System and method for detection of complex malware
1 Assignment
0 Petitions
Abstract
Disclosed are systems, methods and computer program products for detection of malware with complex infection patterns. The system provides enhanced protection against malware by identifying potentially harmful software objects, monitoring execution of various processes and threads of potentially harmful objects, compiling contexts of events of execution of the monitored processes and threads, and merging contexts of related processes and threads. Based on the analysis of the individual and merged object contexts using malware behavior rules, the system allows detection of malicious objects that have simple and complex behavior patterns.
92 Citations
20 Claims
1. A method for detection of computer malware, the method comprising:
- monitoring execution of processes or threads of one or more software objects;
- determining if the one or more objects are trusted objects or non-trusted objects;
- storing, in a plurality of separate object contexts, events of execution of the monitored processes or threads of each non-trusted object;
- determining if the monitored processes or threads stored in separate object contexts are related to each other;
- merging events stored in the object contexts of related processes or threads into a common context; and
- analyzing the events of the monitored processes or threads stored both in the common context and in separate object contexts using malware behavior rules to identify malicious objects.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system for detection of computer malware, comprising:
- a memory being configured to store a list of trusted software objects and malware behavior rules; and
- a processor coupled to the memory, the processor being configured to:
  - monitor execution of processes or threads of one or more software objects;
  - determine if the one or more objects are trusted objects or non-trusted objects;
  - store, in a plurality of separate object contexts, events of execution of the monitored processes or threads of each non-trusted object;
  - determine if the monitored processes or threads stored in separate object contexts are related to each other;
  - merge events stored in the object contexts of related processes and threads into a common context; and
  - analyze the events of execution of the monitored processes or threads stored both in the common context and in separate object contexts using malware behavior rules to identify malicious objects.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A computer program product embedded in a non-transitory computer-readable storage medium, the computer-readable storage medium comprising computer-executable instructions for detection of computer malware, the instructions for:
- monitoring execution of processes or threads of one or more software objects;
- determining if the one or more objects are trusted objects or non-trusted objects;
- storing, in a plurality of separate object contexts, events of execution of the monitored processes or threads of each non-trusted object;
- determining if the monitored processes or threads stored in separate object contexts are related to each other;
- merging events stored in the object contexts of related processes or threads into a common context; and
- analyzing the events of the monitored processes or threads stored both in the common context and in separate object contexts using malware behavior rules to identify malicious objects.
Dependent claims: 16, 17, 18, 19, 20.
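The independent claims above describe one pipeline: filter out trusted objects, keep a separate event context per non-trusted object, link related objects, merge their contexts, and run behavior rules over both the separate and the merged contexts. The following is an added illustration of that pipeline, not code from the patent or its assignee. The trusted list, the linking relation (process creation and remote thread creation), the two rules and the event stream are all constructed for the example; the patent does not disclose its rule set or its relatedness criteria.

```python
"""
Added example (not the patent's own code): a toy implementation of the
claimed pipeline. Trusted list, rules and events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    seq: int      # position in the global event stream (keeps order after merging)
    obj: str      # object whose process/thread produced the event
    action: str   # file_write, reg_set, net_connect, proc_create, thread_create
    target: str   # path, registry key, endpoint, or another object's name


# Constructed allow-list standing in for the stored list of trusted objects.
TRUSTED = {"explorer.exe", "svchost.exe"}

# Constructed relatedness criterion: the acting object and its target are
# related when one creates the other's process or a thread inside it.
LINKING_ACTIONS = {"proc_create", "thread_create"}


def build_contexts(events):
    """Steps 1-3: keep only non-trusted objects, one separate context per object."""
    contexts = defaultdict(list)
    for ev in events:
        if ev.obj not in TRUSTED:
            contexts[ev.obj].append(ev)
    return dict(contexts)


def related_groups(contexts):
    """Step 4: union-find over objects linked by process or remote-thread creation."""
    parent = {obj: obj for obj in contexts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for obj, evs in contexts.items():
        for ev in evs:
            if ev.action in LINKING_ACTIONS and ev.target in contexts:
                parent[find(ev.target)] = find(obj)
    groups = defaultdict(set)
    for obj in contexts:
        groups[find(obj)].add(obj)
    return [frozenset(g) for g in groups.values() if len(g) > 1]


def merge_contexts(contexts, groups):
    """Step 5: one common context per group, events restored to stream order."""
    return {g: sorted((ev for obj in g for ev in contexts[obj]), key=lambda e: e.seq)
            for g in groups}


def in_order(*actions):
    """Behavior rule: the listed actions occur in this order (as a subsequence)."""
    def rule(evs):
        i = 0
        for ev in evs:
            if i < len(actions) and ev.action == actions[i]:
                i += 1
        return i == len(actions)
    return rule


# Constructed malware behavior rules (not the patent's rule set).
RULES = {
    # complex pattern: drop a file, start it, persist via registry, then call out
    "drop_persist_beacon": in_order("file_write", "proc_create", "reg_set", "net_connect"),
    # simple single-object pattern: tampering with the hosts file
    "hosts_file_tamper": lambda evs: any(
        ev.action == "file_write" and ev.target.lower().endswith(r"\etc\hosts") for ev in evs),
}


def analyze(contexts, merged):
    """Step 6: apply the rules to separate and common contexts; return verdicts."""
    verdicts = {}
    for obj, evs in contexts.items():
        hits = sorted(name for name, rule in RULES.items() if rule(evs))
        if hits:
            verdicts[(obj,)] = hits
    for group, evs in merged.items():
        hits = sorted(name for name, rule in RULES.items() if rule(evs))
        if hits:
            verdicts[tuple(sorted(group))] = hits
    return verdicts


def detect(events):
    contexts = build_contexts(events)
    merged = merge_contexts(contexts, related_groups(contexts))
    return analyze(contexts, merged)


# Constructed event stream: a two-stage infection split across dropper.exe and
# payload.exe, a benign updater, and a single-stage hosts-file hijacker.
SAMPLE_EVENTS = [
    Event(0, "explorer.exe", "proc_create", "dropper.exe"),
    Event(1, "dropper.exe", "file_write", r"C:\Users\u\AppData\Local\Temp\payload.exe"),
    Event(2, "dropper.exe", "proc_create", "payload.exe"),
    Event(3, "updater.exe", "net_connect", "203.0.113.5:443"),
    Event(4, "payload.exe", "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    Event(5, "payload.exe", "net_connect", "203.0.113.10:443"),
    Event(6, "hijack.exe", "file_write", r"C:\Windows\System32\drivers\etc\hosts"),
]

if __name__ == "__main__":
    for objs, hits in detect(SAMPLE_EVENTS).items():
        print(", ".join(objs), "->", ", ".join(hits))
```

Run stand-alone, the script reports hijack.exe on its own context and the pair dropper.exe, payload.exe on their merged context; neither dropper.exe nor payload.exe trips the drop_persist_beacon rule when only its separate context is examined, which is the gap the merging step closes. Two practical caveats: the trust decision is the weak point of the scheme, since events of a trusted object are never stored, so a thread injected into a trusted process is invisible unless its events are attributed to the injecting object (this toy does not do that); and real contexts need a retention bound, since the union-find and per-object lists here grow without limit.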
Specification