Classification of malware using clustering that orders events in accordance with the time of occurrence
First Claim
1. A computer system for an application group classification, the computer system comprising:
one or more databases for including a plurality of application groups and a set of application classifying rules, wherein each application group has been classified based on the set of application classifying rules and includes one or more member applications sharing a set of common behavior patterns according to an event sequence, wherein each event includes information about the event's action including event object information, event subject information, action parameters and status of the action; and
a computing device, in communication with the one or more databases, that performs the following:
receives a request to classify an application into a corresponding application group among the plurality of application groups;
obtains an event sequence according to a predefined specific set of events that identify two or more specified malware features, the predefined events including at least one of “registry open,” “registry write,” “registry query,” “file open,” “file write,” “virtual memory allocation,” “virtual memory write,” “network access,” and “process open,” wherein the event sequence is collected while the application is being executed, and wherein the collected events are ordered according to the time of the occurrence of program actions and environment state transitions;
determines the corresponding application group for the application by applying the set of application classifying rules to the obtained event sequence; and
provides information about the determined application group as a response to the request.
Abstract
The present invention is directed to a method and system for automatically classifying an application into an application group which is previously classified in a knowledge base. More specifically, a runtime behavior of an application is captured as a series of events which are monitored and recorded during the execution of the application. The series of events are analyzed to find a proper application group which shares common runtime behavior patterns with the application. The knowledge base of application groups is previously constructed based on a large number of sample applications. The construction of the knowledge base is done in such a manner that each sample application can be classified into application groups based on a set of classification rules in the knowledge base. The set of classification rules are applied to a new application in order to classify the new application into one of the application groups.
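The classification flow the abstract describes (and that the claims below spell out: events carrying subject, object, parameters and status, ordered by time of occurrence, then matched against each group's classifying rules) as an added Python example; it is not code from the patent or from any product, and the group names, the rules in the knowledge base and the sample events are constructed for illustration.

```python
from dataclasses import dataclass, replace
# Event kinds enumerated in the claims; anything else the monitor records is dropped.
EVENT_KINDS = {"registry open", "registry write", "registry query", "file open", "file write",
               "virtual memory allocation", "virtual memory write", "network access", "process open"}

@dataclass(frozen=True)
class Event:
    ts: float            # time of occurrence; the sequence is ordered by this
    action: str          # one of EVENT_KINDS
    subject: str         # event subject information: the acting process
    obj: str             # event object information: path, key, host or pid
    params: str = ""     # action parameters
    status: str = "ok"   # status of the action

def event_sequence(events):
    """Order collected events by time and keep only the predefined kinds."""
    return [e for e in sorted(events, key=lambda e: e.ts) if e.action in EVENT_KINDS]

def is_subsequence(pattern, actions):
    """True if pattern's actions occur in this order (gaps allowed) within actions."""
    it = iter(actions)  # one shared iterator: each match must come after the previous one
    return all(p in it for p in pattern)

# Constructed knowledge base: a group is a set of ordered behaviour patterns (its
# classifying rules) plus whether its member applications are known malware.
KNOWLEDGE_BASE = {
    "drop-persist-execute": {"malware": True, "rules": [
        ("file write", "registry write", "process open"),
        ("virtual memory allocation", "virtual memory write")]},
    "installer": {"malware": False, "rules": [("file open", "file write", "registry write")]},
}
def classify(events, kb=KNOWLEDGE_BASE):
    """Assign the most specific group (most rules) whose rules all hold, else no group."""
    actions = [e.action for e in event_sequence(events)]
    best, best_rules = None, 0
    for group, spec in kb.items():
        if len(spec["rules"]) > best_rules and all(is_subsequence(r, actions) for r in spec["rules"]):
            best, best_rules = group, len(spec["rules"])
    return {"group": best, "variant_of_known_malware": bool(best and kb[best]["malware"])}
# Constructed sample, deliberately recorded out of time order: inject, drop, persist, launch.
DROPPER_SAMPLE = [
    Event(4.0, "registry write", "a.exe", "HKCU\\Run\\svc", params="svc.exe"),
    Event(5.0, "process open", "a.exe", "svc.exe"),
    Event(1.0, "virtual memory allocation", "a.exe", "self", params="RWX"),
    Event(2.0, "virtual memory write", "a.exe", "self"),
    Event(3.0, "file write", "a.exe", "%APPDATA%\\svc.exe"),
    Event(0.0, "file open", "a.exe", "a.exe"),
]
# Same events, but the launch happens before the drop: the ordered rule no longer holds.
EARLY_LAUNCH_SAMPLE = [replace(e, ts=0.5) if e.action == "process open" else e for e in DROPPER_SAMPLE]
```

Because the rules are ordered subsequences, the same multiset of events classifies differently once the time order changes, which is the point the claims make about ordering events by time of occurrence.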
50 Citations
20 Claims
1. A computer system for an application group classification, the computer system comprising:
one or more databases for including a plurality of application groups and a set of application classifying rules, wherein each application group has been classified based on the set of application classifying rules and includes one or more member applications sharing a set of common behavior patterns according to an event sequence, wherein each event includes information about the event's action including event object information, event subject information, action parameters and status of the action; and a computing device, in communication with the one or more databases, that performs the following: receives a request to classify an application into a corresponding application group among the plurality of application groups; obtains an event sequence according to a predefined specific set of events that identify two or more specified malware features, the predefined events including at least one of “registry open,” “registry write,” “registry query,” “file open,” “file write,” “virtual memory allocation,” “virtual memory write,” “network access,” and “process open,” wherein the event sequence is collected while the application is being executed, and wherein the collected events are ordered according to the time of the occurrence of program actions and environment state transitions; determines the corresponding application group for the application by applying the set of application classifying rules to the obtained event sequence; and provides information about the determined application group as a response to the request.
(Dependent claims: 2, 3, 4, 5, 6.)
7. A computer implemented method for classifying an application into an application group based on behavior patterns of the application, the computer implemented method comprising:
collecting an event sequence of an application; obtaining a set of application groups, wherein each application group includes one or more member applications sharing a set of common behavior patterns according to an event sequence, wherein each event includes information about the event's action including event object information, event subject information, action parameters and status of the action; determining an application group corresponding to the application based on the collected event sequence, wherein the event sequence is obtained according to a predefined specific set of events that identify two or more specified malware features, the predefined events including at least one of “registry open,” “registry write,” “registry query,” “file open,” “file write,” “virtual memory allocation,” “virtual memory write,” “network access,” and “process open,” wherein the event sequence is collected while the application is being executed, and wherein the collected events are ordered according to the time of the occurrence of program actions and environment state transitions; and updating the determined application group to include the application; and
providing information about the determined application group.
(Dependent claims: 8, 9, 10, 11, 12, 13, 14, 15.)
16. An application classification system for automatically classifying an application in response to a classification request, the application classification system comprising:
a knowledge base component for providing information about a plurality of application classifications and a set of classification rules; an event sequence component for collecting a runtime event sequence of an application in response to a classification request, wherein each event includes information about the event's action including event object information, event subject information, action parameters and status of the action, and wherein the event sequence is obtained according to a predefined specific set of events that identify two or more specified malware features, the predefined events including at least one of “registry open,” “registry write,” “registry query,” “file open,” “file write,” “virtual memory allocation,” “virtual memory write,” “network access,” and “process open,” wherein the event sequence is collected while the application is being executed, and wherein the collected events are ordered according to the time of the occurrence of program actions and environment state transitions; and a classification component for identifying an application classification in which the application is to be classified based on the collected runtime event sequence and for adding the application to the identified application classification, wherein the identified application classification has a representative event sequence similar to the collected runtime event sequence; and wherein the information about the determined application group includes an indication that the application is a variant of a known malware application.
(Dependent claims: 17, 18, 19, 20.)
Specification