MALWARE FAMILY IDENTIFICATION USING PROFILE SIGNATURES

US 20160048683A1
Filed: 09/15/2015
Published: 02/18/2016
Est. Priority Date: 01/30/2013
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a security device configured to send a potential malware sample to a server associated with a security cloud service; and

the server associated with the security cloud service which is configured to;

execute the potential malware sample in a sandbox environment on the server, including by monitoring interaction of the potential malware sample with an application program interface (API), provided by the sandbox environment, in order to obtain an API log;

determine whether the potential malware sample is associated with a known malware family, including by determining, based at least in part on the API log, (1) if the potential malware sample created an executable file and (2) if the potential malware sample registered the executable file in a run key; and

in the event it is determined that the potential malware sample is associated with a known malware family, generating an alert.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A potential malware sample is received from a security device at a server associated with a security cloud service. The sample is executed in a sandbox environment on the server, including by monitoring interaction of the sample with an application program interface (API), provided by the sandbox environment, in order to obtain an API log. It is determined whether the sample is associated with a known malware family including by determining, based at least in part on the API log, if the sample created an executable file and if the sample registered the executable file in a run key. If it is determined that the sample is associated with a known malware family, then an alert is generated.

84 Citations

View as Search Results

15 Claims

1. A system, comprising:
- a security device configured to send a potential malware sample to a server associated with a security cloud service; and
  
  the server associated with the security cloud service which is configured to;
  
  execute the potential malware sample in a sandbox environment on the server, including by monitoring interaction of the potential malware sample with an application program interface (API), provided by the sandbox environment, in order to obtain an API log;
  
  determine whether the potential malware sample is associated with a known malware family, including by determining, based at least in part on the API log, (1) if the potential malware sample created an executable file and (2) if the potential malware sample registered the executable file in a run key; and
  
  in the event it is determined that the potential malware sample is associated with a known malware family, generating an alert.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein the security device includes one or more of the following:
    - a firewall, a host-based firewall, a gateway-based firewall, an appliance-based firewall, a server-based firewall, a security appliance, a host-based security appliance, a gateway-based security appliance, or a server-based security appliance.
  - 3. The system of claim 1, wherein the executable file must be in a specific directory in order for the server associated with the security cloud service to determine that the potential malware sample is associated with a particular, known malware family.
  - 4. The system of claim 1, wherein the executable file must have a specific name in order for the server associated with the security cloud service to determine that the potential malware sample is associated with a particular, known malware family.
  - 5. The system of claim 1, wherein:
    - the API log further includes network traffic activity of the potential malware sample; and
      
      determining whether the potential malware sample is associated with a known malware family further includes determining if the network traffic activity includes a specific pattern.

6. A method, comprising:
- receiving, from a security device, a potential malware sample at a server associated with a security cloud service;
  
  executing the potential malware sample in a sandbox environment on the server, including by monitoring interaction of the potential malware sample with an application program interface (API), provided by the sandbox environment, in order to obtain an API log;
  
  using the server associated with the security cloud service to determine whether the potential malware sample is associated with a known malware family, including by determining, based at least in part on the API log, (1) if the potential malware sample created an executable file and (2) if the potential malware sample registered the executable file in a run key; and
  
  in the event it is determined that the potential malware sample is associated with a known malware family, generating an alert.
- View Dependent Claims (7, 8, 9, 10, 12, 13, 14, 15)
- - 7. The method of claim 6, wherein the security device includes one or more of the following:
    - a firewall, a host-based firewall, a gateway-based firewall, an appliance-based firewall, a server-based firewall, a security appliance, a host-based security appliance, a gateway-based security appliance, or a server-based security appliance.
  - 8. The method of claim 6, wherein the executable file must be in a specific directory in order for the server associated with the security cloud service to determine that the potential malware sample is associated with a particular, known malware family.
  - 9. The method of claim 6, wherein the executable file must have a specific name in order for the server associated with the security cloud service to determine that the potential malware sample is associated with a particular, known malware family.
  - 10. The method of claim 6, wherein:
    - the API log further includes network traffic activity of the potential malware sample; and
      
      determining whether the potential malware sample is associated with a known malware family further includes determining if the network traffic activity includes a specific pattern.
  - 12. The method of claim 6, wherein the security device includes one or more of the following:
    - a firewall, a host-based firewall, a gateway-based firewall, an appliance-based firewall, a server-based firewall, a security appliance, a host-based security appliance, a gateway-based security appliance, or a server-based security appliance.
  - 13. The method of claim 6, wherein the executable file must be in a specific directory in order for it to be determined that the potential malware sample is associated with a particular, known malware family.
  - 14. The method of claim 6, wherein the executable file must have a specific name in order for it to be determined that the potential malware sample is associated with a particular, known malware family.
  - 15. The method of claim 6, wherein:
    - the API log further includes network traffic activity of the potential malware sample; and
      
      determining whether the potential malware sample is associated with a known malware family further includes determining if the network traffic activity includes a specific pattern.

11. A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- receiving, from a security device, a potential malware sample at a server associated with a security cloud service;
  
  executing the potential malware sample in a sandbox environment on the server, including by monitoring interaction of the potential malware sample with an application program interface (API), provided by the sandbox environment, in order to obtain an API log;
  
  determining whether the potential malware sample is associated with a known malware family, including by determining, based at least in part on the API log, (1) if the potential malware sample created an executable file and (2) if the potential malware sample registered the executable file in a run key; and
  
  in the event it is determined that the potential malware sample is associated with a known malware family, generating an alert.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Sanders, Kyle, Wang, Xinran

Granted Patent

US 9,542,556 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 2221/033   Test or assess software

H04L 63/02   for separating internal fro...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

MALWARE FAMILY IDENTIFICATION USING PROFILE SIGNATURES

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

84 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

MALWARE FAMILY IDENTIFICATION USING PROFILE SIGNATURES

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links