MALWARE FAMILY IDENTIFICATION USING PROFILE SIGNATURES
0 Assignments
0 Petitions
Abstract
A potential malware sample is received from a security device at a server associated with a security cloud service. The sample is executed in a sandbox environment on the server, including by monitoring interaction of the sample with an application program interface (API), provided by the sandbox environment, in order to obtain an API log. It is determined whether the sample is associated with a known malware family including by determining, based at least in part on the API log, if the sample created an executable file and if the sample registered the executable file in a run key. If it is determined that the sample is associated with a known malware family, then an alert is generated.
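The family-identification step described in the abstract (did the sample write an executable file, and does a Run-key value now point at that same file) is easy to get subtly wrong: a sample that writes a Run key pointing at some pre-existing binary has not "registered the executable file it created", and should not match a dropper profile. The following is an added illustration, not code from the patent or its assignee. The one-call-per-line log format, the API names used as triggers, and the family names in the signature table are all assumptions invented for the example; the two API logs are constructed, not captured from a real sandbox.

```python
"""
Toy profile-signature check over a sandbox API log, in the spirit of the
abstract above: (1) did the sample write an executable file, (2) did it
register that same file under a Run key, then match the observed behaviour
profile against a table of known-family profiles and raise an alert.
"""
import re
from dataclasses import dataclass, field

# Assumed log format (not any real sandbox's): "<pid> <api> key=value ..."
# Values are assumed to contain no spaces so a simple regex can split them.
KV_RE = re.compile(r"(\w+)=(\S+)")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".com")

# Hypothetical family signatures: a sample matches a family when every
# behaviour tag in the signature was observed in its profile.
FAMILY_SIGNATURES = {
    "HYPOTHETICAL_DROPPER_A": {"drops_executable", "registers_dropped_executable", "network"},
    "HYPOTHETICAL_DROPPER_B": {"drops_executable", "registers_dropped_executable", "service_install"},
}

# Constructed log: sample drops svchost32.exe and registers that file in HKCU\...\Run.
SAMPLE_LOG = r"""1234 CreateFileW path=C:\Users\victim\AppData\Roaming\svchost32.exe access=GENERIC_WRITE
1234 NtWriteFile path=C:\Users\victim\AppData\Roaming\svchost32.exe size=182272
1234 CreateFileW path=C:\Users\victim\AppData\Roaming\cfg.dat access=GENERIC_WRITE
1234 RegOpenKeyExW key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run
1234 RegSetValueExW key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=WindowsUpdate data=C:\Users\victim\AppData\Roaming\svchost32.exe
1234 InternetOpenA agent=Mozilla/4.0
"""

# Constructed log for the failure mode: an executable is written and a Run key
# is set, but the Run key points at a file the sample did not create.
NEGATIVE_LOG = r"""1234 NtWriteFile path=C:\Users\victim\Downloads\installer.exe size=4096
1234 RegSetValueExW key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=Updater data=C:\Program\updater.exe
"""


@dataclass
class ApiCall:
    pid: int
    api: str
    args: dict


@dataclass
class Profile:
    dropped_executables: set = field(default_factory=set)
    run_key_targets: set = field(default_factory=set)
    tags: set = field(default_factory=set)


def parse_api_log(text):
    """Parse the assumed '<pid> <api> k=v ...' format into ApiCall records."""
    calls = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        args = dict(KV_RE.findall(parts[2])) if len(parts) == 3 else {}
        calls.append(ApiCall(int(parts[0]), parts[1], args))
    return calls


def normalize_path(path):
    """Case-fold and strip quotes so file writes and registry data compare equal."""
    return path.strip('"').lower()


def extract_profile(calls):
    """Reduce the API log to the behaviours the family signatures are built from."""
    profile = Profile()
    for call in calls:
        if call.api in ("NtWriteFile", "WriteFile"):
            path = normalize_path(call.args.get("path", ""))
            if path.endswith(EXECUTABLE_EXTENSIONS):
                profile.dropped_executables.add(path)
        elif call.api in ("RegSetValueExW", "RegSetValueExA"):
            if RUN_KEY_RE.search(call.args.get("key", "")):
                profile.run_key_targets.add(normalize_path(call.args.get("data", "")))
        elif call.api in ("CreateServiceW", "CreateServiceA"):
            profile.tags.add("service_install")
        elif call.api.startswith(("InternetOpen", "WinHttpOpen", "WSAStartup")):
            profile.tags.add("network")
    if profile.dropped_executables:
        profile.tags.add("drops_executable")
    if profile.run_key_targets:
        profile.tags.add("run_key_write")
    # The signal the abstract keys on: the Run key points at a file the sample itself wrote.
    if profile.dropped_executables & profile.run_key_targets:
        profile.tags.add("registers_dropped_executable")
    return profile


def match_families(profile, signatures=FAMILY_SIGNATURES):
    """Return every family whose signature is fully contained in the observed tags."""
    return sorted(name for name, sig in signatures.items() if sig <= profile.tags)


def analyze(log_text):
    """End-to-end: log -> profile -> family match -> alert decision."""
    profile = extract_profile(parse_api_log(log_text))
    families = match_families(profile)
    return {"alert": bool(families), "families": families, "tags": sorted(profile.tags)}


if __name__ == "__main__":
    for name, log in (("positive", SAMPLE_LOG), ("negative", NEGATIVE_LOG)):
        print(name, analyze(log))
```

The intersection in `extract_profile` is what separates "registered the executable file" from "wrote a Run key": the negative log produces `drops_executable` and `run_key_write` but no `registers_dropped_executable`, so no family matches and no alert is raised. A production profiler would additionally follow file handles (a `CreateFileW` with `GENERIC_WRITE` followed by writes on that handle) and expand environment variables in the registry data before comparing paths.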
84 Citations
15 Claims
1. A system, comprising:
a security device configured to send a potential malware sample to a server associated with a security cloud service; and
the server associated with the security cloud service which is configured to:
execute the potential malware sample in a sandbox environment on the server, including by monitoring interaction of the potential malware sample with an application program interface (API), provided by the sandbox environment, in order to obtain an API log;
determine whether the potential malware sample is associated with a known malware family, including by determining, based at least in part on the API log, (1) if the potential malware sample created an executable file and (2) if the potential malware sample registered the executable file in a run key; and
in the event it is determined that the potential malware sample is associated with a known malware family, generating an alert.
Dependent claims: 2, 3, 4, 5

6. A method, comprising:
receiving, from a security device, a potential malware sample at a server associated with a security cloud service;
executing the potential malware sample in a sandbox environment on the server, including by monitoring interaction of the potential malware sample with an application program interface (API), provided by the sandbox environment, in order to obtain an API log;
using the server associated with the security cloud service to determine whether the potential malware sample is associated with a known malware family, including by determining, based at least in part on the API log, (1) if the potential malware sample created an executable file and (2) if the potential malware sample registered the executable file in a run key; and
in the event it is determined that the potential malware sample is associated with a known malware family, generating an alert.
Dependent claims: 7, 8, 9, 10, 12, 13, 14, 15

11. A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
receiving, from a security device, a potential malware sample at a server associated with a security cloud service;
executing the potential malware sample in a sandbox environment on the server, including by monitoring interaction of the potential malware sample with an application program interface (API), provided by the sandbox environment, in order to obtain an API log;
determining whether the potential malware sample is associated with a known malware family, including by determining, based at least in part on the API log, (1) if the potential malware sample created an executable file and (2) if the potential malware sample registered the executable file in a run key; and
in the event it is determined that the potential malware sample is associated with a known malware family, generating an alert.
Specification