Statistical fingerprinting for malware detection and classification
First Claim
1. A system that determines if malware exists in a computing architecture with an unknown pedigree comprising:
- a first computing device having a known pedigree and operating free of malware, the first computing device operating a known software application that comprises a series of instrumented functions that, when executed, provide a statistical baseline time that is representative of the time it takes the software application to run on a computing device having a known pedigree and operating free of malware; and
- a second computing device having an unknown pedigree and with the potential of operating with malware, the second computing device operating the known software application that further comprises a series of instrumented functions that, when executed, provides an actual time that is representative of the time the known software application runs on the second computing device having an unknown pedigree and operating with the potential of operating with malware;
- where the instrumented functions are injected into the known software application through a code injection that facilitates accessing a plurality of subroutines that is shared by a plurality of software applications; and
- where the difference in times between the statistical baseline time and the actual time identifies a malware status of the second machine.
Abstract
A system detects malware in a computing architecture with an unknown pedigree. The system includes a first computing device having a known pedigree and operating free of malware. The first computing device executes a series of instrumented functions that, when executed, provide a statistical baseline that is representative of the time it takes the software application to run on a computing device having a known pedigree. A second computing device executes a second series of instrumented functions that, when executed, provides an actual time that is representative of the time the known software application runs on the second computing device. The system detects malware when there is a difference in execution times between the first and the second computing devices.
9 Claims
8. A method for determining if malware exists in a computing device with unknown pedigree and with the potential of operating with malware comprising:
- a. identifying one or more functions in a software application;
- b. instrumenting the functions by injecting code into the software application that measures the execution time of the functions;
- c. executing the software application on a first computing device with a known pedigree and that is known to be free of malware;
- d. establishing a statistical baseline time that the software application takes to execute on a computing device with a known pedigree and that is known to be free of malware;
- e. executing the software application on a second computing device that does not have a known pedigree and with the potential of having malware;
- f. measuring the actual time that the software application takes to execute; and
- g. comparing the actual time of execution with the statistical baseline time of execution, where the injecting code facilitates accessing a plurality of subroutines that is shared by a plurality of software applications.
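The procedure of claim 8 carried through end to end, as an added Python example (not code from the patent): a timing hook standing in for the injected instrumentation, a per-function statistical baseline built from constructed clean-host samples, and a z-score comparison against constructed unknown-host times. The function names, the sample values and the three-sigma threshold are all assumptions made for the illustration.

```python
import statistics
import time
from functools import wraps

# Constructed sample data (not from the patent): per-function execution times in
# seconds over eight runs of the instrumented application on a clean, known-pedigree host.
BASELINE_SAMPLES = {
    "parse_config": [0.0100, 0.0102, 0.0098, 0.0101, 0.0099, 0.0103, 0.0100, 0.0097],
    "load_plugins": [0.0500, 0.0510, 0.0495, 0.0505, 0.0498, 0.0502, 0.0497, 0.0493],
}
# Constructed single-run times observed on the unknown-pedigree host.
UNKNOWN_HOST_TIMES = {"parse_config": 0.0101, "load_plugins": 0.0580}

def instrument(name, sink):
    """Stand-in for the injected timing code: appends each call's wall-clock duration to sink[name]."""
    def deco(fn):
        @wraps(fn)
        def wrapper(*args, **kwargs):
            start = time.perf_counter()
            try:
                return fn(*args, **kwargs)
            finally:
                sink.setdefault(name, []).append(time.perf_counter() - start)
        return wrapper
    return deco

def build_baseline(samples):
    """Statistical baseline per function: (mean, sample standard deviation) of clean-host runs."""
    return {f: (statistics.mean(v), statistics.stdev(v)) for f, v in samples.items()}

def classify(baseline, actual, z_threshold=3.0):
    """Return {function: (z_score, flagged)}; flagged when |z| exceeds z_threshold sigmas."""
    report = {}
    for f, (mu, sigma) in baseline.items():
        if f in actual:
            z = (actual[f] - mu) / sigma if sigma > 0 else 0.0
            report[f] = (round(z, 2), abs(z) > z_threshold)
    return report

def malware_status(report):
    return "suspect" if any(flag for _, flag in report.values()) else "baseline"

def demo_instrumentation():
    """Shows the hook collecting one measurement; returns the sink for inspection."""
    sink = {}

    @instrument("busy_work", sink)
    def busy_work(n):
        return sum(i * i for i in range(n))

    busy_work(10_000)
    return sink
```

A baseline is only meaningful for hosts with equivalent hardware and load; in practice the unknown host is measured repeatedly and a threshold is chosen against the baseline's spread rather than a single run.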