Exploration system and method for analyzing behavior of binary executable programs
Abstract

Systems and methods for automatically analyzing and predicting the behavior of binary executable programs are provided. A virtual machine receives a URL or content-based feature corresponding to a binary executable program, and the virtual machine analyzes the behavior of the binary executable program. The safety information of the binary executable program is determined from the analysis report generated by the virtual machine and from the program's impact on the virtual machine. A binary explorer selects a URL or content-based feature corresponding to the binary executable program to be analyzed. A binary analyzer automatically records the behavior of the binary executable program to generate a report containing safety information describing the interaction that occurred between the binary executable program and the analysis virtual machine. A result interpreter determines and predicts whether the binary executable program is safe based on the information generated by the binary analyzer.
18 Claims

1. A computer-implemented method for automatically analyzing and predicting behavior of a binary executable program, the method comprising:

    receiving a uniform resource locator addressing the binary executable program to be analyzed;

    identifying a plurality of testers based on one or more task requirements of the binary executable program, wherein each tester is associated with a unique task;

    for each identified tester:

        running an analysis virtual machine without the binary executable program being installed;

        taking a snapshot of the analysis virtual machine to generate a replay base case describing parameters of the analysis virtual machine once the analysis virtual machine is run without the binary executable program being installed in the analysis virtual machine;

        running the binary executable program installed in the analysis virtual machine to simulate interaction of the binary executable program with a computing device;

        automatically recording, by the identified tester, safety information describing interaction that occurred between the binary executable program and the analysis virtual machine when the binary executable program was run in the analysis virtual machine; and

        determining whether the binary executable program is unsafe based on the safety information generated by the analysis virtual machine by:

            comparing the safety information of the binary executable program to be analyzed with the replay base case,

            identifying a scorer that is associated with the identified tester, and

            scoring, by the identified scorer, the safety information of the binary executable program to be analyzed based on the comparison,

    wherein the receiving, the running, the recording, and the determining are performed by one or more computing devices.

    (Dependent claims: 2, 3, 4, 5, 6, 7, 8)

9. A system for automatically analyzing and predicting behavior of a binary executable program, comprising:

    a binary explorer, implemented by one or more computing devices, configured to receive a uniform resource locator addressing the binary executable program to be analyzed;

    a binary analyzer, implemented by one or more computing devices, configured to:

        run the binary executable program installed in an analysis virtual machine to simulate interaction of the binary executable program on a computing device, wherein the analysis virtual machine comprises a plurality of testers that are each associated with a unique task,

        automatically record, by each identified tester, safety information describing interaction that occurred between the binary executable program and the analysis virtual machine when the binary executable program was run in the analysis virtual machine; and

    a result interpreter, implemented by one or more computing devices, configured to determine whether the binary executable program is unsafe based on the safety information generated by the analysis virtual machine, wherein the result interpreter comprises a plurality of scorers, wherein each scorer is associated with one of the identified testers, implemented by one or more computing devices, configured to:

        take a snapshot of the analysis virtual machine to generate a replay base case describing parameters of the virtual machine without the binary executable program being installed in the analysis virtual machine;

        compare the safety information of the binary executable program to be analyzed with the replay base case of the analysis virtual machine; and

        score the information of the binary executable program to be analyzed based on the comparison.

    (Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17)

18. A non-transitory computer-readable medium storing software comprising instructions executable by one or more computers which, upon such execution, cause the one or more computers to perform operations comprising:

    receiving a uniform resource locator addressing the binary executable program to be analyzed;

    identifying a plurality of testers based on one or more task requirements of the binary executable program, wherein each tester is associated with a unique task;

    for each identified tester:

        running an analysis virtual machine without the binary executable program being installed;

        taking a snapshot of the analysis virtual machine to generate a replay base case describing parameters of the analysis virtual machine once the analysis virtual machine is run without the binary executable program being installed in the analysis virtual machine;

        running the binary executable program installed in the analysis virtual machine to simulate interaction of the binary executable program with a computing device;

        automatically recording, by the identified tester, safety information describing interaction that occurred between the binary executable program and the analysis virtual machine when the binary executable program was run in the analysis virtual machine; and

        determining whether the binary executable program is unsafe based on the safety information generated by the analysis virtual machine by, for each of the identified testers:

            comparing the safety information of the binary executable program to be analyzed with the replay base case,

            identifying a scorer that is associated with the identified tester, and

            scoring, by the identified scorer, the safety information of the binary executable program to be analyzed based on the comparison.

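The pipeline the abstract and claims describe (replay base case snapshot, one tester per task recording safety information, one scorer per tester, an unsafe determination from the comparison) can be sketched in code. This is an added illustration written for this page, not the patent holder's implementation; the VM snapshots, the three tester tasks, the score weights and the threshold are all constructed assumptions.

```python
# Added illustration of the claimed analysis pipeline. All VM state below is
# constructed in-memory sample data, not output of a real hypervisor.
from dataclasses import dataclass, field

@dataclass
class Snapshot:
    """Parameters of the analysis VM captured at one point in time."""
    files: set = field(default_factory=set)        # files present on disk
    autoruns: set = field(default_factory=set)     # persistence entries
    connections: set = field(default_factory=set)  # (host, port) pairs

# Each tester has a unique task: it records, as safety information, the
# change between the replay base case and the VM after the sample ran.
TESTERS = {
    "filesystem": lambda base, after: after.files - base.files,
    "persistence": lambda base, after: after.autoruns - base.autoruns,
    "network": lambda base, after: after.connections - base.connections,
}

# One scorer is associated with each tester; the weights are assumptions.
SCORERS = {
    "filesystem": lambda info: 1 * len(info),
    "persistence": lambda info: 5 * len(info),
    "network": lambda info: 3 * len(info),
}

def analyze(base: Snapshot, after: Snapshot, threshold: int = 5) -> dict:
    """Compare each tester's safety information with the base case, score it,
    and decide whether the binary is unsafe (threshold is an assumption)."""
    report = {}
    for name, tester in TESTERS.items():
        safety_info = tester(base, after)          # recording + comparison
        report[name] = SCORERS[name](safety_info)  # scoring by paired scorer
    report["total"] = sum(report.values())
    report["unsafe"] = report["total"] >= threshold
    return report

# Constructed sample: the clean VM (replay base case), then the same VM after
# a sample dropped a file, added an autorun entry and opened one connection.
BASE_CASE = Snapshot(files={"C:/Windows/notepad.exe"},
                     autoruns={"Run/Defender"})
AFTER_RUN = Snapshot(files={"C:/Windows/notepad.exe", "C:/Users/Public/upd.exe"},
                     autoruns={"Run/Defender", "Run/upd"},
                     connections={("203.0.113.10", 443)})

if __name__ == "__main__":
    print(analyze(BASE_CASE, AFTER_RUN))   # total 9 -> unsafe
    print(analyze(BASE_CASE, BASE_CASE))   # no change -> not unsafe
```

A sample that leaves the VM identical to the base case scores zero under every tester, which is what makes the clean snapshot the reference point rather than any fixed list of bad behaviors.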
Specification