Cross-view malware detection

US 9,609,005 B2
Filed: 09/25/2014
Issued: 03/28/2017
Est. Priority Date: 09/25/2014
Status: Active Grant

First Claim

Patent Images

1. A computing apparatus comprising:

a processor;

a memory; and

one or more hardware and/or software logic elements comprising a crossview detection engine operable for;

observing a first operation performed by an executable object on the memory at a first computational abstraction level;

observing a substantially simultaneous second operation performed by the executable object on the memory at a second computational abstraction level, wherein the second abstraction level is different from the first abstraction level;

determining that the first operation does not substantially have the same computational effect as the second operation, comprising converting the first operation and the second operation into a comparable format; and

designating the executable object as suspect.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example, a cross-view detection engine is disclosed for detecting malware behavior. Malware may attempt to avoid detection by remaining in volatile memory for as long as possible, and writing to disk only when necessary. To avoid detection, the malware may also provide a pseudo-driver at a file system level that performs legitimate-looking dummy operations. A firmware-level driver may simultaneously perform malicious operations. The cross-view detection engine detects this behavior by deconstructing call traces from the file system-level operations, and reconstructing call traces from firmware-level operations. If the traces do not match, the object may be flagged as suspicious.

13 Citations

View as Search Results

25 Claims

1. A computing apparatus comprising:
- a processor;
  
  a memory; and
  
  one or more hardware and/or software logic elements comprising a crossview detection engine operable for;
  
  observing a first operation performed by an executable object on the memory at a first computational abstraction level;
  
  observing a substantially simultaneous second operation performed by the executable object on the memory at a second computational abstraction level, wherein the second abstraction level is different from the first abstraction level;
  
  determining that the first operation does not substantially have the same computational effect as the second operation, comprising converting the first operation and the second operation into a comparable format; and
  
  designating the executable object as suspect.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computing apparatus of claim 1, wherein the first abstraction level is a file system driver level.
  - 3. The computing apparatus of claim 1, wherein the second abstraction level is a firmware level.
  - 4. The computing apparatus of claim 1, wherein the second abstraction level is a lower abstraction level than the first abstraction level.
  - 5. The computing apparatus of claim 1, wherein the second operation is a write operation.
  - 6. The computing apparatus of claim 1, wherein acting on the determination comprises designating the executable object as malware.
  - 7. The computing apparatus of claim 1, wherein acting on the determination comprises designating the executable object as suspicious and reporting the executable object to a server.
  - 8. The computing apparatus of claim 1, wherein making a determination that the first operation does not substantially match the second operation comprises reconstructing one or more call traces from the second operation.
  - 9. The computing apparatus of claim 1, wherein making a determination that the first operation does not substantially match the second operation comprises deconstructing one or more call traces from the first operation.
  - 10. The computing apparatus of claim 1, wherein making a determination that the first operation does not substantially match the second operation comprises:
    - reconstructing one or more call traces from the second operation;
      
      deconstructing one or more call traces from the first operation; and
      
      comparing the reconstructed call traces to the deconstructed call traces.
  - 11. The computing apparatus of claim 1, wherein observing the first operation performed by the executable object on the memory at the first abstraction level comprises performing dynamic analysis of system-level call tracing.
  - 12. The computing apparatus of claim 11, wherein observing the first operation performed by the executable object on the memory at the first abstraction level further comprises real-time analysis of call traces.
  - 13. The computing apparatus of claim 1, wherein observing the substantially simultaneous second operation performed by the executable object on the memory at a second abstraction level comprises intercepting disk access information from disk protocols.

14. One or more non-transitory computer-readable mediums having stored thereon executable instructions for providing a cross-view detection engine operable for:
- observing a first operation performed by an executable object on a memory at a first computational abstraction level;
  
  observing a substantially simultaneous second operation performed by the executable object on the memory at a second computational abstraction level, wherein the second abstraction level is different from the first abstraction level;
  
  determining that the first operation does not substantially have the same computational effect as the second operation, comprising converting the first operation and the second operation into a comparable format; and
  
  designating the executable object as suspicious.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The one or more computer-readable mediums of claim 14, wherein the first abstraction level is a file system driver level.
  - 16. The one or more computer-readable mediums of claim 14, wherein the second abstraction level is a firmware level.
  - 17. The one or more computer-readable mediums of claim 14, wherein the second abstraction level is a lower abstraction level than the first abstraction level.
  - 18. The one or more computer-readable mediums of claim 14, wherein the second operation is a write operation.
  - 19. The one or more computer-readable mediums of claim 14, wherein acting on the determination comprises designating the executable object as malware.
  - 20. The one or more computer-readable mediums of claim 14, wherein acting on the determination comprises designating the executable object as suspicious and reporting the executable object to a server.
  - 21. The one or more computer-readable mediums of claim 14, wherein making a determination that the first operation does not substantially match the second operation comprises:
    - reconstructing one or more call traces from the second operation;
      
      deconstructing one or more call traces from the first operation; and
      
      comparing the reconstructed call traces to the deconstructed call traces.
  - 22. The one or more computer-readable mediums of claim 14, wherein observing the first operation performed by the executable object on the memory at the first abstraction level comprises performing real-time dynamic analysis of system-level call tracing.
  - 23. The one or more computer-readable mediums of claim 14, wherein observing the substantially simultaneous second operation performed by the executable object on the memory at a second abstraction level comprises intercepting disk access information from disk protocols.

24. A computer-implemented method of providing a cross-view detection engine, comprising:
- observing a first operation performed by an executable object on the memory at a first computational abstraction level;
  
  observing a substantially simultaneous second operation performed by the executable object on the memory at a second computational abstraction level, wherein the second abstraction level is different from the first abstraction level;
  
  determining that the first operation does not substantially have the same computational effect as the second operation, comprising converting the first operation and the second operation into a comparable format; and
  
  designating the executable object as suspicious.
- View Dependent Claims (25)
- - 25. The method of claim 24, wherein making a determination that the first operation does not substantially match the second operation comprises:
    - reconstructing one or more call traces from the second operation;
      
      deconstructing one or more call traces from the first operation; and
      
      comparing the reconstructed call traces to the deconstructed call traces.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Hunt, Simon, Mankin, Jennifer, Zimmerman, Jeffrey
Primary Examiner(s)
Siddiqi, Mohammad A

Application Number

US14/496,860
Publication Number

US 20160094570A1
Time in Patent Office

915 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

Cross-view malware detection

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Cross-view malware detection

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links