Detecting malicious software

US 8,863,288 B1
Filed: 12/30/2011
Issued: 10/14/2014
Est. Priority Date: 12/30/2011
Status: Active Grant

First Claim

Patent Images

1. A method of detecting malicious software, comprising:

assembling by a source system a software agent comprising at least one scan module;

transferring the software agent to a target system;

establishing a connection to the software agent in response to a connection request from the software agent;

receiving a file of the target system from the software agent;

performing at the source system a static analysis on an internal file structure of the transferred file to generate a static threat score for the transferred file, wherein the static analysis further comprises at least one of a hash calculation, a string extraction, a file structure format parsing, a file structure compiler analysis, a file structure packer analysis, a binary similarity analysis, a file certificate analysis, a callout domain name and IP address analysis, a domain name analysis, a white list analysis, and a memory analysis, and wherein the static threat score further comprises a score assigned based on the static analysis;

performing at the source system a dynamic analysis on the transferred file to generate a dynamic threat score for the transferred file, wherein the dynamic analysis further comprises at least one of an emulated user interaction, an anti-virus range analysis, an evasion identification, a file and packet analysis, a running executable analysis, a service analysis, a process analysis, a registry analysis, a network activity analysis, and a memory analysis, and wherein the dynamic threat score further comprises a score assigned based on the dynamic analysis; and

generating an aggregate threat score for the transferred file based on the static threat score and the dynamic threat score.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In systems and methods of detecting malicious software, a software agent comprising at least one scan module is assembled by a source system and is transferred by the source system to a target system. In response to a connection request from the software agent a connection is established to the software agent and a file is received from the target system. At the source system, a static analysis is performed on the transferred file to generate a static threat score, and a dynamic analysis is performed to generate a dynamic threat score. Based on the static threat score and the dynamic threat score an aggregate threat score is generated for the transferred file.

58 Citations

View as Search Results

14 Claims

1. A method of detecting malicious software, comprising:
- assembling by a source system a software agent comprising at least one scan module;
  
  transferring the software agent to a target system;
  
  establishing a connection to the software agent in response to a connection request from the software agent;
  
  receiving a file of the target system from the software agent;
  
  performing at the source system a static analysis on an internal file structure of the transferred file to generate a static threat score for the transferred file, wherein the static analysis further comprises at least one of a hash calculation, a string extraction, a file structure format parsing, a file structure compiler analysis, a file structure packer analysis, a binary similarity analysis, a file certificate analysis, a callout domain name and IP address analysis, a domain name analysis, a white list analysis, and a memory analysis, and wherein the static threat score further comprises a score assigned based on the static analysis;
  
  performing at the source system a dynamic analysis on the transferred file to generate a dynamic threat score for the transferred file, wherein the dynamic analysis further comprises at least one of an emulated user interaction, an anti-virus range analysis, an evasion identification, a file and packet analysis, a running executable analysis, a service analysis, a process analysis, a registry analysis, a network activity analysis, and a memory analysis, and wherein the dynamic threat score further comprises a score assigned based on the dynamic analysis; and
  
  generating an aggregate threat score for the transferred file based on the static threat score and the dynamic threat score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein establishing a connection further comprises establishing a connection by the source system to the software agent in response to a connection request by the software agent to provide additional commands which are queued at the source system to the software agent.
  - 3. The method of claim 1, wherein in receiving a file, the file further comprises information related to the file from the target system.
  - 4. The method of claim 1, wherein in receiving a file, the file further comprises a file identified by the software agent as meeting a deviation threshold.
  - 5. The method of claim 1, wherein the static analysis further comprises an analysis to identify that the file or information about the file meets a deviation threshold.
  - 6. The method of claim 1, wherein the software agent comprises one or more scan modules.
  - 7. The method of claim 1, wherein transferring the software agent further comprises executing the software agent in volatile memory of the target system without further installation in the target system.
  - 8. The method of claim 1, wherein establishing a connection further comprises determining that additional instructions from the source system are queued for the software agent.
  - 9. The method of claim 8, wherein the software agent comprises one or more scan modules, and at least one scan module is executed according to the additional instructions from the source system.
  - 10. The method of claim 8, wherein the software agent comprises one or more scan modules, and at least one scan module is canceled according to the additional instructions from the source system.

11. A system for detecting malicious software, comprising:
- a processing node, configured toassemble a software agent comprising at least one scan module;
  
  transfer the software agent to a target system;
  
  establish a connection to the software agent in response to a connection request from the software agent;
  
  receive a file of the target system from the software agent;
  
  perform a static analysis on an internal file structure of the transferred file to generate a static threat score for the transferred file, wherein the static analysis further comprises at least one of a hash calculation, a string extraction, a file structure format parsing, a file structure compiler analysis, a file structure packer analysis, a binary similarity analysis, a file certificate analysis, a callout domain name and IP address analysis, a domain name analysis, a white list analysis, and a memory analysis, and wherein the static threat score further comprises a score assigned based on the static analysis;
  
  perform a dynamic analysis on the transferred file to generate a dynamic threat score for the transferred file, wherein the dynamic analysis further comprises at least one of an emulated user interaction, an anti-virus range analysis, an evasion identification, a file and packet analysis, a running executable analysis, a service analysis, a process analysis, a registry analysis, a network activity analysis, and a memory analysis, and wherein the dynamic threat score further comprises a score assigned based on the dynamic analysis; and
  
  generate an aggregate threat score for the transferred file based on the static threat score and the dynamic threat score.
- View Dependent Claims (12, 13, 14)
- - 12. The system of claim 11, wherein the processing node is further configured to establish a connection to the software agent in response to a connection request by the software agent to provide additional commands which are queued at the processing node to the software agent.
  - 13. The system of claim 11, wherein the processing node is further configured to receiving a file identified by the software agent as meeting a deviation threshold.
  - 14. The system of claim 11, wherein the software agent executes in volatile memory of the target system without further installation in the target system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ManTech Advanced Systems International, Inc. (Mantech International Corporation)
Original Assignee
ManTech Advanced Systems International, Inc. (Mantech International Corporation)
Inventors
Savage, David R., Sharfuddin, Ateeq, Lin, Tsu-Yi, Dagana, Benjamin L.
Primary Examiner(s)
Tabor, Amare F

Application Number

US13/341,002
Time in Patent Office

1,019 Days
Field of Search

726 22- 26, 713/188
US Class Current

726/24
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/567 using dedicated hardware

Detecting malicious software

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

58 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting malicious software

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links