represent different malicious actions of the emulated software code.
  - 31. The computer-readable medium of claim 30, wherein instructions for parsing the execution flow graph include instructions for performing a heuristic analysis of the actions of the emulated software code identified in the execution flow graph to identify one or more malicious behavior patterns therein.
  - 32. The computer-readable medium of claim 23, wherein the similarity index being computed as a function of a number of API calls and associated parameters of the malicious behavior patterns identified in the emulated software code that are similar to API calls and associated parameters of malicious behavior patterns associated with known classes of malware.
  - 33. The computer-readable medium of claim 23, wherein a malware report includes one or more of the following items of information about the emulates software code:
    - malware classification information;
      
      information about created or modified files;
      
      information about accessed URL addresses;
      
      information about accessed, modified or deleted registry keys;
      
      information about opened windows;
      
      information about executed processes;
      
      security ratings information; and
      
      signature matching information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kaspersky Lab ZAO
Original Assignee
Kaspersky Lab ZAO
Inventors
Llin, Dmitry, Biyachuev, Timur, Malyshev, Alexey

Granted Patent

US 8,635,694 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/145   the attack involving the pr...

Systems and Methods For Malware Classification

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and Methods For Malware Classification

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links