Robust malware detector

US 9,372,989 B2
Filed: 02/13/2014
Issued: 06/21/2016
Est. Priority Date: 02/15/2013
Status: Active Grant

First Claim

Patent Images

1. A malware detection and diffusion system comprising:

at least one server side computer; and

at least one client side computer;

wherein;

at least one malware sample is processed in at least one server side computer by intercepting all of the malware'"'"'s system calls in kernel mode;

at least one signature is formed for each malware sample by a server side computer having at least one stop call at or prior to a fixing moment;

the signature is distributed by the server side computer to at least one client side computer,wherein;

a driver hooks all of the system calls at the kernel level of the operating system of the client side computer in real time, without use of emulation;

the systems calls are processed by a filter to remove trusted system calls;

the system calls not removed by the filter are accumulated on a per-thread basis and checked for a stop call;

a detector compares the thread associated with the stop call to the signature for a match with malware prior to the fixing moment; and

the thread that is matched with malware is addressed at the fixing moment.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer readable medium for detecting and diffusing malware on a computer. Malware is analyzed to generate signatures and determine a fixing moment. All of the system calls of the operating system of a client computer are hooked and processed without emulation or the need for unpackers or decrypters, and a multi-level filter removes all system calls that are not associated with malware. The resulting system calls are accumulated on a per-thread basis and scanned, and the relevant threads are compared with the signatures to match with malware. The threads associated with malware are addressed at the fixing moment before the malware can operate to cause undesirable effects on the client computer.

38 Citations

View as Search Results

30 Claims

1. A malware detection and diffusion system comprising:
- at least one server side computer; and
  
  at least one client side computer;
  
  wherein;
  
  at least one malware sample is processed in at least one server side computer by intercepting all of the malware'"'"'s system calls in kernel mode;
  
  at least one signature is formed for each malware sample by a server side computer having at least one stop call at or prior to a fixing moment;
  
  the signature is distributed by the server side computer to at least one client side computer,wherein;
  
  a driver hooks all of the system calls at the kernel level of the operating system of the client side computer in real time, without use of emulation;
  
  the systems calls are processed by a filter to remove trusted system calls;
  
  the system calls not removed by the filter are accumulated on a per-thread basis and checked for a stop call;
  
  a detector compares the thread associated with the stop call to the signature for a match with malware prior to the fixing moment; and
  
  the thread that is matched with malware is addressed at the fixing moment.
- View Dependent Claims (2, 3, 4, 5, 6, 19, 20, 21, 22)
- - 2. The malware detection and diffusion system of claim 1, wherein the signature contains at least one junk system call inserted in any position.
  - 3. The malware detection and diffusion system of claim 1, wherein the filter uses a multiplicity of filtering process levels.
  - 4. The malware detection and diffusion system of claim 3, wherein the filtering process levels comprise at least the following levels:
    - a filtering process level which identifies whether a system call is associated with a trusted process;
      
      a filtering process level which identifies whether a system call belongs to a trusted module;
      
      a filtering process level which identifies whether a system call is generated by an operating system loader;
      
      a filtering process level which identifies whether a system call has an invalid argument; and
      
      a filtering process level which identifies whether a system call is associated with low distribution N-gram.
  - 5. The malware detection and diffusion system of claim 1, wherein the detector compares the thread associated with the stop call to the signature by performing a similarity check between system calls history of the thread and the signature.
  - 6. The malware detection and diffusion system of claim 1, wherein the thread associated with the stop call that is matched with malware is addressed by terminating the process associated with the thread.
  - 19. The malware detection and diffusion system of claim 1, wherein the detector performs the per-thread system calls accumulation.
  - 20. The malware detection and diffusion system of claim 19, wherein the detector performs the per-thread system calls accumulation on a per-process basis.
  - 21. The malware detection and diffusion system of claim 20, wherein the detector performs the per-thread system calls accumulation on a per-process basis to allow for multi-threaded malware detection.
  - 22. The malware detection and diffusion system of claim 21, wherein the detector performs the per-thread system calls accumulation on a per-process basis to allow for detection of thread-spreading attempts.

7. A method for detecting and diffusing malware on a computer, the method comprising the steps of:
- processing at least one malware sample on at least one server side computer by intercepting all of the malware'"'"'s system calls in kernel mode;
  
  forming a signature for each malware sample having at least one stop call at or prior to a fixing moment;
  
  distributing the signature to at least one client side computer;
  
  hooking all of the system calls at the kernel level of the operating system of the client side computer in real time, without use of emulation;
  
  processing all of the hooked system calls through a filter to remove trusted system calls;
  
  accumulating the system calls not removed by the filter process on a per-thread basis;
  
  checking the system calls not removed by the filter for a stop call;
  
  comparing the thread associated with the stop call to the signature for a match with malware prior to the fixing moment; and
  
  addressing the thread matched with malware at the fixing moment.
- View Dependent Claims (8, 9, 10, 11, 12, 23, 24, 25, 26)
- - 8. The method of claim 7, wherein the signature contains at least one junk system call inserted in any position.
  - 9. The method of claim 7, wherein the filter uses a multiplicity of filtering process levels.
  - 10. The method of claim 9, wherein the filtering process levels comprise at least the following levels:
    - a filtering process level which identifies whether a system call is associated with a trusted process;
      
      a filtering process level which identifies whether a system call belongs to a trusted module;
      
      a filtering process level which identifies whether a system call is generated by an operating system loader;
      
      a filtering process level which identifies whether a system call has an invalid argument; and
      
      a filtering process level which identifies whether a system call is associated with low distribution N-gram.
  - 11. The method of claim 7, wherein a detector compares the thread associated with the stop call to the signature by performing a similarity check between system calls history of the thread and the signature.
  - 12. The method of claim 7, wherein the thread associated with the stop call that is matched with malware is addressed by terminating the process associated with the thread.
  - 23. The method of claim 7, wherein a detector performs the per-thread system calls accumulation.
  - 24. The method of claim 23, wherein a detector performs the per-thread system calls accumulation on a per-process basis.
  - 25. The method of claim 24, wherein a detector performs the per-thread system calls accumulation on a per-process basis to allow for multi-threaded malware detection.
  - 26. The method of claim 25, wherein a detector performs the per-thread system calls accumulation on a per-process basis to allow for detection of thread-spreading attempts.

13. A non-transitory computer readable medium comprising software comprising:
- code for processing at least one malware sample on at least one server side computer by intercepting all of the malware'"'"'s system calls in kernel mode;
  
  code for forming a signature for each malware sample having at least one stop call at or prior to a fixing moment;
  
  code for distributing the signature to at least one client side computer;
  
  code for hooking all of the system calls at the kernel level of the operating system of the client side computer in real time, without use of emulation;
  
  code for processing all of the hooked system calls through a filter to remove trusted system calls;
  
  code for accumulating the system calls not removed by the filter process on a per-thread basis;
  
  code for checking the system calls not removed by the filter for a stop call;
  
  code for comparing the threads associated with the stop call to the signature for a match with malware prior to the fixing moment; and
  
  code for addressing the thread matched with malware at the fixing moment.
- View Dependent Claims (14, 15, 16, 17, 18, 27, 28, 29, 30)
- - 14. The non-transitory computer readable medium of claim 13, further comprising code for the signature to contain at least one system call inserted in any position.
  - 15. The non-transitory computer readable medium of claim 13, further comprising code for the filter to use a multiplicity of filtering process levels.
  - 16. The non-transitory computer readable medium of claim 15, further comprising code for the filtering process levels to comprise at least the following levels:
    - a filtering process level which identifies whether a system call is associated with a trusted process;
      
      a filtering process level which identifies whether a system call belongs to a trusted module;
      
      a filtering process level which identifies whether a system call is generated by an operating system loader;
      
      a filtering process level which identifies whether a system call has an invalid argument; and
      
      a filtering process level which identifies whether a system call is associated with low distribution N-gram.
  - 17. The non-transitory computer readable medium of claim 13, further comprising code for a detector to compare the thread associated with the stop call to the signature by performing a similarity check between system calls history of the thread and the signature.
  - 18. The non-transitory computer readable medium of claim 13, further comprising code for addressing the thread associated with the stop call that is matched with malware by terminating the process associated with the thread.
  - 27. The non-transitory computer readable medium of claim 13, further comprising code for a detector to perform the per-thread system calls accumulation.
  - 28. The non-transitory computer readable medium of claim 27, further comprising code for a detector to perform the per-thread system calls accumulation on a per-process basis.
  - 29. The non-transitory computer readable medium of claim 28, further comprising code for a detector to perform the per-thread system calls accumulation on a per-process basis to allow for multi-threaded malware detection.
  - 30. The non-transitory computer readable medium of claim 29, further comprising code for a detector to perform the per-thread system calls accumulation on a per-process basis to allow for detection of thread-spreading attempts.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ROMAD Holding, Ltd.
Original Assignee
Systems Of Information Security 2012
Inventors
Grystan, Volodymyr, Evgenyevich, Rusin Dmitry, Tumoyan, Evgeny, Romanenko, Ivan, Kukoba, Anton, Sviridenkov, Anatolii
Primary Examiner(s)
Rahman, Shawnchoy

Application Number

US14/180,110
Publication Number

US 20140237596A1
Time in Patent Office

859 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/566 Dynamic detection, i.e. det...

Robust malware detector

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Robust malware detector

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links