Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses

US 9,171,160 B2
Filed: 09/30/2013
Issued: 10/27/2015
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method of detecting malware in a specimen of computer content or network traffic, the method comprising:

responsive to receiving a specimen, determining, by a hardware controller, an analysis plan identifying an order for at least a first analysis and a second analysis to be performed, the first analysis comprises a static analysis and the second analysis comprises a dynamic analysis;

performing the first analysis in accordance with the analysis plan to identify one or more suspicious indicators associated with malware and one or more characteristics related to processing of the specimen;

performing the second analysis in accordance with the analysis plan, including processing of the specimen in a virtual environment including with one or more monitors to identify one or more unexpected behaviors each having one or more anomalies;

responsive to a result of one of the first analysis or the second analysis, unpacking an object determined to be present in the specimen and performing a third analysis, wherein the third analysis comprises a static analysis on the object and is different from the first analysis and the second analysis when the first analysis is conducted prior to the second analysis;

determining by a classifier whether the specimen should be classified as malicious based on at least one of (i) the one or more identified suspicious indicators, (ii) the one or more identified anomalies, or (iii) a result of the static analysis on the unpacked object; and

storing one or more of (a) the analysis plan, (b) the one or more identified indicators, (c) the one or more characteristics, or (d) the one or more identified anomalies in a persistent memory.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for malware detection are described herein. According to one aspect, control logic determines an analysis plan for analyzing whether a specimen should be classified as malware, where the analysis plan identifies at least first and second analyses to be performed. Each of the first and second analyses identified in the analysis plan including one or both of a static analysis and a dynamic analysis. The first analysis is performed based on the analysis plan to identify suspicious indicators characteristics related to processing of the specimen. The second analysis is performed based on the analysis plan to identify unexpected behaviors having processing or communications anomalies. A classifier determines whether the specimen should be classified as malicious based on the static and dynamic analyses. The analysis plan, the indicators, the characteristics, and the anomalies are stored in a persistent memory.

548 Citations

31 Claims

1. A computer implemented method of detecting malware in a specimen of computer content or network traffic, the method comprising:
- responsive to receiving a specimen, determining, by a hardware controller, an analysis plan identifying an order for at least a first analysis and a second analysis to be performed, the first analysis comprises a static analysis and the second analysis comprises a dynamic analysis;
  
  performing the first analysis in accordance with the analysis plan to identify one or more suspicious indicators associated with malware and one or more characteristics related to processing of the specimen;
  
  performing the second analysis in accordance with the analysis plan, including processing of the specimen in a virtual environment including with one or more monitors to identify one or more unexpected behaviors each having one or more anomalies;
  
  responsive to a result of one of the first analysis or the second analysis, unpacking an object determined to be present in the specimen and performing a third analysis, wherein the third analysis comprises a static analysis on the object and is different from the first analysis and the second analysis when the first analysis is conducted prior to the second analysis;
  
  determining by a classifier whether the specimen should be classified as malicious based on at least one of (i) the one or more identified suspicious indicators, (ii) the one or more identified anomalies, or (iii) a result of the static analysis on the unpacked object; and
  
  storing one or more of (a) the analysis plan, (b) the one or more identified indicators, (c) the one or more characteristics, or (d) the one or more identified anomalies in a persistent memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, wherein performing the second analysis is based in part on at least one of the identified suspicious indicators and characteristics identified in the first analysis.
  - 3. The method of claim 1, further comprising:
    - receiving by the controller, over a first feedback path, the identified suspicious indicators and characteristics, which include results of the first analysis;
      
      modifying the analysis plan in response to the results of the first analysis; and
      
      storing the modified analysis plan in the persistent memory.
  - 4. The method of claim 3, the third analysis is performed after the first analysis and the second analysis.
  - 5. The method of claim 3, wherein the first analysis comprises a static analysis;
    - the second analysis comprises a dynamic analysis; and
      
      wherein the modifying of the analysis plan comprises adding a third a fourth analysis that comprises comprising processing the specimen in an emulator.
  - 6. The method of claim 1, wherein the performing of the third analysis further comprising:
    - receiving, by the controllercontrol logic, the identified suspicious indicators and characteristics which comprise results of the first analysis;
      
      determining whether the third analysis should be performed; and
      
      if so determined, modifying the analysis plan to reflect the third analysis and initiating the third analysis in accordance with the modified analysis plan.
  - 7. The method of claim 1, further comprising:
    - receiving, by the controllercontrol logic, the identified suspicious indicators and characteristics which comprise results of the first analysis;
      
      storing a plurality of specimens to be analyzed;
      
      associating a priority to each of the specimens based on the number of specimens to be analyzed;
      
      setting an order of processing of the specimens to be analyzed based on their respective priority; and
      
      modifying the priority and order of processing in response to the first analysis.
  - 8. The method of claim 1, further comprising:
    - receiving, by the controllercontrol logic, the identified suspicious indicators and characteristics which comprise results of the first analysis;
      
      storing a plurality of specimens to be analyzed, associating a priority to each of the specimens;
      
      setting a time for analysis in at least one of the first analysis and the second analysis analyzes based on their respective priorities; and
      
      storing the time in the analysis plan.
  - 9. The method of claim 1, wherein the method further comprising selecting a runtime environment for the virtual environment based on the static analysis, wherein selecting the runtime environment comprises determining an operating system and version thereof, and an application and version thereof, to be processed with the specimen in the virtual environment, and modifying the analysis plan to reflect the selected runtime environment.
  - 10. The method of claim 9, further comprising the controllercontrol logicreceiving the identified suspicious indicators and characteristics which comprise results of the first analysis;
    - and wherein selecting the runtime environment for the virtual environment comprises selecting an initial state from which the application will be run based on the results of the first analysis.
  - 11. The method of claim 1, further comprising dispatching the specimen for both static and dynamic analysis to be run during a selected period of time by respective static analysis logic and dynamic analysis logic.
  - 12. The method of claim 1, wherein the static analysis comprises comparing the specimen with an identifier of known malware, and further comprising classifying the specimen as malicious based on the comparison.
  - 13. The method of claim 1, further comprising:
    - generating a malware identifier based on one or more of (i) the one or more suspicious indicators, (ii) the one or more identified anomalies, or (iii) the analysis plan; and
      
      using the malware identifier to identify one or more other specimens as malicious.
  - 14. The method of claim 1, further comprising accessing a database of intelligence regarding detection of malware in other specimens and determining the analysis plan based on the intelligence stored therein.
  - 15. The method of claim 14, wherein the virtual environment comprises a runtime environment, and the method further comprising tuning the runtime environment based on the intelligence stored in the database.
  - 16. The method of claim 1, further comprising:
    - capturing objects comprising the specimen;
      
      pre-filtering the captured objects to identify an object type, an object type comprising an executable, the characteristic of the specimen comprising the object type; and
      
      performing the first analysis after the pre-filtering step.
  - 17. The method of claim 1, further comprising performing the static analysis by a static analyzer, including:
    - extracting from the specimen an object type;
      
      determining, for the object type metadata for processing the specimen in the virtual environment, the characteristic of the specimen comprising the additional metadata; and
      
      extracting from the specimen a profile intelligence comprising a runtime software environment used for processing the specimen in the virtual environment, the characteristic of the specimen comprising the profile intelligence.
  - 18. The method of claim 1, wherein determining by the classifier whether the specimen should be classified as malicious comprises comparing the suspicious indicators from the static analysis conducted on the specimen, if any, and the identified anomalies from any dynamic analysis conducted on the specimen, if any, with a model of indicators and anomalies associated with known malware and known non-malware computer content and traffic.
  - 19. The method of claim 1, wherein the analysis plan further specifies one of reputation checking and malware source blacklist checking.
  - 20. The method of claim 1, wherein the static analysis on the object of the specimen is performed in response to the second analysis of the specimen and the object is unpacked during the second analysis.
  - 21. The method of claim 1, wherein the third analysis is part of the first analysis when the second analysis is conducted prior to the first analysis.

22. A system of detecting malware in a specimen of computer content or network traffic, the system comprising:
- control logic to receive a specimen and determine an analysis plan identifying an order for at least a first analysis and a second analysis to be performed on the specimen, the first analysis being a static analysis and the second analysis being a dynamic analysis;
  
  a first analysis module communicatively coupled to the control logic, the first analysis module to perform the first analysis in accordance with the analysis plan to identify one or more suspicious indicators associated with malware and one or more characteristics related to processing of the specimen;
  
  a second analysis module communicatively coupled to the control logic, the second analysis module to perform the second analysis in accordance with the analysis plan, including processing of the specimen in a virtual environment equipped with one or more monitors to identify one or more unexpected behaviors having one or more anomalies;
  
  a third analysis module communicatively coupled to the control logic, the third analysis module to perform a third analysis in response to either the first analysis or the second analysis, the third analysis being a static analysis performed on an object determined to be present in the specimen;
  
  a classifier communicatively coupled to the control logic, the classifier to determine whether the specimen should be classified as malicious based on at least one of (i) the one or more identified suspicious indicators and (ii) the one more identified anomalies; and
  
  a persistent storage device communicatively coupled to the control logic, the persistent storage device to store one or more of (a) the analysis plan, (b) the one or more identified indicators, (c) the one or more characteristics, or (d) the one or more identified anomalies.
- View Dependent Claims (23, 24, 25)
- - 23. The system of claim 22, wherein performing the second analysis is based in part on at least one of the identified suspicious indicators and characteristics identified in the first analysis.
  - 24. The system of claim 22, wherein the third analysis module to perform the third analysis that is different from the first analysis when the first analysis module is performing the first analysis prior to the second analysis module performing the second analysis.
  - 25. The system of claim 22, wherein the third analysis module to perform the third analysis as part of the first analysis when the second analysis module performing the second analysis prior to the first analysis module performing the first analysis.

26. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform a method of detecting malware in a specimen of computer content or network traffic, the method comprising:
- receiving a specimen and determining, by control logic, an analysis plan identifying at least a first analysis and a second analysis to be performed on the specimen, the first analysis being a static analysis and the second analysis being a dynamic analysis;
  
  performing the first analysis on the specimen in accordance with the analysis plan, the first analysis on the specimen comprises identifying one or more suspicious indicators associated with malware and one or more characteristics related to processing of the specimen;
  
  performing the second analysis on the specimen in accordance with the analysis plan, the second analysis on the specimen comprises including processing of the specimen in a virtual environment equipped with one or more monitors to identify one or more unexpected behaviors having one or more anomalies;
  
  responsive to a result of one of the first analysis or the second analysis, unpacking an object determined to be present in the specimen and performing a third analysis on the object, the third analysis on the object comprises a static analysis on the object and the third analysis being different than the first analysis and the second analysis when the first analysis is conducted prior to the second analysis;
  
  determining by a classifier whether the specimen should be classified as malicious based on at least one of (i) the one or more identified suspicious indicators or (ii) the one or more identified anomalies; and
  
  storing one or more of (a) the analysis plan, (b) the one or more identified indicators, (c) the one or more characteristics, or (d) the one or more identified anomalies in a persistent memory.
- View Dependent Claims (27, 28)
- - 27. The non-transitory machine-readable medium of claim 26, wherein performing the second analysis is based in part on at least one of the identified suspicious indicators and characteristics identified in the first analysis.
  - 28. The non-transitory machine-readable medium of claim 26, wherein the third analysis is part of the first analysis when the second analysis is conducted prior to the first analysis.

29. A computer implemented method of detecting malware in a specimen of computer content or network traffic, the method comprising:
- responsive to receiving a specimen, determining, by a controller, an analysis plan that includes an order of operation for a plurality of analyses;
  
  performing a first static analysis in accordance with the analysis plan to identify one or more suspicious indicators associated with malware and one or more characteristics related to processing of the specimen;
  
  performing a dynamic analysis in accordance with the analysis plan, including processing of the specimen in a virtual environment including with one or more monitors to identify one or more unexpected behaviors each having one or more anomalies; and
  
  performing a second static analysis after the first static analysis and the dynamic analysis.
- View Dependent Claims (30, 31)
- - 30. The method of claim 29, wherein the dynamic analysis unpacks an object present in the specimen and the second static analysis is performed on the unpacked object.
  - 31. The method of claim 30, further comprising:
    - determining by a classifier whether the specimen should be classified as malicious based on at least one of (i) the one or more identified suspicious indicators, (ii) the one or more identified anomalies, or (iii) a result of the static analysis on the unpacked object; and
      
      storing one or more of (a) the analysis plan, (b) the one or more identified indicators, (c) the one or more characteristics, or (d) the one or more identified anomalies in a persistent memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Vincent, Michael, Mesdaq, Ali, Thioux, Emmanuel, Singh, Abhishek, Vashisht, Sai
Primary Examiner(s)
Chao, Michael
Assistant Examiner(s)
Gao, Shu Chun

Application Number

US14/042,420
Publication Number

US 20150096022A1
Time in Patent Office

757 Days
Field of Search

726 22- 26
US Class Current

1/1
CPC Class Codes

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

548 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

548 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links