BEHAVIOR PROFILING FOR MALWARE DETECTION

US 20150261955A1
Filed: 03/16/2015
Published: 09/17/2015
Est. Priority Date: 03/17/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

applying a domain specific language to a target, the domain specific language utilized to detect malware associated with the target;

observing a set of temporal sequences and events of the target;

determining presence of one or more markers within the set of temporal sequences and events that are indicative of malware; and

identifying the target as being associated with malware based on the one or more markers.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided herein are systems and methods for behavior profiling of targets to determine malware presence. The method includes, in various embodiments, applying a domain specific language to a target, observing a set of temporal sequences and events of the target; determining presence of markers within the set of temporal sequences and events indicative of malware, and identifying the target as being associated with malware based on the markers. In some embodiments, a malware detection system is provided for creating a behavioral sandbox environment where a target is inspected for malware. The behavioral sandbox environment can include forensic collectors. Each of the collectors may be configured to apply a domain specific language to a target; observe a set of temporal sequences and events of the target; determine presence of markers within the set of temporal sequences and events indicative of malware; and detect malware presence based on the markers.

109 Citations

View as Search Results

26 Claims

1. A method, comprising:
- applying a domain specific language to a target, the domain specific language utilized to detect malware associated with the target;
  
  observing a set of temporal sequences and events of the target;
  
  determining presence of one or more markers within the set of temporal sequences and events that are indicative of malware; and
  
  identifying the target as being associated with malware based on the one or more markers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, further comprising creating a behavior profile for the target based on the set of temporal sequences and events.
  - 3. The method of claim 1, wherein the target comprises any of an HTTP conversation, a URL, a starting URL, an advertisement tag, a document file, an executable file, and combinations thereof.
  - 4. The method of claim 1, further comprising, determining a maliciousness, an identification, and behavior of the target if malware is detected.
  - 5. The method of claim 1, further comprising:
    - determining if the malware is configured to protected itself from a monitored lab environment; and
      
      if the malware is configured to protect itself from a monitored lab environment provoking the malware to attack; and
      
      in response to the provoking, recording activities of the malware.
  - 6. The method of claim 1, further comprising creating one or more scenes from malicious behavior of the malware.
  - 7. The method of claim 6, wherein each of the one or more scenes comprises a plurality of evidences, and further wherein each of the one or more scenes comprises an aggregated set of proofs and interpretations.
  - 8. The method of claim 6, wherein each of the one or more scenes comprises any of a URL opening, a document opening, and an execution of an executable file.
  - 9. The method of claim 6, wherein each of the one or more scenes comprises one or more sub-scenes that are based on an initiating scene.
  - 10. The method of claim 6, further comprising executing a plurality of forensic collectors to gather evidence from the malware, wherein the evidence comprises activities of the malware that occur within the one or more scenes.
  - 11. The method of claim 10, wherein the activities comprise any of HTTP requests and responses, exploitation efforts, file creation and modification, process creation, registry changes, foreign memory manipulation, and combinations thereof.
  - 12. The method of claim 10, wherein each of the activities comprises a time stamp such that the activities can be arranged in a chronological order.
  - 13. The method of claim 10, wherein each of the plurality of forensic collectors is configured to generate a forensic report comprising proofs, exhibits, interpretations, and correlations.
  - 14. The method of claim 13, wherein the proofs comprise a predefined set of facts, the predefined set of facts being such that an analyzer tries to prove existence of the predefined set of facts within the one or more scenes.
  - 15. The method of claim 14, wherein the proofs are derived from exhibits.
  - 16. The method of claim 15, wherein each of the exhibits comprise a section of evidence having a special meaning used to infer presence of the malware.
  - 17. The method of claim 13, wherein each of the interpretations comprises a judgment of one of the forensic collectors relative to one of the scenes and based on a derived set of the proofs.
  - 18. The method of claim 13, wherein each of the correlations comprises a causal relationship between instances of the evidence.
  - 19. The method of claim 18, further comprising displaying the causal relationships in a tree representation.

20. A malware detection system, comprising:
- a processor; and
  
  a memory for storing executable instructions, the instructions being executed by the processor to create a behavioral sandbox environment where a target is inspected for malware, the behavioral sandbox environment comprising a plurality of forensic analyzers that are each configured to;
  
  apply a domain specific language to a target;
  
  observe a set of temporal sequences and events of the target;
  
  determine presence of one or more markers within the set of temporal sequences and events that are indicative of malware; and
  
  detect malware presence based on the one or more markers.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The system of claim 20, wherein each of the plurality of forensic analyzers of the behavioral sandbox environment is further configured to:
    - allow a target to execute therein; and
      
      collect evidence from the malware using a plurality of collector modules, wherein the evidence comprises activities of the malware.
  - 22. The system of claim 20, further comprising an Internet Protocol (IP) randomizer module for thwarting IP cloaking of the malware;
    - the IP randomizer module being configured to;
      
      cause network traffic to be routed via multiple geographic locations so as to leverage a larger IP address pool; and
      
      switch IP addresses at a frequency such that the same IP address is not used for a predetermined period of time.
  - 23. The system of claim 20, wherein each of the plurality forensics analyzers are further configured to:
    - determine malicious behavior from the set of temporal sequences and events; and
      
      log the target in response to the malicious behavior being determined or suspected.
  - 24. The system of claim 23, further comprising a static analysis module configured to:
    - evaluate the target if the target is logged; and
      
      create a rule set based on the malicious behavior of the target.

25. A non-transitory computer-readable medium having embodied thereon instructions being executable by at least one processor to perform a method for providing malware detection, the method comprising:
- retrieving a URL, the retrieving comprising contacting a server to receive a home page code;
  
  performing a preliminary determination to determine if the home page code includes a malicious signature;
  
  in response to the home page code being deemed clean such that the preliminary determination is that no malicious signature is included on the home page code, parsing the home page code and translating the home page code onto a web page;
  
  rendering text and links to external databases for images on the web page;
  
  allocating memory to perform the rendering of the images;
  
  generating an event log of all items rendered on the web page;
  
  analyzing a chronological order of events in the event log to identify behavior patterns among the events;
  
  comparing identified behavior patterns to predetermined rules; and
  
  identifying the URL as including malware if a match is found between the identified behavior patterns and the predetermined rules.
- View Dependent Claims (26)
- - 26. The non-transitory computer-readable medium of claim 25, further comprising using one or more analyzers to perform the comparing identified behavior patterns to the predetermined rules, each analyzer generating a report based on the comparing, and compiling the reports of the one or more analyzers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Proofpoint Incorporated
Original Assignee
Proofpoint Incorporated
Inventors
Huang, Wayne, IDLE, M. JAMES

Granted Patent

US 9,734,332 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 2221/034   Test or assess a computer o...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

BEHAVIOR PROFILING FOR MALWARE DETECTION

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

109 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

BEHAVIOR PROFILING FOR MALWARE DETECTION

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links