Method and apparatus for detecting malicious code in an information handling system
First Claim
1. One or more computer-readable media storing program instructions executable by an information handling system to:
while a first program is running on the information handling system in a manner that permits the first program to infect the information handling system, perform a plurality of detection routines to gather information relating to the first program, wherein the plurality of detection routines include a first set of malicious code detection routines and a second set of valid code detection routines;
calculate a first composite score and a second composite score based on results of the plurality of detection routines, wherein said first composite score is indicative of the likelihood that the first program is malicious and is calculated using weights associated with those detection routines within the first set of malicious code detection routines whose results are indicative of the first program being malicious code, and wherein said second composite score is indicative of the likelihood that the first program is valid and is calculated using weights associated with those detection routines within the second set of valid code detection routines whose results are indicative of the first program being valid code, and wherein the second composite score is calculated independently from the first composite score; and
use the first and/or second composite scores to categorize the first program with respect to the likelihood of the first program infecting the information handling system, including:
categorizing the first program as malicious code when the first composite score is above a malicious code threshold value and the second composite score is below a valid code threshold value; and
categorizing the first program as valid code when the second composite score is above the valid code threshold value.
Abstract
A method for detecting malicious code on an information handling system includes executing malicious code detection code (MCDC) on the information handling system. The malicious code detection code includes detection routines. The detection routines are applied to executable code under investigation running on the information handling system during the execution of the MCDC. The detection routines associate weights to respective executable code under investigation in response to detections of a valid program or malicious code as a function of respective detection routines. Lastly, executable code under investigation is determined a valid program or malicious code as a function of the weights associated by the detection routines. Computer-readable media and an information handling system are also disclosed.
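The weighted two-score scheme of the abstract and claim 1, worked as an added Python example that is not the patent's own code; every routine name, weight, threshold and sample program record is an assumption chosen for illustration, since the claims specify none of them.

```python
"""Added example, not the patent's own code: the dual-score categorization of
claims 1, 42 and 48. Routines, weights, thresholds and samples are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Routine:
    name: str
    weight: float
    check: Callable[[dict], bool]  # True when the routine's indicator is present

# First set: characteristics typically associated with malicious code (assumed).
MALICIOUS_ROUTINES: List[Routine] = [
    Routine("writes_autostart_entry", 3.0, lambda p: p["writes_autostart"]),
    Routine("hides_own_process", 4.0, lambda p: p["hides_process"]),
    Routine("image_is_packed", 2.0, lambda p: p["packed"]),
]
# Second set: characteristics typically associated with valid code (assumed).
VALID_ROUTINES: List[Routine] = [
    Routine("signature_verifies", 4.0, lambda p: p["signed"]),
    Routine("registered_uninstaller", 2.0, lambda p: p["has_uninstaller"]),
    Routine("version_resource_present", 1.0, lambda p: p["has_version_info"]),
]
MALICIOUS_THRESHOLD = 5.0  # assumed values; the claims only require thresholds
VALID_THRESHOLD = 4.0

def composite_score(routines: List[Routine], program: dict) -> float:
    """Sum the weights of routines whose result supports the set's verdict.
    Each set is summed on its own, so the two scores are independent."""
    return sum((r.weight for r in routines if r.check(program)), 0.0)

def categorize(program: dict) -> Tuple[str, float, float]:
    """Apply the claim-1 rules; anything else is left uncategorized."""
    mal = composite_score(MALICIOUS_ROUTINES, program)
    val = composite_score(VALID_ROUTINES, program)
    if mal > MALICIOUS_THRESHOLD and val < VALID_THRESHOLD:
        return "malicious", mal, val
    if val > VALID_THRESHOLD:  # valid evidence wins even if mal is high
        return "valid", mal, val
    return "indeterminate", mal, val

# Constructed sample records (what the routines would gather at runtime).
SAMPLES: Dict[str, dict] = {
    "signed_installer": dict(writes_autostart=True, hides_process=False, packed=False, signed=True, has_uninstaller=True, has_version_info=True),
    "unsigned_packed_autostart": dict(writes_autostart=True, hides_process=True, packed=True, signed=False, has_uninstaller=False, has_version_info=False),
    "unsigned_utility": dict(writes_autostart=False, hides_process=False, packed=True, signed=False, has_uninstaller=False, has_version_info=True),
}
if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, categorize(rec))
```

Note that a program whose valid score sits exactly at the threshold satisfies neither rule and stays indeterminate; that is the case a deployment would route to further analysis rather than silently allow.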
54 Claims
1. As set out under First Claim above. Dependent claims: 2-24, 52.
25. One or more computer-readable media storing program instructions executable by an information handling system to:
while a first program is running on an operating system of the information handling system in a manner that permits the first program to infect the information handling system, perform a plurality of detection routines including:
a first set of two or more detection routines that examine one or more files corresponding to the first program; and
a second set of two or more detection routines that search for information about the first program from resources of the information handling system other than the one or more files, wherein the second set of detection routines includes one or more routines that access the operating system via one or more application programming interfaces (APIs) to determine information relating to the first program; and
use results of the plurality of detection routines, including results of the first set of detection routines and results of the second set of detection routines, to compute a first score and a second score, and to categorize the first program as to the likelihood of the first program infecting the information handling system based on either or both of the first and second scores, wherein the first score is indicative of the likelihood that the first program is malicious, and wherein the second score is indicative of the likelihood that the first program is valid;
wherein performing the plurality of detection routines does not prevent infection of the information handling system by the first program.
Dependent claims: 26-41.
42. A method, comprising:
while a first program is running on an information handling system in a manner that permits the first program to infect the information handling system, independently calculating a first composite score and a second composite score, wherein said first composite score is indicative of the likelihood that the first program is malicious, and wherein said second composite score is indicative of the likelihood that the first program is valid; and
categorizing the first program with respect to the likelihood of the first program infecting the information handling system, wherein said categorizing includes:
categorizing the first program as malicious code when the first composite score is above a malicious code threshold value and the second composite score is below a valid code threshold value; and
categorizing the first program as valid code when the second composite score is above the valid code threshold value;
wherein the first composite score is calculated by using weighted results from a first set of detection routines for detecting characteristics and/or behaviors typically associated with malicious code, and wherein the second composite score is calculated using weighted results from a second set of detection routines for detecting characteristics and/or behaviors typically associated with valid code.
Dependent claims: 43, 53, 54.
44. A method, comprising:
while a first program is running on an operating system of an information handling system in a manner that permits the first program to infect the information handling system, performing a plurality of detection routines including:
a first set of two or more detection routines that examine an image of one or more files corresponding to the first program;
a second set of two or more detection routines that search for information about the first program from resources of the information handling system other than the one or more files, wherein the second set of detection routines includes one or more routines that access the operating system to determine information relating to the first program; and
categorizing, using either or both of first and second scores computed from results of the first and second sets of detection routines, the first program as to the likelihood of the first program infecting the information handling system;
wherein the first score is indicative of the likelihood that the first program is malicious, and wherein the second score is indicative of the likelihood that the first program is valid, and wherein performing the plurality of detection routines does not prevent infection of the information handling system by the first program.
Dependent claims: 45-47.
48. An information handling system, comprising:
a central processing unit (CPU);
a memory storing program instructions executable by the CPU to:
while a first program is running on the information handling system in a manner that permits the first program to infect the information handling system, perform a plurality of detection routines and use the results to independently calculate a first composite score and a second composite score, wherein the first composite score is indicative of the likelihood that the first program is malicious, and wherein the second composite score is indicative of the likelihood that the first program is valid; and
use the first and/or second composite scores to categorize the first program with respect to the likelihood of the first program compromising the security of the information handling system, including:
categorizing the first program as malicious when the first composite score is above a first threshold value and the second composite score is below a second threshold value; and
categorizing the first program as valid when the second composite score is above the second threshold value;
wherein the first composite score is calculated using weighted results of a first set of detection routines for detecting characteristics and/or behaviors typically associated with malicious code, and wherein the second composite score is calculated using weighted results of a second set of detection routines for detecting characteristics and/or behaviors typically associated with valid code.
49. An information handling system, comprising:
a central processing unit (CPU);
a memory storing program instructions executable by the CPU to:
while a first program is running on an operating system of the information handling system in a manner that permits the first program to infect the information handling system, perform a plurality of detection routines including:
a first set of two or more detection routines that examine an image of one or more files corresponding to the first program for one or more signatures;
a second set of two or more detection routines that search for information about the first program from resources of the information handling system other than the one or more files, wherein the second set of detection routines includes one or more routines that access the operating system running on the information handling system in order to determine information relating to the first program; and
use results of the plurality of detection routines, including results of the first set of detection routines and results of the second set of detection routines, to compute a first score and a second score, and to categorize, based on either or both of the first and second scores, the first program as to the likelihood of the first program compromising the security of the information handling system, wherein the first score is indicative of the likelihood that the first program is malicious, and wherein the second score is indicative of the likelihood that the first program is valid;
wherein performing the plurality of detection routines does not prevent infection of the information handling system by the first program.
Dependent claims: 50, 51.