Exploration system and method for analyzing behavior of binary executable programs

US 9,215,245 B1
Filed: 08/23/2012
Issued: 12/15/2015
Est. Priority Date: 11/10/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for automatically analyzing and predicting behavior of a binary executable program, the method comprising:

receiving an uniform resource locator addressing the binary executable program to be analyzed;

identifying a plurality of testers based on one or more task requirements of the binary executable program, wherein each tester is associated with a unique task;

for each identified tester;

running an analysis virtual machine without the binary executable program being installed,taking a snapshot of the analysis virtual machine to generate a replay base case describing parameters of the analysis virtual machine once the analysis virtual machine is run without the binary executable program being installed in the analysis virtual machine,running the binary executable program installed in the analysis virtual machine to simulate interaction of the binary executable program with a computing device,automatically recording, by the identified tester, safety information describing interaction that occurred between the binary executable program and the analysis virtual machine when the binary executable program was run in the analysis virtual machine, anddetermining whether the binary executable program is unsafe based on the safety information generated by the analysis virtual machine by;

comparing the safety information of the binary executable program to be analyzed with the replay base case,identifying a scorer that is associated with the identified tester, andscoring, by the identified scorer, the safety information of the binary executable program to be analyzed based on the comparison,wherein the receiving, the running, the recording, and the determining are performed by one or more computing devices.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for automatically analyzing and predicting behavior of binary executable programs are provided. A virtual machine receives a URL or content based feature corresponding to a binary executable program and the virtual machine analyzes the behavior of the binary executable program. The safety information of the binary executable program is determined based on the analysis report generated by the virtual machine and its impact on the virtual machine. A binary explorer selects a URL or content based feature corresponding to the binary executable program to be analyzed. A binary analyzer automatically records the behavior of the binary executable program to generate a report containing safety information describing the interaction occurred between the binary executable program and the analysis virtual machine. A result interpreter determines and predicts whether the binary executable program is safe based on the information generated by the binary analyzer.

Citations

18 Claims

1. A computer-implemented method for automatically analyzing and predicting behavior of a binary executable program, the method comprising:
- receiving an uniform resource locator addressing the binary executable program to be analyzed;
  
  identifying a plurality of testers based on one or more task requirements of the binary executable program, wherein each tester is associated with a unique task;
  
  for each identified tester;
  
  running an analysis virtual machine without the binary executable program being installed,taking a snapshot of the analysis virtual machine to generate a replay base case describing parameters of the analysis virtual machine once the analysis virtual machine is run without the binary executable program being installed in the analysis virtual machine,running the binary executable program installed in the analysis virtual machine to simulate interaction of the binary executable program with a computing device,automatically recording, by the identified tester, safety information describing interaction that occurred between the binary executable program and the analysis virtual machine when the binary executable program was run in the analysis virtual machine, anddetermining whether the binary executable program is unsafe based on the safety information generated by the analysis virtual machine by;
  
  comparing the safety information of the binary executable program to be analyzed with the replay base case,identifying a scorer that is associated with the identified tester, andscoring, by the identified scorer, the safety information of the binary executable program to be analyzed based on the comparison,wherein the receiving, the running, the recording, and the determining are performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, further comprising:
    - maintaining a binary database including safety information for each of a plurality of known executable programs; and
      
      wherein the determining whether the binary executable program is unsafe further comprises comparing the binary executable program to be analyzed with the known executable programs in the binary databases.
  - 3. The computer-implemented method of claim 1, wherein the recording further comprises:
    - recording safety information of describing an impact of the binary executable program on search result executed by the analysis virtual machine.
  - 4. The computer-implemented method of claim 1, further comprising:
    - installing the binary executable program to the analysis virtual machine; and
      
      taking a snapshot of the analysis virtual machine after the installation of the binary executable program.
  - 5. The computer-implemented method of claim 4, wherein the recording further comprises:
    - recording safety information describing changes on parameters of the analysis virtual machine attributed to spying activities.
  - 6. The computer-implemented method of claim 4, further comprising:
    - uninstalling the binary executable program from the analysis virtual machine; and
      
      taking a snapshot of the analysis virtual machine after the uninstallation of the binary executable program.
  - 7. The computer-implemented method of claim 1, further comprising:
    - simulating and automating interaction of a human user with the analysis virtual machine via an auto-user.
  - 8. The computer-implemented method of claim 1, further comprising:
    - selecting the binary executable program to be analyzed based on a content based feature of the binary executable program.

9. A system for automatically analyzing and predicting behavior of a binary executable program, comprising:
- a binary explorer, implemented by one or more computing devices, configured to receive an uniform resource locator addressing the binary executable program to be analyzed;
  
  a binary analyzer, implemented by one or more computing devices, configured to;
  
  run the binary executable program installed in an analysis virtual machine to simulate interaction of the binary executable program on a computing device, wherein the analysis virtual machine comprises a plurality of testers that are each associated with a unique task,automatically record, by each identified tester, safety information describing interaction that occurred between the binary executable program and the analysis virtual machine when the binary executable program was run in the analysis virtual machine; and
  
  a result interpreter, implemented by one or more computing devices, configured to determine whether the binary executable program is unsafe based on the safety information generated by the analysis virtual machine, wherein the result interpreter comprises a plurality of scorers, wherein each scorer is associated with one of the identified testers, implemented by one or more computing devices, configured to;
  
  take a snapshot of the analysis virtual machine to generate a replay base case describing parameters of the virtual machine without the binary executable program being installed in the analysis virtual machine;
  
  compare the safety information of the binary executable program to be analyzed with the replay base case of the analysis virtual machine; and
  
  score the information of the binary executable program to be analyzed based on the comparison.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The system of claim 9, wherein the result interpreter is further configured to:
    - compare the binary executable program to be analyzed with each of a plurality of known executable programs in a binary database, wherein the binary database contains safety information describing the interaction of the known executable programs with a computing device.
  - 11. The system of claim 9, further comprising:
    - a data reporter, implemented by one or more computing devices, configured to present the safety information to a user to trigger a warning message based on a match between the binary executable program to be analyzed and an entry of known executable programs in a binary database, wherein the binary database contains safety information describing the interaction of the known executable programs with a computing device.
  - 12. The system of claim 9, wherein the plurality of testers comprises a binary installation tester, configured to:
    - install the binary executable program to the analysis virtual machine; and
      
      take a snapshot of the analysis virtual machine after the installation of the binary executable program.
  - 13. The system of claim 9, wherein the plurality of testers comprises a search tester, configured to record safety information describing an impact of the binary executable program on search result executed in the analysis virtual machine.
  - 14. The system of claim 9, wherein the plurality of testers comprises a spyware tester, configured record safety information describing changes on parameters of the analysis virtual machine attributed to spying activities.
  - 15. The system of claim 9, wherein the plurality of testers comprises an uninstallation tester, configured to:
    - uninstall the binary executable program from the analysis virtual machine; and
      
      take a snapshot of the analysis virtual machine after the uninstallation of the binary executable programs.
  - 16. The system of claim 9, wherein the analysis virtual machine comprises an auto-user, configured to simulate and automate interaction of a human user with the analysis virtual machine.
  - 17. The system of claim 9, further comprising:
    - a pre-filter, implemented by one or more computing devices, configured to filter the binary executable program to be analyzed based on a content based feature of the binary executable program;
      
      a content fetcher, implemented by one or more computing devices, configured to fetch content of the binary executable program; and
      
      to store as a record in a binary database; and
      
      a task submitter, implemented by one or more computing devices, configured to submit and prioritize tasks associated with the fetched content to the analysis virtual machine to be analyzed based on a metadata of the record.

18. A non-transitory computer-readable medium storing software comprising instructions executable by one or more computers which, upon such execution, cause the one or more computers to perform operations comprising:
- receiving an uniform resource locator addressing the binary executable program to be analyzed;
  
  identifying a plurality of testers based on one or more task requirements of the binary executable program, wherein each tester is associated with a unique task;
  
  for each identified tester;
  
  running an analysis virtual machine without the binary executable program being installed;
  
  taking a snapshot of the analysis virtual machine to generate a replay base case describing parameters of the analysis virtual machine once the analysis virtual machine is run without the binary executable program being installed in the analysis virtual machine;
  
  running the binary executable program installed in the analysis virtual machine to simulate interaction of the binary executable program with a computing device;
  
  automatically recording, by the identified tester, safety information describing interaction that occurred between the binary executable program and the analysis virtual machine when the binary executable program was run in the analysis virtual machine; and
  
  determining whether the binary executable program is unsafe based on the safety information generated by the analysis virtual machine by, for each of the identified testers;
  
  comparing the safety information of the binary executable program to be analyzed with the replay base case,identifying a scorer that is associated with the identified tester, andscoring, by the identified scorer, the safety information of the binary executable program to be analyzed based on the comparison.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Provos, Niels, Rajab, Moheeb Abu, Zhao, Xin
Primary Examiner(s)
Pyzocha, Michael

Application Number

US13/593,064
Time in Patent Office

1,209 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

G06F 21/57   Certifying or maintaining t...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

Exploration system and method for analyzing behavior of binary executable programs

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Exploration system and method for analyzing behavior of binary executable programs

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links