Application of nested behavioral rules for anti-malware processing

US 8,850,579 B1
Filed: 11/13/2009
Issued: 09/30/2014
Est. Priority Date: 11/13/2009
Status: Active Grant

First Claim

Patent Images

1. A method for protecting against malware using heuristic analysis, the method being performed on a computer having a processor and a memory, the method comprising performing the following:

(a) creating a set of static behavioral rules;

(b) launching an executable component on the computer;

(c) detecting an attempt to launch a process from a file by the executable component;

(d) comparing the attempt against the static behavioral rules and allowing the attempt if the action does not match the rules;

(e) if the attempt matches at least one rule, generating a reaction directive;

(f) executing the reaction according to the directive;

(g) based on the attempt, generating a rule directive for additional dynamic rules;

(h) acquiring the dynamic rules corresponding to the rule directive and nesting the dynamic rules within the static rules,wherein the dynamic rules are a subset of the static rules that are inactive, and are introduced into a security system and are activated and nested within the static rules upon an occurrence of the attempt when an individual attempt is not malicious but a sequence of events is malicious, andwherein the dynamic rules have a finite lifetime and are enforced only during the finite lifetime, andwherein parameters of the dynamic rules depend on execution of the static rules; and

(i) repeating steps (d)-(h) for subsequent attempts,wherein steps (a) through (i) are performed on the computer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product for implementing dynamic behavior rules for malware detection. A method of heuristic analysis of computer program execution is used. A behavior of a computer program is monitored, analyzed and blocked in runtime. Actions performed or triggered by each executable component are compared against a set of behavioral rules. The behavioral rules determine wherever the requested action is allowed or blocked, and which new behavioral rules are needed to be applied to future actions. Executed actions (allowed or blocked) introduce new dynamic behavioral rules to the computer system, which in turn can apply these rules for analyzing behavior of subsequent components executed on the computer system.

72 Citations

View as Search Results

18 Claims

1. A method for protecting against malware using heuristic analysis, the method being performed on a computer having a processor and a memory, the method comprising performing the following:
- (a) creating a set of static behavioral rules;
  
  (b) launching an executable component on the computer;
  
  (c) detecting an attempt to launch a process from a file by the executable component;
  
  (d) comparing the attempt against the static behavioral rules and allowing the attempt if the action does not match the rules;
  
  (e) if the attempt matches at least one rule, generating a reaction directive;
  
  (f) executing the reaction according to the directive;
  
  (g) based on the attempt, generating a rule directive for additional dynamic rules;
  
  (h) acquiring the dynamic rules corresponding to the rule directive and nesting the dynamic rules within the static rules,wherein the dynamic rules are a subset of the static rules that are inactive, and are introduced into a security system and are activated and nested within the static rules upon an occurrence of the attempt when an individual attempt is not malicious but a sequence of events is malicious, andwherein the dynamic rules have a finite lifetime and are enforced only during the finite lifetime, andwherein parameters of the dynamic rules depend on execution of the static rules; and
  
  (i) repeating steps (d)-(h) for subsequent attempts,wherein steps (a) through (i) are performed on the computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising instantiating a previously nested rule and applying it to the action.
  - 3. The method of claim 1, further comprising creating a security profile for executable components for checking subsequent components against the profile.
  - 4. The method of claim 3, further comprising adding the executable component to the profile if the component has a valid digital signature.
  - 5. The method of claim 4, further comprising running the executable component inside a sandbox.
  - 6. The method of claim 1, wherein the reaction is any of:
    - allowing the attempt; and
      
      blocking the attempt.
  - 7. The method of claim 1, wherein the static rules are instantiated at a startup.
  - 8. The method of claim 1, wherein the dynamic rules are acquired and instantiated at runtime.
  - 9. The method of claim 1, wherein the dynamic rules are selected from a plurality of inactive static rules.
  - 10. The method of claim 1, wherein the rule directive is generated based on a heuristic analysis of the executable component.
  - 11. The method of claim 1, wherein the reaction directive is generated based on the rules matched by the action.
  - 12. The method of claim 1, wherein each individual attempt is harmless and a sequence of attempts is malicious.

13. A system for protecting against malware, the system comprising:
- a driver installed on a computer system having a processor and a memory, for intercepting actions performed by components executed on the computer system;
  
  a service engine having a plurality of static rules coupled to the driver;
  
  a service database accessible by the service engine; and
  
  a management server connected to the service database,wherein;
  
  the management server generates a plurality of static rules and provides them to the service database;
  
  the driver detects actions performed by a component executing on the computer system and provides the actions for analysis to the service engine, wherein the actions include an attempt to launch a process from a file, and wherein;
  
  the service engine compares actions against static and currently instantiated dynamic rules and based on comparison acquires some dynamic rules from the database; and
  
  the dynamic rules are nested with the static rules and applied to the subsequent actions executed on the computer system,wherein the dynamic rules are a subset of the static rules that are inactive, and are introduced into the system and are activated and nested within the static rules upon an occurrence of the action when an individual action is not malicious but a sequence of events is malicious,wherein parameters of the dynamic rules depend on execution of the static rules, andwherein the dynamic rules have a finite lifetime and are enforced only during the finite lifetime.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein the static rules are instantiated at startup of the computer system.
  - 15. The system of claim 13, wherein the dynamic rules are acquired and instantiated in run-time.
  - 16. The system of claim 13, further comprising a sandbox, wherein the component is executed.
  - 17. The system of claim 13, wherein the actions are allowed if they do not match any rules.
  - 18. The system of claim 13, wherein the actions are blocked if they match at least one static rule or at least one dynamic rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Safe'N'Sec Corporation
Original Assignee
SNS Soft LLC
Inventors
Kalinichenko, Michael
Primary Examiner(s)
Kim, Tae

Application Number

US12/618,079
Time in Patent Office

1,782 Days
Field of Search

726 22- 26
US Class Current

726/23
CPC Class Codes

G06F 11/3003   Monitoring arrangements spe...

G06F 11/3093   Configuration details there...

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2201/865   Monitoring of software

Application of nested behavioral rules for anti-malware processing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

72 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Application of nested behavioral rules for anti-malware processing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

72 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others