System and method for establishing rules for filtering insignificant events for analysis of software program

US 8,762,948 B1
Filed: 12/20/2012
Issued: 06/24/2014
Est. Priority Date: 12/20/2012
Status: Active Grant

First Claim

Patent Images

1. A system for generating a set of event filtering rules for filtering events being produced in response to emulation of a program, the system comprising:

computing hardware, including a processor, a data store, and input/output facilities;

an operating system executable on the computing hardware;

a sample program creation module executable on the computing hardware and configured to automatically construct a plurality of sample programs based on a plurality of known program development tools, wherein the plurality of sample programs are free of malware;

an emulator module executable on the computing hardware and configured to perform emulated execution of the plurality of sample programs in an isolated virtual machine environment and record events occurring in the virtual machine environment as a result of the emulated execution of the plurality of sample programs in an event log;

a rule generator module executable on the computing hardware and configured to automatically formulate a set of insignificant event filtering rules for distinguishing events from among the event log that are determined to be insignificant with respect to malware detection processing to be performed.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for generating a set of event filtering rules for filtering events being produced in response to emulation of a program. A plurality of sample programs is constructed based on a plurality of known program development tools. Emulated execution of the plurality of sample programs is carried out in an isolated virtual machine environment and events occurring in the virtual machine environment as a result of the emulated execution of the plurality of sample programs are recorded in an event log. A set of rules is formulated for distinguishing events from among the event log that are determined to be insignificant with respect to malware detection processing to be performed.

72 Citations

View as Search Results

26 Claims

1. A system for generating a set of event filtering rules for filtering events being produced in response to emulation of a program, the system comprising:
- computing hardware, including a processor, a data store, and input/output facilities;
  
  an operating system executable on the computing hardware;
  
  a sample program creation module executable on the computing hardware and configured to automatically construct a plurality of sample programs based on a plurality of known program development tools, wherein the plurality of sample programs are free of malware;
  
  an emulator module executable on the computing hardware and configured to perform emulated execution of the plurality of sample programs in an isolated virtual machine environment and record events occurring in the virtual machine environment as a result of the emulated execution of the plurality of sample programs in an event log;
  
  a rule generator module executable on the computing hardware and configured to automatically formulate a set of insignificant event filtering rules for distinguishing events from among the event log that are determined to be insignificant with respect to malware detection processing to be performed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, further comprising:
    - an event analyzer module executable on the computing hardware and configured to analyze events in the event log to perform the determination as to whether any of the events are insignificant.
  - 3. The system of claim 1, further comprising:
    - a whitelist database of events associated with known non-malicious programs;
      
      a blacklist database of events associated with known malicious programs; and
      
      event analyzer module executable on the computing hardware and configured to analyze the events from the whitelist and the blacklist to identify insignificant events that are defined as being associated with the whitelist and blacklist databases.
  - 4. The system of claim 1, wherein the insignificant event filtering rules are defined based on previous analysis of events produced from emulation of a plurality of sample programs automatically created using a knowledge base of existing software development tools.
  - 5. The system of claim 4, wherein the knowledge base includes at least one knowledge base selected from the group consisting of:
    - a knowledge base of compilers, a knowledge base of packers, a knowledge base of protectors, a knowledge base of archivers, or any combination thereof.
  - 6. The system of claim 1, wherein the insignificant event filtering rules are defined based on previous analysis of events produced from emulation of a plurality of sample programs carried out by a remote service.
  - 7. The system of claim 1, wherein the insignificant event filtering rules are defined based on previous analysis of events produced from emulation of a plurality known harmless programs and a plurality of known harmful programs, wherein the event filtering rules define insignificant events as those not strongly associated with known harmful activity.
  - 8. The system of claim 1, wherein the plurality of known program development tools are executed by a remote service.
  - 9. The system of claim 1, further comprising:
    - an update module executable on the computing hardware and configured to communicate with a plurality of remote workstation computers to provide an updated set of rules for distinguishing events from the event log that are determined to be insignificant with respect to malware detection processing, whereby each of the plurality of remote workstation computers is enabled to locally filter out insignificant events in response to event log generation due to emulation of unknown programs.
  - 10. The system of claim 1, wherein the plurality of known program development tools include at least one of a plurality of different compilers, packers, protectors, encryptors and code libraries.
  - 11. The system of claim 1, wherein the plurality of known program development tools include a plurality of different packers.

12. A computer-implemented method for generating a set of event filtering rules for filtering events being produced in response to emulation of a program, the method being executed by a computer system having computing resources includinga processor, a data store, input/output facilities, and an operating system executable on the processor, the method comprising:
- constructing a plurality of sample programs based on a plurality of known program development tools, wherein the plurality of sample programs are free of malware;
  
  performing emulated execution of the plurality of sample programs in an isolated virtual machine environment and recording events occurring in the virtual machine environment as a result of the emulated execution of the plurality of sample programs in an event log; and
  
  formulating a set of rules for distinguishing events from among the event log that are determined to be insignificant with respect to malware detection processing to be performed.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The method of claim 12, further comprising:
    - analyzing events in the event log to perform the determination as to whether any of the events are insignificant.
  - 14. The method of claim 12, further comprising:
    - accessing a whitelist database of events associated with known non-malicious programs;
      
      accessing a blacklist database of events associated with known malicious programs; and
      
      analyzing the events from the whitelist and the blacklist to identify insignificant events that are defined as being associated with the whitelist and blacklist databases.
  - 15. The method of claim 12, wherein the insignificant event filtering rules are defined based on previous analysis of events produced from emulation of a plurality of sample programs automatically created using a knowledge base of existing software development tools.
  - 16. The method of claim 12, wherein the insignificant event filtering rules are defined based on previous analysis of events produced from emulation of a plurality of sample programs carried out by a remote service.
  - 17. The method of claim 12, wherein the insignificant event filtering rules are defined based on previous analysis of events produced from emulation of a plurality known harmless programs and a plurality of known harmful programs, wherein the event filtering rules define insignificant events as those not strongly associated with known harmful activity.
  - 18. The method of claim 12, further comprising:
    - executing the plurality of known program development tools as part of constructing the plurality of sample programs.
  - 19. The method of claim 18, wherein executing the plurality of known program development tools includes executing a plurality of different compilers and code libraries.
  - 20. The method of claim 18, wherein executing the plurality of known program development tools includes executing a plurality of different packers.
  - 21. The method of claim 12, further comprising:
    - communicating with a plurality of remote workstation computers to provide an updated set of rules for distinguishing events from the event log that are determined to be insignificant with respect to malware detection processing, whereby each of the plurality of remote workstation computers is enabled to locally filter out insignificant events in response to event log generation due to emulation of unknown programs.

22. A security arrangement for detecting a presence of malware in an unknown program stored in a computer system, the security arrangement comprising:
- computing hardware, including a processor, a data store, and input/output facilities;
  
  an operating system executable on the computing hardware;
  
  a tracing module executable on the computing hardware and configured to perform assessment of the unknown program and record, in a local event log, events occurring as a result of the analysis of the unknown program;
  
  an event filtering module executable on the computing hardware and configured to filter the local event log, based on event filtering rules, to produce a filtered event log that excludes events determined to be insignificant with respect to malware detection processing to be performed;
  
  an event filtering rules database implemented in the data store that contains the event filtering rules usable by the event filtering module to identify the insignificant events to be excluded, the event filtering rules being defined based on previous analysis of events produced from emulation of a plurality of sample programs carried out by a remote service, wherein the remote service constructs a plurality of sample programs based on a plurality of known program development tools, performs automated assessment of the plurality of sample programs and records events occurring as a result of the assessment in a remote service event log, and formulates a set of rules for distinguishing events from among the event log that are determined to be insignificant with respect to malware detection processing to be performed.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The security arrangement of claim 22, further comprising:
    - an event filtering rules update module executable on the computing hardware and configured to obtain, via the input/output facilities, updates to the event filtering rules database from the remote service.
  - 24. The security arrangement of claim 22, wherein the tracing module includes an isolated execution environment in which the unknown program is assessed.
  - 25. The security arrangement of claim 22, wherein the tracing module includes at least one of:
    - a disassemble, a tracer, an emulator, or any combination thereof.
  - 26. The security arrangement of claim 22, further comprising:
    - a malware analyzer module configured to analyze events of the filtered event log and generate an assessment of risk associated with the unknown program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lab A.O. Kaspersky
Original Assignee
Kaspersky Lab ZAO
Inventors
Zaitsev, Oleg V.
Primary Examiner(s)
Khatri, Anil

Application Number

US13/722,619
Publication Number

US 20140181805A1
Time in Patent Office

551 Days
Field of Search

717124-131, 717140-143
US Class Current

717/124
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

System and method for establishing rules for filtering insignificant events for analysis of software program

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

72 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

System and method for establishing rules for filtering insignificant events for analysis of software program

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

72 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others