Document exploit detection using baseline comparison

US 9,239,922 B1
Filed: 03/11/2013
Issued: 01/19/2016
Est. Priority Date: 03/11/2013
Status: Active Grant

First Claim

Patent Images

1. A method of creating a pattern for document exploit detection, said method comprising:

executing a software application in a computer;

opening a document file using said executing software application, said document file known to include malware and being of a type corresponding to said software application;

executing computer code of said document file in a software application different from said executing software application, said computer code exploiting a vulnerability in said different software application wherein said execution of said computer code of said document file in said different software application is caused by a software object embedded in said document file;

recording behaviors in said computer caused by said computer code of said document file in a report file;

creating a first pattern file from said report file, said first pattern file exhibiting said behaviors of said document file, which include one or more malicious behaviors;

obtaining a second pattern file that indicates behaviors caused by execution of a different document file that is known to be normal and non-malicious; and

comparing the first and second pattern files to help identify an expression of said first pattern file that matches with a benign behavior.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An application document known to include malware (such as a document exploit) is opened and executed by its corresponding software application. Behaviors of this document (such as registry, file system, network and process) are monitored and recorded using internal software drivers and hook modules. A behavior report is generated and a baseline pattern is created including a number of regular expressions. A suspicious document of the same type as the monitored document is opened and executed by the same corresponding software application. Behaviors are monitored in the same way and a behavior report is generated. This behavior report is compared to the baseline pattern and a determination is made as to whether a document exploit is present. Known benign documents may also be opened, monitored and their behavior recorded, resulting in creation of a known benign pattern for the corresponding software application.

Citations

28 Claims

1. A method of creating a pattern for document exploit detection, said method comprising:
- executing a software application in a computer;
  
  opening a document file using said executing software application, said document file known to include malware and being of a type corresponding to said software application;
  
  executing computer code of said document file in a software application different from said executing software application, said computer code exploiting a vulnerability in said different software application wherein said execution of said computer code of said document file in said different software application is caused by a software object embedded in said document file;
  
  recording behaviors in said computer caused by said computer code of said document file in a report file;
  
  creating a first pattern file from said report file, said first pattern file exhibiting said behaviors of said document file, which include one or more malicious behaviors;
  
  obtaining a second pattern file that indicates behaviors caused by execution of a different document file that is known to be normal and non-malicious; and
  
  comparing the first and second pattern files to help identify an expression of said first pattern file that matches with a benign behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 28)
- - 2. A method as recited in claim 1, said method further comprising:
    - installing software hooks in an operating system of said computer and executing at least one internal driver in said computer in order to perform said recording.
  - 3. A method as recited in claim 1, said method further comprising:
    - closing said document file before any interaction by a user of said computer with said document file, wherein said report file does not include any behaviors caused by human interaction.
  - 4. A method as recited in claim 1, said method comprising:
    - removing from said first pattern file said expression that matches with said benign behavior.
  - 5. A method as recited in claim 1, wherein said computer behaviors include registry behaviors, file system behaviors, network behaviors, and process behaviors.
  - 6. A method as recited in claim 2, wherein:
    - said recording of said computer behaviors uses said software hooks and said at least one internal driver.
  - 7. A method as recited in claim 1, further comprising:
    - executing a document file known to be normal and non-malicious;
      
      creating said second pattern file that indicates behaviors caused by said execution of said normal document file; and
      
      selecting one or more expressions in said first pattern file based on a comparison of said first pattern file and said second pattern file wherein said selected one or more expressions match expressions indicated in said second pattern file;
      
      modifying said first pattern file to indicate that said selected one or more expressions in said first pattern file are normal and non-malicious;
      
      opening a suspicious document file using a software application wherein it is unknown whether said suspicious document file is malicious;
      
      recording behaviors caused by execution of computer code of said suspicious document file;
      
      comparing said suspicious document file behaviors with behaviors indicated in said modified first pattern file;
      
      based on said comparison of said unknown document file behaviors with behaviors indicated in said modified first pattern file, determining whether said unknown document file is malicious; and
      
      displaying said determination.
  - 8. A method as recited in claim 7 wherein:
    - said modification of said first pattern file involves editing said first pattern file to remove said selected one or more expressions from said first pattern file.
  - 9. A method as recited in claim 8 wherein said removed expression indicates a behavior caused by execution of said document file that is known to include malware, said removed expression involving one selected from the group consisting of adding a registry, modifying a registry, adding a file, modifying a file, establishing a network connection and downloading an executable.
  - 28. A method as recited in claim 1, further comprising:
    - executing a software application in a computer;
      
      opening a document file using said executing software application, said document file known to include malware and being of a type corresponding to said software application;
      
      recording behaviors in said computer caused by computer code of said document file in a report file;
      
      creating a first pattern file from said report file, said first pattern file exhibiting said behaviors of said document file, which include one or more malicious behaviors;
      
      obtaining a second pattern file that indicates behaviors caused by execution of a different document file that is known to be normal and non-malicious;
      
      comparing the first and second pattern files to help identify an expression of said first pattern file that matches with a benign behavior;
      
      opening a suspicious document file using an executing software application;
      
      recording behaviors in a computer caused by computer code of said suspicious document file in a suspicious report file;
      
      comparing behaviors of said suspicious report file to said malicious behaviors exhibited by said first pattern file;
      
      assigning weights to behaviors that are indicative of malware and that are found in said suspicious report file and said first pattern file; and
      
      outputting a result indicating whether said suspicious document file is malicious wherein said result is based on said comparison of said behaviors of said suspicious report file to said malicious behaviors exhibited by said first pattern file and is further based on said assigned weights.

10. A method of detecting a document exploit in a suspicious document file, said method comprising:
- executing a software application in a computer;
  
  opening said suspicious document file using said executing software application, said suspicious document file not including any malware;
  
  recording behaviors in said computer caused by computer code of said suspicious document file in a suspicious report file;
  
  receiving a baseline pattern file, said baseline pattern file including behaviors from a document file of a same type as said suspicious document file, wherein said document file of said same type is known to include malware;
  
  comparing behaviors of said suspicious report file to behaviors of said baseline pattern file;
  
  based on said comparing operation, matching a subset of said behaviors in said suspicious report file with behaviors in said baseline pattern file, said subset including at least two behaviors;
  
  assigning a separate weight to each matched behavior in said subset, each weight indicating a likelihood that each matched behavior involves malware; and
  
  outputting a result of said comparison indicating that said suspicious document file does not include a document exploit wherein said result is based at least in part on said weights assigned to said behaviors.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. A method as recited in claim 10, said method further comprising:
    - installing software hooks in an operating system of said computer and executing at least one internal driver in said computer in order to perform said recording.
  - 12. A method as recited in claim 10, said method further comprising:
    - closing said suspicious document file before any interaction by a user of said computer with said suspicious document file, wherein said suspicious report file does not include any behaviors caused by human interaction.
  - 13. A method as recited in claim 10, wherein said suspicious document file is of a type corresponding to a type of said software application.
  - 14. A method as recited in claim 10, wherein said computer behaviors include registry behaviors, file system behaviors, network behaviors, and process behaviors.
  - 15. A method as recited in claim 11, wherein:
    - said recording of said computer behaviors uses said software hooks and said at least one internal driver.
  - 16. A method as recited in claim 10, further comprising:
    - executing said computer code of said suspicious document file in a software application different from said executing software application wherein said execution of said computer code of said suspicious document file in said different software application is caused by a software object embedded in said suspicious document file.
  - 17. A method as recited in claim 10, further comprising:
    - summing said weights of said behaviors that are found in said suspicious report file and said baseline pattern file; and
      
      determining that said suspicious document file does not include a document exploit based at least in part on whether said summed weights exceeds a predetermined threshold.
  - 18. A method as recited in claim 10 wherein each behavior of said baseline pattern is represented by one selected from the group consisting of a text string, a regular expression and a rule of said baseline pattern.
  - 19. A method as recited in claim 10 wherein the comparing operation involves using at least one selected from the group consisting of a string search algorithm and a regular expression match algorithm to help identify matching behaviors in said suspicious report file and said baseline pattern.

20. A method of detecting a document exploit in a suspicious document file, said method comprising:
- executing a software application in a computer;
  
  opening said suspicious document file using said executing software application, said suspicious document file including said document exploit;
  
  recording behaviors in said computer caused by computer code of said suspicious document file in a suspicious report file;
  
  receiving a baseline pattern file, said baseline pattern file including behaviors from a document file of a same type as said suspicious document file, wherein said document file of said same type is known to include malware;
  
  comparing behaviors of said suspicious report file to behaviors of said baseline pattern file;
  
  based on said comparing operation, matching a subset of said behaviors in said suspicious report file with behaviors in said baseline pattern file, said subset including at least two behaviors;
  
  assigning a separate weight to each matched behavior in said subset, each weight indicating a likelihood that each matched behavior involves malware; and
  
  outputting a result of said comparison indicating that said suspicious document file includes said document exploit wherein said result is based at least in part on said weights assigned to said behaviors.
- View Dependent Claims (21, 22, 23, 24, 25, 26)
- - 21. A method as recited in claim 20, said method further comprising:
    - installing software hooks in an operating system of said computer and executing at least one internal driver in said computer in order to perform said recording.
  - 22. A method as recited in claim 20, said method further comprising:
    - closing said suspicious document file before any interaction by a user of said computer with said suspicious document file, wherein said suspicious report file does not include any behaviors caused by human interaction.
  - 23. A method as recited in claim 20, wherein said suspicious document file is of a type corresponding to a type of said software application.
  - 24. A method as recited in claim 20, wherein said computer behaviors include registry behaviors, file system behaviors, network behaviors, and process behaviors.
  - 25. A method as recited in claim 21, wherein:
    - said recording of said computer behaviors uses said software hooks and said at least one internal driver.
  - 26. A method as recited in claim 20, further comprising:
    - summing said weights of said behaviors that are found in both said suspicious report file and said baseline pattern file; and
      
      determining that said suspicious document file includes said document exploit based at least in part on whether said summed weights exceed a predetermined threshold.

27. A method comprising:
- executing a software application in a computer;
  
  opening a document file using said executing software application, said document file known to include malware and being of a type corresponding to said software application;
  
  recording behaviors in said computer caused by computer code of said document file in a report file;
  
  creating a first pattern file from said report file, said first pattern file exhibiting said behaviors of said document file, which include one or more malicious behaviors;
  
  executing a document file known to be normal and non-malicious;
  
  creating a second pattern file that indicates behaviors caused by said execution of said known normal document file;
  
  obtaining said second pattern file that indicates said behaviors caused by said execution of said known normal document file;
  
  comparing said first and second pattern files to help identify an expression of said first pattern file that matches with a benign behavior;
  
  selecting one or more expressions in said first pattern file based on said comparing operation; and
  
  performing one selected from the group consisting of (1) removing said selected one or more expressions in said first pattern file without removing one or more other expressions in said first pattern file; and
  
  (2) assigning a value to said selected one or more expressions in said first pattern file that indicates that said selected one or more expressions are non-malicious wherein said assigned value is based on said comparing of said first pattern file and said second pattern file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Zhu, Xuewen, Liu, Xinfeng, Chen, Xuebin, Huang, Qiang
Primary Examiner(s)
CHANG, KENNETH W

Application Number

US13/794,400
Time in Patent Office

1,044 Days
Field of Search

726/24
US Class Current

1/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

Document exploit detection using baseline comparison

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Document exploit detection using baseline comparison

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links