Detection efficacy of virtual machine-based analysis with application specific events

US 9,262,635 B2
Filed: 02/05/2014
Issued: 02/16/2016
Est. Priority Date: 02/05/2014
Status: Active Grant

First Claim

Patent Images

1. A computerized method for classifying an object based on detected process operations and associated process parameters that describe the context of the process operations, comprising:

receiving an object to be examined for malware;

performing dynamic analysis on the object, wherein the dynamic analysis includes;

processing the object within a virtual machine,detecting, by a monitor, a process operation during the processing of the object within the virtual machine, andrecording the process operation and a corresponding set of process parameters associated with the process operation, wherein the set of process defines a context in which the process operation was performed within the virtual machine when the process operation was detected, wherein the recorded process operation and the set of process parameters comprise a behavior;

generating a probability the behavior is suspicious based on a comparison of the recorded process operation and the set of process parameters with at least one of (i) a set of expected process operations and process parameters, or (ii) a set of anomalous process operations and process parameters; and

responsive to the probability being equal to or above a first predefined level, classifying the object as malware.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized system and method is described for classifying objects as malicious by processing the objects in a virtual environment and monitoring behaviors during processing by one or more monitors. The monitors may monitor and record selected sets of process operations and capture associated process parameters, which describe the context in which the process operations were performed. By recording the context of process operations, the system and method described herein improves the intelligence of classifications and consequently reduces the likelihood of incorrectly identifying objects as malware or vice versa.

701 Citations

27 Claims

1. A computerized method for classifying an object based on detected process operations and associated process parameters that describe the context of the process operations, comprising:
- receiving an object to be examined for malware;
  
  performing dynamic analysis on the object, wherein the dynamic analysis includes;
  
  processing the object within a virtual machine,detecting, by a monitor, a process operation during the processing of the object within the virtual machine, andrecording the process operation and a corresponding set of process parameters associated with the process operation, wherein the set of process defines a context in which the process operation was performed within the virtual machine when the process operation was detected, wherein the recorded process operation and the set of process parameters comprise a behavior;
  
  generating a probability the behavior is suspicious based on a comparison of the recorded process operation and the set of process parameters with at least one of (i) a set of expected process operations and process parameters, or (ii) a set of anomalous process operations and process parameters; and
  
  responsive to the probability being equal to or above a first predefined level, classifying the object as malware.
- View Dependent Claims (2, 3, 4, 5, 6, 19, 20, 21)
- - 2. The computerized method of claim 1, wherein the process operation and the set of process parameters are pre-selected based on the location within the virtual machine in which the monitor is located.
  - 3. The computerized method of claim 1, wherein the process operation is a function call, a process/thread lifecycle operation, or a module operation.
  - 4. The computerized method of claim 1, wherein the set of process parameters define one or more of a state of modules within the virtual machine and a state of modules within a component of the virtual machine.
  - 5. The computerized method of claim 1, wherein a component in which the monitor is located is a process running within the virtual machine, a portion of an operating system running in the virtual machine, or a virtual machine manager (VMM) running outside the virtual machine.
  - 6. The computerized method of claim 1, wherein classifying the object as malware further comprises:
    - generating, upon the probability being equal or above the first predefined level, a confidence score that the object is malware based on behaviors of known malware and benign objects.
  - 19. The computerized method of claim 1, wherein the probability includes a weighted score.
  - 20. The computerized method of claim 1, wherein the monitor is injected into the object prior to detecting the process operation.
  - 21. The computerized method of claim 1 further comprising:
    - responsive to the probability being below the first predefined level and above a second predefined level, classifying the object as benign, wherein the second predefined level is lower than the first predefined level.

7. A non-transitory storage medium including instructions that, when executed by one or more hardware processors, perform a plurality of operations, comprising:
- receiving, by a malware content detection system, an object to be examined for malware;
  
  performing dynamic analysis on the object, wherein the dynamic analysis includes;
  
  processing the object within a virtual machine,detecting, by a monitor, a process operation during the processing of the object within the virtual machine, andrecording the process operation and a corresponding set of process parameters associated with the process operation, wherein the set of process of parameters defines a context in which the process operation was performed within the virtual machine when the process operation was detected, wherein the recorded process operation and the set of process parameters comprise a behavior, andgenerating a probability the behavior is suspicious based on a comparison of the recorded process operation and the set of process parameters with at least one of (i) a set of expected process operations and process parameters, or (ii) a set of anomalous process operations and process parameters; and
  
  responsive to the probability being equal to or above a first predefined level, classifying the object as malware.
- View Dependent Claims (8, 9, 10, 11, 12, 22, 23, 24)
- - 8. The non-transitory storage medium of claim 7, wherein the process operation and the set of process parameters are pre-selected based on the location within the virtual machine in which the monitor is located.
  - 9. The non-transitory storage medium of claim 7, wherein the process operation is a function call, a process/thread lifecycle operation, or a module operation.
  - 10. The non-transitory storage medium of claim 7, wherein the set of process parameters define one or more of a state of modules within the virtual machine and a state of modules within a component.
  - 11. The non-transitory storage medium of claim 7, wherein a component in which the monitor is located is a process running within the virtual machine, a portion of an operating system running in the virtual machine, or a virtual machine manager (VMM) running outside the virtual machine.
  - 12. The non-transitory storage medium of claim 7, wherein classifying the object as malware further comprises:
    - generating, upon the probability being equal or above the first predefined level, a confidence score that the object is malware based on behaviors of known malware and benign objects.
  - 22. The non-transitory storage medium of claim 7, wherein the probability includes a weighted score.
  - 23. The non-transitory storage medium of claim 7, wherein the monitor is injected into the object prior to detecting the process operation.
  - 24. The non-transitory storage medium of claim 7, wherein the plurality of operations further comprises:
    - responsive to the probability being below the first predefined level and above a second predefined level, classifying the object as benign, wherein the second predefined level is lower than the first predefined level.

13. A system comprising:
- one or more hardware processors;
  
  a memory including one or more software modules that, when executed by the one or more hardware processors;
  
  perform dynamic analysis on a received object, wherein the dynamic analysis includes;
  
  process the object within a virtual machine,detect, by a monitor, a process operation during the processing of the object within the virtual machine,record the process operation and a corresponding set of process parameters associated with the process operation, wherein the set of process parameters defines a context in which the process operation was performed within the virtual machine when the process operation was detected, wherein the recorded process operation and the set of process parameters comprise a behavior;
  
  generate a probability the behavior is suspicious based on a comparison of the recorded process operation and the set of process parameters with at least one of (i) a set of expected process operations and process parameters, or (ii) a set of anomalous process operations and process parameters; and
  
  responsive to the probability being equal to or above a first predefined level, classify the object as malware.
- View Dependent Claims (14, 15, 16, 17, 18, 25, 26, 27)
- - 14. The system of claim 13, wherein the process operation and the set of process parameters are pre-selected based on the location within the virtual machine in which the monitor is located.
  - 15. The system of claim 13, wherein the process operation is a function call, a process/thread lifecycle operation, or a module operation.
  - 16. The system of claim 13, wherein the set of process parameters defines one or more of a state of modules within the virtual machine and a state of modules within a component of the virtual machine.
  - 17. The system of claim 13, wherein a component in which the monitor is located is a process running within the virtual machine, a portion of an operating system running in the virtual machine, or a virtual machine manager (VMM) running outside the virtual machine.
  - 18. The system of claim 13, wherein classifying the object as malware further comprises:
    - generating, upon probability being equal or above the first predefined level, a confidence score that the object is malware based on behaviors of known malware and benign objects.
  - 25. The system of claim 13, wherein the probability includes a weighted score.
  - 26. The system of claim 13, wherein the monitor is injected into the object prior to detecting the process operation.
  - 27. The system of claim 13, wherein the memory further includes one or more software modules that, when executed by the one or more hardware processors:
    - responsive to the probability being below the first predefined level and above a second predefined level, classify the object as benign, wherein the second predefined level is lower than the first predefined level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Paithane, Sushant, Vashisht, Sai
Primary Examiner(s)
Mehedi, Morshed

Application Number

US14/173,765
Publication Number

US 20150220735A1
Time in Patent Office

741 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

G06F 9/45558   Hypervisor-specific managem...

H04L 63/145   the attack involving the pr...

Detection efficacy of virtual machine-based analysis with application specific events

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

701 Citations

27 Claims

Specification

Use Cases

Quick Links

Others

Detection efficacy of virtual machine-based analysis with application specific events

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

701 Citations

27 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others