System and method for establishing rules for filtering insignificant events for analysis of software program
First Claim
1. A system for generating a set of event filtering rules for filtering events being produced in response to emulation of a program, the system comprising:
- computing hardware, including a processor, a data store, and input/output facilities;
- an operating system executable on the computing hardware;
- a sample program creation module executable on the computing hardware and configured to automatically construct a plurality of sample programs based on a plurality of known program development tools, wherein the plurality of sample programs are free of malware;
- an emulator module executable on the computing hardware and configured to perform emulated execution of the plurality of sample programs in an isolated virtual machine environment and record events occurring in the virtual machine environment as a result of the emulated execution of the plurality of sample programs in an event log;
- a rule generator module executable on the computing hardware and configured to automatically formulate a set of insignificant event filtering rules for distinguishing events from among the event log that are determined to be insignificant with respect to malware detection processing to be performed.
Abstract
Systems and methods for generating a set of event filtering rules for filtering events being produced in response to emulation of a program. A plurality of sample programs is constructed based on a plurality of known program development tools. Emulated execution of the plurality of sample programs is carried out in an isolated virtual machine environment and events occurring in the virtual machine environment as a result of the emulated execution of the plurality of sample programs are recorded in an event log. A set of rules is formulated for distinguishing events from among the event log that are determined to be insignificant with respect to malware detection processing to be performed.
26 Claims
1. A system for generating a set of event filtering rules for filtering events being produced in response to emulation of a program, the system comprising:
- computing hardware, including a processor, a data store, and input/output facilities;
- an operating system executable on the computing hardware;
- a sample program creation module executable on the computing hardware and configured to automatically construct a plurality of sample programs based on a plurality of known program development tools, wherein the plurality of sample programs are free of malware;
- an emulator module executable on the computing hardware and configured to perform emulated execution of the plurality of sample programs in an isolated virtual machine environment and record events occurring in the virtual machine environment as a result of the emulated execution of the plurality of sample programs in an event log;
- a rule generator module executable on the computing hardware and configured to automatically formulate a set of insignificant event filtering rules for distinguishing events from among the event log that are determined to be insignificant with respect to malware detection processing to be performed.
(Dependent claims 2-11.)
12. A computer-implemented method for generating a set of event filtering rules for filtering events being produced in response to emulation of a program, the method being executed by a computer system having computing resources including a processor, a data store, input/output facilities, and an operating system executable on the processor, the method comprising:
- constructing a plurality of sample programs based on a plurality of known program development tools, wherein the plurality of sample programs are free of malware;
- performing emulated execution of the plurality of sample programs in an isolated virtual machine environment and recording events occurring in the virtual machine environment as a result of the emulated execution of the plurality of sample programs in an event log; and
- formulating a set of rules for distinguishing events from among the event log that are determined to be insignificant with respect to malware detection processing to be performed.
(Dependent claims 13-21.)
22. A security arrangement for detecting a presence of malware in an unknown program stored in a computer system, the security arrangement comprising:
- computing hardware, including a processor, a data store, and input/output facilities;
- an operating system executable on the computing hardware;
- a tracing module executable on the computing hardware and configured to perform assessment of the unknown program and record, in a local event log, events occurring as a result of the analysis of the unknown program;
- an event filtering module executable on the computing hardware and configured to filter the local event log, based on event filtering rules, to produce a filtered event log that excludes events determined to be insignificant with respect to malware detection processing to be performed;
- an event filtering rules database implemented in the data store that contains the event filtering rules usable by the event filtering module to identify the insignificant events to be excluded, the event filtering rules being defined based on previous analysis of events produced from emulation of a plurality of sample programs carried out by a remote service, wherein the remote service constructs a plurality of sample programs based on a plurality of known program development tools, performs automated assessment of the plurality of sample programs and records events occurring as a result of the assessment in a remote service event log, and formulates a set of rules for distinguishing events from among the event log that are determined to be insignificant with respect to malware detection processing to be performed.
(Dependent claims 23-26.)
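The rule-generation step of claims 1 and 12 and the filtering step of claim 22, as an added illustration that is not code from the patent: emulator event logs for benign sample programs are constructed inline, grouped by the development tool that built them (tool identification of the unknown program is assumed to come from elsewhere, e.g. a compiler signature), and an event becomes an "insignificant" rule when it recurs across that tool's benign samples at or above a chosen support threshold.

```python
from collections import Counter

# Constructed sample data (not from the patent): each benign sample program, after
# emulation, yields a list of (api, argument) events. Samples are grouped by the
# development tool that built them, since startup/runtime noise is tool-specific.
REG_VER = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
BENIGN_SAMPLES = {
    "toolA": [
        [("LoadLibrary", "kernel32.dll"), ("LoadLibrary", "msvcrt.dll"),
         ("RegOpenKey", REG_VER), ("CreateFile", "C:\\app\\out.txt")],
        [("LoadLibrary", "kernel32.dll"), ("LoadLibrary", "msvcrt.dll"),
         ("RegOpenKey", REG_VER), ("GetTickCount", "")],
        [("LoadLibrary", "kernel32.dll"), ("LoadLibrary", "msvcrt.dll"),
         ("RegOpenKey", REG_VER)],
    ],
    "toolB": [
        [("LoadLibrary", "kernel32.dll"), ("LoadLibrary", "libgcc_s.dll"),
         ("CreateFile", "C:\\app\\a.txt")],
        [("LoadLibrary", "kernel32.dll"), ("LoadLibrary", "libgcc_s.dll")],
    ],
}

# Constructed log of an "unknown" program, assumed to have been built with toolA.
UNKNOWN_LOG = [
    ("LoadLibrary", "kernel32.dll"), ("LoadLibrary", "msvcrt.dll"),
    ("RegOpenKey", REG_VER),
    ("WriteFile", "C:\\Windows\\System32\\drivers\\etc\\hosts"),
]

def generate_rules(samples, min_support=1.0):
    """Return a set of (tool, api, arg) rules marking insignificant events.

    An event is insignificant for a tool when the fraction of that tool's
    benign samples containing it is at least min_support (1.0 = every sample).
    """
    rules = set()
    for tool, logs in samples.items():
        support = Counter()
        for log in logs:
            support.update(set(log))  # count each event once per sample
        for event, n in support.items():
            if n / len(logs) >= min_support:
                rules.add((tool,) + event)
    return rules

def filter_log(log, tool, rules):
    """Drop events matched by the rules for `tool`; keep the rest for analysis."""
    return [event for event in log if (tool,) + event not in rules]

if __name__ == "__main__":
    rules = generate_rules(BENIGN_SAMPLES)
    print(filter_log(UNKNOWN_LOG, "toolA", rules))  # only the hosts-file write survives
```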
Specification