Malware Target Recognition

US 20120260342A1
Filed: 04/03/2012
Published: 10/11/2012
Est. Priority Date: 04/05/2011
Status: Active Grant

First Claim

Patent Images

1. A method of recognizing malware in a computing environment having at least one computer, the method comprising:

receiving a sample;

automatically determining by the at least one computer if the sample is malware using static analysis methods;

in response to the static analysis methods determining the sample is malware, using dynamic analysis methods by the at least one computer to automatically determine if the sample is malware;

in response to the dynamic analysis methods determining the sample is malware, present the sample to a malware analyst to adjudicate the automatic determinations of the static and dynamic analyses; and

in response to the adjudication determining the sample is malware, initiate a response action to recover from or mitigate a threat of the sample.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus and program product are provided to recognize malware in a computing environment having at least one computer. A sample is received. An automatic determination is made by the at least one computer to determine if the sample is malware using static analysis methods. If the static analysis methods determine the sample is malware, dynamic analysis methods are used by the at least one computer to automatically determine if the sample is malware. If the dynamic analysis methods determine the sample is malware, the sample is presented to a malware analyst to adjudicate the automatic determinations of the static and dynamic analyses. If the adjudication determines the sample is malware, a response action is initiated to recover from or mitigate a threat of the sample.

295 Citations

20 Claims

1. A method of recognizing malware in a computing environment having at least one computer, the method comprising:
- receiving a sample;
  
  automatically determining by the at least one computer if the sample is malware using static analysis methods;
  
  in response to the static analysis methods determining the sample is malware, using dynamic analysis methods by the at least one computer to automatically determine if the sample is malware;
  
  in response to the dynamic analysis methods determining the sample is malware, present the sample to a malware analyst to adjudicate the automatic determinations of the static and dynamic analyses; and
  
  in response to the adjudication determining the sample is malware, initiate a response action to recover from or mitigate a threat of the sample.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - recording automatic determination of static analysis methods in a central classification database.
  - 3. The method of claim 1, further comprising:
    - recording automatic determination of dynamic analysis methods in a central classification database.
  - 4. The method of claim 1, further comprising:
    - recording adjudication of malware analyst in a central classification database.
  - 5. The method of claim 1, wherein the sample is a portable executable file.
  - 6. The method of claim 1, wherein the static analysis methods comprise:
    - determining if the sample is malware;
      
      in response to determining the sample is malware, predicting a payload of the sample and predicting a propagation method of the malware; and
      
      recording analysis results, including payload and propagation, in a central classification database.
  - 7. The method of claim 6, wherein the propagation method is selected from a group consisting of Trojan, virus, worm, and combinations thereof.
  - 8. The method of claim 6, wherein the determination comprises:
    - identifying high-level program structural anomalies,wherein the structural anomalies include logical operations on program header information or file areas pointed to by header information.
  - 9. The method of claim 8, wherein classes of structural anomalies are selected from a group consisting of:
    - section names, section characteristics, entry point, imports, exports, alignment, and combinations thereof.
  - 10. The method of claim 1, wherein an operator initiates a check in a file classification database for a specific file by providing the file as the sample.
  - 11. The method of claim 10, wherein the operator is a malware analyst.

12. An apparatus comprising:
- a memory;
  
  a processor; and
  
  a program code resident in the memory and configured to be executed by the processor for recognizing malware, the program code further configured to receive a sample, automatically determine if the sample is malware using static analysis methods, in response to the static analysis methods determining the sample is malware, use dynamic analysis methods to automatically determine if the sample is malware, in response to the dynamic analysis methods determining the sample is malware, present the sample to a malware analyst to adjudicate the automatic determinations of the static and dynamic analyses, and receive a response action to recover from or mitigate a threat of the sample if the adjudication determines the sample is malware.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The apparatus of claim 12, wherein the program code is further configured to:
    - record automatic determination of static analysis methods in a central classification database.
  - 14. The apparatus of claim 12, wherein the program code is further configured to:
    - record automatic determination of dynamic analysis methods in a central classification database.
  - 15. The apparatus of claim 12, wherein the program code is further configured to:
    - record adjudication of malware analyst in a central classification database.
  - 16. The apparatus of claim 12, wherein the static analysis methods of the program code are configured to:
    - determine if the sample is malware;
      
      in response to determining the sample is malware, predict a payload of the sample and predict a propagation method of the malware; and
      
      record analysis results, including payload and propagation, in a central classification database.
  - 17. The apparatus of claim 16, wherein the propagation method is selected from a group consisting of Trojan, virus, worm, and combinations thereof.
  - 18. The apparatus of claim 16, wherein the program code is configured to determine if the sample is malware by:
    - identifying high-level program structural anomalies,wherein the structural anomalies include logical operations on program header information or file areas pointed to by header information.
  - 19. The apparatus of claim 18, wherein classes of structural anomalies are selected from a group consisting of:
    - section names, section characteristics, entry point, imports, exports, alignment, and combinations thereof.

20. A program product comprising:
- a computer recordable type medium; and
  
  a program code configured to recognize malware, the program code resident on the computer recordable type medium and further configured, when executed on a hardware implemented processor, to receive a sample, automatically determine if the sample is malware using static analysis methods, in response to the static analysis methods determining the sample is malware, use dynamic analysis methods to automatically determine if the sample is malware, in response to the dynamic analysis methods determining the sample is malware, present the sample to a malware analyst to adjudicate the automatic determinations of the static and dynamic analyses, and receive a response action to recover from or mitigate a threat of the sample if the adjudication determines the sample is malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
US Department of The Air Force (U.S. Department Of Defense)
Original Assignee
US Department of The Air Force (U.S. Department Of Defense)
Inventors
Rogers, Steven K., Dube, Thomas E., Raines, Richard A.

Granted Patent

US 8,756,693 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/564 by virus signature recognition

Malware Target Recognition

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

295 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Malware Target Recognition

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

295 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links