DETECTION EFFICACY OF VIRTUAL MACHINE-BASED ANALYSIS WITH APPLICATION SPECIFIC EVENTS
First Claim
1. A computerized method for classifying an object based on detected process operations and associated process parameters that describe the context of the process operations, comprising:
receiving, by a malware content detection system, an object to be examined for malware; and
performing dynamic analysis on the object, wherein the dynamic analysis includes:
processing the object within a virtual machine, wherein a monitor for examining the object is located within a component of the virtual machine,
capturing, by the monitor, a process operation and corresponding set of process parameters associated with the process operation, and
determining whether the object is malware based on the captured process operation and the corresponding set of process parameters.
5 Assignments
0 Petitions
Abstract
A computerized system and method are described for classifying objects as malicious by processing them in a virtual environment and monitoring their behavior during processing with one or more monitors. The monitors record selected sets of process operations and capture the associated process parameters, which describe the context in which each operation was performed (such as the file, registry key, or process the operation acted on). Because the classification considers this context rather than the bare operation, it is less likely to misclassify a benign object as malware or a malicious object as benign.
311 Citations
24 Claims
1. A computerized method for classifying an object based on detected process operations and associated process parameters that describe the context of the process operations, comprising:
receiving, by a malware content detection system, an object to be examined for malware; and
performing dynamic analysis on the object, wherein the dynamic analysis includes:
processing the object within a virtual machine, wherein a monitor for examining the object is located within a component of the virtual machine,
capturing, by the monitor, a process operation and corresponding set of process parameters associated with the process operation, and
determining whether the object is malware based on the captured process operation and the corresponding set of process parameters.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A non-transitory storage medium including instructions that, when executed by one or more hardware processors, perform a plurality of operations, comprising:
receiving, by a malware content detection system, an object to be examined for malware; and
performing dynamic analysis on the object, wherein the dynamic analysis includes:
processing the object within a virtual machine, wherein a monitor for examining the object is located within a component of the virtual machine,
capturing, by the monitor, a process operation and corresponding set of process parameters associated with the process operation, and
determining whether the object is malware based on the captured process operation and the corresponding set of process parameters.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.

17. A system comprising:
one or more hardware processors; and
a memory including one or more software modules that, when executed by the one or more hardware processors, perform dynamic analysis on a received object, wherein the dynamic analysis includes:
process the object within a virtual machine, wherein a monitor for examining the object is located within a component of the virtual machine,
capture, by the monitor, a process operation and corresponding set of process parameters associated with the process operation, and
determine whether the object is malware based on the captured process operation and the corresponding set of process parameters.
Dependent claims: 18, 19, 20, 21, 22, 23, 24.
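The abstract and the independent claims above make one technical point: a verdict based on the bare process operation (a registry write, a file creation, a memory write) is noisier than a verdict based on the operation together with the parameters that give it context. The following Python is an added illustration of that point and is not code from the patent or its assignee. It assumes a guest-side monitor that emits one record per process operation with its parameters; the event traces, rule set, weights and threshold are all constructed here for demonstration and are not values from the patent.

```python
"""Context-aware classification of sandbox process events (added example).

Assumption: a monitor inside the virtual machine emits one ProcessEvent per
operation, carrying the parameters that describe its context. The rules,
weights, threshold and sample traces below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

@dataclass
class ProcessEvent:
    op: str                                   # process operation, e.g. "RegSetValue"
    params: Dict[str, str] = field(default_factory=dict)  # context parameters

# A rule is (operation name, predicate over the parameters, weight, label).
Rule = Tuple[str, Callable[[Dict[str, str]], bool], int, str]

def _any(_: Dict[str, str]) -> bool:
    return True

# Operation-only rules: fire on the operation regardless of its context.
OP_ONLY_RULES: List[Rule] = [
    ("RegSetValue", _any, 3, "registry write"),
    ("CreateFile", _any, 2, "file creation"),
    ("WriteProcessMemory", _any, 4, "process memory write"),
    ("CreateProcess", _any, 2, "child process"),
]

# Context-aware rules: the same operations, qualified by their parameters.
def _run_key(p: Dict[str, str]) -> bool:
    return p.get("key", "").lower().endswith("\\currentversion\\run")

def _foreign_target(p: Dict[str, str]) -> bool:
    # Memory write into a process other than the writer itself.
    return p.get("target_pid") not in (None, p.get("self_pid"))

def _system_dir(p: Dict[str, str]) -> bool:
    return p.get("path", "").lower().startswith("c:\\windows\\system32")

def _encoded_script(p: Dict[str, str]) -> bool:
    return (p.get("image", "").lower() == "powershell.exe"
            and "-enc" in p.get("cmdline", "").lower())

CONTEXT_RULES: List[Rule] = [
    ("RegSetValue", _run_key, 5, "persistence via Run key"),
    ("WriteProcessMemory", _foreign_target, 6, "injection into another process"),
    ("CreateFile", _system_dir, 4, "drop into System32"),
    ("CreateProcess", _encoded_script, 5, "encoded PowerShell launch"),
]

MALWARE_THRESHOLD = 5  # assumed cut-off for the demonstration

def classify(events: List[ProcessEvent], rules: List[Rule],
             threshold: int = MALWARE_THRESHOLD) -> Tuple[str, int, List[str]]:
    """Sum the weights of every rule matched by the trace; return verdict, score, hits."""
    score, hits = 0, []
    for ev in events:
        for op, pred, weight, label in rules:
            if ev.op == op and pred(ev.params):
                score += weight
                hits.append(label)
    return ("malware" if score >= threshold else "benign", score, hits)

# Constructed traces. A benign installer performs ordinary writes and launches
# an editor; an injector does a single cross-process memory write; a dropper
# writes a driver, sets a Run key and launches encoded PowerShell.
BENIGN_INSTALLER = [
    ProcessEvent("CreateFile", {"path": r"C:\Users\alice\AppData\Local\Temp\setup.log"}),
    ProcessEvent("RegSetValue", {"key": r"HKCU\Software\ExampleVendor\Editor\Version", "value": "2.1"}),
    ProcessEvent("CreateProcess", {"image": "notepad.exe", "cmdline": "notepad.exe readme.txt"}),
]
INJECTOR = [
    ProcessEvent("WriteProcessMemory", {"self_pid": "1234", "target_pid": "4412", "size": "4096"}),
]
DROPPER = [
    ProcessEvent("CreateFile", {"path": r"C:\Windows\System32\drivers\evil.sys"}),
    ProcessEvent("RegSetValue", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "evil"}),
    ProcessEvent("CreateProcess", {"image": "powershell.exe", "cmdline": "powershell.exe -enc SQBFAFgA"}),
]

def compare(events: List[ProcessEvent]) -> Dict[str, str]:
    """Verdict from the operation alone versus verdict from operation plus context."""
    return {"op_only": classify(events, OP_ONLY_RULES)[0],
            "with_context": classify(events, CONTEXT_RULES)[0]}

if __name__ == "__main__":
    for name, trace in (("installer", BENIGN_INSTALLER), ("injector", INJECTOR), ("dropper", DROPPER)):
        print(name, compare(trace))
```

Run stand-alone, the installer is flagged by the operation-only rules (a false positive) and cleared once context is considered, the single-event injector is missed by the operation-only rules (a false negative) and caught by the cross-process predicate, and the dropper is flagged either way. That asymmetry is the point the abstract makes: context shrinks both error classes, not just one.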
Specification