User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications

US 9,195,829 B1
Filed: 02/23/2013
Issued: 11/24/2015
Est. Priority Date: 02/23/2013
Status: Active Grant

First Claim

Patent Images

1. A method for detecting anomalous behavior by an application software under test that suggest a presence of malware, comprising:

conducting an analysis of operations of the application software for detecting an occurrence of one or more events;

generating a video of a display output produced by the operations of the application software; and

generating, for display on the electronic device contemporaneously with the video, a textual log including information associated with the one or more events,wherein display of the textual log is synchronized with display of successive display images of the video and illustrates the one or more events being monitored during the analysis of the operations of the application software and during display of the successive display images of the video.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a method comprises conducting an analysis for anomalous behavior on application software and generating a video of a display output produced by the application software. The video is to be displayed on an electronic device contemporaneously with display of one or more events detected by the analysis being performed on the application software.

554 Citations

45 Claims

1. A method for detecting anomalous behavior by an application software under test that suggest a presence of malware, comprising:
- conducting an analysis of operations of the application software for detecting an occurrence of one or more events;
  
  generating a video of a display output produced by the operations of the application software; and
  
  generating, for display on the electronic device contemporaneously with the video, a textual log including information associated with the one or more events,wherein display of the textual log is synchronized with display of successive display images of the video and illustrates the one or more events being monitored during the analysis of the operations of the application software and during display of the successive display images of the video.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein conducting the analysis of operations of the application software for detecting the occurrence of the one or more events includes detecting whether one or more anomalous behaviors occur during the operations of the application software, and wherein generating of the video comprises capturing the display output of the application software during the operations.
  - 3. The method of claim 2, wherein the video comprises a plurality of display images having a sequence corresponding to a displayed sequence of the one or more events detected by the analysis.
  - 4. The method of claim 2, wherein the video comprises a plurality of display images having a sequence corresponding to an execution flow of the operations of the application software.
  - 5. The method of claim 4, wherein the plurality of display images correspond to images that would have been displayed were the software application executed natively.
  - 6. The method of claim 1, wherein the conducting of the analysis of operations of the application software for detecting the occurrence of the one or more events comprises:
    - setting the one or more events, each of the one or more events being a behavior to be monitored;
      
      performing operations of the application software on one or more virtual machines; and
      
      determining whether at least one of the one or more behaviors is detected during analysis of the operations of the application software performed on the one or more virtual machines.
  - 7. The method of claim 6, further comprising presenting a user interface to enable a user to customize at least one behavior to be monitored, and conducting the analysis based at least in part on the customized behavior.
  - 8. The method of claim 1, wherein the electronic device comprises a computer system and the software application is designed for native execution on a mobile electronic device.
  - 9. The method of claim 1 further comprising indexing the video so as to permit a user, by user interaction, to access a desired segment of video in accordance with at least one of a particular playback time in the video and a particular analyzed event of the one or more events.
  - 10. The method of claim 1, wherein the conducting of the analysis for the occurrence of the one or more events comprises monitoring for one or more anomalous behaviors including a malware-based behavior.
  - 11. The method of claim 1, wherein the conducting of the analysis for the occurrence of the one or more events comprises monitoring for one or more anomalous behaviors including an unexpected data transmission.
  - 12. The method of claim 1, wherein the generating of the video comprises indexing the video by corresponding a display time for each display image of the successive display images of the video with a behavior associated with an event of the one or more events being monitored during analysis of the application software.

13. A method for detecting anomalous behavior by an application software under test that suggest a presence of malware, comprising:
- conducting an analysis of operations of the application software for detecting an occurrence of one or more events, wherein each event corresponds to a test behavior;
  
  generating a video of a display output produced by the operations of the application software, the video comprises a plurality of display images having a sequence corresponding to an execution flow of the operations of the application software and being generated for display on an electronic device contemporaneously with display of the one or more events detected by the analysis; and
  
  generating, for display on the electronic device contemporaneously with the video, a textual log including a sequence of display objects,wherein each display object of the sequence of display objects represents a corresponding test behavior being analyzed to determine if the test behavior constitutes an anomalous behavior and the displayed sequence of display objects corresponds to the execution flow of the operations of the application software.
- View Dependent Claims (14)
- - 14. The method of claim 13, wherein an alteration in a display object of the textual log associated with a first test behavior occurs during play back of successive display images that are produced during the operations of the application software and during analysis as to whether the first test behavior constitutes an anomalous behavior.

15. A method for detecting anomalous behavior by an application software under test that suggest a presence of malware, comprising:
- conducting an analysis of operations of the application software for detecting an occurrence of one or more events;
  
  generating a video of a display output produced by the operations of the application software; and
  
  generating, for display on the electronic device contemporaneously with the video, a textual log that provides information as to when each event of the one or more events occurs within an execution flow of the operations of the application software, and, responsive to user input with respect to a select entry in the textual log, controlling the video so as to depict one or more display images for the video that corresponds to the select entry in the textual log.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15 further comprising:
    - generating, for display on the electronic device contemporaneously with the video and the textual log, (i) a display image adjacent to a corresponding event of the one or more events to identify a state of analysis associated with the corresponding event, and (ii) a search field that, based on user interaction, enables a search to be conducted for a particular event at a particular point in a replay of the video.
  - 17. The method of claim 15, wherein the one or more events comprise at least one anomalous behavior detected during the analysis of operations of the application software within one or more virtual machines.

18. A method for detecting anomalous behavior by an application software under test that suggests a presence of malware, comprising:
- conducting an analysis of operations of the application software for detecting an occurrence of one or more behaviors, wherein the analysis comprises (i) providing a displayed listing of a plurality of behaviors to be monitored, (ii) altering, in response to user interaction, an order of the plurality of behaviors within the listing, (iii) defining the order of processing of the plurality of behaviors during the analysis based at least in part on the order of the plurality of behaviors as displayed, and (iv) determining whether at least one of the plurality of behaviors is detected during analysis of the operations of the application software performed on the one or more virtual machines; and
  
  generating a video of a display output produced by the operations of the application software, the video being generated for display on an electronic device contemporaneously with display of the one or more events detected by the analysis.
- View Dependent Claims (19)
- - 19. The method of claim 18, wherein the one or more events comprise at least one anomalous behavior detected during the analysis of operations of the application software within one or more virtual machines.

20. A method for detecting anomalous behavior by an application software under test that suggests a presence of malware, comprising:
- conducting an analysis of the application software for detecting an occurrence of one or more events during operations of the application software, wherein the conducting of the analysis for the occurrence of the one or more events comprises (i) performing operations of the application software on one or more virtual machines, and (ii) determining whether at least one of the one or more events is detected during analysis of the operations of the application software performed on the one or more virtual machines;
  
  generating a video of a display output produced by the operations of the application software; and
  
  generating, for display on the electronic device contemporaneously with the video, a textual log including a sequence of display objects, each display object corresponding to a particular event of the one or more events,wherein the video being indexed for play back, where playback of the video is controlled through user interaction starting at a segment of the video associated with an event of the one or more events selected by the user.
- View Dependent Claims (21)
- - 21. The method of claim 20, wherein the one or more events comprises at least one anomalous behavior detected during the analysis of operations of the application software within the one or more virtual machines.

22. An apparatus for detecting anomalous behavior by an application software under test that suggests a presence of malware, the apparatus comprising:
- a processor; and
  
  a first logic communicatively coupled to the processor, the first logic to (i) conduct an analysis of operations of the application software for an occurrence of one or more events, (ii) generate a video of a display output produced by the operations of the application software, and (iii) generate, for display contemporaneously with the video, a textual log synchronized with display of successive display images of the video to illustrate the one or more events being monitored during the analysis of the operations of the application software.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 43)
- - 23. The apparatus of claim 22, wherein first logic is stored in a persistent memory and is communicatively coupled to the processor so that the processor executes the first logic to conduct the analysis within one or more virtual machines.
  - 24. The apparatus of claim 22, wherein the first logic conducting of the analysis by (a) responsive at least in part to user input, setting one or more behaviors to be monitored, each of the one or more behaviors being an event of the one or more events;
    - (b) controlling the operations of the application software conducted on one or more virtual machines; and
      
      (c) determining whether at least one of the one or more behaviors is detected during analysis of the operations of the application software performed on the one or more virtual machines.
  - 25. The apparatus of claim 24, wherein each of the one or more behaviors representing an anomalous behavior.
  - 26. The apparatus of claim 22, wherein the first logic conducting the analysis of operations of the application software for the occurrence of the one or more events includes detecting whether one or more anomalous behaviors occur during operations of the application software.
  - 27. The apparatus of claim 22, wherein the first logic generates the textual log synchronized with display of the successive display images of the video so that a change in status of an event of the one or more events being monitored during the analysis of the operations of the application software occurs during display of the successive display images of the video.
  - 28. The apparatus of claim 22 being a computer system and the software application is designed for native execution on a mobile electronic device.
  - 29. The apparatus of claim 22, wherein the first logic further indexing the video so as to permit a user, by user interaction, to access a desired segment of the video in accordance with at least one of a particular playback time in the video and a particular analyzed event of the one or more events.
  - 30. The apparatus of claim 22, wherein the first logic, executed by the processor, conducts the analysis of operations of the application software processed within one or more virtual machines for the occurrence of the one or more events by monitoring for one or more anomalous behaviors responsive, at least in part, to user input, the one or more anomalous behaviors include a malware-based behavior.
  - 31. The apparatus of claim 22, wherein the first logic, executed by the processor, conducts the analysis of operations of the application software processed within one or more virtual machines for the occurrence of the one or more events by monitoring for one or more anomalous behaviors responsive, at least in part, to user input, the one or more anomalous behaviors include an unexpected data transmission.
  - 32. The apparatus of claim 22, wherein the first logic to conduct the analysis of operations of the application software for the occurrence of the one or more events that comprise at least one anomalous behavior detected during the analysis of operations of the application software within one or more virtual machines.
  - 43. The non-transitory storage medium of claim 30, wherein the electronic device comprises a computer system and the software application is designed for native execution on a mobile electronic device.

33. An apparatus for detecting anomalous behavior by an application software under test that suggests a presence of malware, the apparatus comprising:
- a processor; and
  
  a first logic communicatively coupled to the processor, the first logic to (i) conduct an analysis of operations of the application software for an occurrence of one or more events, (ii) generate a video of a display output produced by the operations of the application software, (iii) generate, for display contemporaneously with the video, a textual log including information associated with the one or more events, the textual log provides information as to when each event of the one or more events occurs within an execution flow of the operations of the application software, and provides, during playback of the video, reciprocal graphic interaction between the displayed video and the displayed textual log responsive to user input.
- View Dependent Claims (34)
- - 34. The apparatus of claim 33, wherein the first logic to conduct the analysis of operations of the application software for the occurrence of the one or more events that comprise at least one anomalous behavior detected during the analysis of operations of the application software within one or more virtual machines.

35. A non-transitory storage medium to contain software that is configured to detect anomalous behavior that suggests a presence of malware within application software under analysis by performing, when executed by a processor, a plurality of operations, comprising:
- conducting an analysis of operations of the application software for an occurrence of one or more events; and
  
  generating a video of a display output produced by the operations of the application software; and
  
  generating, for display on the electronic device contemporaneously with the video, a textual log including a sequence of display objects, each display object corresponding to a particular event of the one or more events,wherein the video being indexed for play back, where playback of the video is controlled through user interaction starting at a segment of the video associated with a behavior of the one or more behaviors selected by the user.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42)
- - 36. The non-transitory storage medium of claim 35, wherein the processor executes the software that generates the textual log that is displayed contemporaneously with the video and synchronized with the display of the successive display images of the video so that a change in status of an event of the one or more events being monitored during the analysis of the operations of the application software occurs during display of the successive display images of the video.
  - 37. The non-transitory storage medium of claim 35, wherein the processor executes the software that conducts the analysis of operations of the application software to detect an event of the one or more events that is an anomalous behavior.
  - 38. The non-transitory storage medium of claim 37, wherein the processor conducts the operations of the application software in a run-time environment where an instance of the application software is executed by a virtual machine.
  - 39. The non-transitory storage medium of claim 38, wherein the video comprises a plurality of display images having a sequence corresponding to an execution flow of the operations of the application software.
  - 40. The non-transitory storage medium of claim 39, wherein the plurality of display images correspond to images that would have been displayed were the software application executed natively.
  - 41. The non-transitory storage medium of claim 35, wherein the software, when executed by the processor,generating, for display on the electronic device contemporaneously with the video, the textual log that provides information as to when each event of the one or more events occurs within an execution flow of the operations of the application software.
  - 42. The non-transitory storage medium of claim 35, wherein the conducting of the analysis for the occurrence of the one or more events by execution of the software by the processor, comprises:
    - setting the one or more events, each of the one or more events being a behavior to be monitored;
      
      simulating operations of the application software on one or more virtual machines; and
      
      determining whether at least one of the one or more behaviors is detected during analysis of the simulated operations of the application software performed on the one or more virtual machines.

44. A non-transitory storage medium to contain software that, when executed by a processor, performs one or more operations, comprising:
- conducting an analysis of operations of the application software for an occurrence of one or more events;
  
  generating a video of a display output produced by the operations of the application software;
  
  generating, for display contemporaneously with the video, a textual log that provides information as to when each event of the one or more events occurs within an execution flow of the operations of the application software; and
  
  providing, during playback of the video, reciprocal graphic interaction between the displayed video and the displayed textual log responsive to user input.
- View Dependent Claims (45)
- - 45. The non-transitory storage medium of claim 44, wherein the software, when executed by the processor, further performs one or more operations, comprising:
    - indexing the video so as to permit a user, by user interaction, to access a desired segment of video in accordance with at least one of a particular playback time in the video and a particular analyzed event of the one or more events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Goradia, Harnish, Ismael, Osman Abdoul, Johnson, Noah M., Mettler, Adrian, Aziz, Ashar
Primary Examiner(s)
Kim, Hee-Yong

Application Number

US13/775,174
Time in Patent Office

1,004 Days
Field of Search

348/154
US Class Current

1/1
CPC Class Codes

G06F 11/28   by checking the correct ord...

G06F 11/36   Preventing errors by testin...

G06F 11/3604   Software analysis for verif...

G06F 11/3608   using formal methods, e.g. ...

G06F 11/3612   by runtime analysis perform...

G06F 11/362   Software debugging

G06F 11/3664   Environments for testing or...

G06F 21/50   Monitoring users, programs ...

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/563   by source code analysis

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06N 20/00   Machine learning

G06N 3/006   based on simulated virtual ...

G06N 5/04   Inference or reasoning models

H04L 63/12 : Applying verification of th...

H04L 63/14 : for detecting or protecting...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1425 : Traffic logging, e.g. anoma...

H04L 63/1433 : Vulnerability analysis

H04L 63/145 : the attack involving the pr...

View All

User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

554 Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

554 Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links