Systems and Methods For Malware Classification
Abstract
Disclosed are systems, methods and computer program products for detection, classification and reporting of malicious software. A method comprises loading software code into a computer system memory and emulating the software code. The software code and its activity log are then analyzed for presence of a malware. If a malware is detected, an execution flow graph is created from the activity log. The execution flow graph is then parsed using heuristic analysis to identify one or more malicious behavior patterns therein. Then, similarity indexes between the identified malicious behavior patterns and one or more malicious behavior patterns associated with known classes of malware are computed. The emulated software code is then classified into one or more classes of malware based on the computed similarity indexes. Finally, a comprehensive malware report of the emulated software code is generated based on the execution flow graph and malware classification information.
33 Claims
1. A computer-implemented method for malware classification, the method comprising:
loading a software code into a software emulator;
emulating the software code and recording actions of the software code in an activity log;
analyzing the software code and the activity log thereof for the presence of a malware;
generating from the activity log an execution flow graph of the emulated software code;
parsing the execution flow graph of the emulated software code to identify one or more malicious behavior patterns therein;
computing similarity indexes between the identified malicious behavior patterns and one or more malicious behavior patterns associated with known classes of malware;
classifying the emulated software code into one or more classes of malware based on the computed similarity indexes for the one or more malicious behavior patterns; and
generating a malware report from the execution flow graph and malware classifications.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 22.
12. A system for malware classification, the system comprising:
a system memory for storing a computer-executable software code; and
a processor configured to:
load a software code into a system memory;
emulate the software code and record actions of the software code in an activity log;
analyze the software code and the activity log thereof for the presence of a malware;
generate from the activity log an execution flow graph of the emulated software code;
parse the execution flow graph of the emulated software code to identify one or more malicious behavior patterns therein;
compute similarity indexes between the identified malicious behavior patterns and one or more malicious behavior patterns associated with known classes of malware;
classify the emulated software code into one or more classes of malware based on the computed similarity indexes for the one or more malicious behavior patterns; and
generate a malware report from the execution flow graph and malware classifications.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21.
23. A computer program product for malware classification comprising a computer-readable medium including computer executable instructions for:
loading a software code into a software emulator;
emulating the software code and recording actions of the software code in an activity log;
analyzing the software code and the activity log thereof for the presence of a malware;
generating from the activity log an execution flow graph of the emulated software code;
parsing the execution flow graph of the emulated software code to identify one or more malicious behavior patterns therein;
computing similarity indexes between the identified malicious behavior patterns and one or more malicious behavior patterns associated with known classes of malware;
classifying the emulated software code into one or more classes of malware based on the computed similarity indexes for the one or more malicious behavior patterns; and
generating a malware report from the execution flow graph and malware classifications.
Dependent claims: 24, 25, 26, 27, 28, 29, 30, 31, 32, 33.