Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses
First Claim
1. A computer implemented method of detecting malware in a specimen of computer content or network traffic, the method comprising:
- responsive to receiving a specimen, determining, by a hardware controller, an analysis plan identifying an order for at least a first analysis and a second analysis to be performed, the first analysis comprises a static analysis and the second analysis comprises a dynamic analysis;
- performing the first analysis in accordance with the analysis plan to identify one or more suspicious indicators associated with malware and one or more characteristics related to processing of the specimen;
- performing the second analysis in accordance with the analysis plan, including processing of the specimen in a virtual environment including with one or more monitors to identify one or more unexpected behaviors each having one or more anomalies;
- responsive to a result of one of the first analysis or the second analysis, unpacking an object determined to be present in the specimen and performing a third analysis, wherein the third analysis comprises a static analysis on the object and is different from the first analysis and the second analysis when the first analysis is conducted prior to the second analysis;
- determining by a classifier whether the specimen should be classified as malicious based on at least one of (i) the one or more identified suspicious indicators, (ii) the one or more identified anomalies, or (iii) a result of the static analysis on the unpacked object; and
- storing one or more of (a) the analysis plan, (b) the one or more identified indicators, (c) the one or more characteristics, or (d) the one or more identified anomalies in a persistent memory.
Abstract
Techniques for malware detection are described herein. According to one aspect, control logic determines an analysis plan for analyzing whether a specimen should be classified as malware, where the analysis plan identifies at least first and second analyses to be performed. Each of the first and second analyses identified in the analysis plan includes one or both of a static analysis and a dynamic analysis. The first analysis is performed based on the analysis plan to identify suspicious indicators and characteristics related to processing of the specimen. The second analysis is performed based on the analysis plan to identify unexpected behaviors having processing or communications anomalies. A classifier determines whether the specimen should be classified as malicious based on the static and dynamic analyses. The analysis plan, the indicators, the characteristics, and the anomalies are stored in a persistent memory.
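As an added illustration (not code from the patent or its assignee), the following toy Python controller implements the claimed flow: a static first analysis, a monitored dynamic second analysis, and a third static analysis on an unpacked object that the controller appends to the plan only when the first analysis reports a packed object. The specimen format, signatures, monitors and scoring weights are constructed for this example.

```python
import zlib

# Constructed toy specimen format (not the patent's): ops separated by ';', with an
# optional zlib-packed inner object introduced by MARKER.
MARKER = b"PACKED:"
BENIGN = b"NOP;WRITE /tmp/report.txt"
SUSPECT = b"WRITE /sys/persist;" + MARKER + zlib.compress(b"CONNECT c2.example:443")
SIGNATURES = {MARKER: "embedded_packed_object", b"CONNECT ": "network_beacon_string"}
MONITORS = {b"WRITE /sys": "write_system_path", b"CONNECT ": "unexpected_outbound"}

def static_analysis(blob):
    """First (and third) analysis: content indicators plus characteristics, no execution."""
    return [name for sig, name in SIGNATURES.items() if sig in blob], {"size": len(blob)}

def dynamic_analysis(blob):
    """Second analysis: 'execute' the ops in a toy sandbox whose monitors flag anomalies."""
    return [name for op in blob.split(b";") for pre, name in MONITORS.items() if op.startswith(pre)]

def unpack(blob):
    """Recover the inner object that the first analysis reported as packed."""
    return zlib.decompress(blob[blob.index(MARKER) + len(MARKER):])

def classify(record):
    """Classifier: behaviours observed under monitoring weigh more than static hits."""
    score = len(record["indicators"]) + 2 * len(record["anomalies"])
    return "malicious" if score >= 3 else "benign"

def analyze(blob):
    """Controller: pick an initial plan, execute it, and extend it in response to results."""
    plan = ["static", "dynamic"]
    record = {"plan": plan, "indicators": [], "characteristics": {}, "anomalies": []}
    i = 0
    while i < len(plan):          # the plan may grow while it is being executed
        step, i = plan[i], i + 1
        if step == "static":
            found, record["characteristics"] = static_analysis(blob)
            record["indicators"] += found
            if "embedded_packed_object" in found:
                plan.append("static_unpacked")   # third analysis, added on demand
        elif step == "dynamic":
            record["anomalies"] += dynamic_analysis(blob)
        elif step == "static_unpacked":
            record["indicators"] += ["unpacked:" + n for n in static_analysis(unpack(blob))[0]]
    record["verdict"] = classify(record)   # the whole record is what would be persisted
    return record
```

The returned record holds everything the claim lists for persistent storage (plan, indicators, characteristics, anomalies) together with the verdict.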
31 Claims

1. A computer implemented method of detecting malware in a specimen of computer content or network traffic (independent claim; full text given above under First Claim). Dependent claims: 2 to 21.

22. A system of detecting malware in a specimen of computer content or network traffic, the system comprising:
- control logic to receive a specimen and determine an analysis plan identifying an order for at least a first analysis and a second analysis to be performed on the specimen, the first analysis being a static analysis and the second analysis being a dynamic analysis;
- a first analysis module communicatively coupled to the control logic, the first analysis module to perform the first analysis in accordance with the analysis plan to identify one or more suspicious indicators associated with malware and one or more characteristics related to processing of the specimen;
- a second analysis module communicatively coupled to the control logic, the second analysis module to perform the second analysis in accordance with the analysis plan, including processing of the specimen in a virtual environment equipped with one or more monitors to identify one or more unexpected behaviors having one or more anomalies;
- a third analysis module communicatively coupled to the control logic, the third analysis module to perform a third analysis in response to either the first analysis or the second analysis, the third analysis being a static analysis performed on an object determined to be present in the specimen;
- a classifier communicatively coupled to the control logic, the classifier to determine whether the specimen should be classified as malicious based on at least one of (i) the one or more identified suspicious indicators and (ii) the one or more identified anomalies; and
- a persistent storage device communicatively coupled to the control logic, the persistent storage device to store one or more of (a) the analysis plan, (b) the one or more identified indicators, (c) the one or more characteristics, or (d) the one or more identified anomalies.
Dependent claims: 23, 24, 25.

26. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform a method of detecting malware in a specimen of computer content or network traffic, the method comprising:
- receiving a specimen and determining, by control logic, an analysis plan identifying at least a first analysis and a second analysis to be performed on the specimen, the first analysis being a static analysis and the second analysis being a dynamic analysis;
- performing the first analysis on the specimen in accordance with the analysis plan, the first analysis on the specimen comprises identifying one or more suspicious indicators associated with malware and one or more characteristics related to processing of the specimen;
- performing the second analysis on the specimen in accordance with the analysis plan, the second analysis on the specimen comprises processing of the specimen in a virtual environment equipped with one or more monitors to identify one or more unexpected behaviors having one or more anomalies;
- responsive to a result of one of the first analysis or the second analysis, unpacking an object determined to be present in the specimen and performing a third analysis on the object, the third analysis on the object comprises a static analysis on the object and the third analysis being different than the first analysis and the second analysis when the first analysis is conducted prior to the second analysis;
- determining by a classifier whether the specimen should be classified as malicious based on at least one of (i) the one or more identified suspicious indicators or (ii) the one or more identified anomalies; and
- storing one or more of (a) the analysis plan, (b) the one or more identified indicators, (c) the one or more characteristics, or (d) the one or more identified anomalies in a persistent memory.
Dependent claims: 27, 28.

29. A computer implemented method of detecting malware in a specimen of computer content or network traffic, the method comprising:
- responsive to receiving a specimen, determining, by a controller, an analysis plan that includes an order of operation for a plurality of analyses;
- performing a first static analysis in accordance with the analysis plan to identify one or more suspicious indicators associated with malware and one or more characteristics related to processing of the specimen;
- performing a dynamic analysis in accordance with the analysis plan, including processing of the specimen in a virtual environment including with one or more monitors to identify one or more unexpected behaviors each having one or more anomalies; and
- performing a second static analysis after the first static analysis and the dynamic analysis.
Dependent claims: 30, 31.