Classification of malware using clustering that orders events in accordance with the time of occurance

US 7,809,670 B2
Filed: 12/08/2006
Issued: 10/05/2010
Est. Priority Date: 12/09/2005
Status: Active Grant

First Claim

Patent Images

1. A computer system for an application group classification, the computer system comprising:

one or more databases for including a plurality of application groups and a set of application classifying rules, wherein each application group has been classified based on the set of application classifying rules and includes one or more member applications sharing a set of common behavior patterns according to an event sequence, wherein each event includes information about the event'"'"'s action including event object information, event subject information, action parameters and status of the action; and

a computing device, in communication with the one or more databases, that performs the following;

receives a request to classify an application into a corresponding application group among the plurality of application groups;

obtains an event sequence according to a predefined specific set of events that identify two or more specified malware features, the predefined events including at least one of “

registry open,”

“

registry write,”

“

registry query,”

“

file open,”

“

file write,”

“

virtual memory allocation,”

“

virtual memory write,”

“

network access,” and

“

process open,”

wherein the event sequence is collected while the application is being executed, and wherein the collected events are ordered according to the time of the occurrence of program actions and environment state transitions;

determines the corresponding application group for the application by applying the set of application classifying rules to the obtained event sequence; and

provides information about the determined application group as a response to the request.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed to a method and system for automatically classifying an application into an application group which is previously classified in a knowledge base. More specifically, a runtime behavior of an application is captured as a series of events which are monitored and recorded during the execution of the application. The series of events are analyzed to find a proper application group which shares common runtime behavior patterns with the application. The knowledge base of application groups is previously constructed based on a large number of sample applications. The construction of the knowledge base is done in such a manner that each sample application can be classified into application groups based on a set of classification rules in the knowledge base. The set of classification rules are applied to a new application in order to classify the new application into one of the application groups.

50 Citations

View as Search Results

20 Claims

1. A computer system for an application group classification, the computer system comprising:
- one or more databases for including a plurality of application groups and a set of application classifying rules, wherein each application group has been classified based on the set of application classifying rules and includes one or more member applications sharing a set of common behavior patterns according to an event sequence, wherein each event includes information about the event'"'"'s action including event object information, event subject information, action parameters and status of the action; and
  
  a computing device, in communication with the one or more databases, that performs the following;
  
  receives a request to classify an application into a corresponding application group among the plurality of application groups;
  
  obtains an event sequence according to a predefined specific set of events that identify two or more specified malware features, the predefined events including at least one of “
  
  registry open,”
  
  “
  
  registry write,”
  
  “
  
  registry query,”
  
  “
  
  file open,”
  
  “
  
  file write,”
  
  “
  
  virtual memory allocation,”
  
  “
  
  virtual memory write,”
  
  “
  
  network access,” and
  
  “
  
  process open,”
  
  wherein the event sequence is collected while the application is being executed, and wherein the collected events are ordered according to the time of the occurrence of program actions and environment state transitions;
  
  determines the corresponding application group for the application by applying the set of application classifying rules to the obtained event sequence; and
  
  provides information about the determined application group as a response to the request.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer system of claim 1, wherein sample applications are classified into the plurality of application groups through a clustering process.
  - 3. The computer system of claim 1, wherein the computing device adds the application into the determined application group as a member application.
  - 4. The computer system of claim 1, wherein the set of application classifying rules calculate and compare a degree of similarity between the application and each application group to determine the application group for the application.
  - 5. The computer system of claim 1, wherein each member of the corresponding application group has an event sequence similar to the obtained event sequence.
  - 6. The computer system of claim 5, wherein the degree of similarity is measured via an event edit cost analysis.

7. A computer implemented method for classifying an application into an application group based on behavior patterns of the application, the computer implemented method comprising:
- collecting an event sequence of an application;
  
  obtaining a set of application groups, wherein each application group includes one or more member applications sharing a set of common behavior patterns according to an event sequence, wherein each event includes information about the event'"'"'s action including event object information, event subject information, action parameters and status of the action;
  
  determining an application group corresponding to the application based on the collected event sequence, wherein the event sequence is obtained according to a predefined specific set of events that identify two or more specified malware features, the predefined events including at least one of “
  
  registry open,”
  
  “
  
  registry write,”
  
  “
  
  registry query,”
  
  “
  
  file open,”
  
  “
  
  file write,”
  
  “
  
  virtual memory allocation,”
  
  “
  
  virtual memory write,”
  
  “
  
  network access,” and
  
  “
  
  process open,”
  
  wherein the event sequence is collected while the application is being executed, and wherein the collected events are ordered according to the time of the occurrence of program actions and environment state transitions; and
  
  updating the determined application group to include the application; and
  
  providing information about the determined application group.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The computer implemented method of claim 7, wherein the set of common behavior patterns is represented by a representative event sequence.
  - 9. The computer implemented method of claim 8, wherein determining an application group corresponding to the application includes calculating a similarity distance between the application and each application group;
    - andwherein the similarity distance is calculated by comparing the representative event sequence of each application group and the collected event sequence.
  - 10. The computer implemented method of claim 9, further comprising:
    - identifying an application group which has a closest similarity distance from the application, wherein the identified application group is selected to be the application group corresponding to the application.
  - 11. The computer implemented method of claim 10, further comprising:
    - if no application group is determined to correspond to the application, determining whether a new application group needs to be created; and
      
      if a new application group needs to be created, creating the new application group to include the application.
  - 12. The computer implemented method of claim 10, wherein when the similarity distances between the application and the set of application groups exceed a threshold, no application group is determined to correspond to the application.
  - 13. The computer implemented method of claim 11, further comprising:
    - if a new group needs not to be created, providing information indicating that no application group is determined for the application.
  - 14. The computer implemented method of claim 10, further comprising:
    - if more than one application groups are determined to have the closest similarity distance, reorganizing the set of application groups so that only one application group has the closest similarity distance from the application.
  - 15. The computer implemented method of claim 12, wherein the similarity distance is calculated via a distance measure which defines a similarity distance among event sequences.

16. An application classification system for automatically classifying an application in response to a classification request, the application classification system comprising:
- a knowledge base component for providing information about a plurality of application classifications and a set of classification rules;
  
  an event sequence component for collecting an runtime event sequence of an application in response to a classification request, wherein each event includes information about the event'"'"'s action including event object information, event subject information, action parameters and status of the action, and wherein the event sequence is obtained according to a predefined specific set of events that identify two or more specified malware features, the predefined events including at least one of “
  
  registry open,”
  
  “
  
  registry write,”
  
  “
  
  registry query,”
  
  “
  
  file open,”
  
  “
  
  file write,”
  
  “
  
  virtual memory allocation,”
  
  “
  
  virtual memory write,”
  
  “
  
  network access,” and
  
  “
  
  process open,”
  
  wherein the event sequence is collected while the application is being executed, and wherein the collected events are ordered according to the time of the occurrence of program actions and environment state transitions; and
  
  a classification component for identifying an application classification in which the application is to be classified based on the collected runtime event sequence and for adding the application to the identified application classification,wherein the identified application classification has a reprehensive event sequence similar to the collected runtime event sequence; and
  
  wherein the information about the determined application group includes an indication that the application is a variant of a known malware application.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The application classification system of claim 16, wherein the set of classification rules are defined for an enterprise system.
  - 18. The application classification system of claim 17, wherein the knowledge base component builds a local knowledge base representing the information about a plurality of new application classifications based on the set of classification rules.
  - 19. The application classification system of claim 18, wherein the local knowledge base is utilized to determine the application has runtime behaviors which are allowed within the enterprise system.
  - 20. The application classification system of claim 16, wherein the identified application classification is provided as a response to the classification request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Lee, Tony, Lin, Ying Lena, Marinescu, Adrian M., Mody, Jigar J., Polyakov, Alexey A.
Primary Examiner(s)
VINCENT, DAVID ROBERT

Application Number

US11/608,625
Publication Number

US 20070136455A1
Time in Patent Office

1,397 Days
Field of Search

706/20, 706/59, 380/28, 713/160, 713/187, 713/188, 726/13, 726 22- 26
US Class Current

706/59
CPC Class Codes

G06F 21/564 by virus signature recognition

Classification of malware using clustering that orders events in accordance with the time of occurance

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

50 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Classification of malware using clustering that orders events in accordance with the time of occurance

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links