Document exploit detection using baseline comparison
Abstract
An application document known to include malware (such as a document exploit) is opened and executed by its corresponding software application. Behaviors of this document (such as registry, file system, network and process) are monitored and recorded using internal software drivers and hook modules. A behavior report is generated and a baseline pattern is created including a number of regular expressions. A suspicious document of the same type as the monitored document is opened and executed by the same corresponding software application. Behaviors are monitored in the same way and a behavior report is generated. This behavior report is compared to the baseline pattern and a determination is made as to whether a document exploit is present. Known benign documents may also be opened, monitored and their behavior recorded, resulting in creation of a known benign pattern for the corresponding software application.
28 Claims
1. A method of creating a pattern for document exploit detection, said method comprising:
- executing a software application in a computer;
- opening a document file using said executing software application, said document file known to include malware and being of a type corresponding to said software application;
- executing computer code of said document file in a software application different from said executing software application, said computer code exploiting a vulnerability in said different software application wherein said execution of said computer code of said document file in said different software application is caused by a software object embedded in said document file;
- recording behaviors in said computer caused by said computer code of said document file in a report file;
- creating a first pattern file from said report file, said first pattern file exhibiting said behaviors of said document file, which include one or more malicious behaviors;
- obtaining a second pattern file that indicates behaviors caused by execution of a different document file that is known to be normal and non-malicious; and
- comparing the first and second pattern files to help identify an expression of said first pattern file that matches with a benign behavior.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 28
10. A method of detecting a document exploit in a suspicious document file, said method comprising:
- executing a software application in a computer;
- opening said suspicious document file using said executing software application, said suspicious document file not including any malware;
- recording behaviors in said computer caused by computer code of said suspicious document file in a suspicious report file;
- receiving a baseline pattern file, said baseline pattern file including behaviors from a document file of a same type as said suspicious document file, wherein said document file of said same type is known to include malware;
- comparing behaviors of said suspicious report file to behaviors of said baseline pattern file;
- based on said comparing operation, matching a subset of said behaviors in said suspicious report file with behaviors in said baseline pattern file, said subset including at least two behaviors;
- assigning a separate weight to each matched behavior in said subset, each weight indicating a likelihood that each matched behavior involves malware; and
- outputting a result of said comparison indicating that said suspicious document file does not include a document exploit wherein said result is based at least in part on said weights assigned to said behaviors.

Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18, 19
20. A method of detecting a document exploit in a suspicious document file, said method comprising:
- executing a software application in a computer;
- opening said suspicious document file using said executing software application, said suspicious document file including said document exploit;
- recording behaviors in said computer caused by computer code of said suspicious document file in a suspicious report file;
- receiving a baseline pattern file, said baseline pattern file including behaviors from a document file of a same type as said suspicious document file, wherein said document file of said same type is known to include malware;
- comparing behaviors of said suspicious report file to behaviors of said baseline pattern file;
- based on said comparing operation, matching a subset of said behaviors in said suspicious report file with behaviors in said baseline pattern file, said subset including at least two behaviors;
- assigning a separate weight to each matched behavior in said subset, each weight indicating a likelihood that each matched behavior involves malware; and
- outputting a result of said comparison indicating that said suspicious document file includes said document exploit wherein said result is based at least in part on said weights assigned to said behaviors.

Dependent claims: 21, 22, 23, 24, 25, 26
27. A method comprising:
- executing a software application in a computer;
- opening a document file using said executing software application, said document file known to include malware and being of a type corresponding to said software application;
- recording behaviors in said computer caused by computer code of said document file in a report file;
- creating a first pattern file from said report file, said first pattern file exhibiting said behaviors of said document file, which include one or more malicious behaviors;
- executing a document file known to be normal and non-malicious;
- creating a second pattern file that indicates behaviors caused by said execution of said known normal document file;
- obtaining said second pattern file that indicates said behaviors caused by said execution of said known normal document file;
- comparing said first and second pattern files to help identify an expression of said first pattern file that matches with a benign behavior;
- selecting one or more expressions in said first pattern file based on said comparing operation; and
- performing one selected from the group consisting of (1) removing said selected one or more expressions in said first pattern file without removing one or more other expressions in said first pattern file; and (2) assigning a value to said selected one or more expressions in said first pattern file that indicates that said selected one or more expressions are non-malicious wherein said assigned value is based on said comparing of said first pattern file and said second pattern file.
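The abstract and claims 1, 10, 20 and 27 describe one pipeline: turn a behavior report of a known-malicious document into a baseline pattern of regular expressions, subtract (or zero-weight) the expressions that a known-benign document of the same type also produces, then score a suspicious document's report by matching at least two expressions and summing their weights. The following Python script is an added worked example of that pipeline; it is not code from the patent or its assignee. It assumes a simple one-line-per-event report format ("category|detail"), per-category default weights, a 0.5 verdict threshold and a two-match minimum, all of which are choices made for this example; the report lines themselves are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed behavior reports, one recorded event per line as
# "<category>|<detail>". Categories follow the abstract (process, registry,
# file system, network). None of these lines come from the patent.
MALICIOUS_REPORT = r"""
process|winword.exe started pid 1234
registry|read HKCU\Software\Microsoft\Office\Word\Options
file|write C:\Users\u\AppData\Local\Temp\~WRD0001.tmp
process|winword.exe spawned cmd.exe
file|write C:\Users\u\AppData\Roaming\svchost.exe
registry|write HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc
network|connect 203.0.113.10:443
""".strip().splitlines()

BENIGN_REPORT = r"""
process|winword.exe started pid 2210
registry|read HKCU\Software\Microsoft\Office\Word\Options
file|write C:\Users\u\AppData\Local\Temp\~WRD0007.tmp
file|write C:\Users\u\Documents\memo.doc
""".strip().splitlines()

# A second, unrelated document of the same type that shows the same two
# malicious behaviors, plus a harmless one.
SUSPICIOUS_REPORT = r"""
process|winword.exe started pid 4412
registry|read HKCU\Software\Microsoft\Office\Word\Options
file|write C:\Users\u\AppData\Local\Temp\~WRD0042.tmp
process|winword.exe spawned cmd.exe
network|connect 198.51.100.7:8080
""".strip().splitlines()

CLEAN_REPORT = r"""
process|winword.exe started pid 9001
registry|read HKCU\Software\Microsoft\Office\Word\Options
file|write C:\Users\u\AppData\Local\Temp\~WRD0042.tmp
file|write C:\Users\u\Documents\notes.doc
""".strip().splitlines()

# Default weight per category: an assumption of this example, standing in for
# the per-behavior likelihoods the claims describe.
CATEGORY_WEIGHT = {"process": 0.4, "network": 0.4, "registry": 0.2, "file": 0.2}


@dataclass
class Expression:
    regex: str
    weight: float


def generalize(line: str) -> str:
    """Turn one recorded behavior into a regular expression: escape the literal
    text, then widen every digit run so PIDs, temp-file counters and IP octets
    do not pin the expression to a single execution."""
    return re.sub(r"\d+", r"\\d+", re.escape(line))


def build_pattern(report: list[str]) -> list[Expression]:
    """Create a pattern file (list of weighted expressions) from a report."""
    seen: dict[str, Expression] = {}
    for line in report:
        category = line.split("|", 1)[0]
        regex = generalize(line)
        seen.setdefault(regex, Expression(regex, CATEGORY_WEIGHT.get(category, 0.1)))
    return list(seen.values())


def subtract_benign(baseline: list[Expression], benign_report: list[str],
                    remove: bool = True) -> list[Expression]:
    """Compare the baseline against a known-benign document's behaviors.
    Expressions that also match benign behavior are either dropped (option 1 of
    claim 27) or kept with weight 0.0 so they never contribute to a verdict
    (option 2)."""
    refined = []
    for expr in baseline:
        is_benign = any(re.fullmatch(expr.regex, b) for b in benign_report)
        if is_benign and remove:
            continue
        refined.append(Expression(expr.regex, 0.0 if is_benign else expr.weight))
    return refined


def score_report(report: list[str], pattern: list[Expression],
                 threshold: float = 0.5, min_matches: int = 2):
    """Match a suspicious report against the pattern; require at least
    min_matches matched behaviors and a summed weight >= threshold."""
    matched = [e for e in pattern if any(re.fullmatch(e.regex, s) for s in report)]
    total = sum(e.weight for e in matched)
    is_exploit = len(matched) >= min_matches and total >= threshold
    return is_exploit, total, [e.regex for e in matched]


if __name__ == "__main__":
    baseline = subtract_benign(build_pattern(MALICIOUS_REPORT), BENIGN_REPORT)
    for name, rpt in (("suspicious", SUSPICIOUS_REPORT), ("clean", CLEAN_REPORT)):
        verdict, total, hits = score_report(rpt, baseline)
        print(f"{name}: exploit={verdict} weight={total:.2f} matched={len(hits)}")
```

With `remove=False` the benign expressions stay in the pattern but carry weight 0.0: the clean report then matches three expressions (document open, options read, temp-file write), yet its summed weight is 0.0 and the verdict is still negative, which is the point of zero-weighting rather than deleting. The digit generalization is deliberately coarse; a production pattern would normalize user profile paths and hostnames too, or the baseline would flag every document that happens to run under a different user.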