Systems and methods for malware attack detection and identification
Abstract
Exemplary systems and methods for malware attack detection and identification are provided. A malware detection and identification system can comprise a controller. The controller can comprise an analysis environment configured to transmit network data to a virtual machine, flag input values associated with the network data from untrusted sources, monitor the flagged input values within the virtual machine, identify an outcome of one or more instructions that manipulate the flagged input values, and determine if the outcome of the one or more instructions comprises an unauthorized activity.
66 Claims
1. A malware detection and identification system, comprising:
a controller comprising an analysis environment including a virtual machine, the analysis environment being configured to receive a copy of network data by the virtual machine of the analysis environment, flag input values associated with (i) the copy of the network data from one or more untrusted sources or (ii) the copy of the network data that comprises suspicious network data as determined prior to analysis by the virtual machine, monitor the flagged input values during execution by the virtual machine of one or more instructions that manipulate the flagged input values within the virtual machine, identify an outcome of the one or more instructions by tracking each of the one or more instructions, and determine whether the identified outcome of the one or more instructions comprises a redirection in control flow during execution by the virtual machine of the one or more instructions to (i) access a memory location containing the copy of the network data or (ii) a standard library function, the redirection in the control flow constituting an unauthorized activity.
(Dependent claims 2 to 28.)
29. A malware detection and identification method comprising:
transmitting a copy of the network data to a virtual machine; flagging input values associated with (i) the copy of the network data from one or more untrusted sources or (ii) the copy of the network data that comprises suspicious network data as determined prior to analysis by the virtual machine; monitoring the flagged input values during execution of one or more instructions associated with the network data by the virtual machine to determine if execution of the one or more instructions manipulate the flagged input values; identifying an outcome of the one or more instructions that manipulate the flagged input values by tracking each of the one or more instructions; and determining whether the identified outcome of the one or more instructions comprises a redirection in control flow during execution by the virtual machine of the one or more instructions to (i) access a memory location containing the copy of the network data or (ii) a standard library function, the redirection in the control flow constituting an unauthorized activity.
(Dependent claims 30 to 47.)
48. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executable by a processor for performing a malware determination and identification method of operation, comprising:
transmitting a copy of the network data to a virtual machine; flagging input values associated with (i) the copy of the network data from one or more trusted sources or (ii) the copy of the network data that comprises suspicious network data as determined prior to analysis by the virtual machine; monitoring the flagged input values during execution of one or more instructions associated with the network data by the virtual machine to determine if execution of the one or more instructions manipulate the flagged input values; identifying an outcome of the one or more instructions by tracking each of the one or more instructions; and determining whether the identified outcome of the one or more instructions comprises a redirection in control flow during execution by the virtual machine of the one or more instructions to (i) access a memory location containing the copy of the network data or (ii) a standard library function, the redirection in the control flow constituting an unauthorized activity.
(Dependent claims 49 to 58.)
59. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executable by a processor for performing a malware determination and identification method of operation comprising:
providing network data to a virtual machine, the network data including information associated with input values and one or more instructions; flagging input values associated with (i) the network data from one or more untrusted sources or (ii) the network data that comprises suspicious network data as determined prior to analysis by the virtual machine; monitoring the flagged input values during execution of the one or more instructions associated with the network data by the virtual machine to determine if execution of the one or more instructions alter the flagged input values; and determining whether execution of the one or more instructions within the virtual machine altered the flagged input values, and if so, whether the altered flagged input values indicate unauthorized activity by a redirection in control flow during execution by the virtual machine of the one or more instructions to (i) access a memory location containing the network data or (ii) a standard library function.
(Dependent claims 60 to 66.)
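The mechanism the abstract and independent claims describe is dynamic taint tracking: bytes copied from an untrusted network source are flagged, the flag follows them through every instruction that manipulates them, and the analysis reports an unauthorized activity when an indirect control transfer whose target was derived from flagged data lands inside the network data buffer or on a standard library function. The following is an added illustration written for this page, not code from the patent or its assignee; the toy instruction set, the buffer address `BUF_BASE`, the `LIBC` address table and the two sample programs are all constructed assumptions.

```python
# Toy taint-tracking analysis environment (constructed example, not the patent's code).
# Memory layout, instruction set and library addresses are assumptions for illustration.
BUF_BASE, BUF_SIZE = 0x1000, 16               # where a copy of the network data is placed
LIBC = {0x7000: "system", 0x7010: "strcpy"}   # assumed addresses of standard library functions

class TaintVM:
    def __init__(self):
        self.mem = {}    # address -> (value, tainted)
        self.regs = {}   # register -> (value, tainted)

    def receive(self, data, untrusted=True):
        """Copy network data into the VM; flag each byte if the source is untrusted."""
        for i, b in enumerate(data[:BUF_SIZE]):
            self.mem[BUF_BASE + i] = (b, untrusted)

    def _val(self, ref):                      # immediates are never tainted
        return (ref, False) if isinstance(ref, int) else self.regs.get(ref, (0, False))

    def run(self, program):
        """Execute instructions, propagate taint, return the first unauthorized redirection or None."""
        for op, *args in program:
            if op == "load":                  # load dst, addr: taint follows the byte read
                self.regs[args[0]] = self.mem.get(args[1], (0, False))
            elif op == "store":               # store addr, src
                self.mem[args[0]] = self._val(args[1])
            elif op in ("add", "shl"):        # result is tainted if any operand is
                (va, ta), (vb, tb) = self._val(args[1]), self._val(args[2])
                v = va + vb if op == "add" else va << vb
                self.regs[args[0]] = (v & 0xFFFF, ta or tb)
            elif op == "jmp":                 # indirect jump: the outcome the claims test for
                target, tainted = self._val(args[0])
                if not tainted:
                    continue
                if BUF_BASE <= target < BUF_BASE + BUF_SIZE:
                    return f"unauthorized: control flow redirected into network data at {target:#x}"
                if target in LIBC:
                    return f"unauthorized: control flow redirected to library function {LIBC[target]}"
                return f"unauthorized: jump target {target:#x} derived from flagged input"
        return None

def analyze(data, program, untrusted=True):
    vm = TaintVM()
    vm.receive(data, untrusted)
    return vm.run(program)

# Constructed programs: one only sums two input bytes; the other builds its jump target from input bytes.
BENIGN = [("load", "r1", BUF_BASE), ("load", "r2", BUF_BASE + 1),
          ("add", "r3", "r1", "r2"), ("store", 0x2000, "r3")]
INPUT_JUMP = [("load", "r1", BUF_BASE + 2), ("load", "r2", BUF_BASE + 3),
              ("shl", "r1", "r1", 8), ("add", "r4", "r1", "r2"), ("jmp", "r4")]
```

The same `INPUT_JUMP` program is reported or not depending only on where its input-derived target lands and whether the source was flagged, which is the distinction the claims draw between ordinary data handling and an unauthorized redirection.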