Malware detection and analysis
First Claim
1. A non-transitory computer readable storage medium including instructions that, when executed by a processor, cause the processor to perform a method comprising:
- receiving a binary executable comprising obfuscated malware on a host device;
- recording incident data indicating a time when the binary executable was received and identifying processes operating on the host device at the time;
- analyzing the binary executable via a scalable plurality of execution environments, including one or more non-virtual execution environments and one or more virtual execution environments, to execute a plurality of malware analysis modules and to generate runtime data based on execution of the obfuscated malware and deobfuscation data attributable to the binary executable, wherein the deobfuscation data is generated based on an identification of a simplified version of the obfuscated malware;
- storing the runtime data and deobfuscation data attributable to the binary executable in a shared database;
- storing the incident data in a private, non-shared database other than the shared database, wherein, of the shared database and the private, non-shared database, the incident data is available only via the private, non-shared database; and
- increasing the scalable plurality of execution environments to execute the plurality of malware analysis modules, the increasing based, at least in part, on the generated runtime data.
Abstract
Embodiments of the invention describe systems and methods for malicious software detection and analysis. A binary executable comprising obfuscated malware on a host device may be received, and incident data indicating a time when the binary executable was received and identifying processes operating on the host device may be recorded. The binary executable is analyzed via a scalable plurality of execution environments, including one or more non-virtual execution environments and one or more virtual execution environments, to generate runtime data and deobfuscation data attributable to the binary executable. At least some of the runtime data and deobfuscation data attributable to the binary executable is stored in a shared database, while at least some of the incident data is stored in a private, non-shared database.
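The abstract and the claims describe a pipeline with two storage tiers and a scaling rule: incident data (which host received the sample, when, and what was running) goes only to a private store, while behavioural and deobfuscation data goes to a shared store, and the pool of execution environments grows in response to the runtime data that comes back. The following Python model is an added example written for this page, not code from the patent or its assignee. Everything in it is constructed: the sample is a zlib-compressed text body behind a fake four-byte header, the "behaviour" module is a stand-in that emits one event per 64 bytes rather than running anything, the unpack step treats decompression as the "simplified version", and the scaling rule (one extra virtual environment per run that exhausted its event budget, up to a cap) is one possible policy, not the patent's. The audit function at the end checks the property the claims care about: no private-only value appears in a shared record.

```python
"""Added example: a toy model of the two-tier storage and scale-out pipeline.
All module names, thresholds and sample data below are constructed."""
import hashlib
import math
import zlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a plain text body hidden behind a fake header by zlib
# compression. Decompressing it stands in for "identifying a simplified version".
PLAIN_BODY = b"constructed sample body: prints hello and exits\n" * 40
OBFUSCATED_SAMPLE = b"\x7fELF" + zlib.compress(PLAIN_BODY, 9)

RUN_BUDGET = 16  # constructed per-run event budget for the behaviour stand-in


@dataclass
class IncidentRecord:
    """Private tier: host identity, receipt time and co-running processes."""
    sample_sha256: str
    host_id: str
    received_at: float
    running_processes: List[str]


@dataclass
class AnalysisRecord:
    """Shared tier: what the sample did and unpacked to; no host identity."""
    sample_sha256: str
    environment: str
    module: str
    runtime_data: Dict[str, object] = field(default_factory=dict)
    deobfuscation_data: Dict[str, object] = field(default_factory=dict)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def recover_simplified(sample: bytes) -> Optional[Tuple[int, bytes]]:
    """Deobfuscation stand-in: find a zlib stream within the first 16 bytes."""
    for start in range(min(len(sample), 16)):
        try:
            return start, zlib.decompress(sample[start:])
        except zlib.error:
            continue
    return None


def behaviour_module(program: bytes, env: str) -> Dict[str, object]:
    """Runtime-trace stand-in: one 'event' per 64 bytes, capped by the budget."""
    events = min(len(program) // 64, RUN_BUDGET)
    return {
        "events": events,
        "budget_exhausted": events >= RUN_BUDGET,
        "environment_kind": "virtual" if env.startswith("vm") else "non-virtual",
    }


class Orchestrator:
    def __init__(self, environments: List[str], max_environments: int = 8):
        self.environments = list(environments)
        self.max_environments = max_environments
        self.private_db: List[IncidentRecord] = []   # never shared
        self.shared_db: List[AnalysisRecord] = []    # shareable

    def receive(self, sample: bytes, host_id: str, received_at: float,
                processes: List[str]) -> str:
        """Record incident data in the private tier; return the sample hash."""
        digest = sha256_hex(sample)
        self.private_db.append(IncidentRecord(digest, host_id, received_at, list(processes)))
        return digest

    def analyze(self, sample: bytes) -> List[AnalysisRecord]:
        """Run the behaviour stand-in in every environment, store results, then scale."""
        digest = sha256_hex(sample)
        found = recover_simplified(sample)
        deob: Dict[str, object] = {}
        program = sample
        if found is not None:
            offset, program = found
            deob = {"payload_offset": offset, "simplified_sha256": sha256_hex(program),
                    "entropy_before": round(entropy(sample), 2),
                    "entropy_after": round(entropy(program), 2)}
        new = [AnalysisRecord(digest, env, "behaviour", behaviour_module(program, env), dict(deob))
               for env in list(self.environments)]
        self.shared_db.extend(new)
        self.scale(new)
        return new

    def scale(self, records: List[AnalysisRecord]) -> int:
        """Add one virtual environment per budget-exhausted run, up to the cap."""
        exhausted = sum(1 for r in records if r.runtime_data.get("budget_exhausted"))
        added = 0
        while exhausted > added and len(self.environments) < self.max_environments:
            self.environments.append(f"vm-{len(self.environments)}")
            added += 1
        return added


def incident_values_in_shared(orch: Orchestrator) -> List[str]:
    """Audit: private-only values that leaked into shared records (expect none)."""
    private = set()
    for inc in orch.private_db:
        private.update({inc.host_id, str(inc.received_at), *inc.running_processes})
    leaked = []
    for rec in orch.shared_db:
        for v in list(rec.runtime_data.values()) + list(rec.deobfuscation_data.values()):
            if str(v) in private:
                leaked.append(str(v))
    return leaked


def demo():
    orch = Orchestrator(["bare-metal-0", "vm-1"])
    digest = orch.receive(OBFUSCATED_SAMPLE, "host-42", 1700000000.0,
                          ["explorer.exe", "outlook.exe"])
    records = orch.analyze(OBFUSCATED_SAMPLE)
    return orch, digest, records


if __name__ == "__main__":
    o, d, recs = demo()
    print(d, o.environments, incident_values_in_shared(o))
```

The sample hash is deliberately the only value present in both tiers: it is the join key that lets the party holding the private database connect a shared analysis record back to its own incident, while a consumer of the shared tier alone sees behaviour and unpacking results with no host, time or process names.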
19 Claims
1. Independent claim; text as given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A system comprising:
- a host device to receive a binary executable comprising obfuscated malware;
- malware detection logic to record incident data indicating a time when the binary executable was received and identifying processes operating on the host device at the time;
- a network interface; and
- malware analysis logic to:
  - send requests, via the network interface, to a scalable plurality of execution environments to analyze the received binary executable via a plurality of malware analysis modules for generating runtime data based on execution of the obfuscated malware and deobfuscation data attributable to the binary executable, wherein the plurality of execution environments includes one or more non-virtual execution environments and one or more virtual execution environments, wherein the deobfuscation data is generated based on an identification of a simplified version of the obfuscated malware;
  - store the incident data in a private, non-shared database;
  - transmit the runtime data and deobfuscation data attributable to the binary executable to a shared database other than the private, non-shared database via the network interface, wherein, of the shared database and the private, non-shared database, the incident data is available only via the private, non-shared database; and
  - increase the scalable plurality of execution environments to execute the plurality of malware analysis modules, the increasing based, at least in part, on the generated runtime data.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19.