Method of malware detection and system thereof

US 9,710,648 B2
Filed: 08/11/2014
Issued: 07/18/2017
Est. Priority Date: 08/11/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of detecting malware in real time in a live environment, the method implemented on a computer that performs each step of the method, the method comprising:

monitoring one or more operations of at least one program concurrently running in the live environment, wherein the step of monitoring further comprises;

for each monitored operation of the one or more operations, generating an event data characterizing an event representing the monitored operation,wherein said event data includes at least the following attributes of said event;

operation type, and source of the event;

building at least one stateful model in accordance with the one or more operations, wherein the stateful model is a data structure representing information indicative of a real time updated system state resulting from a sequence of linked operations performed in the live environment, wherein the step of building the at least one stateful model comprises;

for each said event data;

i) normalizing the event data giving rise to an abstract event, wherein the abstract event comprises formatted and parsed event data;

ii) retrieving one or more objects from the abstract event, each of said objects representing an entity involved in a corresponding operation and being of a type selected from a group that includes;

process object, file object, network object, registry object and windows object, at least one of said objects representing the source of the event;

iii) identifying one or more relationships among the one or more objects in accordance with said abstract event, the identified relationships including type of the corresponding operation and connections between the objects retrieved from the corresponding operation, and for each object of the one or more objects, generating one or more parameters characterizing said object, the parameters indicative of objects related thereto and identified relationships between the object and the related objects;

giving rise to an event context comprising the one or more objects and the relationships therein; and

iv) in case of said event being a first event of a stateful model, generating a stateful model including said event context;

otherwise updating a previous stateful model based on the event context, said previous stateful model corresponding to at least one previous event that precedes the event, said updating including;

in case said previous stateful model includes said one or more objects, adding the identified relationships in said event context to said previous stateful model;

otherwise in case of at least one object of said one or more objects being a new object that is not included in said previous stateful model, adding said new object and the identified relationships in said event context to the previous stateful model;

thereby giving rise to an updated stateful model representing a hierarchical structure comprising the entities involved in said linked operations and interconnections between the entities which are resulted from the linked operations;

analyzing the at least one stateful model to identify one or more behaviors, wherein the step of analyzing the at least one stateful model comprises;

analyzing the event context in view of the updated stateful model in accordance with one or more predefined behavioral logics, wherein said one or more predefined behavior logics are indicative of behavioral patterns each representing entities having specific interconnections therein resulted from a specific sequence of operations performed thereupon, said analyzing including matching the hierarchical structure represented in the updated stateful model with said one or more predefined behavior logics;

determining that at least one behavior of said one or more behaviors is present if any of said one or more predefined behavioral logics are met, anddetermining the presence of malware based on the identified one or more behaviors.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is provided a system and a computer-implemented method of detecting malware in real time in a live environment. The method comprises: monitoring one or more operations of at least one program concurrently running in the live environment, building at least one stateful model in accordance with the one or more operations, analyzing the at least one stateful model to identify one or more behaviors, and determining the presence of malware based on the identified one or more behaviors.

84 Citations

View as Search Results

33 Claims

1. A computer-implemented method of detecting malware in real time in a live environment, the method implemented on a computer that performs each step of the method, the method comprising:
- monitoring one or more operations of at least one program concurrently running in the live environment, wherein the step of monitoring further comprises;
  
  for each monitored operation of the one or more operations, generating an event data characterizing an event representing the monitored operation,wherein said event data includes at least the following attributes of said event;
  
  operation type, and source of the event;
  
  building at least one stateful model in accordance with the one or more operations, wherein the stateful model is a data structure representing information indicative of a real time updated system state resulting from a sequence of linked operations performed in the live environment, wherein the step of building the at least one stateful model comprises;
  
  for each said event data;
  
  i) normalizing the event data giving rise to an abstract event, wherein the abstract event comprises formatted and parsed event data;
  
  ii) retrieving one or more objects from the abstract event, each of said objects representing an entity involved in a corresponding operation and being of a type selected from a group that includes;
  
  process object, file object, network object, registry object and windows object, at least one of said objects representing the source of the event;
  
  iii) identifying one or more relationships among the one or more objects in accordance with said abstract event, the identified relationships including type of the corresponding operation and connections between the objects retrieved from the corresponding operation, and for each object of the one or more objects, generating one or more parameters characterizing said object, the parameters indicative of objects related thereto and identified relationships between the object and the related objects;
  
  giving rise to an event context comprising the one or more objects and the relationships therein; and
  
  iv) in case of said event being a first event of a stateful model, generating a stateful model including said event context;
  
  otherwise updating a previous stateful model based on the event context, said previous stateful model corresponding to at least one previous event that precedes the event, said updating including;
  
  in case said previous stateful model includes said one or more objects, adding the identified relationships in said event context to said previous stateful model;
  
  otherwise in case of at least one object of said one or more objects being a new object that is not included in said previous stateful model, adding said new object and the identified relationships in said event context to the previous stateful model;
  
  thereby giving rise to an updated stateful model representing a hierarchical structure comprising the entities involved in said linked operations and interconnections between the entities which are resulted from the linked operations;
  
  analyzing the at least one stateful model to identify one or more behaviors, wherein the step of analyzing the at least one stateful model comprises;
  
  analyzing the event context in view of the updated stateful model in accordance with one or more predefined behavioral logics, wherein said one or more predefined behavior logics are indicative of behavioral patterns each representing entities having specific interconnections therein resulted from a specific sequence of operations performed thereupon, said analyzing including matching the hierarchical structure represented in the updated stateful model with said one or more predefined behavior logics;
  
  determining that at least one behavior of said one or more behaviors is present if any of said one or more predefined behavioral logics are met, anddetermining the presence of malware based on the identified one or more behaviors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. The computer-implemented method of claim 1, wherein the monitoring the one or more operations further includes:
    - selecting at least one operation of interest from the one or more operations, and monitoring the selected at least one operation of interest.
  - 3. The computer-implemented method of claim 2, wherein the at least one operation of interest includes one or more in-process operations and/or one or more kernel related operations.
  - 4. The computer-implemented method of claim 3, wherein the kernel related operations include one or more of the following:
    - file system operations, process and memory operations, registry operations, and network operations.
  - 5. The computer-implemented method of claim 3, wherein the in-process operations are monitored by intercepting one or more library calls representing said in-process operations.
  - 6. The computer-implemented method of claim 3, wherein the kernel related operations are monitored by intercepting one or more system calls representing said kernel related operations.
  - 7. The computer-implemented method of claim 3, wherein the kernel related operations are monitored by registering one or more kernel filter drivers for said kernel related operations via one or more callback functions.
  - 8. The computer-implemented method of claim 1, wherein each of said at least one stateful model is a program-level stateful model that represents a sequence of linked operations related to a given program of said at least one program.
  - 9. The computer-implemented method of claim 1, wherein said at least one stateful model is a system-level stateful model that represents operations related to all programs that run concurrently in the live environment.
  - 10. The computer-implemented method of claim 9, wherein said system-level stateful model includes one or more program-level stateful models each representing a sequence of linked operations related to a given program of said all programs.
  - 11. The computer-implemented method of claim 1 further comprising:
    - monitoring one or more kernel related operations of said at least one program;
      
      building at least one stateful model based on said monitored kernel related operations;
      
      analyzing the at least one stateful model to identify one or more behaviors; and
      
      determining the presence of malware based on a behavioral score of said stateful model.
  - 12. The computer-implemented method of claim 11 wherein said at least one stateful model includes one or more objects derived from said one or more operations and one or more relationships identified among said objects in accordance with said operations.
  - 13. The computer-implemented method of claim 11 wherein the kernel related operations include one or more of the following:
    - file system operations, process and memory operations, registry operations, and network operations.
  - 14. The computer-implemented method of claim 11 further comprising monitoring the one or more kernel related operations by registering one or more kernel filter drivers for said kernel related operations via one or more callback functions.
  - 15. The computer-implemented method of claim 1, further comprising selecting selected event data associated with events of interest from said event data based on one or more predefined filtering rules and applying said normalizing of the event data with respect to said selected event data.
  - 16. The computer-implemented method of claim 15, wherein the one or more predefined filtering rules include filtering out event data associated with the following events:
    - uncompleted events, memory related events in which a targeting process is not a remote process, and events in which a targeting process does not exist.
  - 17. The computer-implemented method of claim 1, wherein the step of normalizing the event data includes:
    - formatting the event data; and
      
      parsing the formatted event data giving rise to the abstract event.
  - 18. The computer-implemented method of claim 1, wherein the predefined behavioral logics include determining a behavior of self-execution when the following condition is met:
    - a target of an execution event identical to one of the following;
      
      an originating process of the execution event, a child process of the originating process, and a parent process of the originating process.
  - 19. The computer-implemented method of claim 1, wherein each of the at least one behavior is assigned with a respective behavioral score.
  - 20. The computer-implemented method of claim 19, wherein the step of determining the presence of malware further includes:
    - in case of said at least one behavior being determined;
      
      searching if there is a previous stateful model score associated with the previous stateful model, the previous stateful model score being an aggregated behavioral score of all previous behavioral scores assigned for respective previous determined behaviors, said previous determined behaviors being related to the at least one previous event of the previous stateful model,if not, determining a sum of said respective behavioral score assigned for each of the at least one behavior as the stateful model score associated with the stateful model;
      
      otherwise increasing the previous stateful model score with the sum, giving rise to the stateful model score;
      
      comparing the stateful model score with a predefined threshold; and
      
      determining the presence of malware if the stateful model score passes the predefined threshold.
  - 21. The computer-implemented method of claim 20, wherein the respective behavioral score is assigned with a corresponding weight factor if a condition is met, and the step of increasing comprises applying the corresponding weight factor to the respective behavioral score giving rise to a respective weighted behavioral score, and increasing the previous stateful model score with a sum of the respective weighted behavioral score assigned for each of the at least one behavior.
  - 22. The computer-implemented method of claim 21, wherein the condition includes that a source of an event is a remote process and a target of the event is a system process.
  - 23. The computer-implemented method of claim 1, wherein the method further comprises:
    - eliminating determined malware by remediating the one or more operations indicated by the stateful model.
  - 24. The computer-implemented method of claim 1, wherein the predefined behavioral logics include determining a behavior of self-deletion when the following condition is met:
    - a source file of a targeting process of a deletion event is identical to one of the following;
      
      a source file of an originating process of the deletion event, and a source file of a parent process of the originating process.
  - 25. The computer-implemented method of claim 1, wherein the predefined behavioral logics include determining a behavior of code injection when the following condition is met:
    - associated operations of memory write, memory execution permission, and code execution are an objects included in the stateful model.

26. A system for detecting malware in real time in a live environment, the system comprising a computer configured and operable to perform at least the following:
- monitoring one or more operations of at least one program concurrently running in the live environment wherein the monitoring comprises;
  
  for each monitored operation of the one or more operations, generating an event data characterizing an event representing the monitored operationwherein said event data includes at least the following attributes of said event;
  
  operation type, and source of the event;
  
  building at least one stateful model in accordance with the one or more operations, wherein the building the at least one stateful model comprises;
  
  for each said event data;
  
  i) normalizing the event data giving rise to an abstract event, wherein the abstract event comprises formatted and parsed event data;
  
  ii) retrieving one or more objects from the abstract event, each of said objects representing an entity involved in a corresponding operation and being of a type selected from a group that includes;
  
  process object, file object, network object, registry object and windows object, at least one of said objects representing the source of the event;
  
  iii) identifying one or more relationships among the one or more objects in accordance with said abstract event, the identified relationships including type of the corresponding operation and connections between the objects retrieved from the corresponding operation, and for each object of the one or more objects, generating one or more parameters characterizing said object, the parameters indicative of objects related thereto and identified relationships between the object and the related objects;
  
  giving rise to an event context comprising the one or more objects and the relationships therein; and
  
  iv) in case of said event being a first event of a stateful model, generating a stateful model including said event context;
  
  otherwise updating a previous stateful model based on the event context, said previous stateful model corresponding to at least one previous event that precedes the event, said updating including;
  
  in case said previous stateful model includes said one or more objects, adding the identified relationships in said event context to said previous stateful model;
  
  otherwise in case of at least one object of said one or more objects being a new object that is not included in said previous stateful model, adding said new object and the identified relationships in said event context to the previous stateful model;
  
  thereby giving rise to an updated stateful model representing a hierarchical structure comprising the entities involved in said linked operations and interconnections between the entities which are resulted from the linked operations;
  
  analyzing the at least one stateful model to identify one or more behaviors, wherein the step of analyzing the at least one stateful model comprises;
  
  analyzing the event context in view of the updated stateful model in accordance with one or more predefined behavioral logics, wherein said one or more predefined behavior logics are indicative of behavioral patterns each representing entities having specific interconnections therein resulted from a specific sequence of operations performed thereupon, said analyzing including matching the hierarchical structure represented in the updated stateful model with said one or more predefined behavior logics;
  
  determining that at least one behavior of said one or more behaviors is present if any of said one or more predefined behavioral logics are met, anddetermining the presence of malware based on the identified one or more behaviors.
- View Dependent Claims (27, 28, 29, 30, 31, 32)
- - 27. The system of claim 26, wherein each of said at least one stateful model is a program-level stateful model that represents a sequence of linked operations related to a given program of said at least one program.
  - 28. The system of claim 26, wherein said at least one stateful model is a system-level stateful model that represents operations related to all programs that run concurrently in the live environment.
  - 29. The system of claim 28, wherein said system-level stateful model includes one or more program-level stateful models each representing a sequence of linked operations related to a given program of said all programs.
  - 30. The system of claim 26, wherein the processor is further configured and operable to perform the following:
    - monitoring one or more kernel related operations of said at least one program;
      
      building at least one stateful model based on said monitored kernel related operations;
      
      analyzing the at least one stateful model to identify one or more behaviors; and
      
      determining the presence of malware based on a behavioral score of said stateful model.
  - 31. The system of claim 30, wherein the kernel related operations include one or more of the following:
    - file system operations, process and memory operations, registry operations, and network operations.
  - 32. The system of claim 30, wherein the computer is further configured and operable to monitor the one or more kernel related operations by registering one or more kernel filter drivers for said kernel related operations via one or more callback functions.

33. A non-transitory program storage device readable by computer, tangibly embodying a program of instructions executable by the computer to perform method steps for detecting malware in real time in a live environment, the method comprising:
- monitoring one or more operations of at least one program concurrently running in the live environment, wherein the step of monitoring further comprises;
  
  for each monitored operation of the one or more operations, generating an event data characterizing an event representing the monitored operationwherein said event data includes at least the following attributes of said event;
  
  operation type, and source of the event;
  
  building at least one stateful model in accordance with the one or more operations, wherein the stateful model is a data structure representing information indicative of a real time updated system state resulting from a sequence of linked operations performed in the live environment, wherein the step of building the at least one stateful model comprises;
  
  for each said event data;
  
  i) normalizing the event data giving rise to an abstract event, wherein the abstract event comprises formatted and parsed event data;
  
  ii) retrieving one or more objects from the abstract event, each of said objects representing an entity involved in a corresponding operation and being of a type selected from a group that includes;
  
  process object, file object, network object, registry object and windows object, at least one of said objects representing the source of the event;
  
  iii) identifying one or more relationships among the one or more objects in accordance with said abstract event, the identified relationships including type of the corresponding operation and connections between the objects retrieved from the corresponding operation, and for each object of the one or more objects, generating one or more parameters characterizing said object, the parameters indicative of objects related thereto and identified between the object and the related objects;
  
  giving rise to an event context comprising the one or more objects and the relationships therein; and
  
  iv) in case of said event being a first event of a stateful model, generating a stateful model including said event context;
  
  otherwise updating a previous stateful model based on the event context, said previous stateful model corresponding to at least one previous event that precedes the event, said updating including;
  
  in case said previous stateful model includes said one or more objects, adding the identified relationships in said event context to said previous stateful model;
  
  otherwise in case of at least one object of said one or more objects being a new object that is not included in said previous stateful model, adding said new object and the identified relationships in said event context to the previous stateful model;
  
  thereby giving rise to an updated stateful model representing a hierarchical structure comprising the entities involved in said linked operations and interconnections between the entities which are resulted from the linked operations, andanalyzing the at least one stateful model to identify one or more behaviors, wherein the step of analyzing the at least one stateful model comprises;
  
  analyzing the event context in view of the updated stateful model in accordance with one or more predefined behavioral logics, wherein said one or more predefined behavior logics are indicative of behavioral patterns each representing entities having specific interconnections therein resulted from a specific sequence of operations performed thereupon, said analyzing including matching the hierarchical structure represented in the updated stateful model with said one or more predefined behavior logics; and
  
  determining that at least one behavior of said one or more behaviors is present if any of said one or more predefined behavioral logics are met, anddetermining the presence of malware based on the identified one or more behaviors.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sentinel Labs Israel, Ltd. (SentinelOne Inc.)
Original Assignee
Sentinel Labs Israel, Ltd. (SentinelOne Inc.)
Inventors
Cohen, Almog, Shamir, Udi, Motil, Kirill, Weingarten, Tomer
Primary Examiner(s)
LESNIEWSKI, VICTOR D

Application Number

US14/456,127
Publication Number

US 20160042179A1
Time in Patent Office

1,072 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/566 Dynamic detection, i.e. det...

Method of malware detection and system thereof

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

84 Citations

33 Claims

Specification

Use Cases

Quick Links

Others

Method of malware detection and system thereof

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

33 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others