Detecting malicious software
First Claim
1. A method of detecting malicious software, comprising:
assembling by a source system a software agent comprising at least one scan module;
transferring the software agent to a target system;
establishing a connection to the software agent in response to a connection request from the software agent;
receiving a file of the target system from the software agent;
performing at the source system a static analysis on an internal file structure of the transferred file to generate a static threat score for the transferred file, wherein the static analysis further comprises at least one of a hash calculation, a string extraction, a file structure format parsing, a file structure compiler analysis, a file structure packer analysis, a binary similarity analysis, a file certificate analysis, a callout domain name and IP address analysis, a domain name analysis, a white list analysis, and a memory analysis, and wherein the static threat score further comprises a score assigned based on the static analysis;
performing at the source system a dynamic analysis on the transferred file to generate a dynamic threat score for the transferred file, wherein the dynamic analysis further comprises at least one of an emulated user interaction, an anti-virus range analysis, an evasion identification, a file and packet analysis, a running executable analysis, a service analysis, a process analysis, a registry analysis, a network activity analysis, and a memory analysis, and wherein the dynamic threat score further comprises a score assigned based on the dynamic analysis; and
generating an aggregate threat score for the transferred file based on the static threat score and the dynamic threat score.
Abstract
In systems and methods of detecting malicious software, a software agent comprising at least one scan module is assembled by a source system and transferred by the source system to a target system. In response to a connection request from the software agent, a connection is established to the software agent and a file of the target system is received from the agent. At the source system, a static analysis is performed on the transferred file to generate a static threat score, and a dynamic analysis is performed to generate a dynamic threat score. An aggregate threat score for the transferred file is generated from the static threat score and the dynamic threat score.
14 Claims
1. A method of detecting malicious software (set out in full above under First Claim). Dependent claims 2 to 10 refer to claim 1.
11. A system for detecting malicious software, comprising:
a processing node, configured to assemble a software agent comprising at least one scan module;
transfer the software agent to a target system;
establish a connection to the software agent in response to a connection request from the software agent;
receive a file of the target system from the software agent;
perform a static analysis on an internal file structure of the transferred file to generate a static threat score for the transferred file, wherein the static analysis further comprises at least one of a hash calculation, a string extraction, a file structure format parsing, a file structure compiler analysis, a file structure packer analysis, a binary similarity analysis, a file certificate analysis, a callout domain name and IP address analysis, a domain name analysis, a white list analysis, and a memory analysis, and wherein the static threat score further comprises a score assigned based on the static analysis;
perform a dynamic analysis on the transferred file to generate a dynamic threat score for the transferred file, wherein the dynamic analysis further comprises at least one of an emulated user interaction, an anti-virus range analysis, an evasion identification, a file and packet analysis, a running executable analysis, a service analysis, a process analysis, a registry analysis, a network activity analysis, and a memory analysis, and wherein the dynamic threat score further comprises a score assigned based on the dynamic analysis; and
generate an aggregate threat score for the transferred file based on the static threat score and the dynamic threat score.
Dependent claims 12 to 14 refer to claim 11.
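The scoring pipeline that claim 1 recites and claim 11 restates as a system, as an added worked example; this is not the patent's own code, and the patent does not disclose any particular scores or thresholds. It implements the static checks from the claim that can run on the file alone (hash calculation and white list lookup, string extraction, PE section-table parsing, packer and entropy analysis, callout domain extraction), scores a sandbox summary standing in for the dynamic analysis (registry, process, network activity and evasion observations), and combines the two into an aggregate. Certificate, compiler, binary-similarity and memory analysis are out of scope. Every weight and threshold, the indicator lists, the allow-listed domain, the two PE images built by `make_pe` and the two sandbox reports are constructed assumptions.

```python
# Static/dynamic threat scoring in the shape the claims describe. Constructed example, not the
# patent's implementation: thresholds, weights, indicator lists and sample inputs are assumptions.
import hashlib
import math
import re
import struct
from collections import Counter

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")                  # printable runs of 6+ bytes
DOMAIN_RE = re.compile(rb"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")   # crude callout-domain extractor
SUSPICIOUS_APIS = (b"VirtualAlloc", b"WriteProcessMemory", b"CreateRemoteThread", b"URLDownloadToFile")
PACKER_SECTIONS = {b"UPX0", b"UPX1", b".aspack", b"MPRESS1"}  # section names common packers leave
KNOWN_GOOD_DOMAINS = {"updates.example.org"}                # assumed allow list of callout hosts
WHITELIST = set()                                           # SHA-256 of files already trusted

def shannon_entropy(data):
    """Bits per byte; packed or encrypted payloads sit near 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe_sections(data):
    """Minimal PE section-table walk; returns [(name, raw_size, entropy), ...] or None if not a PE."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return None
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    table = e_lfanew + 24 + struct.unpack_from("<H", data, e_lfanew + 20)[0]  # skip optional header
    sections = []
    for off in range(table, table + 40 * n_sections, 40):
        if off + 40 > len(data):
            break                                           # truncated table: score what is there
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((data[off:off + 8].rstrip(b"\0"), raw_size,
                         shannon_entropy(data[raw_ptr:raw_ptr + raw_size])))
    return sections

def static_analysis(data):
    """Score the file's internal structure without executing it."""
    findings = {"sha256": hashlib.sha256(data).hexdigest()}
    if findings["sha256"] in WHITELIST:                     # white list analysis short-circuits
        return 0, findings
    strings = STRING_RE.findall(data)
    findings["apis"] = sorted(a.decode() for a in SUSPICIOUS_APIS if any(a in s for s in strings))
    findings["callouts"] = sorted({d.decode() for d in DOMAIN_RE.findall(data)} - KNOWN_GOOD_DOMAINS)
    score = 10 * min(len(findings["apis"]), 3) + (20 if findings["callouts"] else 0)
    sections = parse_pe_sections(data) or []
    score += 25 if any(n in PACKER_SECTIONS for n, _, _ in sections) else 0    # packer analysis
    score += 20 if any(e > 7.0 for _, sz, e in sections if sz) else 0          # packed/encrypted body
    return min(score, 100), findings

def dynamic_analysis(report):
    """Score behaviour seen in an instrumented run. `report` is a sandbox summary
    (constructed here); this shows the scoring of it, not the sandbox itself."""
    findings = {
        "persistence": [k for k in report.get("registry_writes", []) if "\\currentversion\\run" in k.lower()],
        "lolbins": [p for p in report.get("processes", []) if p.lower() in {"cmd.exe", "powershell.exe", "rundll32.exe"}],
        "callouts": [c["host"] for c in report.get("network", []) if c["host"] not in KNOWN_GOOD_DOMAINS],
        "evasion": list(report.get("evasion", []))}          # debugger checks, long sleeps, VM probes
    weights = {"persistence": 25, "lolbins": 15, "callouts": 20, "evasion": 15}
    return min(sum(w for k, w in weights.items() if findings[k]), 100), findings

def aggregate_score(static, dynamic, w_static=0.4, w_dynamic=0.6):
    """Blend the two scores, but let either analysis alone keep 80% of its value, so a strong
    static signal is not averaged away by a sandbox run the sample detected and sat out."""
    blended = w_static * static + w_dynamic * dynamic
    return int(round(max(blended, 0.8 * max(static, dynamic))))

def verdict(score):
    return "malicious" if score >= 70 else "suspicious" if score >= 40 else "clean"

def make_pe(sections):
    """Build a minimal PE image from (name, body) pairs: constructed test input only."""
    opt_size, pe = 224, bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", pe, 0x3C, 0x40)                  # e_lfanew: PE header follows DOS header
    pe += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    pe += struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 optional header, zeroed
    raw_ptr, bodies = len(pe) + 40 * len(sections), b""
    for name, body in sections:
        pe += name.ljust(8, b"\0") + struct.pack("<IIII", len(body), 0, len(body), raw_ptr) + b"\0" * 16
        raw_ptr, bodies = raw_ptr + len(body), bodies + body
    return bytes(pe) + bodies

# Constructed samples: a packed, dropper-like image and a plain build, plus sandbox summaries.
MALICIOUS_PE = make_pe([
    (b"UPX0", b"VirtualAlloc\0WriteProcessMemory\0CreateRemoteThread\0http://update-check.example.com/beacon\0"),
    (b"UPX1", bytes(range(256)) * 2)])                      # uniform bytes: entropy 8.0
BENIGN_PE = make_pe([(b".text", b"int main(void) { return 0; }\0"), (b".rdata", b"Hello from a benign build\0")])
WHITELISTED_FILE = b"plain text config, nothing to see here\n"
WHITELIST.add(hashlib.sha256(WHITELISTED_FILE).hexdigest())
MALICIOUS_REPORT = {"registry_writes": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"],
                    "processes": ["powershell.exe"], "evasion": ["IsDebuggerPresent", "Sleep(600000)"],
                    "network": [{"host": "update-check.example.com", "port": 443}]}
BENIGN_REPORT = {"registry_writes": [r"HKCU\Software\BenignApp\LastRun"],
                 "network": [{"host": "updates.example.org", "port": 443}]}

def score_sample(data, report):
    """The claimed pipeline end to end: static score, dynamic score, aggregate, verdict."""
    s, sf = static_analysis(data)
    d, df = dynamic_analysis(report)
    agg = aggregate_score(s, d)
    return {"static": s, "dynamic": d, "aggregate": agg, "verdict": verdict(agg),
            "static_findings": sf, "dynamic_findings": df}
```

With these assumed weights the packed sample scores 95 statically and 75 dynamically, aggregating to 83 (malicious), while the plain build scores 0 on both. The point of the floor in `aggregate_score` is the evasion case the claim lists under dynamic analysis: if the same packed sample recognises the sandbox and does nothing, its dynamic score drops to 0 and a plain 40/60 blend would give 38 (clean), whereas keeping 80% of the stronger score still yields 76 (malicious). Whatever weights a deployment chooses, the aggregate should not let one analysis silently cancel the other.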
Specification