Method and apparatus for detecting harmful software

US 8,719,924 B1
Filed: 03/03/2006
Issued: 05/06/2014
Est. Priority Date: 03/04/2005
Status: Active Grant

First Claim

Patent Images

1. A method for detecting harmful running software, comprising:

running a software application on a computing device, wherein the software application is associated with a probability that the software application is harmful, wherein the software application performs a plurality of behaviors while running, wherein each of the plurality of behaviors defines a specific action that the software application performs;

while the software application is running, for each behavior performed by the software application;

determining if the behavior is required for the software application to be identified as harmful,identifying the behavior as a necessary behavior if the behavior is required for the software application to be identified as harmful,determining an updated probability that the software application is malicious based on the behavior, andin response to the updated probability exceeding a threshold value and the software application having performed at least one necessary behavior;

identifying the software application as harmful, andperforming an action on the software application.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments for detecting harmful software are disclosed.

87 Citations

View as Search Results

23 Claims

1. A method for detecting harmful running software, comprising:
- running a software application on a computing device, wherein the software application is associated with a probability that the software application is harmful, wherein the software application performs a plurality of behaviors while running, wherein each of the plurality of behaviors defines a specific action that the software application performs;
  
  while the software application is running, for each behavior performed by the software application;
  
  determining if the behavior is required for the software application to be identified as harmful,identifying the behavior as a necessary behavior if the behavior is required for the software application to be identified as harmful,determining an updated probability that the software application is malicious based on the behavior, andin response to the updated probability exceeding a threshold value and the software application having performed at least one necessary behavior;
  
  identifying the software application as harmful, andperforming an action on the software application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein identifying the behavior as a necessary behavior comprises:
    - determining a class of software associated with the software application;
      
      comparing the behavior to a classifier associated with the class to determine whether the behavior is a necessary behavior for the class.
  - 3. The method of claim 1, wherein identifying the behavior as a necessary behavior comprises:
    - identifying the software application as a Trojan Horse; and
      
      identifying one or more of the following as a necessary behavior;
      
      surviving a reboot,an ability to remain hidden from a computer user,a disguised executable,use of a network,capturing one or more keystrokes, andinjecting code into one or more running processes.
  - 4. The method of claim 1, wherein identifying the behavior as a necessary behavior comprises:
    - identifying the software application as a mass-mailer; and
      
      identifying one or more of the following as a necessary behavior;
      
      searching a files systems,accessing an email address book,sending a large volume of emails to a plurality of different recipients, andquerying a domain name system to find one or more addresses of computers that accept email for particular domains.
  - 5. The method of claim 1, wherein determining an updated probability comprises:
    - applying a classifier to the software application, wherein the classifier comprises;
      
      a plurality of characteristics that define one or more software behaviors, metadata corresponding the plurality of characteristics, and one or more characteristic weights associated with the plurality of characteristics.
  - 6. The method of claim 5, wherein the classifier is created using a code portion that is at least partly different from at least one code portion of the software application.
  - 7. The method of claim 5, wherein the characteristics comprise one or more of the following:
    - an executable attempts to turn off a firewall;
      
      an executable attempts to load a kernel module; and
      
      an executable spawns one or more processes.
  - 8. The method of claim 1, wherein the probability is based on one or more characteristics that define one or more software behaviors and metadata associated with the one or more characteristics.
  - 9. The method of claim 1, wherein determining an updated probability comprises:
    - in response to determining that the behavior is included on a whitelist, excluding the behavior in determining the updated probability.
  - 10. The method of claim 1, wherein identifying the software application as harmful comprises:
    - in response to the software application being identified on a whitelist, not identifying the software application as harmful, wherein the whitelist identifies software applications that are not harmful; and
      
      in response to the software application not being identified on the whitelist, identifying the software application as harmful.
  - 11. The method of claim 1, wherein performing an action on the software application comprises performing one or more of the following:
    - alerting the user that the software application is harmful;
      
      quarantining the software application;
      
      removing the software application; and
      
      killing the software application.

12. A method for detecting harmful running software, comprising:
- running a software application on a computing device, wherein the software application is associated with a probability that the software application is harmful, wherein the software application performs a plurality of behaviors while running, wherein each of the plurality of behaviors defines a specific action that the software application performs; and
  
  while the software application is running, for each behavior performed by the software application;
  
  determining if the behavior is required for the software to be identified as a class of harmful software,identifying the behavior as a necessary behavior if the behavior is required for the software application to be identified as a class of harmful software,identifying the behavior as a sufficient behavior if the behavior is indicative of the class of harmful software, but is not a necessary behavior,determining, by the computing device, an updated probability based on the behavior, andin response to the updated probability exceeding a threshold value and the software application having performed all necessary behaviors associated with the class of harmful software and at least one sufficient behavior associated with the class of harmful software;
  
  identifying the software application as harmful, andperforming an action on the software application.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The method of claim 12, wherein identifying the behavior as a necessary behavior comprises:
    - identifying the software application as a Trojan Horse; and
      
      identifying one or more of the following as a necessary behavior;
      
      surviving a reboot,an ability to remain hidden from a computer user,a disguised executable,use of a network,capturing one or more keystrokes, andinjecting code into one or more running processes.
  - 14. The method of claim 12, wherein identifying the behavior as a necessary behavior comprises:
    - identifying the software application as a mass-mailer; and
      
      identifying one or more of the following as a necessary;
      
      searching a files systems,accessing an email address book,sending a large volume of emails to a plurality of different recipients, andquerying a domain name system to find one or more addresses of computers that accept email for particular domains.
  - 15. The method of claim 12, wherein determining an updated probability comprises:
    - applying a classifier to the software application, wherein the classifier comprises;
      
      a plurality of characteristics that define one or more software behaviors, metadata corresponding the plurality of characteristics, and one or more characteristic weights associated with the plurality of characteristics.
  - 16. The method of claim 15, wherein the classifier is created using a code portion that is at least partly different from at least one code portion of the software application.
  - 17. The method of claim 15, wherein the probability is based on one or more characteristics that define one or more software behaviors and metadata associated with the one or more characteristics.
  - 18. The method of claim 15, wherein determining an updated probability based on the behavior comprises:
    - in response to determining that the behavior is included on a whitelist, excluding the behavior from determining the updated probability.
  - 19. The method of claim 15, wherein identifying the software application as harmful comprises:
    - in response to the software application being identified on a whitelist, not identifying the software application as harmful, wherein the whitelist identifies software applications that are not harmful; and
      
      in response to the software application not being identified on the whitelist, identifying the software application as harmful.
  - 20. The method of claim 12, wherein performing an action on the software application comprises performing one or more of the following:
    - alerting the user that the software application is harmful;
      
      quarantining the software application;
      
      removing the software application; and
      
      killing the software application.

21. A method for detecting harmful running software, comprising:
- running a software application on a computing device, wherein the software application is associated with a probability that the software application is harmful, wherein the software application performs a plurality of behaviors while running, wherein each of the plurality of behaviors defines a specific action that the software application performs; and
  
  while the software application is running, for each behavior performed by the software application;
  
  determining if the behavior is required for the software application to be identified as a class of harmful software or if the behavior is indicative of the class of harmful software,identifying the behavior as a necessary behavior if the behavior is required for the software application to be identified as a class of harmful software,identifying the behavior as a sufficient behavior if the behavior is indicative of the class of harmful software, but is not a necessary behavior,determining whether the behavior causes one or more low level system events, wherein each low level system event corresponds to a request made by the software application from an operating system,determining, by the computing device, an updated probability based on the behavior and the one or more low level system events, andin response to the updated probability exceeding a threshold value and the software application having performed all necessary behaviors associated with the class of harmful software and at least one sufficient behavior associated with the class of harmful software;
  
  identifying the software application as harmful, andperforming an action on the software application.
- View Dependent Claims (22, 23)
- - 22. The method of claim 21, wherein the low level system events comprise one or more of the following:
    - setting a registry value;
      
      installing a global hook; and
      
      generating a snapshot of a screen.
  - 23. The method of claim 21, wherein performing an action on the software application comprises performing one or more of the following:
    - alerting the user that the software application is harmful;
      
      quarantining the software application;
      
      removing the software application; and
      
      killing the software application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avast Software SRO (Gen Digital Inc.)
Original Assignee
AVG Technologies N.V. (Gen Digital Inc.)
Inventors
Williamson, Matthew, Gorelik, Vladimir
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
PLOTKIN, JASON R

Application Number

US11/368,339
Time in Patent Office

2,986 Days
Field of Search

713/188, 726/22, 726/24
US Class Current

726/22
CPC Class Codes

G06F 21/561   Virus type analysis

G06F 21/562   Static detection

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

G06F 2221/033   Test or assess software

Method and apparatus for detecting harmful software

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

87 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for detecting harmful software

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

87 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links