Robust malware detector
First Claim
1. A malware detection and diffusion system comprising:
- at least one server side computer; and
- at least one client side computer;
wherein:
- at least one malware sample is processed in at least one server side computer by intercepting all of the malware's system calls in kernel mode;
- at least one signature is formed for each malware sample by a server side computer having at least one stop call at or prior to a fixing moment;
- the signature is distributed by the server side computer to at least one client side computer, wherein:
- a driver hooks all of the system calls at the kernel level of the operating system of the client side computer in real time, without use of emulation;
- the system calls are processed by a filter to remove trusted system calls;
- the system calls not removed by the filter are accumulated on a per-thread basis and checked for a stop call;
- a detector compares the thread associated with the stop call to the signature for a match with malware prior to the fixing moment; and
- the thread that is matched with malware is addressed at the fixing moment.
3 Assignments
0 Petitions
Abstract
A system, method and computer readable medium for detecting and diffusing malware on a computer. Malware is analyzed to generate signatures and determine a fixing moment. All of the system calls of the operating system of a client computer are hooked and processed without emulation or the need for unpackers or decrypters, and a multi-level filter removes all system calls that are not associated with malware. The resulting system calls are accumulated on a per-thread basis and scanned, and the relevant threads are compared with the signatures to match with malware. The threads associated with malware are addressed at the fixing moment before the malware can operate to cause undesirable effects on the client computer.
38 Citations
30 Claims
- 1. A malware detection and diffusion system comprising: at least one server side computer; and at least one client side computer; wherein: at least one malware sample is processed in at least one server side computer by intercepting all of the malware's system calls in kernel mode; at least one signature is formed for each malware sample by a server side computer having at least one stop call at or prior to a fixing moment; the signature is distributed by the server side computer to at least one client side computer, wherein: a driver hooks all of the system calls at the kernel level of the operating system of the client side computer in real time, without use of emulation; the system calls are processed by a filter to remove trusted system calls; the system calls not removed by the filter are accumulated on a per-thread basis and checked for a stop call; a detector compares the thread associated with the stop call to the signature for a match with malware prior to the fixing moment; and the thread that is matched with malware is addressed at the fixing moment. (Dependent claims: 2, 3, 4, 5, 6, 19, 20, 21, 22)
- 7. A method for detecting and diffusing malware on a computer, the method comprising the steps of: processing at least one malware sample on at least one server side computer by intercepting all of the malware's system calls in kernel mode; forming a signature for each malware sample having at least one stop call at or prior to a fixing moment; distributing the signature to at least one client side computer; hooking all of the system calls at the kernel level of the operating system of the client side computer in real time, without use of emulation; processing all of the hooked system calls through a filter to remove trusted system calls; accumulating the system calls not removed by the filter process on a per-thread basis; checking the system calls not removed by the filter for a stop call; comparing the thread associated with the stop call to the signature for a match with malware prior to the fixing moment; and addressing the thread matched with malware at the fixing moment. (Dependent claims: 8, 9, 10, 11, 12, 23, 24, 25, 26)
- 13. A non-transitory computer readable medium comprising software comprising: code for processing at least one malware sample on at least one server side computer by intercepting all of the malware's system calls in kernel mode; code for forming a signature for each malware sample having at least one stop call at or prior to a fixing moment; code for distributing the signature to at least one client side computer; code for hooking all of the system calls at the kernel level of the operating system of the client side computer in real time, without use of emulation; code for processing all of the hooked system calls through a filter to remove trusted system calls; code for accumulating the system calls not removed by the filter process on a per-thread basis; code for checking the system calls not removed by the filter for a stop call; code for comparing the threads associated with the stop call to the signature for a match with malware prior to the fixing moment; and code for addressing the thread matched with malware at the fixing moment. (Dependent claims: 14, 15, 16, 17, 18, 27, 28, 29, 30)
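The client side pipeline that claims 1, 7 and 13 describe (filter out trusted calls, accumulate the rest per thread, check for a stop call, compare the thread's history with a signature before the fixing moment) can be modelled in user space. The following is an added example written for this page; it is not code from the patent or its assignee, and the kernel hook is simulated by feeding a constructed `(tid, call)` trace into `Detector.on_syscall`. The trusted-call set, the `Signature` class, the `sample_A` signature and every call name in the trace are assumptions chosen for illustration. A signature here is an ordered sequence of filtered calls whose last element is the stop call; a thread matches when that sequence appears, in order, within its own filtered history, which is what makes per-thread accumulation matter.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed for this example: the names resemble Windows native calls, but
# the trusted set and the signature are illustrative, not taken from the patent.
TRUSTED_CALLS = {"NtClose", "NtQueryPerformanceCounter",
                 "NtQueryInformationProcess"}


@dataclass(frozen=True)
class Signature:
    name: str
    sequence: tuple  # ordered filtered calls; the final call is the stop call

    @property
    def stop_call(self):
        return self.sequence[-1]


# Constructed signature: an ordered four-call pattern whose last call is the
# stop call, i.e. the point at or before which the thread must be addressed.
SIGNATURES = (
    Signature("sample_A", ("NtOpenProcess", "NtAllocateVirtualMemory",
                           "NtWriteVirtualMemory", "NtCreateThreadEx")),
)


def is_subsequence(needle, haystack):
    """True if every element of needle occurs in haystack in the same order
    (other calls may be interleaved between them)."""
    it = iter(haystack)
    return all(any(h == n for h in it) for n in needle)


class Detector:
    """Client side stages: filter -> per-thread accumulation -> stop-call check
    -> signature comparison. The kernel hook itself is simulated by the caller."""

    def __init__(self, signatures=SIGNATURES, trusted=TRUSTED_CALLS):
        self.signatures = signatures
        self.trusted = trusted
        self.stop_calls = {s.stop_call for s in signatures}
        self.history = defaultdict(list)   # tid -> filtered calls, in order
        self.verdicts = {}                 # tid -> matched signature name

    def on_syscall(self, tid, call):
        """Invoked once per hooked system call. Returns the matched signature
        name at the fixing moment (so the caller can address the thread before
        the call proceeds), otherwise None."""
        if tid in self.verdicts:
            return self.verdicts[tid]      # thread already addressed
        if call in self.trusted:
            return None                    # filter stage: trusted call dropped
        hist = self.history[tid]
        hist.append(call)                  # accumulation stage, per thread
        if call not in self.stop_calls:
            return None                    # only stop calls trigger matching
        for sig in self.signatures:
            if sig.stop_call == call and is_subsequence(sig.sequence, hist):
                self.verdicts[tid] = sig.name
                return sig.name
        return None


def run_trace(trace, detector=None):
    """Feed (tid, call) events through a detector; return {tid: signature}."""
    det = detector or Detector()
    for tid, call in trace:
        det.on_syscall(tid, call)
    return dict(det.verdicts)


# Constructed trace. Thread 10 is a benign worker that happens to reach the stop
# call; thread 20 shows the full pattern with trusted calls interleaved; threads
# 30 and 31 split the pattern between two threads, so neither matches on its own.
SAMPLE_TRACE = [
    (10, "NtOpenFile"), (10, "NtReadFile"), (10, "NtClose"), (10, "NtCreateThreadEx"),
    (20, "NtQueryPerformanceCounter"), (20, "NtOpenProcess"), (20, "NtClose"),
    (20, "NtAllocateVirtualMemory"), (20, "NtQueryInformationProcess"),
    (20, "NtWriteVirtualMemory"), (20, "NtCreateThreadEx"),
    (30, "NtOpenProcess"), (30, "NtAllocateVirtualMemory"),
    (31, "NtWriteVirtualMemory"), (31, "NtCreateThreadEx"),
]

if __name__ == "__main__":
    print(run_trace(SAMPLE_TRACE))  # {20: 'sample_A'}
```

Only thread 20 is flagged, and it is flagged on the stop call itself rather than afterwards, which is the "prior to the fixing moment" property the claims require. The page does not say what "addressing" the thread consists of, so the detector only reports the match and leaves that decision to the hook's caller.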
Specification