Application of nested behavioral rules for anti-malware processing
First Claim
1. A method for protecting against malware using heuristic analysis, the method being performed on a computer having a processor and a memory, the method comprising performing the following:
(a) creating a set of static behavioral rules;
(b) launching an executable component on the computer;
(c) detecting an attempt to launch a process from a file by the executable component;
(d) comparing the attempt against the static behavioral rules and allowing the attempt if the action does not match the rules;
(e) if the attempt matches at least one rule, generating a reaction directive;
(f) executing the reaction according to the directive;
(g) based on the attempt, generating a rule directive for additional dynamic rules;
(h) acquiring the dynamic rules corresponding to the rule directive and nesting the dynamic rules within the static rules, wherein the dynamic rules are a subset of the static rules that are inactive, and are introduced into a security system and are activated and nested within the static rules upon an occurrence of the attempt when an individual attempt is not malicious but a sequence of events is malicious, and wherein the dynamic rules have a finite lifetime and are enforced only during the finite lifetime, and wherein parameters of the dynamic rules depend on execution of the static rules; and
(i) repeating steps (d)-(h) for subsequent attempts, wherein steps (a) through (i) are performed on the computer.
Abstract
A system, method and computer program product for implementing dynamic behavior rules for malware detection. A method of heuristic analysis of computer program execution is used. The behavior of a computer program is monitored, analyzed and blocked at runtime. Actions performed or triggered by each executable component are compared against a set of behavioral rules. The behavioral rules determine whether the requested action is allowed or blocked, and which new behavioral rules need to be applied to future actions. Executed actions (allowed or blocked) introduce new dynamic behavioral rules into the computer system, which in turn can apply these rules when analyzing the behavior of subsequent components executed on the computer system.
18 Claims
1. Independent method claim, reproduced in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. A system for protecting against malware, the system comprising:
a driver installed on a computer system having a processor and a memory, for intercepting actions performed by components executed on the computer system;
a service engine having a plurality of static rules coupled to the driver;
a service database accessible by the service engine; and
a management server connected to the service database, wherein:
the management server generates a plurality of static rules and provides them to the service database;
the driver detects actions performed by a component executing on the computer system and provides the actions for analysis to the service engine, wherein the actions include an attempt to launch a process from a file, and wherein:
the service engine compares actions against static and currently instantiated dynamic rules and based on comparison acquires some dynamic rules from the database; and
the dynamic rules are nested with the static rules and applied to the subsequent actions executed on the computer system, wherein the dynamic rules are a subset of the static rules that are inactive, and are introduced into the system and are activated and nested within the static rules upon an occurrence of the action when an individual action is not malicious but a sequence of events is malicious, wherein parameters of the dynamic rules depend on execution of the static rules, and wherein the dynamic rules have a finite lifetime and are enforced only during the finite lifetime.
Dependent claims: 14, 15, 16, 17, 18.
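A toy service engine for the rule nesting described in steps (d) through (i) of claim 1 and in the service engine of claim 13, added here as an illustration and not code from the patent or its assignee. The event dictionaries, the two constructed rules and the choice to count a dynamic rule's finite lifetime in intercepted actions are assumptions; a static hit that is individually allowed still issues a rule directive, and the dynamic rule it nests is parameterised by that hit.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Event = Dict[str, str]

@dataclass
class Rule:
    matches: Callable[[Event, Event], bool]   # (action, activating action) -> hit?
    reaction: str                              # reaction directive: "allow" or "block"
    activates: List[str] = field(default_factory=list)  # rule directive: dynamic rules to nest
    lifetime: int = 0                          # dynamic rules only: actions they stay active for

@dataclass
class ActiveRule:
    rule: Rule
    origin: Event        # parameters of the dynamic rule come from the static rule's hit
    remaining: int       # finite lifetime, counted in intercepted actions (assumption)

class Engine:
    def __init__(self, static: List[Rule], inactive: Dict[str, Rule]):
        self.static, self.inactive = static, inactive   # inactive = dynamic rules not yet nested
        self.active: List[ActiveRule] = []

    def handle(self, event: Event) -> str:
        # (d) compare the action against static rules and currently nested dynamic rules
        hits = [r for r in self.static if r.matches(event, {})]
        hits += [a.rule for a in self.active if a.rule.matches(event, a.origin)]
        for a in self.active:            # dynamic rules are enforced only during their lifetime
            a.remaining -= 1
        self.active = [a for a in self.active if a.remaining > 0]
        if not hits:
            return "allow"
        # (e)/(f) reaction directive: any blocking rule wins
        verdict = "block" if any(r.reaction == "block" for r in hits) else "allow"
        # (g)/(h) rule directive: acquire the named dynamic rules, parameterised by this action
        for r in hits:
            for name in r.activates:
                d = self.inactive[name]
                self.active.append(ActiveRule(d, dict(event), d.lifetime))
        return verdict

def build_engine() -> Engine:
    # Constructed rules (not from the patent): a launch from Downloads is allowed on its own,
    # but for the next 3 actions a Run-key write by that same process is blocked.
    launch = Rule(lambda e, _: e["type"] == "launch_process" and "\\Downloads\\" in e["path"],
                  "allow", activates=["persist-after-download"])
    persist = Rule(lambda e, o: e["type"] == "write_registry" and e["key"].endswith("\\Run")
                   and e["pid"] == o["pid"], "block", lifetime=3)
    return Engine([launch], {"persist-after-download": persist})
```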
Specification