Techniques for behavior based malware analysis

US 8,555,385 B1
Filed: 03/14/2011
Issued: 10/08/2013
Est. Priority Date: 03/14/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for behavior based analysis comprising:

generating trace data associated with execution of a process, wherein generating trace data comprises using user level hooks to monitor execution of a suspected malware program in a safe environment;

preprocessing the trace data to provide consistent context indicators for analysis of the trace dataanalyzing, using at least one computer processor, observable events via the trace data to identify a plurality of low level actions;

analyzing the plurality of low level actions to identify at least one high level behavior; and

providing an output of the at least one high level behavior.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for behavior based malware analysis are disclosed. In one particular exemplary embodiment, the techniques may be realized as a method for behavior based analysis comprising receiving trace data, analyzing, using at least one computer processor, observable events to identify low level actions, analyzing a plurality of low level actions to identify at least one high level behavior, and providing an output of the at least one high level behavior.

166 Citations

19 Claims

1. A computer-implemented method for behavior based analysis comprising:
- generating trace data associated with execution of a process, wherein generating trace data comprises using user level hooks to monitor execution of a suspected malware program in a safe environment;
  
  preprocessing the trace data to provide consistent context indicators for analysis of the trace dataanalyzing, using at least one computer processor, observable events via the trace data to identify a plurality of low level actions;
  
  analyzing the plurality of low level actions to identify at least one high level behavior; and
  
  providing an output of the at least one high level behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The computer-implemented method of claim 1, wherein analyzing observable events comprises analyzing low level Application Programming Interface calls using at least one rule to identify a low level action performed by a low level Application Programming Interface call.
  - 3. The computer-implemented method of claim 2, wherein the observable events comprise one or more of:
    - system calls, execution history, API calls, a system log, a debug log, an HTTP access log, and a network activity log.
  - 4. The computer-implemented method of claim 1, wherein analyzing a plurality of low level actions to identify at least one high level behavior comprises using at least one rule to identify the at least one high level behavior.
  - 5. The computer-implemented method of claim 1, further comprising:
    - automatically determining if the trace data is associated with malware based at least in part on the at least one high level behavior.
  - 6. The computer-implemented method of claim 4, further comprising generating a signature associated with the trace data in the event the trace data is determined to be malware.
  - 7. The computer-implemented method of claim 5, wherein the at least one high level behavior comprises at least one of:
    - hiding information associated with the process, stealing information, terminating security software, monitoring itself, creating a backdoor, downloading malware, executing malware, and setting up instantiations of itself.
  - 8. The computer-implemented method of claim 1, wherein analyzing observable events comprises identifying a context of observable events and analyzing only observable events associated with the trace data.
  - 9. The computer-implemented method of claim 8, wherein identifying the context of observable events provides identification of malicious behavior performed by one or more of:
    - a non-process threat, a malware executable, a child process, and an injected thread.
  - 10. The computer-implemented method of claim 8, wherein the context is identified using at least one of:
    - a process thread, a process id, a thread id, a timestamp, and one or more API arguments.
  - 11. The computer-implemented method of claim 10, wherein identification of the context prevents association of an operating system utility exploited by malware and provides association of the high level behavior with a source utilizing the operating system utility.
  - 12. The computer-implemented method of claim 11, wherein the operating system utility comprises a utility to perform one or more of:
    - loading a DLL, injecting a remote process thread, running an executable, running a service, and adding a program to a Run registry key.
  - 13. The computer-implemented method of claim 1, further comprising:
    - generating a proof associating one or more observable events with the identified at least one high level behavior.
  - 14. The computer-implemented method of claim 1, wherein providing an output of the at least one high level behavior comprises at least one of:
    - providing a report of high level behavior, generating an alert, and generating a log entry.
  - 15. The computer-implemented method of claim 1, further comprising:
    - further comprising matching one or more signatures of malware behavior to identify high level behavior.
  - 16. The computer-implemented method of claim 1, wherein one or more analysis actions are performed by at least one of:
    - a gateway, a proxy server, a client, a service provider, and a firewall.
  - 17. At least one processor readable non-transitory storage medium for storing a computer program of instructions configured to be readable by at least one processor for instructing the at least one processor to execute a computer process for performing the computer-implemented method as recited in claim 1.

18. An article of manufacture for behavior based analysis, the article of manufacture comprising:
- at least one non-transitory processor readable medium; and
  
  instructions stored on the at least one medium;
  
  wherein the instructions are configured to be readable from the at least one medium by at least one processor and thereby cause the at least one processor to operate so as to;
  
  generate trace data associated with execution of a process, wherein generating trace data comprises using user level hooks to monitor execution of a suspected malware program in a safe environment;
  
  preprocess the trace data to provide consistent context indicators for analysis of the trace dataanalyze observable events via the trace data to identify a plurality of low level actions;
  
  analyze the plurality of low level actions to identify at least one high level behavior; and
  
  provide an output of the at least one high level behavior.

19. A system for behavior based analysis comprising:
- one or more processors communicatively coupled to a network;
  
  wherein the one or more processors are configured to;
  
  generate trace data associated with execution of a process, wherein generating trace data comprises using user level hooks to monitor execution of a suspected malware program in a safe environment;
  
  preprocess the trace data to provide consistent context indicators for analysis of the trace dataanalyze observable events via the trace data to identify a plurality of low level actions;
  
  analyze the plurality of low level actions to identify at least one high level behavior; and
  
  provide an output of the at least one high level behavior.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Bhatkar, Sandeep B., Nanda, Susanta, Wilhelm, Jeffrey Scott
Primary Examiner(s)
PERUNGAVOOR, VENKATANARAY

Application Number

US13/047,338
Time in Patent Office

939 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 11/302   where the computing system ...

G06F 11/3072   where the reporting involve...

G06F 11/3089   Monitoring arrangements det...

G06F 11/32   with visual or acoustical i...

G06F 21/556   involving covert channels, ...

Techniques for behavior based malware analysis

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

166 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for behavior based malware analysis

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

166 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links