Method and Product for Providing a Predictive Security Product and Evaluating Existing Security Products

US 20160173515A1
Filed: 02/19/2016
Published: 06/16/2016
Est. Priority Date: 02/10/2013
Status: Active Grant

First Claim

Patent Images

1. A malware evaluator system, comprising:

a non-transitory memory storing a variant of a malware specimen; and

one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations comprising;

scanning the variant with one or more malware detectors to determine an evasiveness characteristic of the variant and a maliciousness characteristic of the variant;

determining a likelihood that the variant meets one or more criteria based at least on the evasiveness characteristic of the variant and the maliciousness characteristic of the variant;

based on the determined likelihood, selecting the variant for mutation; and

mutating the selected variant to generate one or more successive variants.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, product and computer program product for evaluating a generation of malware variants, the method including the steps of: scanning, with one or more malware detectors, a variant of a malware specimen; determining an evasiveness characteristic of the variant and a maliciousness characteristic of the variant; determining a likelihood that the variant meets one or more criteria based at least on the evasiveness characteristic of the variant and the maliciousness characteristic of the variant; and based on the determined likelihood, selecting the variant for propagation.

Citations

22 Claims

1. A malware evaluator system, comprising:
- a non-transitory memory storing a variant of a malware specimen; and
  
  one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations comprising;
  
  scanning the variant with one or more malware detectors to determine an evasiveness characteristic of the variant and a maliciousness characteristic of the variant;
  
  determining a likelihood that the variant meets one or more criteria based at least on the evasiveness characteristic of the variant and the maliciousness characteristic of the variant;
  
  based on the determined likelihood, selecting the variant for mutation; and
  
  mutating the selected variant to generate one or more successive variants.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein determining the evasiveness characteristic of the variant comprises assigning the variant a value corresponding to the evasiveness characteristic, andwherein determining the maliciousness characteristic of the variant comprises assigning the variant a value corresponding to the maliciousness characteristic.
  - 3. The system of claim 1, wherein the operations further comprise:
    - scanning a second variant of the malware specimen with the one or more malware detectors to determine an evasiveness characteristic of the second variant and a maliciousness characteristic of the second variant;
      
      determining a likelihood that the second variant meets the one or more criteria based at least on the evasiveness characteristic of the second variant and the maliciousness characteristic of the second variant; and
      
      selecting the variant or the second variant for propagation, wherein the selecting is based on which of the variants has a highest determined likelihood of meeting the one or more criteria.
  - 4. The system of claim 1, wherein the determining of the evasiveness characteristic is based on at least one of (i) an amount of the one or more malware detectors that are unable to detect the variant and (ii) a quality of the one or more malware detectors that are unable to detect the variant.
  - 5. The system of claim 1, wherein the operations further comprise:
    - storing the selected variant in a database that is accessed for training at least one malware detector.
  - 6. The system of claim 1, wherein the operations further comprise:
    - comparing a first trace corresponding to virtual machine execution of the variant with a second trace corresponding to non-virtual machine execution of the variant.
  - 7. The system of claim 1, wherein the operations further comprise:
    - identifying code regions of the variant that are not executed.
  - 8. The system of claim 1, wherein the determined likelihood comprises a value that indicates evasiveness and maliciousness of the variant.
  - 9. The system of claim 1, wherein the operations further comprise:
    - determining an amount of divergence between the variant and a malware specimen from which the variant was generated.

10. A non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising:
- scanning, with one or more malware detectors, a variant of a malware specimen;
  
  determining an evasiveness characteristic corresponding to the variant and a maliciousness characteristic corresponding to the variant;
  
  determining a likelihood that the variant meets one or more criteria based at least on the evasiveness characteristic corresponding to the variant and the maliciousness characteristic corresponding to the variant; and
  
  based on the determined likelihood, selecting the variant for mutation.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The non-transitory machine-readable medium of claim 10, wherein determining the evasiveness characteristic corresponding to the variant comprises assigning the variant a value based on the evasiveness characteristic, andwherein determining a maliciousness characteristic corresponding to the variant comprises assigning the variant a value based on the maliciousness characteristic.
  - 12. The non-transitory machine-readable medium of claim 10, wherein the operations further comprise:
    - scanning a second variant of the malware specimen with the one or more malware detectors to determine an evasiveness characteristic corresponding to the second variant and a maliciousness characteristic corresponding to the second variant;
      
      determining a likelihood that the second variant meets the one or more criteria based at least on the evasiveness characteristic corresponding to the second variant and the maliciousness characteristic corresponding to the second variant; and
      
      selecting one of the variant or the second variant for propagation, wherein the selecting is based on which of the variants has a highest determined likelihood of meeting the one or more criteria.
  - 13. The non-transitory machine-readable medium of claim 10, wherein the evasiveness characteristic is determined based on at least one of (i) an amount of the one or more malware detectors that are unable to detect the variant and (ii) a quality of the one or more malware detectors that are unable to detect the variant.
  - 14. The non-transitory machine-readable medium of claim 10, wherein the operations further comprise:
    - storing the selected variant in a database that is accessed for training at least one malware detector.
  - 15. The non-transitory machine-readable medium of claim 10, wherein the determined likelihood comprises a value that indicates evasiveness and maliciousness corresponding to the variant.

16. A method for evaluating a generation of malware variants comprising:
- scanning, with one or more malware detectors, a variant of a malware specimen;
  
  determining an evasiveness characteristic of the variant and a maliciousness characteristic of the variant;
  
  determining a likelihood that the variant meets one or more criteria based at least on the evasiveness characteristic and the maliciousness characteristic of the variant; and
  
  based on the determined likelihood, selecting the variant for propagation.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The method of claim 16, wherein determining the evasiveness characteristic of the variant comprises assigning the variant a value corresponding to the evasiveness characteristic, andwherein determining the maliciousness characteristic of the variant comprises assigning the variant a value corresponding to the maliciousness characteristic.
  - 18. The method of claim 16, further comprising:
    - scanning a second variant of the malware specimen with the one or more malware detectors to determine an evasiveness characteristic of the second variant and a maliciousness characteristic of the second variant;
      
      determining a likelihood that the second variant meets the one or more criteria based at least on the evasiveness characteristic of the second variant and the maliciousness characteristic of the second variant; and
      
      selecting the variant or the second variant for propagation, wherein the selecting is based on which of the variants has a highest determined likelihood of meeting the one or more criteria.
  - 19. The method of claim 16, wherein the evasiveness characteristic is determined based on at least one of (i) an amount of the one or more malware detectors that are unable to detect the variant and (ii) a quality of the one or more malware detectors that are unable to detect the variant.
  - 20. The method of claim 16, further comprising:
    - storing the selected variant in a database that is accessed to train at least one malware detector.
  - 21. The method of claim 16, wherein the determined likelihood comprises a value that indicates evasiveness and maliciousness of the variant.

22. A method for evaluating a generation of malware variants comprising:
- scanning, with one or more malware detectors, two or more variants of a malware specimen;
  
  determining an evasiveness characteristic and a maliciousness characteristic of each of the variants;
  
  determining a likelihood that each of the variants meets one or more criteria based at least on the evasiveness characteristic and the maliciousness characteristic of each of the variants; and
  
  selecting a variant of the two or more variants that has a highest determined likelihood of meeting the one or more criteria; and
  
  mutating the selected variant to generate one or more successive variants.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
PayPal, Inc. (PayPal Holdings, Inc.)
Original Assignee
PayPal, Inc. (PayPal Holdings, Inc.)
Inventors
Boutnaru, Shiomi, Tancman, Liran, Markzon, Michael

Granted Patent

US 9,838,406 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/567   using dedicated hardware

G06F 2221/033   Test or assess software

G06F 2221/2145   Inheriting rights or proper...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Method and Product for Providing a Predictive Security Product and Evaluating Existing Security Products

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and Product for Providing a Predictive Security Product and Evaluating Existing Security Products

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links