Detecting malware based on reflection
Abstract
According to one embodiment of the disclosure, a computerized method is described that detects a malicious object through its attempt to use reflection. The computerized method comprises receiving, by a network device, an object for analysis. Thereafter, the network device conducts a first analysis within a sandboxed environment. The first analysis determines whether the object is configured to use reflection. According to one embodiment, the first analysis involves analysis of the content of the object by a static analysis engine. Alternatively, or in addition to this analysis, the object's behavior, namely an attempt to access a reflection API, may establish that the object is using reflection. Responsive to the network device determining that the object uses reflection, a second analysis is conducted to determine whether the object is malicious.
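The abstract describes a two-stage pipeline: a cheap static check for reflection use that gates a more expensive dynamic analysis. The following Python is an added illustration, not code from the patent or any product it describes. It assumes the object is a Java class file (the patent names no particular language or reflection API) and parses the class file's constant pool to resolve Methodref entries into class-and-member names, flagging calls into java.lang.Class and java.lang.reflect.*; only objects with such call sites are routed to the second stage, which is left as a label here. The two sample class-file prefixes are constructed inline for the demonstration and are not loadable classes.

```python
import struct

# Reflection entry points the static pass looks for (assumed list, not the patent's).
REFLECTION_CLASSES = ("java/lang/Class", "java/lang/invoke/MethodHandle")
REFLECTION_PREFIX = "java/lang/reflect/"
REFLECTION_MEMBERS = ("forName", "getMethod", "getDeclaredMethod", "invoke", "newInstance")


def parse_constant_pool(data: bytes) -> dict:
    """Parse the constant pool of a Java class file into {index: (tag, payload)}."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack_from(">H", data, 8)[0]   # cp_count follows magic + minor + major
    pool, off, idx = {}, 10, 1
    while idx < count:
        tag = data[off]
        off += 1
        if tag == 1:                                  # CONSTANT_Utf8: u2 length + bytes
            ln = struct.unpack_from(">H", data, off)[0]
            pool[idx] = (tag, data[off + 2:off + 2 + ln].decode("utf-8", "replace"))
            off += 2 + ln
        elif tag in (3, 4):                           # Integer, Float
            pool[idx] = (tag, data[off:off + 4])
            off += 4
        elif tag in (5, 6):                           # Long, Double take two pool slots
            pool[idx] = (tag, data[off:off + 8])
            off += 8
            idx += 1
        elif tag in (7, 8, 16, 19, 20):               # Class, String, MethodType, Module, Package
            pool[idx] = (tag, struct.unpack_from(">H", data, off)[0])
            off += 2
        elif tag in (9, 10, 11, 12, 17, 18):          # *ref, NameAndType, Dynamic, InvokeDynamic
            pool[idx] = (tag, struct.unpack_from(">HH", data, off))
            off += 4
        elif tag == 15:                               # MethodHandle: u1 kind + u2 index
            pool[idx] = (tag, (data[off], struct.unpack_from(">H", data, off + 1)[0]))
            off += 3
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {off - 1}")
        idx += 1
    return pool


def reflection_call_sites(data: bytes) -> list:
    """Static stage: resolve Methodref/InterfaceMethodref entries and return
    'class.member' strings for calls into reflection APIs."""
    pool = parse_constant_pool(data)
    hits = []
    for tag, payload in pool.values():
        if tag not in (10, 11):
            continue
        class_idx, nat_idx = payload
        class_name = pool[pool[class_idx][1]][1]      # Class -> Utf8
        name_idx, _desc_idx = pool[nat_idx][1]        # NameAndType -> (name, descriptor)
        member = pool[name_idx][1]
        is_reflective = class_name.startswith(REFLECTION_PREFIX) or class_name in REFLECTION_CLASSES
        if is_reflective and member in REFLECTION_MEMBERS:
            hits.append(f"{class_name}.{member}")
    return hits


def triage(data: bytes) -> str:
    """Gate: only objects that reference reflection go on to the dynamic stage."""
    return "dynamic-analysis" if reflection_call_sites(data) else "no-reflection"


def build_class_file(methodrefs) -> bytes:
    """Construct a class-file prefix whose constant pool holds the given
    (class, name, descriptor) Methodrefs. Constructed test input only."""
    entries = []

    def add(entry: bytes) -> int:
        entries.append(entry)
        return len(entries)                            # constant pool indices are 1-based

    for cls, name, desc in methodrefs:
        c = add(b"\x07" + struct.pack(">H", add(b"\x01" + struct.pack(">H", len(cls)) + cls.encode())))
        ni = add(b"\x01" + struct.pack(">H", len(name)) + name.encode())
        di = add(b"\x01" + struct.pack(">H", len(desc)) + desc.encode())
        nat = add(b"\x0c" + struct.pack(">HH", ni, di))
        add(b"\x0a" + struct.pack(">HH", c, nat))
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(entries) + 1)
    return header + b"".join(entries)


# Constructed samples: one loads a class by name and invokes a method reflectively,
# the other only prints and builds strings.
SUSPECT = build_class_file([
    ("java/lang/Class", "forName", "(Ljava/lang/String;)Ljava/lang/Class;"),
    ("java/lang/reflect/Method", "invoke", "(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;"),
    ("java/io/PrintStream", "println", "(Ljava/lang/String;)V"),
])
BENIGN = build_class_file([
    ("java/io/PrintStream", "println", "(Ljava/lang/String;)V"),
    ("java/lang/StringBuilder", "append", "(Ljava/lang/String;)Ljava/lang/StringBuilder;"),
])

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, reflection_call_sites(blob), "->", triage(blob))
```

Matching on the resolved class and member pair, rather than on the bare string "java/lang/Class", keeps ordinary uses such as `.class` literals or `getName()` from tripping the gate, which is what keeps the second, costlier stage reserved for objects that actually reach reflective entry points.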
25 Claims
1. A computerized method comprising:
- receiving, by a network device, an object for analysis;
- conducting, by the network device, a first analysis to determine whether the object is configured to invoke reflection operations at run-time; and
- responsive to the network device determining that the object is configured to invoke reflection operations at run-time, conducting a second analysis within one or more virtual machines to determine whether the object is deemed to be malicious.
Dependent claims: 2 to 11.

12. A computerized method comprising:
- receiving, by a network device, an object for analysis;
- conducting, by the network device, a first analysis to determine whether, during processing of the object within a virtual machine, the object is issuing one or more function calls that invoke reflection operations; and
- responsive to the network device determining that the object is issuing calls that invoke reflection operations, conducting a second analysis to determine whether the object is malicious.
Dependent claims: 13 to 17.

18. A network device comprising:
- a communication interface configured to receive an incoming object, the communication interface includes a connector adapted for coupling to a wired communication medium;
- a static analysis engine communicatively coupled to the communication interface, the static analysis engine to receive the object and perform a first analysis of the object, the first analysis determines whether the object is configured to invoke reflection operations at run-time; and
- a classification system communicatively coupled to the static analysis engine, the classification system, in response to the static analysis engine determining that the object is configured to invoke reflection operations at run-time, conducts a second analysis by processing the object within one or more virtual machines to determine whether the object is malicious.
Dependent claims: 19 to 23.

24. A network device comprising:
- a communication interface configured to receive an incoming object, the communication interface includes one of (i) a connector adapted for coupling to a wired communication medium or (ii) a radio unit with one or more antennas for wireless connectivity for receiving the incoming object;
- a dynamic analysis engine communicatively coupled to the communication interface, the dynamic analysis engine to receive the object and perform a first analysis of the object, the first analysis determines, during processing of the object within a virtual machine, whether the object is invoking reflection operations based on one or more function calls; and
- a classification system communicatively coupled to the static analysis engine, the classification system, in response to the static analysis engine determining that the object is invoking reflection operations, conducts a second analysis to determine whether the object is malicious.

25. A non-transitory storage medium including software that, when executed by a processor implemented with a network device, causes the network device to detect whether an object under analysis is associated with a malicious attack by performing operations comprising:
- conducting at least one of (1) a first analysis to determine whether an object received for analysis is configured to invoke reflection operations at run-time and (2) a second analysis to determine, during processing of the object within a virtual machine, whether the object is issuing one or more function calls that invoke reflection operations; and
- responsive to the network device determining that the object is configured to invoke reflection operations at run-time, conducting a third analysis to determine whether the object is malicious.

Specification