Detection efficacy of virtual machine-based analysis with application specific events
First Claim
1. A computerized method for classifying an object based on detected process operations and associated process parameters that describe the context of the process operations, comprising:
receiving an object to be examined for malware;
performing dynamic analysis on the object, wherein the dynamic analysis includes:
processing the object within a virtual machine, detecting, by a monitor, a process operation during the processing of the object within the virtual machine, and recording the process operation and a corresponding set of process parameters associated with the process operation, wherein the set of process parameters defines a context in which the process operation was performed within the virtual machine when the process operation was detected, wherein the recorded process operation and the set of process parameters comprise a behavior;
generating a probability the behavior is suspicious based on a comparison of the recorded process operation and the set of process parameters with at least one of (i) a set of expected process operations and process parameters, or (ii) a set of anomalous process operations and process parameters; and
responsive to the probability being equal to or above a first predefined level, classifying the object as malware.
5 Assignments
0 Petitions
Abstract
A computerized system and method is described for classifying objects as malicious by processing the objects in a virtual environment and monitoring behaviors during processing by one or more monitors. The monitors may monitor and record selected sets of process operations and capture associated process parameters, which describe the context in which the process operations were performed. By recording the context of process operations, the system and method described herein improves the intelligence of classifications and consequently reduces the likelihood of incorrectly identifying objects as malware or vice versa.
701 Citations
27 Claims
1. A computerized method for classifying an object based on detected process operations and associated process parameters that describe the context of the process operations, comprising:
receiving an object to be examined for malware;
performing dynamic analysis on the object, wherein the dynamic analysis includes:
processing the object within a virtual machine, detecting, by a monitor, a process operation during the processing of the object within the virtual machine, and recording the process operation and a corresponding set of process parameters associated with the process operation, wherein the set of process parameters defines a context in which the process operation was performed within the virtual machine when the process operation was detected, wherein the recorded process operation and the set of process parameters comprise a behavior;
generating a probability the behavior is suspicious based on a comparison of the recorded process operation and the set of process parameters with at least one of (i) a set of expected process operations and process parameters, or (ii) a set of anomalous process operations and process parameters; and
responsive to the probability being equal to or above a first predefined level, classifying the object as malware.
Dependent claims: 2, 3, 4, 5, 6, 19, 20, 21
7. A non-transitory storage medium including instructions that, when executed by one or more hardware processors, perform a plurality of operations, comprising:
receiving, by a malware content detection system, an object to be examined for malware;
performing dynamic analysis on the object, wherein the dynamic analysis includes:
processing the object within a virtual machine, detecting, by a monitor, a process operation during the processing of the object within the virtual machine, and recording the process operation and a corresponding set of process parameters associated with the process operation, wherein the set of process parameters defines a context in which the process operation was performed within the virtual machine when the process operation was detected, wherein the recorded process operation and the set of process parameters comprise a behavior, and
generating a probability the behavior is suspicious based on a comparison of the recorded process operation and the set of process parameters with at least one of (i) a set of expected process operations and process parameters, or (ii) a set of anomalous process operations and process parameters; and
responsive to the probability being equal to or above a first predefined level, classifying the object as malware.
Dependent claims: 8, 9, 10, 11, 12, 22, 23, 24
13. A system comprising:
one or more hardware processors;
a memory including one or more software modules that, when executed by the one or more hardware processors, perform dynamic analysis on a received object, wherein the dynamic analysis includes:
process the object within a virtual machine, detect, by a monitor, a process operation during the processing of the object within the virtual machine, record the process operation and a corresponding set of process parameters associated with the process operation, wherein the set of process parameters defines a context in which the process operation was performed within the virtual machine when the process operation was detected, wherein the recorded process operation and the set of process parameters comprise a behavior;
generate a probability the behavior is suspicious based on a comparison of the recorded process operation and the set of process parameters with at least one of (i) a set of expected process operations and process parameters, or (ii) a set of anomalous process operations and process parameters; and
responsive to the probability being equal to or above a first predefined level, classify the object as malware.
Dependent claims: 14, 15, 16, 17, 18, 25, 26, 27
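The scoring step that the three independent claims share, as an added example (not the patent's or any product's code): a recorded behavior is an operation plus its context parameters, it is compared against constructed sets of expected and anomalous operation/context patterns, the best match in each set yields a suspicion probability, and the object is classified once any behavior reaches the predefined level. The pattern contents, the 0.5 prior for unreferenced behaviors and the 0.6 level are all assumptions.

```python
from typing import Dict, List, Tuple

Params = Dict[str, str]
Behavior = Tuple[str, Params]   # (process operation, context parameters recorded with it)

# Constructed reference sets (assumption, not the patent's data). Each entry is a
# pattern: an operation plus the context parameters that must all agree for it to
# match. A pattern's weight is how many parameters it constrains, so a specific
# context (cmd.exe spawned by Word) outweighs a generic one (cmd.exe at all).
EXPECTED: List[Behavior] = [
    ("create_process", {"image": "cmd.exe"}),
    ("file_write", {"process": "winword.exe", "dir": "%TEMP%"}),
]
ANOMALOUS: List[Behavior] = [
    ("create_process", {"image": "cmd.exe", "parent": "winword.exe"}),
    ("create_process", {"image": "powershell.exe", "parent": "winword.exe"}),
    ("file_write", {"process": "winword.exe", "dir": "%STARTUP%"}),
]
FIRST_PREDEFINED_LEVEL = 0.6   # assumed value for the claim's "first predefined level"

def pattern_weight(recorded: Behavior, pattern: Behavior) -> int:
    """Number of parameters the pattern constrains if the recorded behavior
    matches it (same operation, every pattern parameter equal); otherwise 0."""
    op, params = recorded
    pat_op, pat_params = pattern
    if op != pat_op or any(params.get(k) != v for k, v in pat_params.items()):
        return 0
    return len(pat_params)

def suspicion_probability(recorded: Behavior) -> float:
    """Weigh the best anomalous match against the best expected match.
    Returns the 0.5 prior (assumption) when neither set covers the behavior."""
    e = max((pattern_weight(recorded, p) for p in EXPECTED), default=0)
    a = max((pattern_weight(recorded, p) for p in ANOMALOUS), default=0)
    if a + e == 0:
        return 0.5
    return a / (a + e)

def classify(behaviors: List[Behavior], level: float = FIRST_PREDEFINED_LEVEL) -> str:
    """Decision step of the claims: malware once any recorded behavior's
    probability is at or above the predefined level."""
    if any(suspicion_probability(b) >= level for b in behaviors):
        return "malware"
    return "benign"

# Constructed monitor traces: the same operation recorded in two different contexts.
DOC_TRACE = [("file_write", {"process": "winword.exe", "dir": "%TEMP%"}),
             ("create_process", {"image": "cmd.exe", "parent": "explorer.exe"})]
MALDOC_TRACE = [("file_write", {"process": "winword.exe", "dir": "%TEMP%"}),
                ("create_process", {"image": "cmd.exe", "parent": "winword.exe"})]

if __name__ == "__main__":
    print(classify(DOC_TRACE), classify(MALDOC_TRACE))   # prints: benign malware
```

The two traces differ only in the parent of cmd.exe, which is the context parameter that moves the same operation from the expected set to the anomalous set.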
Specification