Cross-view malware detection
First Claim
1. A computing apparatus comprising:
- a processor;
- a memory; and
- one or more hardware and/or software logic elements comprising a crossview detection engine operable for:
  - observing a first operation performed by an executable object on the memory at a first computational abstraction level;
  - observing a substantially simultaneous second operation performed by the executable object on the memory at a second computational abstraction level, wherein the second abstraction level is different from the first abstraction level;
  - determining that the first operation does not substantially have the same computational effect as the second operation, comprising converting the first operation and the second operation into a comparable format; and
  - designating the executable object as suspect.
Abstract
In an example, a cross-view detection engine is disclosed for detecting malware behavior. Malware may attempt to avoid detection by remaining in volatile memory for as long as possible, and writing to disk only when necessary. To avoid detection, the malware may also provide a pseudo-driver at a file system level that performs legitimate-looking dummy operations. A firmware-level driver may simultaneously perform malicious operations. The cross-view detection engine detects this behavior by deconstructing call traces from the file system-level operations, and reconstructing call traces from firmware-level operations. If the traces do not match, the object may be flagged as suspicious.
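As an added illustration of the comparison the abstract describes (this is not the patent's own implementation), the following Python converts a file-system-level trace and a firmware-level block trace into one comparable format and flags any mismatch. The extent map, both traces and the 512-byte sector size are constructed assumptions.

```python
# Added illustration of cross-view detection: a file-system-level trace and a
# firmware-level (block device) trace are converted into one comparable format,
# sets of (operation, logical block address) pairs, and then compared.
# The extent map and both traces below are constructed sample data.

SECTOR_BYTES = 512  # assumed sector size

# Constructed file -> list of (first_lba, sector_count) extents, i.e. where the
# file system level would place each file on the device.
EXTENTS = {
    "/var/log/app.log": [(2048, 8)],
    "/boot/loader.bin": [(64, 16)],
}

FS_TRACE = [  # constructed file-system-level operations
    {"op": "write", "path": "/var/log/app.log", "offset": 0, "length": 1024},
]
FW_TRACE = [  # constructed firmware-level operations observed at the same time
    {"op": "write", "lba": 2048, "count": 2},  # explained by the log write
    {"op": "write", "lba": 64, "count": 4},    # no file-level counterpart
]


def fs_to_sectors(fs_ops, extents=EXTENTS):
    """Translate file-level ops into (op, lba) pairs via the extent map."""
    out = set()
    for op in fs_ops:
        first = op["offset"] // SECTOR_BYTES
        count = -(-op["length"] // SECTOR_BYTES)  # ceiling division
        sectors = [lba for start, n in extents[op["path"]]
                   for lba in range(start, start + n)]
        out.update((op["op"], lba) for lba in sectors[first:first + count])
    return out


def fw_to_sectors(fw_ops):
    """Firmware-level ops already address sectors; expand each LBA range."""
    return {(op["op"], lba)
            for op in fw_ops for lba in range(op["lba"], op["lba"] + op["count"])}


def cross_view_check(fs_ops, fw_ops, extents=EXTENTS):
    """Return (suspect, hidden, missing). hidden: device-level ops with no
    file-level explanation; missing: file-level ops that never hit the device."""
    expected = fs_to_sectors(fs_ops, extents)
    observed = fw_to_sectors(fw_ops)
    hidden = sorted(observed - expected)
    missing = sorted(expected - observed)
    return bool(hidden or missing), hidden, missing


if __name__ == "__main__":
    print(cross_view_check(FS_TRACE, FW_TRACE))
```

A mismatch in either direction is reported: device writes the file-system view cannot explain, and file-system writes that never reached the device.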
25 Claims
1. A computing apparatus comprising:
- a processor;
- a memory; and
- one or more hardware and/or software logic elements comprising a crossview detection engine operable for:
  - observing a first operation performed by an executable object on the memory at a first computational abstraction level;
  - observing a substantially simultaneous second operation performed by the executable object on the memory at a second computational abstraction level, wherein the second abstraction level is different from the first abstraction level;
  - determining that the first operation does not substantially have the same computational effect as the second operation, comprising converting the first operation and the second operation into a comparable format; and
  - designating the executable object as suspect.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13

14. One or more non-transitory computer-readable mediums having stored thereon executable instructions for providing a cross-view detection engine operable for:
- observing a first operation performed by an executable object on a memory at a first computational abstraction level;
- observing a substantially simultaneous second operation performed by the executable object on the memory at a second computational abstraction level, wherein the second abstraction level is different from the first abstraction level;
- determining that the first operation does not substantially have the same computational effect as the second operation, comprising converting the first operation and the second operation into a comparable format; and
- designating the executable object as suspicious.

Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23

24. A computer-implemented method of providing a cross-view detection engine, comprising:
- observing a first operation performed by an executable object on the memory at a first computational abstraction level;
- observing a substantially simultaneous second operation performed by the executable object on the memory at a second computational abstraction level, wherein the second abstraction level is different from the first abstraction level;
- determining that the first operation does not substantially have the same computational effect as the second operation, comprising converting the first operation and the second operation into a comparable format; and
- designating the executable object as suspicious.

Dependent claim: 25
Specification