Methods and systems for malware analysis

US 9,350,747 B2
Filed: 10/31/2013
Issued: 05/24/2016
Est. Priority Date: 10/31/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method executed by one or more processors, the method comprising:

training a particular analyzer using machine learning to classify data samples as including malware or not including malware;

providing data for generating a graphical user interface at a user device, the graphical user interface being configured to receive, through user selectable options, configuration data that (i) defines a user-defined workflow to control one or more analyzers for analyzing malware having a particular malware attribute and (ii) specifies whether one or more virtual machines are to be supported by the user-defined workflow;

receiving, from the user device, the configuration data through the graphical user interface;

storing the configuration data in a workflow definition database, the workflow definition database including workflow definitions for a plurality of workflows respectively associated with a plurality of malware attributes;

receiving a sample including a potential malware;

determining, by the one or more processors at a server, at least one malware attribute of the sample;

determining that the at least one malware attribute of the sample includes the particular malware attribute;

selecting, from the plurality of workflows, the user-defined workflow for analyzing the sample;

causing, by the one or more processors at the server, one or more analyzers to analyze the sample according to the user-defined workflow to obtain an analysis result, the one or more analyzers including the particular analyzer that is trained using machine learning; and

providing (I) the analysis result in a colloquial language format, and (II) data for generating a second graphical user interface at the user device, the second graphical user interface being configured to display, at the user device, the analysis result and an action control interface that receives a selection of one or more remedial actions based on the analysis result.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, system, and media for analyzing a potential malware sample are disclosed. A sample for malware analysis may be received. The sample may be received through a web interface. The sample may be analyzed using a plurality of analyzers implemented on one or more computing devices. The analyzers may perform a sequence of configurable analytic steps to extract information about the sample. The extracted information may be displayed to a user through the web interface.

Citations

36 Claims

1. A computer-implemented method executed by one or more processors, the method comprising:
- training a particular analyzer using machine learning to classify data samples as including malware or not including malware;
  
  providing data for generating a graphical user interface at a user device, the graphical user interface being configured to receive, through user selectable options, configuration data that (i) defines a user-defined workflow to control one or more analyzers for analyzing malware having a particular malware attribute and (ii) specifies whether one or more virtual machines are to be supported by the user-defined workflow;
  
  receiving, from the user device, the configuration data through the graphical user interface;
  
  storing the configuration data in a workflow definition database, the workflow definition database including workflow definitions for a plurality of workflows respectively associated with a plurality of malware attributes;
  
  receiving a sample including a potential malware;
  
  determining, by the one or more processors at a server, at least one malware attribute of the sample;
  
  determining that the at least one malware attribute of the sample includes the particular malware attribute;
  
  selecting, from the plurality of workflows, the user-defined workflow for analyzing the sample;
  
  causing, by the one or more processors at the server, one or more analyzers to analyze the sample according to the user-defined workflow to obtain an analysis result, the one or more analyzers including the particular analyzer that is trained using machine learning; and
  
  providing (I) the analysis result in a colloquial language format, and (II) data for generating a second graphical user interface at the user device, the second graphical user interface being configured to display, at the user device, the analysis result and an action control interface that receives a selection of one or more remedial actions based on the analysis result.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer-implemented method of claim 1, wherein the user-defined workflow designates an order in which to run each of the one or more analyzers.
  - 3. The computer-implemented method of claim 2, wherein the order includes running at least two of the one or more analyzers concurrently.
  - 4. The computer-implemented method of claim 1, further comprising providing a summary including at least one user-readable description of the analysis result to be displayed using the second graphical user interface.
  - 5. The computer-implemented method of claim 4, wherein the summary includes a confidence level associated with the at least one user-readable description.
  - 6. The computer-implemented method of claim 4, wherein the summary includes at least one recommendation for remediating malware in the sample.
  - 7. The computer-implemented method of claim 1, further comprising:
    - determining, by the one or more processors and based, at least in part, on the analysis result, a modified workflow for continued analysis of the sample by the one or more analyzers according to the modified workflow,wherein the modified workflow includes one or more of (i) designating one or more additional analyzers, (ii) altering an order in which to run each of the one or more analyzers, (iii) re-analyzing the analysis result by at least one of the one or more analyzers, and (iv) re-analyzing the analysis result by a particular analyzer that produced the analysis result.
  - 8. The computer-implemented method of claim 7, further comprising receiving an indication of a user input,wherein determining the modified workflow for continued analysis of the sample by the one or more analyzers according to the modified workflow is based on the indication of the user input.
  - 9. The computer-implemented method of claim 7, wherein the modified workflow is determined by applying at least one rule to the analysis result.
  - 10. The computer-implemented method of claim 1, wherein the one or more remedial actions include (i) a removal action to remove malware associated with the sample, (ii) an alert action to alert a designated entity of the analysis result, and (iii) an analytics action to execute an additional analysis of the sample.
  - 11. The computer-implemented method of claim 1, wherein the sample including the potential malware is received after storing the configuration data in the workflow definition database.
  - 12. The computer-implemented method of claim 1, wherein the configuration data includes a selection of the one or more analyzers from among a plurality of analyzers and a chronological order of applying the one or more analyzers.

13. A system comprising:
- one or more processors; and
  
  a non-transitory computer-readable storage medium coupled to the one or more processors having instructions stored thereon which, when executed by the one or more processors, causes the one or more processors to perform operations comprising;
  
  training a particular analyzer using machine learning to classify data samples as including malware or not including malware;
  
  providing data for generating a graphical user interface at a user device, the graphical user interface being configured to receive, through user selectable options, configuration data that (i) defines a user-defined workflow to control one or more analyzers for analyzing malware having a particular malware attribute and (ii) specifies whether one or more virtual machines are to be supported by the user-defined workflow;
  
  receiving, from the user device, the configuration data through the graphical user interface;
  
  storing the configuration data in a workflow definition database, the workflow definition database including workflow definitions for a plurality of workflows respectively associated with a plurality of malware attributes;
  
  receiving a sample including a potential malware;
  
  determining, at a server, at least one malware attribute of the sample;
  
  determining that the at least one malware attribute of the sample includes the particular malware attribute;
  
  selecting, from the plurality of workflows, the user-defined workflow for analyzing the sample;
  
  causing, at the server, one or more analyzers to analyze the sample according to the user-defined workflow to obtain an analysis result, the one or more analyzers including the particular analyzer that is trained using machine learning; and
  
  providing (I) the analysis result in a colloquial language format and (II) data for generating a second graphical user interface at the user device, the second graphical user interface being configured to display, at the user device, the analysis result and an action control interface that receives a selection of one or more remedial actions based on the analysis result.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The system of claim 13, wherein the user-defined workflow designates an order in which to run each of the one or more analyzers.
  - 15. The system of claim 14, wherein the order includes running at least two of the one or more analyzers concurrently.
  - 16. The system of claim 13, further comprising providing a summary including at least one user-readable description of the analysis result to be displayed using the second graphical user interface.
  - 17. The system of claim 16, wherein the summary includes a confidence level associated with the at least one user-readable description.
  - 18. The system of claim 16, wherein the summary includes at least one recommendation for remediating malware in the sample.
  - 19. The system of claim 13, wherein the one or more processors perform operations further comprising:
    - determining, based, at least in part, on the analysis result, a modified workflow for continued analysis of the sample by the one or more analyzers according to the modified workflow,wherein the modified workflow includes one or more of (i) designating one or more additional analyzers, (ii) altering an order in which to run each of the one or more analyzers, (iii) re-analyzing the analysis result by at least one of the one or more analyzers, and (iv) re-analyzing the analysis result by a particular analyzer that produced the analysis result.
  - 20. The system of claim 19, wherein the one or more processors perform operations further comprising receiving an indication of a user input,wherein determining the modified workflow for continued analysis of the sample by the one or more analyzers according to the modified workflow is based on the indication of the user input.
  - 21. The system of claim 19, wherein the modified workflow is determined by applying at least one rule to the analysis result.
  - 22. The system of claim 13, wherein the one or more remedial actions include (i) a removal action to remove malware associated with the sample, (ii) an alert action to alert a designated entity of the analysis result, and (iii) an analytics action to execute an additional analysis of the sample.
  - 23. The system of claim 13, wherein the sample including the potential malware is received after storing the configuration data in the workflow definition database.
  - 24. The system of claim 13, wherein the configuration data includes a selection of the one or more analyzers from among a plurality of analyzers and a chronological order of applying the one or more analyzers.

25. A non-transitory computer-readable storage medium encoded with a computer program comprising instructions that, when executed, operate to cause one or more processors to perform operations comprising:
- training a particular analyzer using machine learning to classify data samples as including malware or not including malware;
  
  providing data for generating a graphical user interface at a user device, the graphical user interface being configured to receive, through user selectable options, configuration data that (i) defines a user-defined workflow to control one or more analyzers for analyzing malware having a particular malware attribute and (ii) specifies whether one or more virtual machines are to be supported by the user-defined workflow;
  
  receiving, from the user device, the configuration data through the graphical user interface;
  
  storing the configuration data in a workflow definition database, the workflow definition database including workflow definitions for a plurality of workflows respectively associated with a plurality of malware attributes;
  
  receiving a sample including a potential malware;
  
  determining, at a server, at least one malware attribute of the sample;
  
  determining that the at least one malware attribute of the sample includes the particular malware attribute;
  
  selecting, from the plurality of workflows, the user-defined workflow for analyzing the sample;
  
  causing, at the server, one or more analyzers to analyze the sample according to the user-defined workflow to obtain an analysis result, the one or more analyzers including the particular analyzer that is trained using machine learning; and
  
  providing (I) the analysis result in a colloquial language format and (II) data for generating a second graphical user interface at the user device, the second graphical user interface being configured to display, at the user device, the analysis result and an action control interface that receives a selection of one or more remedial actions based on the analysis result.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The non-transitory computer-readable storage medium of claim 25, wherein the user-defined workflow designates an order in which to run each of the one or more analyzers.
  - 27. The non-transitory computer-readable storage medium of claim 26, wherein the order includes running at least two of the one or more analyzers concurrently.
  - 28. The non-transitory computer-readable storage medium of claim 25, further comprising providing a summary including at least one user-readable description of the analysis result to be displayed using the second graphical user interface.
  - 29. The non-transitory computer-readable storage medium of claim 28, wherein the summary includes a confidence level associated with the at least one user-readable description.
  - 30. The non-transitory computer-readable storage medium of claim 28, wherein the summary includes at least one recommendation for remediating malware in the sample.
  - 31. The non-transitory computer-readable storage medium of claim 25, wherein the one or more processors perform operations further comprising:
    - determining, based, at least in part, on the analysis result, a modified workflow for continued analysis of the sample by the one or more analyzers according to the modified workflow,wherein the modified workflow includes one or more of (i) designating one or more additional analyzers, (ii) altering an order in which to run each of the one or more analyzers, (iii) re-analyzing the analysis result by at least one of the one or more analyzers, and (iv) re-analyzing the analysis result by a particular analyzer that produced the analysis result.
  - 32. The non-transitory computer-readable storage medium of claim 31, wherein the one or more processors perform operations further comprising receiving an indication of a user input,wherein determining the modified workflow for continued analysis of the sample by the one or more analyzers according to the modified workflow is based on the indication of the user input.
  - 33. The non-transitory computer-readable storage medium of claim 31, wherein the modified workflow is determined by applying at least one rule to the analysis result.
  - 34. The non-transitory computer-readable storage medium of claim 25, wherein the one or more remedial actions include (i) a removal action to remove malware associated with the sample, (ii) an alert action to alert a designated entity of the analysis result, and (iii) an analytics action to execute an additional analysis of the sample.
  - 35. The non-transitory computer-readable storage medium of claim 25, wherein the sample including the potential malware is received after storing the configuration data in the workflow definition database.
  - 36. The non-transitory computer-readable storage medium of claim 25, wherein the configuration data includes a selection of the one or more analyzers from among a plurality of analyzers and a chronological order of applying the one or more analyzers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CyberPoint International, LLC
Original Assignee
CyberPoint International, LLC
Inventors
McLarnon, Mark, Raugas, Mark V., Fisher, Ryan, Rogers, Nate, Kolodny, Mike
Primary Examiner(s)
Gelagay, Shewaye
Assistant Examiner(s)
NGUYEN, TRONG H

Application Number

US14/068,605
Publication Number

US 20150121526A1
Time in Patent Office

936 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/955   using information identifie...

G06F 21/56   Computer malware detection ...

G06F 3/0482   Interaction with lists of s...

G06N 20/00   Machine learning

H04L 63/14   for detecting or protecting...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

H04L 63/20   for managing network securi...

Methods and systems for malware analysis

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for malware analysis

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links