System and Method for Detecting Time-Bomb Malware
Abstract
According to one embodiment, a system comprises one or more counters; comparison logic; and one or more hardware processors communicatively coupled to the one or more counters and the comparison logic. The one or more hardware processors are configured to instantiate one or more virtual machines that are adapted to analyze received content, where the one or more virtual machines are configured to monitor a delay caused by one or more events conducted during processing of the content and identify the content as including malware if the delay exceeds a first time period.
20 Claims
1. A system comprising:
- one or more counters;
- comparison logic; and
- one or more hardware processors communicatively coupled to the one or more counters and the comparison logic, the one or more hardware processors being configured to instantiate one or more virtual machines that are adapted to analyze received content, the one or more virtual machines being configured to monitor a delay caused by one or more events conducted during processing of the content and identify the content as including malware if the delay exceeds a first time period.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A system comprising:
- one or more processors;
- a memory communicatively coupled to the one or more processors, wherein the one or more processors are configured to instantiate one or more virtual machines that are adapted to analyze received content and determine if the content includes time-bomb malware by monitoring at least one of (i) a number of events that delay processing of the received content and (ii) an amount of delay caused by the events and correspondingly determining that the content includes malware if at least one of (a) the number of events exceeds a first threshold and (b) the amount of delay caused by the events exceeds a second threshold.
Dependent claims: 13, 14, 15, 16, 17, 18, 19
20. A system comprising:
- one or more counters;
- one or more comparators coupled to the one or more counters; and
- one or more hardware processors communicatively coupled to the one or more counters and the one or more comparators, the one or more hardware processors being configured to instantiate one or more virtual machines that are adapted to analyze received content, the one or more virtual machines being configured to (i) monitor a delay caused by at least one of (a) repetitive Sleep request messages or (b) Application Programming Interface (API) function calls that are conducted during processing of the content and (ii) identify the content as including malware if the delay exceeds a first time period.
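The counter-and-comparison logic of claims 12 and 20, sketched over a recorded API-call trace from a sandbox run. This is an added illustration, not code from the patent; the trace format, the threshold values, and the set of calls treated as delay-inducing are assumptions.

```python
from dataclasses import dataclass

# Assumption: which calls count as delay-inducing. The claims name only
# "Sleep request messages" and "API function calls" in general.
DELAY_APIS = {"Sleep", "SleepEx"}

@dataclass
class DelayMonitor:
    max_events: int        # first threshold (claim 12): number of delaying events
    max_delay_ms: int      # second threshold / "first time period": total delay
    event_count: int = 0   # counter: delaying events observed so far
    delay_ms: int = 0      # counter: cumulative requested delay in milliseconds

    def observe(self, api: str, requested_ms: int) -> None:
        """Update both counters for one intercepted call."""
        if api in DELAY_APIS and requested_ms > 0:
            self.event_count += 1
            self.delay_ms += requested_ms

    def verdict(self) -> list[str]:
        """Comparison logic: list which thresholds were exceeded."""
        reasons = []
        if self.event_count > self.max_events:
            reasons.append("event_count")
        if self.delay_ms > self.max_delay_ms:
            reasons.append("total_delay")
        return reasons

def analyze(trace, max_events=100, max_delay_ms=60_000):
    """Run one trace of (api_name, requested_ms) pairs through the monitor."""
    monitor = DelayMonitor(max_events, max_delay_ms)
    for api, requested_ms in trace:
        monitor.observe(api, requested_ms)
    return monitor.verdict()

# Constructed sample traces (not captured from real samples).
ONE_LONG_SLEEP = [("CreateFileW", 0), ("Sleep", 600_000), ("WriteFile", 0)]
MANY_SHORT_SLEEPS = [("Sleep", 100)] * 500          # 500 events, 50 s in total
BENIGN = [("Sleep", 50)] * 20 + [("ReadFile", 0)] * 5

if __name__ == "__main__":
    for name, trace in [("one long sleep", ONE_LONG_SLEEP),
                        ("many short sleeps", MANY_SHORT_SLEEPS),
                        ("benign", BENIGN)]:
        print(name, "->", analyze(trace) or "not flagged")
```

The second trace stays under the total-delay threshold and is caught only by the event counter, which is why claim 12 tests the two conditions independently.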
Specification