DETECTION EFFICACY OF VIRTUAL MACHINE-BASED ANALYSIS WITH APPLICATION SPECIFIC EVENTS

US 20150220735A1
Filed: 02/05/2014
Published: 08/06/2015
Est. Priority Date: 02/05/2014
Status: Active Grant

First Claim

Patent Images

1. A computerized method for classifying an object based on detected process operations and associated process parameters that describe the context of the process operations, comprising:

receiving, by a malware content detection system, an object to be examined for malware; and

performing dynamic analysis on the object, wherein the dynamic analysis includes;

processing the object within a virtual machine, wherein a monitor for examining the object is located within a component of the virtual machine,capturing, by the monitor, a process operation and corresponding set of process parameters associated with the process operation, anddetermining whether the object is malware based on the captured process operation and the corresponding set of process parameters.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized system and method is described for classifying objects as malicious by processing the objects in a virtual environment and monitoring behaviors during processing by one or more monitors. The monitors may monitor and record selected sets of process operations and capture associated process parameters, which describe the context in which the process operations were performed. By recording the context of process operations, the system and method described herein improves the intelligence of classifications and consequently reduces the likelihood of incorrectly identifying objects as malware or vice versa.

311 Citations

24 Claims

1. A computerized method for classifying an object based on detected process operations and associated process parameters that describe the context of the process operations, comprising:
- receiving, by a malware content detection system, an object to be examined for malware; and
  
  performing dynamic analysis on the object, wherein the dynamic analysis includes;
  
  processing the object within a virtual machine, wherein a monitor for examining the object is located within a component of the virtual machine,capturing, by the monitor, a process operation and corresponding set of process parameters associated with the process operation, anddetermining whether the object is malware based on the captured process operation and the corresponding set of process parameters.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computerized method of claim 1, wherein the process operation and the set of process parameters are pre-selected based on the location within the virtual machine in which the monitor is located.
  - 3. The computerized method of claim 1, wherein the process operation is a function call, a process/thread lifecycle operation, or a module operation.
  - 4. The computerized method of claim 1, wherein the set of process parameters defines one or more of a state of modules within the virtual machine and a state of modules within the component.
  - 5. The computerized method of claim 1, wherein the component in which the monitor is located is a process running within the virtual machine, a portion of an operating system running in the virtual machine, or a virtual machine manager (VMM) running outside the virtual machine.
  - 6. The computerized method of claim 1, wherein determining whether the object is malware comprises:
    - comparing the captured process operation and process parameters with one or more of a set of expected process operations and process parameters for the component of the virtual machine and a set of anomalous process operations and process parameters for the component of the virtual machine; and
      
      flagging the captured process operation as an application specific behavior upon determining the process operation was unexpected or anomalous.
  - 7. The computerized method of claim 6, wherein determining whether the object is malware further comprises:
    - analyzing one or more flagged process operations in a state machine associated with the component to determine the likelihood the object is malware; and
      
      classifying the object as benign when the likelihood the object is malware is below a predefined level.
  - 8. The computerized method of claim 7, wherein determining whether the object is malware further comprises:
    - generating, upon the likelihood score being equal or above the predefined level, a confidence score that the object is malware based on behaviors of known malware and benign objects;
      
      classifying the object as malware upon the confidence score being equal or above a predefined malware threshold value; and
      
      classifying the object as benign or requiring further analysis upon the confidence score being below the predefined malware threshold value.

9. A non-transitory storage medium including instructions that, when executed by one or more hardware processors, perform a plurality of operations, comprising:
- receiving, by a malware content detection system, an object to be examined for malware; and
  
  performing dynamic analysis on the object, wherein the dynamic analysis includes;
  
  processing the object within a virtual machine, wherein a monitor for examining the object is located within a component of the virtual machine,capturing, by the monitor, a process operation and corresponding set of process parameters associated with the process operation, anddetermining whether the object is malware based on the captured process operation and the corresponding set of process parameters.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory storage medium of claim 9, wherein the process operation and the set of process parameters are pre-selected based on the location within the virtual machine in which the monitor is located.
  - 11. The non-transitory storage medium of claim 9, wherein the process operation is a function call, a process/thread lifecycle operation, or a module operation.
  - 12. The non-transitory storage medium of claim 9, wherein the set of process parameters define one or more of a state of modules within the virtual machine and a state of modules within the component.
  - 13. The non-transitory storage medium of claim 9, wherein the component in which the monitor is located is a process running within the virtual machine, a portion of an operating system running in the virtual machine, or a virtual machine manager (VMM) running outside the virtual machine.
  - 14. The non-transitory storage medium of claim 9, wherein determining whether the object is malware comprises:
    - comparing the captured process operation and process parameters with one or more of a set of expected process operations and process parameters for the component of the virtual machine and a set of anomalous process operations and process parameters for the component of the virtual machine; and
      
      flagging the captured process operation as an application specific behavior upon determining the process operation was unexpected or anomalous.
  - 15. The non-transitory storage medium of claim 14, wherein determining whether the object is malware further comprises:
    - analyzing one or more flagged process operations in a state machine associated with the component to determine the likelihood the object is malware; and
      
      classifying the object as benign when the likelihood the object is malware is below a predefined level.
  - 16. The non-transitory storage medium of claim 15, wherein determining whether the object is malware further comprises:
    - generating, upon the likelihood score being equal or above the predefined level, a confidence score that the object is malware based on behaviors of known malware and benign objects.

17. A system comprising:
- one or more hardware processors;
  
  a memory including one or more software modules that, when executed by the one or more hardware processors;
  
  perform dynamic analysis on a received object, wherein the dynamic analysis includes;
  
  process the object within a virtual machine, wherein a monitor for examining the object is located within a component of the virtual machine,capture, by the monitor, a process operation and corresponding set of process parameters associated with the process operation, anddetermine whether the object is malware based on the captured process operation and the corresponding set of process parameters.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The system of claim 17, wherein the process operation and the set of process parameters are pre-selected based on the location within the virtual machine in which the monitor is located.
  - 19. The system of claim 17, wherein the process operation is a function call, a process/thread lifecycle operation, or a module operation.
  - 20. The system of claim 17, wherein the set of process parameters defines one or more of a state of modules within the virtual machine and a state of modules within the component.
  - 21. The system of claim 17, wherein the component in which the monitor is located is a process running within the virtual machine, a portion of an operating system running in the virtual machine, or a virtual machine manager (VMM) running outside the virtual machine.
  - 22. The system of claim 17, wherein determining whether the object is malware comprises:
    - comparing the captured process operation and process parameters with one or more of a set of expected process operations and process parameters for the component of the virtual machine and a set of anomalous process operations and process parameters for the component of the virtual machine; and
      
      flagging the captured process operation as an application specific behavior upon determining the process operation was unexpected or anomalous.
  - 23. The system of claim 22, wherein determining whether the object is malware further comprises:
    - analyzing one or more flagged process operations in a state machine associated with the component to determine the likelihood the object is malware; and
      
      classifying the object as benign when the likelihood the object is malware is below a predefined level.
  - 24. The system of claim 23, wherein determining whether the object is malware further comprises:
    - generating, upon the likelihood score being equal or above the predefined level, a confidence score that the object is malware based on behaviors of known malware and benign objects;
      
      classifying the object as malware upon the confidence score being equal or above a predefined malware threshold value; and
      
      classifying the object as benign or requiring further analysis upon the confidence score being below the predefined malware threshold value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Paithane, Sushant, Vashisht, Sai

Granted Patent

US 9,262,635 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

G06F 9/45558   Hypervisor-specific managem...

H04L 63/145   the attack involving the pr...

DETECTION EFFICACY OF VIRTUAL MACHINE-BASED ANALYSIS WITH APPLICATION SPECIFIC EVENTS

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

311 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTION EFFICACY OF VIRTUAL MACHINE-BASED ANALYSIS WITH APPLICATION SPECIFIC EVENTS

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

311 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links