Detecting malicious computer program activity using external program calls with dynamic rule sets

US 8,627,458 B2
Filed: 01/13/2004
Issued: 01/07/2014
Est. Priority Date: 01/13/2004
Status: Active Grant

First Claim

Patent Images

1. A computer program product embodied on a non-transitory tangible computer readable medium and provided on a computer that includes a central processing unit (CPU) and an operating system, the computer program product, comprising:

logging code operable to log a stream of external program calls during an execution of a computer program;

primary set identifying code operable to identify, within said stream of external program calls, a primary set of one or more external program calls matching one or more rules indicative of malicious computer program activity from among a set of rules;

secondary set identifying code operable to identify, within said stream, at least one secondary set of one or more external program calls associated with said primary set of one or more external program calls, wherein one of said at least one secondary set of one or more external program calls (2) precedes or succeeds said primary set of one or more external program calls within said stream of external program calls and (2) originates from the same computer program, memory region, or thread of the primary set of external program calls;

modifying code operable to modify said set of rules such that said at least one secondary set of one or more external program calls are more strongly associated with malicious computer program activity than said primary set of said one or more external program calls by increasing a score value associated with the secondary set of one or more external program for use in triggering an anti-malware response;

wherein said set of rules is modified to include a new rule corresponding to said secondary set of one or more external program calls, said new rule thereafter being used in addition to other rules within said set of rules.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A stream 14 of external computer program calls made from an application program 2 to an operating system 4 is logged by an anti-malware layer 8. This stream 14 is examined for a primary set XYZ of external program calls known to be associated with malicious computer program activity. When such a primary set XYZ of external computer program calls is identified, the malicious activity is blocked and the logged stream 14 is examined to determine one or more secondary sets of external program calls which are now added to the set of rules 10 against which the logged stream 14 of external program calls is tested. In this way the set of rules 10 is dynamically adapted so as to more rapidly and proactively identify malicious computer program activity.

23 Citations

View as Search Results

47 Claims

1. A computer program product embodied on a non-transitory tangible computer readable medium and provided on a computer that includes a central processing unit (CPU) and an operating system, the computer program product, comprising:
- logging code operable to log a stream of external program calls during an execution of a computer program;
  
  primary set identifying code operable to identify, within said stream of external program calls, a primary set of one or more external program calls matching one or more rules indicative of malicious computer program activity from among a set of rules;
  
  secondary set identifying code operable to identify, within said stream, at least one secondary set of one or more external program calls associated with said primary set of one or more external program calls, wherein one of said at least one secondary set of one or more external program calls (2) precedes or succeeds said primary set of one or more external program calls within said stream of external program calls and (2) originates from the same computer program, memory region, or thread of the primary set of external program calls;
  
  modifying code operable to modify said set of rules such that said at least one secondary set of one or more external program calls are more strongly associated with malicious computer program activity than said primary set of said one or more external program calls by increasing a score value associated with the secondary set of one or more external program for use in triggering an anti-malware response;
  
  wherein said set of rules is modified to include a new rule corresponding to said secondary set of one or more external program calls, said new rule thereafter being used in addition to other rules within said set of rules.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 46, 47)
- - 2. A computer program product as claimed in claim 1, wherein said external program calls are application program interface calls to an operating system.
  - 3. A computer program product as claimed in claim 1, wherein each of said external program calls has one or more characteristics compared against said set of rules.
  - 4. A computer program product as claimed in claim 3, wherein said one or more characteristics include:
    - a call name;
      
      a return address;
      
      one or more parameter values;
      
      and one or more returned results.
  - 5. A computer program product as claimed in claim 1, wherein rules within said set of rules specify score values of external program calls having predetermined characteristics and a set of one or more external program calls is identified as corresponding to malicious computer program activity if said set of one or more external program calls has a combined score value exceeding a threshold level.
  - 6. A computer program product as claimed in claim 5, wherein score values within a set of rules associated with said secondary set of one or more external program calls are increased to more strongly associate said secondary set of external program calls with malicious computer program activity than said primary set of said one or more external program calls.
  - 7. A computer program product as claimed in claim 1, wherein said set of rules include at least one of:
    - one or more pattern matching rules; and
      
      one or more regular expression rules.
  - 8. A computer program product as claimed in claim 1, wherein said set of rules are responsive to ordering of external program calls.
  - 9. A computer program product as claimed in claim 1, wherein said modifying code dynamically adapts said set of rules in response to detected streams of external program calls performing malicious computer program activity.
  - 10. A computer program product as claimed in claim 1, wherein at least changes within said set of rules are transmitted to one or more remote computers such that said one or more remote computers can use said modified set of rules without having to suffer said malicious computer program activity.
  - 11. A computer program product as claimed in claim 1, wherein changes within said set of rules are transmitted to a rule supplier.
  - 12. A computer program product as claimed in claim 1, wherein said stream of external program calls are logged following emulation of execution of a computer program.
  - 13. A computer program product as claimed in claim 1, comprising starting point identifying code operable to identify a starting point of malicious computer program activity within said stream of external program calls.
  - 14. A computer program product as claimed in claim 13, wherein said starting point corresponds to one of:
    - starting execution of a computer file; and
      
      a switch of memory address region from which program instructions are executed.
  - 15. A computer program product as claimed in claim 1, wherein said set of rules is subject to a validity check after modification to determine if said set of rules is more effectively detecting malicious computer program activity.
  - 46. A computer program product as claimed in claim 1, further comprising applying high level rules to said modified set of rules, and promoting said modified set of rules from said temporary set to said permanent set based on the application of the high level rules to said modified set of rules.
  - 47. A computer program product as claimed in claim 1, wherein one or more other rules are applied to said modified set of rules to determine if said modified set of rules is more effectively detecting malicious computer program activity after modification.

16. A method of detecting malicious computer program activity using a processor and a memory of a computer, comprising:
- logging a stream of external program calls during an execution of a computer program;
  
  identifying within said stream of external program calls a primary set of one or more external program calls matching one or more rules indicative of malicious computer program activity from among a set of rules;
  
  identifying within said stream at least one secondary set of one or more external program calls associated with said primary set of one or more external program calls, wherein one of said at least one secondary set of one or more external program calls (1) precedes or succeeds said primary set of one or more external program calls within said stream of external program calls and (2) originates from the same computer program, memory region, or thread of the primary set of external program calls;
  
  modifying said set of rules such that said at least one secondary set of one or more external program calls are more strongly associated with malicious computer program activity than said primary set of said one or more external program calls by increasing a score value associated with the secondary set of one or more external program for use in triggering an anti-malware response;
  
  wherein said set of rules is modified to include a new rule corresponding to said secondary set of one or more external program calls, said new rule thereafter being used in addition to other rules within said set of rules.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. A method as claimed in claim 16, wherein said external program calls are application program interface calls to an operating system.
  - 18. A method as claimed in claim 16, wherein each of said external program calls has one or more characteristics compared against said set of rules.
  - 19. A method as claimed in claim 18, wherein said one or more characteristics include:
    - a call name;
      
      a return address;
      
      one or more parameter values; and
      
      one or more returned results.
  - 20. A method as claimed in claim 16, wherein rules within said set of rules specify score values of external program calls having predetermined characteristics and a set of one or more external program calls is identified as corresponding to malicious computer program activity if said set of one or more external program calls has a combined score value exceeding a threshold level.
  - 21. A method as claimed in claim 20, wherein score values within a set of rules associated with said secondary set of one or more external program calls are increased to more strongly associate said secondary set of external program calls with malicious computer program activity than said primary set of said one or more external program calls.
  - 22. A method as claimed in claim 16, wherein said set of rules include at least one of:
    - one or more pattern matching rules; and
      
      one or more regular expression rules.
  - 23. A method as claimed in claim 16, wherein said set of rules are responsive to ordering of external program calls.
  - 24. A method as claimed in claim 16, wherein said step of modifying said set of rules dynamically adapts said set of rules in response to detected streams of external program calls performing malicious computer program activity.
  - 25. A method as claimed in claim 16, wherein at least changes within said set of rules are transmitted to one or more remote computers such that said one or more remote computers can use said modified set of rules without having to suffer said malicious computer program activity.
  - 26. A method as claimed in claim 16, wherein changes within said set of rules are transmitted to a rule supplier.
  - 27. A method as claimed in claim 16, wherein said stream of external program calls are logged following emulation of execution of a computer program.
  - 28. A method as claimed in claim 16, comprising identifying a starting point of malicious computer program activity within said stream of external program calls.
  - 29. A method as claimed in claim 28, wherein said starting point corresponds to one of:
    - starting execution of a computer file; and
      
      a switch of memory address region from which program instructions are executed.
  - 30. A method as claimed in claim 16, wherein said set of rules is subject to a validity check after modification to determine if said set of rules is more effectively detecting malicious computer program activity.

31. A data processing apparatus operable to detect malicious computer program activity, said apparatus comprising:
- a central processing unit (CPU);
  
  an operating system;
  
  logging code operable to log a stream of external program calls during an execution of a computer program;
  
  primary set identifying code operable to identify, within said stream of external program calls, a primary set of one or more external program calls matching one or more rules indicative of malicious computer program activity from among a set of rules;
  
  secondary set identifying code operable to identify, within said stream, at least one secondary set of one or more external program calls associated with said primary set of one or more external program calls, wherein one of said at least one secondary set of one or more external program calls (1) precedes or succeeds said primary set of one or more external program calls within said stream of external program calls and (2) originates from the same computer program, memory region, or thread of the primary set of external program calls;
  
  modifying code operable to modify said set of rules such that said at least one secondary set of one or more external program calls are more strongly associated with malicious computer program activity than said primary set of said one or more external program calls by increasing a score value associated with the secondary set of one or more external program for use in triggering an anti-malware response;
  
  wherein said set of rules is modified to include a new rule corresponding to said secondary set of one or more external program calls, said new rule thereafter being used in addition to other rules within said set of rules.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 32. An apparatus as claimed in claim 31, wherein said external program calls are application program interface calls to an operating system.
  - 33. An apparatus as claimed in claim 31, wherein each of said external program calls has one or more characteristics compared against said set of rules.
  - 34. An apparatus as claimed in claim 33, wherein said one or more characteristics include:
    - a call name;
      
      a return address;
      
      one or more parameter values; and
      
      one or more returned results.
  - 35. An apparatus as claimed in claim 31, wherein rules within said set of rules specify score values of external program calls having predetermined characteristics and a set of one or more external program calls is identified as corresponding to malicious computer program activity if said set of one or more external program calls has a combined score value exceeding a threshold level.
  - 36. An apparatus as claimed in claim 35, wherein score values within a set of rules associated with said secondary set of one or more external program calls are increased to more strongly associate said secondary set of external program calls with malicious computer program activity than said primary set of said one or more external program calls.
  - 37. An apparatus as claimed in claim 31, wherein said set of rules include at least one of:
    - one or more pattern matching rules; and
      
      one or more regular expression rules.
  - 38. An apparatus as claimed in claim 31, wherein said set of rules are responsive to ordering of external program calls.
  - 39. An apparatus as claimed in claim 31 wherein said modifying logic dynamically adapts said set of rules in response to detected streams of external program calls performing malicious computer program activity.
  - 40. An apparatus as claimed in claim 31, wherein at least changes within said set of rules are transmitted to one or more remote computers such that said one or more remote computers can use said modified set of rules without having to suffer said malicious computer program activity.
  - 41. An apparatus as claimed in claim 31, wherein changes within said set of rules are transmitted to a rule supplier.
  - 42. An apparatus as claimed in claim 31, wherein said stream of external program calls are logged following emulation of execution of a computer program.
  - 43. An apparatus as claimed in claim 31, comprising starting point identifying logic operable to identify a starting point of malicious computer program activity within said stream of external program calls.
  - 44. An apparatus as claimed in claim 43, wherein said starting point corresponds to one of:
    - starting execution of a computer file; and
      
      a switch of memory address region from which program instructions are executed.
  - 45. An apparatus as claimed in claim 31, wherein said set of rules is subject to a validity check after modification to determine if said set of rules is more effectively detecting malicious computer program activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Muttik, Igor Garrievich
Primary Examiner(s)
LANIER, BENJAMIN E

Application Number

US10/755,450
Publication Number

US 20050154900A1
Time in Patent Office

3,647 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

Detecting malicious computer program activity using external program calls with dynamic rule sets

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

47 Claims

Specification

Use Cases

Quick Links

Others

Detecting malicious computer program activity using external program calls with dynamic rule sets

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

47 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others