Techniques for behavior based malware analysis
First Claim
1. A computer-implemented method for behavior based analysis comprising:
generating trace data associated with execution of a process, wherein generating trace data comprises using user level hooks to monitor execution of a suspected malware program in a safe environment;
preprocessing the trace data to provide consistent context indicators for analysis of the trace data;
analyzing, using at least one computer processor, observable events via the trace data to identify a plurality of low level actions;
analyzing the plurality of low level actions to identify at least one high level behavior; and
providing an output of the at least one high level behavior.
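The claim describes a four-stage pipeline: a user-level hook trace from a sandboxed run, preprocessing into consistent context indicators (so the same behaviour produces the same indicators regardless of user name or handle value), a mapping of observable events to low-level actions, and a combination of low-level actions into high-level behaviours. The following is an added illustration of that pipeline written for this page; it is not code from the patent or its assignee. The trace line format, the normalization rules, the action names and the two behaviour rules are assumptions chosen for the example, and the trace lines are constructed.

```python
"""Added illustration of the claimed pipeline (not the patent's own code):
hook trace -> consistent context -> low-level actions -> high-level behaviours.
Trace format, action names and behaviour rules are assumptions."""
import re
from typing import Dict, List, Tuple

# Constructed sample of what user-level API hooks in a sandbox might log for
# one suspect process: it locates itself, writes a copy under the roaming
# profile, registers that copy in the HKCU Run key and launches it.
SAMPLE_TRACE = """\
pid=1337 tid=1 api=GetModuleFileNameW ret=C:\\Users\\victim\\Downloads\\invoice.exe
pid=1337 tid=1 api=CreateFileW path=C:\\Users\\victim\\AppData\\Roaming\\svchost.exe access=GENERIC_WRITE handle=0x44
pid=1337 tid=1 api=WriteFile handle=0x44 bytes=204800
pid=1337 tid=1 api=CloseHandle handle=0x44
pid=1337 tid=1 api=RegSetValueExW key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run name=Updater data=C:\\Users\\victim\\AppData\\Roaming\\svchost.exe
pid=1337 tid=1 api=CreateProcessW image=C:\\Users\\victim\\AppData\\Roaming\\svchost.exe
"""

# Constructed benign trace: a plain file write with no persistence or launch.
BENIGN_TRACE = """\
pid=1 tid=1 api=CreateFileW path=C:\\Temp\\notes.txt access=GENERIC_WRITE handle=0x1
pid=1 tid=1 api=WriteFile handle=0x1 bytes=10
"""

# Assumed per-user directory prefix rewritten to a stable token.
USER_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming", re.I)


def parse_trace(text: str) -> List[Dict[str, str]]:
    """Stage 1: one dict per hooked API call (key=value tokens; no spaces in values)."""
    return [dict(re.findall(r"(\w+)=(\S+)", line))
            for line in text.splitlines() if line.strip()]


def preprocess(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Stage 2: consistent context indicators. Resolve handles back to the
    path they were opened on and rewrite per-user paths to a stable token."""
    handles: Dict[str, str] = {}
    out = []
    for ev in events:
        ev = dict(ev)
        for k in ("path", "image", "data", "ret"):
            if k in ev:
                ev[k] = USER_DIR.sub("%appdata%", ev[k].lower())
        api = ev.get("api")
        if api == "CreateFileW":
            handles[ev["handle"]] = ev["path"]
        elif api in ("WriteFile", "CloseHandle"):
            ev["path"] = handles.get(ev.get("handle", ""), "<unknown>")
        out.append(ev)
    return out


def low_level_actions(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Stage 3: observable events -> low-level actions (kind, target)."""
    actions = []
    for ev in events:
        api = ev.get("api")
        if api == "GetModuleFileNameW":
            actions.append(("self_image", ev["ret"]))
        elif api == "WriteFile" and int(ev.get("bytes", "0")) > 0:
            actions.append(("file_write", ev["path"]))
        elif api == "RegSetValueExW" and ev["key"].lower().endswith("\\currentversion\\run"):
            actions.append(("run_key_set", ev["data"]))
        elif api == "CreateProcessW":
            actions.append(("process_create", ev["image"]))
    return actions


def high_level_behaviors(actions: List[Tuple[str, str]]) -> List[str]:
    """Stage 4: combine low-level actions into high-level behaviours.
    Both rules key on a file the process itself wrote, which is what makes
    them behaviours rather than isolated API calls."""
    written = {target for kind, target in actions if kind == "file_write"}
    behaviors = []
    for kind, target in actions:
        if kind == "run_key_set" and target in written:
            behaviors.append(f"persistence: Run key points at self-written file {target}")
        if kind == "process_create" and target in written:
            behaviors.append(f"dropper: executes file it wrote ({target})")
    return behaviors


def analyze(trace: str) -> List[str]:
    """Stage 5: the output of the pipeline for one trace."""
    return high_level_behaviors(low_level_actions(preprocess(parse_trace(trace))))


if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        print(name, analyze(trace))
```

The point of the preprocessing stage is visible in the test data: the Run key value and the CreateProcessW image are compared against the WriteFile target only after the handle has been resolved to a path and the user directory has been normalized; without that step the three records would not match and no behaviour would be reported.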
2 Assignments
0 Petitions
Abstract
Techniques for behavior based malware analysis are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for behavior based analysis comprising receiving trace data, analyzing, using at least one computer processor, observable events to identify low level actions, analyzing a plurality of low level actions to identify at least one high level behavior, and providing an output of the at least one high level behavior.
166 Citations
19 Claims
1. (Independent claim; text reproduced above under First Claim.) Dependent claims 2 through 17 depend from claim 1.
18. An article of manufacture for behavior based analysis, the article of manufacture comprising:
at least one non-transitory processor readable medium; and
instructions stored on the at least one medium;
wherein the instructions are configured to be readable from the at least one medium by at least one processor and thereby cause the at least one processor to operate so as to:
generate trace data associated with execution of a process, wherein generating trace data comprises using user level hooks to monitor execution of a suspected malware program in a safe environment;
preprocess the trace data to provide consistent context indicators for analysis of the trace data;
analyze observable events via the trace data to identify a plurality of low level actions;
analyze the plurality of low level actions to identify at least one high level behavior; and
provide an output of the at least one high level behavior.
19. A system for behavior based analysis comprising:
one or more processors communicatively coupled to a network;
wherein the one or more processors are configured to:
generate trace data associated with execution of a process, wherein generating trace data comprises using user level hooks to monitor execution of a suspected malware program in a safe environment;
preprocess the trace data to provide consistent context indicators for analysis of the trace data;
analyze observable events via the trace data to identify a plurality of low level actions;
analyze the plurality of low level actions to identify at least one high level behavior; and
provide an output of the at least one high level behavior.
Specification