BEHAVIOR PROFILING FOR MALWARE DETECTION
First Claim
1. A method, comprising:
applying a domain specific language to a target, the domain specific language utilized to detect malware associated with the target;
observing a set of temporal sequences and events of the target;
determining presence of one or more markers within the set of temporal sequences and events that are indicative of malware; and
identifying the target as being associated with malware based on the one or more markers.
Abstract
Provided herein are systems and methods for behavior profiling of targets to determine malware presence. The method includes, in various embodiments, applying a domain specific language to a target; observing a set of temporal sequences and events of the target; determining presence of markers within the set of temporal sequences and events indicative of malware; and identifying the target as being associated with malware based on the markers. In some embodiments, a malware detection system is provided for creating a behavioral sandbox environment where a target is inspected for malware. The behavioral sandbox environment can include forensic collectors. Each of the collectors may be configured to apply a domain specific language to a target; observe a set of temporal sequences and events of the target; determine presence of markers within the set of temporal sequences and events indicative of malware; and detect malware presence based on the markers.
26 Claims
1. A method, comprising:
applying a domain specific language to a target, the domain specific language utilized to detect malware associated with the target; observing a set of temporal sequences and events of the target; determining presence of one or more markers within the set of temporal sequences and events that are indicative of malware; and identifying the target as being associated with malware based on the one or more markers.
Dependent claims: 2 to 19.

20. A malware detection system, comprising:
a processor; and a memory for storing executable instructions, the instructions being executed by the processor to create a behavioral sandbox environment where a target is inspected for malware, the behavioral sandbox environment comprising a plurality of forensic analyzers that are each configured to: apply a domain specific language to a target; observe a set of temporal sequences and events of the target; determine presence of one or more markers within the set of temporal sequences and events that are indicative of malware; and detect malware presence based on the one or more markers.
Dependent claims: 21 to 24.

25. A non-transitory computer-readable medium having embodied thereon instructions being executable by at least one processor to perform a method for providing malware detection, the method comprising:
retrieving a URL, the retrieving comprising contacting a server to receive a home page code; performing a preliminary determination to determine if the home page code includes a malicious signature; in response to the home page code being deemed clean such that the preliminary determination is that no malicious signature is included on the home page code, parsing the home page code and translating the home page code onto a web page; rendering text and links to external databases for images on the web page; allocating memory to perform the rendering of the images; generating an event log of all items rendered on the web page; analyzing a chronological order of events in the event log to identify behavior patterns among the events; comparing identified behavior patterns to predetermined rules; and identifying the URL as including malware if a match is found between the identified behavior patterns and the predetermined rules.
Dependent claim: 26.
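As an added illustration of the detection flow described by claims 1 and 25 (not code from the patent or its assignee), the following Python sketch runs a signature pre-check on the home page code and then matches a chronological rendering event log against a minimal temporal-rule "language". The event kinds, attribute names, the single rule, its 2-second window and the sample log are all constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    ts: float        # seconds since rendering began
    kind: str        # e.g. "render_element", "render_link", "alloc_memory"
    attrs: dict = field(default_factory=dict)

# Minimal rule language: an ordered list of (event kind, required attributes)
# steps that must all occur, in order, within `window` seconds.  Constructed rule.
RULES = {
    "hidden-iframe-external-link-alloc": {"window": 2.0, "steps": [
        ("render_element", {"tag": "iframe", "visible": False}),
        ("render_link", {"external": True}),
        ("alloc_memory", {"large": True}),
    ]},
}

def attrs_match(event, required):
    return all(event.attrs.get(k) == v for k, v in required.items())

def find_markers(events, rules=RULES):
    """Walk the log chronologically; report each rule whose steps complete inside
    its window.  A partial match is dropped once the window is exceeded."""
    hits = []
    for name, rule in rules.items():
        steps, i, start = rule["steps"], 0, None
        for ev in sorted(events, key=lambda e: e.ts):
            if i > 0 and ev.ts - start > rule["window"]:
                i, start = 0, None          # too slow: restart from this event
            kind, req = steps[i]
            if ev.kind == kind and attrs_match(ev, req):
                start = ev.ts if i == 0 else start
                i += 1
                if i == len(steps):
                    hits.append(name)
                    break
    return hits

def classify_url(home_page_code, events, signatures, rules=RULES):
    """Claim-25 ordering: static signature pre-check first, behavioral markers second."""
    if any(sig in home_page_code for sig in signatures):
        return ("malware", ["signature-match"])
    markers = find_markers(events, rules)
    return ("malware", markers) if markers else ("clean", [])

SUSPICIOUS_EVENTS = [  # constructed event log, not captured from any real page
    Event(0.00, "render_text"),
    Event(0.10, "render_element", {"tag": "iframe", "visible": False}),
    Event(0.35, "render_link", {"external": True}),
    Event(0.90, "alloc_memory", {"large": True}),
]
```

The greedy, first-match walk is a simplification: a production matcher would track several partial matches per rule so that a later, faster occurrence of the sequence is not masked by an earlier stalled one.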