Method, electronic device, and user interface for on-demand detecting malware

US 9,313,222 B2
Filed: 06/27/2014
Issued: 04/12/2016
Est. Priority Date: 04/30/2014
Status: Active Grant

First Claim

Patent Images

1. A method for on-demand detecting a malware, adapted for estimating whether an application has vulnerabilities or malicious behaviors, and the method comprising:

receiving the application;

decompiling the application, to generate a compiled code related to the application;

creating multiple compilation paths according to the compiled code and an association analysis, wherein the compilation paths correspond to multiple instruction paths of the application, respectively;

predicting a risk level and a test time of each of the compilation paths which has vulnerabilities or malicious behaviors, and classifying the compilation paths as multiple test items correspondingly;

receiving a detection command, to select at least one of the test items and a detectable time; and

selecting the corresponding compilation paths according to selection of the test items and the detectable time, to execute the instruction paths corresponding to the selected compilation paths, and to generate a detection result indicating whether the application has the vulnerabilities or the malicious behaviors;

wherein each of the compilation paths has at least one element instruction, at least one program code instruction, or combination thereof, and during prediction of the risk level and the test time of each of the compilation paths which has the vulnerabilities or the malicious behaviors, risk data of the element instruction and risk data of the program code instruction are used for prediction to correspondingly generate an element risk value and an element execution time of the element instruction of each of the compilation paths, and to generate a program code risk value and a program code execution time of the program code instruction, so as to predict the risk level and the test time of each of the compilation paths which has the vulnerabilities or the malicious behaviors.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, an electronic device, and a user interface for on-demand detecting a malware are provided and adapted for estimating whether an application has vulnerabilities or malicious behaviors. The method includes the following steps. Firstly, evaluating a risk level and a test time of the application which has vulnerabilities or malicious behaviors. Next, detecting the application by selection of user to estimate the risk level of the application which has vulnerabilities or malicious behaviors and then correspondingly generating a detection result. Therefore, the method, the electronic device, and the user interface for on-demand detecting the malware can detect the risk level of the application which has vulnerabilities or malicious behaviors before getting virus pattern of the variant or new malware.

Citations

18 Claims

1. A method for on-demand detecting a malware, adapted for estimating whether an application has vulnerabilities or malicious behaviors, and the method comprising:
- receiving the application;
  
  decompiling the application, to generate a compiled code related to the application;
  
  creating multiple compilation paths according to the compiled code and an association analysis, wherein the compilation paths correspond to multiple instruction paths of the application, respectively;
  
  predicting a risk level and a test time of each of the compilation paths which has vulnerabilities or malicious behaviors, and classifying the compilation paths as multiple test items correspondingly;
  
  receiving a detection command, to select at least one of the test items and a detectable time; and
  
  selecting the corresponding compilation paths according to selection of the test items and the detectable time, to execute the instruction paths corresponding to the selected compilation paths, and to generate a detection result indicating whether the application has the vulnerabilities or the malicious behaviors;
  
  wherein each of the compilation paths has at least one element instruction, at least one program code instruction, or combination thereof, and during prediction of the risk level and the test time of each of the compilation paths which has the vulnerabilities or the malicious behaviors, risk data of the element instruction and risk data of the program code instruction are used for prediction to correspondingly generate an element risk value and an element execution time of the element instruction of each of the compilation paths, and to generate a program code risk value and a program code execution time of the program code instruction, so as to predict the risk level and the test time of each of the compilation paths which has the vulnerabilities or the malicious behaviors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, wherein the risk data of the element instruction comprises a behavior description, a predicted risk value and a predicted execution time for each of the element instructions, so as to edit the element risk value and the element execution time of the element instruction.
  - 3. The method according to claim 1, wherein the risk data of the program code instruction comprises a behavior description, a predicted risk value and a predicted execution time for each of program code instructions, so as to edit the program code risk value and the program code execution time of the program code instruction.
  - 4. The method according to claim 1, wherein in the step of selecting at least one of the test items and the detectable time, when the detectable time is less than the test time, executing the detectable time for the instruction paths corresponding to the compilation paths, and generating the detection result which estimates whether the application has the vulnerabilities or the malicious behaviors.
  - 5. The method according to claim 1, wherein, before the step of receiving the application, the method further comprises a step of:
    - creating a detection interface according to at least one application to be detected, to provide a user selecting the application to be detected, and generating the application correspondingly.
  - 6. The method according to claim 1, wherein after the compilation paths are classified as the test items, the method further comprises a step of:
    - creating a detection interface according to the test items, to provide a user selecting the test item of the risk and the detectable time to be executed, and generating the detection command correspondingly.
  - 7. The method according to claim 1, wherein, before the step of generating the detection result, the method further comprises a step of:
    - creating a detection interface according to the detection result to display the detection result.
  - 8. The method according to claim 1, wherein the risk level is made according to an Open Web Application Security Project, a NIST security guideline, or the combination thereof when the compilation paths are classified as the test items according to the risk level and the test time.

9. An electronic device for on-demand detecting a malware, adapted for estimating whether an application has vulnerabilities or malicious behaviors, and the electronic device comprising:
- a display unit, configured for displaying a detection interface;
  
  a storage unit, configured for storing the application; and
  
  a computing processing unit, configured for executing following steps;
  
  receiving the application by operating the detection interface;
  
  decompiling the application, to generate a compiled code related to the application;
  
  creating multiple compilation paths according to the compiled code and an association analysis, wherein the compilation paths correspond to multiple instruction paths of the application, respectively;
  
  predicting a risk level and a test time of each of the compilation paths which has the vulnerabilities or the malicious behaviors, and classifying the compilation paths as multiple test items correspondingly;
  
  receiving a detection command by operating the detection interface, to select at least one of the test items and a detectable time; and
  
  selecting the corresponding compilation paths according to selection of the test items and the detectable time, to execute the instruction paths corresponding to the selected compilation paths, to generate a detection result indicating whether the application has the vulnerabilities or the malicious behaviors;
  
  wherein each of the compilation paths has one of at least one element instruction and at least one program code instruction, or the combination thereof, and when the computing processing unit predicts the risk level and the test time of each of the compilation paths which has the vulnerabilities or the malicious behaviors, the computing processing unit uses risk data of the element instruction and risk data of the program code instruction for prediction to correspondingly generate an element risk value and an element execution time of the element instruction of each of the compilation paths, and generate a program code risk value and a program code execution time of the program code instruction, so as to predict the risk level and the test time of each of the compilation paths which has vulnerabilities or malicious behaviors.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The electronic device according to claim 9, wherein the store unit is configured for storing the risk data of the element instruction and the risk data of the program code instruction.
  - 11. The electronic device according to claim 9, wherein the risk data of the element instruction comprises a behavior description, a predicted risk value and a predicted execution time for each of the element instructions, so as to edit the element risk value and the element execution time of the element instruction.
  - 12. The electronic device according to claim 9, wherein the risk data of the program code instruction comprises a behavior description, a predicted risk value and a predicted execution time for each of program code instructions, so as to edit the program code risk value and the program code execution time of the program code instruction.
  - 13. The electronic device according to claim 9, wherein when the detectable time is less than the test time, the computing processing unit executes the detectable time for the instruction paths corresponding to the compilation paths, and generates the detection result which estimates whether the application has vulnerabilities or malicious behaviors.
  - 14. The electronic device according to claim 9, wherein the risk level is made according to an Open Web Application Security Project, a NIST security guideline, or the combination thereof.
  - 15. The electronic device according to claim 9, wherein the detection interface displays at least one application to be detected, and provides a detecting selection to enable the computing processing unit receiving the application according to the detecting selection.
  - 16. The electronic device according to claim 9, wherein the detection interface displays at least one of the test items and the detectable time of the application, and provides a requirement selection to enable the computing processing unit receiving the detection command according to the requirement selection.
  - 17. The electronic device according to claim 9, wherein the detection interface displays the detection result.

18. A non-transitory computer-readable recording medium, wherein the non-transitory computer-readable recording medium records a computer executable program, and when the non-transitory computer-readable recording medium is accessed by a processor, the processor executes the computer executable program comprising:
- receiving the application;
  
  decompiling the application, to generate a compiled code related to the application;
  
  creating multiple compilation paths according to the compiled code and an association analysis, wherein the compilation paths correspond to multiple instruction paths of the application, respectively;
  
  predicting a risk level and a test time of each of the compilation paths which has vulnerabilities or malicious behaviors, and classifying the compilation paths as multiple test items correspondingly;
  
  receiving a detection command, to select at least one of the test items and a detectable time; and
  
  selecting the corresponding compilation paths according to selection of the test items and the detectable time, to execute the instruction paths corresponding to the selected compilation paths, and to generate a detection result indicating whether the application has the vulnerabilities or the malicious behaviors;
  
  wherein each of the compilation paths has at least one element instruction, at least one program code instruction, or combination thereof, and during prediction of the risk level and the test time of each of the compilation paths which has the vulnerabilities or the malicious behaviors, risk data of the element instruction and risk data of the program code instruction are used for prediction to correspondingly generate an element risk value and an element execution time of the element instruction of each of the compilation paths, and to generate a program code risk value and a program code execution time of the program code instruction, so as to predict the risk level and the test time of each of the compilation paths which has the vulnerabilities or the malicious behaviors.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Institute For Information Industry
Original Assignee
Institute For Information Industry
Inventors
Huang, Pei-Wen, Mao, Ching-Hao, Wen, Hsiang-An, Chen, Yu-Te, Chen, Pei Te
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Shayanfar, Ali

Application Number

US14/317,100
Publication Number

US 20150319187A1
Time in Patent Office

655 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 3/0481   based on specific propertie...

G06F 3/04842   Selection of displayed obje...

G06F 3/0488   using a touch-screen or dig...

H04L 63/1433   Vulnerability analysis

Method, electronic device, and user interface for on-demand detecting malware

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method, electronic device, and user interface for on-demand detecting malware

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links