Malware family identification using profile signatures

US 9,165,142 B1
Filed: 01/30/2013
Issued: 10/20/2015
Est. Priority Date: 01/30/2013
Status: Active Grant

First Claim

Patent Images

1. A system for malware family identification using profile signatures, comprising:

a processor configured to;

receive, from a security device, a potential malware sample, wherein the security device is configured to, in the event an unknown file is encountered by the security device, send the unknown file to the processor as the potential malware sample;

execute the potential malware sample in a virtual machine environment, including by monitoring interaction during execution in the virtual machine environment between;

(1) the potential malware sample and (2) an application programming interface (API) in order to obtain an API log which includes;

(a) one or more files created by the potential malware sample using the API during execution in the virtual machine environment and (b) one or more files registered in a run key by the potential malware sample using the API during execution in the virtual machine environment; and

determine whether the potential malware sample is associated with a known malware family based on a profile signature, including by;

comparing (1a) the files created by the potential malware in the API log against (1b) one or more files created by the known malware family in the profile signature and (2a) the files registered in the run key in the API log against (2b) one or more files registered in the run key by the known malware family in the profile signature; and

in the event (1a) matches (1b) and (2a) matches (2b), identifying the potential malware sample as being a member of the known malware family; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for malware family identification using profile signatures are disclosed. In some embodiments, malware identification using profile signatures includes executing a potential malware sample in a virtual machine environment (e.g., a sandbox); and determining whether the potential malware sample is associated with a known malware family based on a profile signature. In some embodiments, the virtual machine environment is an instrumented virtual machine environment for monitoring potential malware samples during execution.

Citations

19 Claims

1. A system for malware family identification using profile signatures, comprising:
- a processor configured to;
  
  receive, from a security device, a potential malware sample, wherein the security device is configured to, in the event an unknown file is encountered by the security device, send the unknown file to the processor as the potential malware sample;
  
  execute the potential malware sample in a virtual machine environment, including by monitoring interaction during execution in the virtual machine environment between;
  
  (1) the potential malware sample and (2) an application programming interface (API) in order to obtain an API log which includes;
  
  (a) one or more files created by the potential malware sample using the API during execution in the virtual machine environment and (b) one or more files registered in a run key by the potential malware sample using the API during execution in the virtual machine environment; and
  
  determine whether the potential malware sample is associated with a known malware family based on a profile signature, including by;
  
  comparing (1a) the files created by the potential malware in the API log against (1b) one or more files created by the known malware family in the profile signature and (2a) the files registered in the run key in the API log against (2b) one or more files registered in the run key by the known malware family in the profile signature; and
  
  in the event (1a) matches (1b) and (2a) matches (2b), identifying the potential malware sample as being a member of the known malware family; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 15)
- - 2. The system recited in claim 1, wherein the virtual machine environment includes an instrumented virtual machine environment for monitoring potential malware samples during execution.
  - 3. The system recited in claim 1, wherein the processor is configured to determine whether the potential malware sample is associated with the known malware family, further including by:
    - performing a static analysis of the potential malware sample.
  - 4. The system recited in claim 1, wherein the profile signature includes an intrusion prevention system (IPS) signature.
  - 5. The system recited in claim 1, wherein the processor is configured to determine whether the potential malware sample is associated with the known malware family, further including by:
    - monitoring network activities performed by the potential malware sample during execution time in the virtual machine environment.
  - 6. The system recited in claim 1, wherein the profile signature includes an intrusion prevention system (IPS) signature, and wherein the processor is configured to determine whether the potential malware sample is associated with the known malware family, further including by:
    - monitoring network activities performed by the potential malware sample during execution time in the virtual machine environment.
  - 15. The system recited in claim 1, wherein the security device includes one or more of the following:
    - a gateway based firewall, an appliance based firewall, or a server based firewall.

7. A method of malware family identification using profile signatures, comprising:
- receiving, from a security device, a potential malware sample, wherein the security device is configured to, in the event an unknown file is encountered by the security device, send the unknown file to a processor as the potential malware sample;
  
  using the processor to execute a potential malware sample in a virtual machine environment, including by monitoring interaction during execution in the virtual machine environment between;
  
  (1) the potential malware sample and (2) an application programming interface (API) in order to obtain an API log which includes;
  
  (a) one or more files created by the potential malware sample using the API during execution in the virtual machine environment and (b) one or more files registered in a run key by the potential malware sample using the API during execution in the virtual machine environment; and
  
  determining whether the potential malware sample is associated with a known malware family based on a profile signature, including by;
  
  comparing (1a) the files created by the potential malware in the API log against (1b) one or more files created by the known malware family in the profile signature and (2a) the files registered in the run key in the API log against (2b) one or more files registered in the run key by the known malware family in the profile signature; and
  
  in the event (1a) matches (1b) and (2a) matches (2b), identifying the potential malware sample as being a member of the known malware family.
- View Dependent Claims (8, 9, 10, 16, 18)
- - 8. The method of claim 7, wherein the virtual machine environment includes an instrumented virtual machine environment for monitoring potential malware samples during execution.
  - 9. The method of claim 7, wherein determining whether the potential malware sample is associated with the known malware family further includes:
    - monitoring network activities performed by the potential malware sample during execution time in the virtual machine environment.
  - 10. The method of claim 7, wherein the profile signature includes an intrusion prevention system (IPS) signature, and determining whether the potential malware sample is associated with the known malware family further includes:
    - monitoring network activities performed by the potential malware sample during execution time in the virtual machine environment.
  - 16. The method recited in claim 7, wherein the security device includes one or more of the following:
    - a gateway based firewall, an appliance based firewall, or a server based firewall.
  - 18. The method of claim 7, wherein determining whether the potential malware sample is associated with the known malware family further includes:
    - performing a static analysis of the potential malware sample.

11. A computer program product for malware family identification using profile signatures, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- receiving, from a security device, a potential malware sample, wherein the security device is configured to, in the event an unknown file is encountered by the security device, send the unknown file as the potential malware sample;
  
  executing a potential malware sample in a virtual machine environment, including by monitoring interaction during execution in the virtual machine environment between;
  
  (1) the potential malware sample and (2) an application programming interface (API) in order to obtain an API log which includes;
  
  (a) one or more files created by the potential malware sample using the API during execution in the virtual machine environment and (b) one or more files registered in a run key by the potential malware sample using the API during execution in the virtual machine environment; and
  
  determining whether the potential malware sample is associated with a known malware family based on a profile signature, including by;
  
  comparing (1a) the files created by the potential malware in the API log against (1b) one or more files created by the known malware family in the profile signature and (2a) the files registered in the run key in the API log against (2b) one or more files registered in the run key by the known malware family in the profile signature; and
  
  in the event (1a) matches (1b) and (2a) matches (2b), identifying the potential malware sample as being a member of the known malware family.
- View Dependent Claims (12, 13, 14, 17, 19)
- - 12. The computer program product recited in claim 11, wherein the virtual machine environment includes an instrumented virtual machine environment for monitoring potential malware samples during execution.
  - 13. The computer program product recited in claim 11, wherein the computer instructions for determining whether the potential malware sample is associated with the known malware family further include computer instructions for:
    - monitoring network activities performed by the potential malware sample during execution time in the virtual machine environment.
  - 14. The computer program product recited in claim 11, wherein the profile signature includes an intrusion prevention system (IPS) signature, and the computer instructions for determining whether the potential malware sample is associated with the known malware family further include computer instructions for:
    - monitoring network activities performed by the potential malware sample during execution time in the virtual machine environment.
  - 17. The computer program product recited in claim 11, wherein the security device includes one or more of the following:
    - a gateway based firewall, an appliance based firewall, or a server based firewall.
  - 19. The computer program product recited in claim 11, wherein the computer instructions for determining whether the potential malware sample is associated with the known malware family further include computer instructions for:
    - performing a static analysis of the potential malware sample.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Sanders, Kyle, Wang, Xinran
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Tran, Tongoc

Application Number

US13/754,789
Time in Patent Office

993 Days
Field of Search

726 23- 25, 726/11
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 2221/033   Test or assess software

H04L 63/02   for separating internal fro...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Malware family identification using profile signatures

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Malware family identification using profile signatures

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links