Detecting malicious software by analyzing patterns of system calls generated during emulation
First Claim
1. A method for determining whether software is likely to exhibit malicious behavior by analyzing patterns of system calls made during emulation of the software, comprising:
receiving the software;
emulating the software within an insulated environment in a computer system so that the computer system is insulated from malicious actions of the software;
recording a pattern of system calls directed to an operating system of the computer system during emulation of the software;
comparing the pattern of system calls against a database containing suspect patterns of system calls;
determining whether the software is likely to exhibit malicious behavior based upon the comparison; and
terminating the method if one of the following occurs:
a maximum number of instructions are executed during the emulation, and a maximum number of system calls are made during the emulation.
Abstract
One embodiment of the present invention provides a system for determining whether software is likely to exhibit malicious behavior by analyzing patterns of system calls made during emulation of the software. The system operates by emulating the software within an insulated environment in a computer system so that the computer system is insulated from malicious actions of the software. During the emulation process, the system records a pattern of system calls directed to an operating system of the computer system. The system compares the pattern of system calls against a database containing suspect patterns of system calls. Based upon this comparison, the system determines whether the software is likely to exhibit malicious behavior. In one embodiment of the present invention, if the software is determined to be likely to exhibit malicious behavior, the system reports this fact to a user of the computer system. In one embodiment of the present invention, the process of comparing the pattern of system calls is performed on-the-fly as the emulation generates system calls.
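As an added illustration (not code from the patent or from any product practicing it), the following Python sketch shows the on-the-fly comparison the abstract describes: an emulator reports each instruction and system call as an event, the monitor matches the recent call sequence against a suspect-pattern database as calls arrive, and emulation is abandoned as soon as either budget (maximum instructions or maximum system calls) is reached. The pattern database, the event format and the sample trace are constructed for the example.

```python
from collections import deque

# Constructed suspect-pattern database (hypothetical labels and sequences).
SUSPECT_PATTERNS = {
    "drop-and-execute": ("open", "write", "close", "chmod", "exec"),
    "overwrite-executable": ("open", "read", "open", "write", "write"),
}

class SyscallPatternMonitor:
    """Matches emulator-reported system calls against the suspect-pattern
    database on the fly and enforces both termination budgets."""

    def __init__(self, patterns, max_instructions, max_syscalls):
        self.patterns = patterns
        # A window as long as the longest suspect sequence suffices for matching.
        self.window = deque(maxlen=max(len(p) for p in patterns.values()))
        self.budget = {"insn": max_instructions, "sys": max_syscalls}
        self.count = {"insn": 0, "sys": 0}
        self.matches = []

    def feed(self, event):
        """event is ('insn',) or ('sys', name). Returns None to keep
        emulating, or the name of the budget that was just exhausted."""
        kind = event[0]
        self.count[kind] += 1
        if kind == "sys":
            self.window.append(event[1])
            recent = tuple(self.window)
            for label, pat in self.patterns.items():
                if recent[-len(pat):] == pat and label not in self.matches:
                    self.matches.append(label)
        if self.count[kind] >= self.budget[kind]:
            return "max instructions" if kind == "insn" else "max system calls"
        return None

def analyze(trace, max_instructions=10_000, max_syscalls=500):
    """Run one emulation trace through the monitor; returns
    (likely_malicious, matched_labels, stop_reason)."""
    mon = SyscallPatternMonitor(SUSPECT_PATTERNS, max_instructions, max_syscalls)
    stop = "trace ended"
    for event in trace:
        reason = mon.feed(event)
        if reason:
            stop = reason
            break
    return bool(mon.matches), mon.matches, stop

# Constructed trace: 40 instructions, then write a file, chmod it, exec it.
SAMPLE_TRACE = [("insn",)] * 40 + [("sys", n) for n in "open write close chmod exec".split()]
```

Note that a match recorded on the very call that exhausts the system-call budget is kept, so a verdict is still produced when the emulation is cut short.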
27 Claims
1. A method for determining whether software is likely to exhibit malicious behavior by analyzing patterns of system calls made during emulation of the software, comprising:
receiving the software;
emulating the software within an insulated environment in a computer system so that the computer system is insulated from malicious actions of the software;
recording a pattern of system calls directed to an operating system of the computer system during emulation of the software;
comparing the pattern of system calls against a database containing suspect patterns of system calls;
determining whether the software is likely to exhibit malicious behavior based upon the comparison; and
terminating the method if one of the following occurs:
a maximum number of instructions are executed during the emulation, and a maximum number of system calls are made during the emulation.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for determining whether software is likely to exhibit malicious behavior by analyzing patterns of system calls made during emulation of the software, the method comprising:
receiving the software;
emulating the software within an insulated environment in a computer system so that the computer system is insulated from malicious actions of the software;
recording a pattern of system calls directed to an operating system of the computer system during emulation of the software;
comparing the pattern of system calls against a database containing suspect patterns of system calls;
determining whether the software is likely to exhibit malicious behavior based upon the comparison; and
terminating the method if one of the following occurs:
a maximum number of instructions are executed during the emulation, and a maximum number of system calls are made during the emulation.
Dependent claims: 13, 14, 15, 16, 17, 18, 19
20. An apparatus that determines whether software is likely to exhibit malicious behavior by analyzing patterns of system calls made during emulation of the software, comprising:
a receiving mechanism that receives the software;
an emulator that emulates the software within an insulated environment in a computer system so that the computer system is insulated from malicious actions of the software;
a recording mechanism that records a pattern of system calls directed to an operating system of the computer system during emulation of the software;
a comparison mechanism that compares the pattern of system calls against a database containing suspect patterns of system calls; and
a determination mechanism that determines whether the software is likely to exhibit malicious behavior based upon the comparison;
wherein termination occurs if one of the following occurs:
a maximum number of instructions are executed during the emulation, and a maximum number of system calls are made during the emulation.
Dependent claims: 21, 22, 23, 24, 25, 26, 27