Methods and systems for malware detection based on environment-dependent behavior
Abstract
The present disclosure is directed to methods and systems for malware detection based on environment-dependent behavior. Generally, an analysis environment is used to determine how input collected from an execution environment is used by suspicious software. The methods and systems described identify use of environmental information to decide between execution paths leading to malicious behavior or benign activity. In one aspect, one embodiment of the invention relates to a method comprising monitoring execution of suspect computer instructions; recognizing access by the instructions of an item of environmental information; identifying a plurality of execution paths in the instructions dependent on a branch in the instructions based on a value of the accessed item of environmental information; and determining that a first execution path results in benign behavior and that a second execution path results in malicious behavior. The method comprises classifying the computer instructions as evasive malware responsive to the determination.
20 Claims
1. A method of classifying malicious computer code, the method comprising:
- monitoring, by one or more computing processors, execution in a computing environment of a computer program comprising suspicious computer code;
- detecting, by at least one of the one or more computing processors, access by the computer program of an item of environmental information for the computing environment;
- identifying a branch in the computer program where the branch is based on a value of the accessed item of environmental information;
- identifying a plurality of execution paths in the computer program stemming from the identified branch in the computer program;
- causing execution of the plurality of execution paths by:
  - creating a snapshot of the computing environment;
  - monitoring execution of the computer program in the computing environment consistent with the snapshot;
  - restoring the computing environment to the snapshot;
  - altering the accessed item of environmental information in the restored computing environment; and
  - monitoring execution of the computer program in the restored computing environment consistent with the altered item of environmental information;
- determining, based on the execution of the plurality of execution paths, that a first execution path in the plurality of execution paths results in benign behavior and that a second execution path in the plurality of execution paths results in malicious behavior; and
- classifying the computer program as evasive malware responsive to the determining.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A system for classifying malicious computer code, the system comprising one or more computing processors configured to:
- monitor execution in a computing environment of a computer program comprising suspicious computer code;
- detect access by the computer program of an item of environmental information for the computing environment;
- identify a branch in the computer program where the branch is based on a value of the accessed item of environmental information;
- identify a plurality of execution paths in the computer program stemming from the identified branch in the computer program;
- cause execution of the plurality of execution paths by:
  - creating a snapshot of the computing environment;
  - monitoring execution of the computer program in the computing environment consistent with the snapshot;
  - restoring the computing environment to the snapshot;
  - altering the accessed item of environmental information in the restored computing environment; and
  - monitoring execution of the computer program in the restored computing environment consistent with the altered item of environmental information;
- determine, based on the execution of the plurality of execution paths, that a first execution path in the plurality of execution paths results in benign behavior and that a second execution path in the plurality of execution paths results in malicious behavior; and
- classify the computer program as evasive malware responsive to the determining.

Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20
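The snapshot, alter and re-run loop recited in claims 1 and 12, as an added toy model that is not code from the patent or its assignee. It assumes the computing environment is a dict of strings, the suspicious program is a Python callable, and a branch on environmental information is approximated by logging equality tests on values read from the environment; all names (`Tainted`, `TracedEnv`, `classify`, the behaviour labels) are hypothetical.

```python
import copy

MALICIOUS = {"delete_shadow_copies", "encrypt_files"}  # constructed behaviour labels

class Tainted(str):
    """Environment value that logs each equality test made on it (a candidate branch)."""
    def __new__(cls, value, key, log):
        obj = super().__new__(cls, value)
        obj.key, obj.log = key, log
        return obj
    def __eq__(self, other):
        self.log.append((self.key, other))   # which item, and what it was compared with
        return str.__eq__(self, other)
    __hash__ = str.__hash__

class TracedEnv:
    """Read-only view of the environment that hands out tainted values."""
    def __init__(self, values):
        self.values, self.branches = values, []
    def get(self, key):
        return Tainted(self.values[key], key, self.branches)

def run(sample, values):
    """Monitor one execution: return the branches seen and the actions performed."""
    env, actions = TracedEnv(values), []
    sample(env, actions.append)
    return env.branches, actions

def classify(sample, environment):
    snapshot = copy.deepcopy(environment)        # create a snapshot
    branches, first = run(sample, environment)   # monitor the path taken as-is
    paths = [first]
    for key, compared in branches:
        restored = copy.deepcopy(snapshot)       # restore to the snapshot
        # alter the accessed item so the comparison takes the other outcome
        restored[key] = compared if snapshot[key] != compared else compared + "_x"
        paths.append(run(sample, restored)[1])   # monitor the altered path
    verdicts = {bool(MALICIOUS & set(p)) for p in paths}
    if verdicts == {True, False}:                # one benign path, one malicious path
        return "evasive malware"
    return "malware" if verdicts == {True} else "benign"

def evasive_sample(env, act):  # constructed stand-in for a suspicious program
    if env.get("username") == "sandbox":
        act("sleep")
    else:
        act("encrypt_files")
```

A production analysis system would identify the branch with instruction-level taint tracking and snapshot a whole virtual machine; the dict copy and the `__eq__` hook stand in for both here.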
Specification