Malware family identification using profile signatures
First Claim
1. A system for malware family identification using profile signatures, comprising:
a processor configured to:
receive, from a security device, a potential malware sample, wherein the security device is configured to, in the event an unknown file is encountered by the security device, send the unknown file to the processor as the potential malware sample;
execute the potential malware sample in a virtual machine environment, including by monitoring interaction during execution in the virtual machine environment between:
(1) the potential malware sample and (2) an application programming interface (API) in order to obtain an API log which includes:
(a) one or more files created by the potential malware sample using the API during execution in the virtual machine environment and (b) one or more files registered in a run key by the potential malware sample using the API during execution in the virtual machine environment; and
determine whether the potential malware sample is associated with a known malware family based on a profile signature, including by:
comparing (1a) the files created by the potential malware in the API log against (1b) one or more files created by the known malware family in the profile signature and (2a) the files registered in the run key in the API log against (2b) one or more files registered in the run key by the known malware family in the profile signature; and
in the event (1a) matches (1b) and (2a) matches (2b), identifying the potential malware sample as being a member of the known malware family; and
a memory coupled to the processor and configured to provide the processor with instructions.
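How the comparison in claim 1 (and the parallel method and program-product claims 7 and 11) would be carried out in practice, as an added illustrative example; this is not code from the patent or its assignee. The sandbox event schema, the list of run keys, the path normalization rules, the glob-pattern extension of "matches", and every family name, path and event below are assumptions constructed for the example.

```python
"""Profile-signature matching as claimed: reduce sandbox API events to
(a) files created and (b) files registered in a Run key, then require both
to match a known family's profile signature. Event schema, run-key list,
normalization rules and all sample data are assumptions of this example."""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Autostart keys treated as "run keys" (assumed set; extend for your sandbox).
RUN_KEYS = frozenset(k.lower() for k in (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
))


def normalize_path(path):
    """Canonicalize a path so sandbox-specific user names and drives do not
    break a comparison against a signature recorded on another machine."""
    p = path.strip().strip('"').lower()
    p = re.sub(r"^[a-z]:\\users\\[^\\]+", "%userprofile%", p)
    p = re.sub(r"^[a-z]:\\windows\\temp", r"%systemroot%\\temp", p)
    return p


def extract_api_log(events):
    """Reduce raw API-monitor events to the two sets the claim compares:
    (a) files created, (b) executables registered under a run key.
    Each event is a dict with an 'api' key plus call-specific fields
    (assumed schema)."""
    created, run_files = set(), set()
    for ev in events:
        api = ev["api"]
        if api == "CreateFileW" and ev.get("disposition") in ("CREATE_NEW", "CREATE_ALWAYS"):
            created.add(normalize_path(ev["path"]))
        elif api == "RegSetValueExW" and ev["key"].lower() in RUN_KEYS:
            # The "registered file" is the executable the Run value launches:
            # a quoted path, or the first token of an unquoted command line.
            data = ev["data"].strip()
            exe = data[1:data.index('"', 1)] if data.startswith('"') else data.split(" ")[0]
            run_files.add(normalize_path(exe))
    return frozenset(created), frozenset(run_files)


@dataclass(frozen=True)
class ProfileSignature:
    family: str
    files_created: frozenset   # (1b): normalized paths or glob patterns
    run_key_files: frozenset   # (2b): normalized paths or glob patterns


def _set_matches(observed, patterns):
    """True when every signature entry is matched by at least one observed path.
    An empty signature side never matches: it would otherwise match everything."""
    return bool(patterns) and all(
        any(fnmatchcase(path, pat) for path in observed) for pat in patterns)


def identify_family(events, signatures):
    """Return the family whose signature matches on BOTH (1) created files and
    (2) run-key files, or None. A match on one side alone is not enough."""
    created, run_files = extract_api_log(events)
    for sig in signatures:
        if _set_matches(created, sig.files_created) and _set_matches(run_files, sig.run_key_files):
            return sig.family
    return None


# Constructed sample: a dropper that copies itself to the roaming profile,
# writes a config file, reads a system DLL, and persists via HKCU\...\Run.
SAMPLE_EVENTS = [
    {"api": "CreateFileW", "path": r"C:\Users\sbx01\AppData\Roaming\svchost32.exe",
     "disposition": "CREATE_ALWAYS"},
    {"api": "CreateFileW", "path": r"C:\Users\sbx01\AppData\Roaming\cfg.dat",
     "disposition": "CREATE_ALWAYS"},
    {"api": "CreateFileW", "path": r"C:\Windows\System32\kernel32.dll",
     "disposition": "OPEN_EXISTING"},   # a read, not a file creation
    {"api": "RegSetValueExW", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "svchost32", "data": r'"C:\Users\sbx01\AppData\Roaming\svchost32.exe" -silent'},
]

# Constructed signatures for two hypothetical families. FamilyB shares the
# dropped file but persists from a different location, so only (1) matches.
SIGNATURES = [
    ProfileSignature("FamilyB",
                     frozenset({r"%userprofile%\appdata\roaming\svchost32.exe"}),
                     frozenset({r"%systemroot%\temp\*.exe"})),
    ProfileSignature("FamilyA",
                     frozenset({r"%userprofile%\appdata\roaming\svchost32.exe",
                                r"%userprofile%\appdata\roaming\*.dat"}),
                     frozenset({r"%userprofile%\appdata\roaming\svchost32.exe"})),
]

if __name__ == "__main__":
    print(identify_family(SAMPLE_EVENTS, SIGNATURES))        # FamilyA
    print(identify_family(SAMPLE_EVENTS[:3], SIGNATURES))    # None: no run-key entry
```

Two design choices are worth noting. "Matches" is implemented as containment (every signature entry is found among the observed paths) rather than set equality, because an incidental temp or log file created by the sample would otherwise defeat the match; tighten it if your signatures are meant to be exhaustive. Paths are normalized before comparison, and signature entries may be glob patterns, because the user name, drive letter and often the dropped file name differ between the sandbox where the signature was recorded and the one analyzing the new sample; without this the comparison is brittle against trivially randomized file names. The AND of both conditions is what keeps a family that merely drops a similar file (FamilyB above) from being identified.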
Abstract
Techniques for malware family identification using profile signatures are disclosed. In some embodiments, malware identification using profile signatures includes executing a potential malware sample in a virtual machine environment (e.g., a sandbox); and determining whether the potential malware sample is associated with a known malware family based on a profile signature. In some embodiments, the virtual machine environment is an instrumented virtual machine environment for monitoring potential malware samples during execution.
19 Claims
1. A system for malware family identification using profile signatures, comprising: (independent claim; full text given under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 15
7. A method of malware family identification using profile signatures, comprising:
receiving, from a security device, a potential malware sample, wherein the security device is configured to, in the event an unknown file is encountered by the security device, send the unknown file to a processor as the potential malware sample;
using the processor to execute a potential malware sample in a virtual machine environment, including by monitoring interaction during execution in the virtual machine environment between:
(1) the potential malware sample and (2) an application programming interface (API) in order to obtain an API log which includes:
(a) one or more files created by the potential malware sample using the API during execution in the virtual machine environment and (b) one or more files registered in a run key by the potential malware sample using the API during execution in the virtual machine environment; and
determining whether the potential malware sample is associated with a known malware family based on a profile signature, including by:
comparing (1a) the files created by the potential malware in the API log against (1b) one or more files created by the known malware family in the profile signature and (2a) the files registered in the run key in the API log against (2b) one or more files registered in the run key by the known malware family in the profile signature; and
in the event (1a) matches (1b) and (2a) matches (2b), identifying the potential malware sample as being a member of the known malware family.
Dependent claims: 8, 9, 10, 16, 18
11. A computer program product for malware family identification using profile signatures, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
receiving, from a security device, a potential malware sample, wherein the security device is configured to, in the event an unknown file is encountered by the security device, send the unknown file as the potential malware sample;
executing a potential malware sample in a virtual machine environment, including by monitoring interaction during execution in the virtual machine environment between:
(1) the potential malware sample and (2) an application programming interface (API) in order to obtain an API log which includes:
(a) one or more files created by the potential malware sample using the API during execution in the virtual machine environment and (b) one or more files registered in a run key by the potential malware sample using the API during execution in the virtual machine environment; and
determining whether the potential malware sample is associated with a known malware family based on a profile signature, including by:
comparing (1a) the files created by the potential malware in the API log against (1b) one or more files created by the known malware family in the profile signature and (2a) the files registered in the run key in the API log against (2b) one or more files registered in the run key by the known malware family in the profile signature; and
in the event (1a) matches (1b) and (2a) matches (2b), identifying the potential malware sample as being a member of the known malware family.
Dependent claims: 12, 13, 14, 17, 19