System and method for run-time object classification
Abstract
One embodiment of an electronic device comprises a processor and a memory accessible by the processor. The memory comprises virtual execution logic and run-time classifier logic. The virtual execution logic includes at least one virtual machine that is configured to virtually process content within an object under analysis and monitor for anomalous behaviors during the virtual processing that are indicative of malware. The run-time classifier logic performs, during run-time, a first analysis on the monitored anomalous behaviors and a pre-stored identifier to determine if the monitored anomalous behaviors indicate that the object is malware belonging to a classified malware family. The pre-stored identifier is a collection of data associated with anomalous behaviors that uniquely identify the malware family.
32 Claims
1. A computerized method for identifying and classifying an object as belonging to a malware family, comprising:
receiving one or more anomalous behaviors after processing of the object; and
determining if the object is malware by performing a first analysis on the one or more anomalous behaviors and a pre-stored identifier identifying the malware family, the pre-stored identifier is a collection of data associated with anomalous behaviors that identify the malware family, the performing of the first analysis comprises determining a level of correlation between the one or more anomalous behaviors and the anomalous behaviors associated with the pre-stored identifier that are determined by (i) obtaining a plurality of anomalous behaviors, and (ii) removing one or more anomalous behaviors from the plurality of anomalous behaviors when the one or more anomalous behaviors exhibit (a) a first rate of occurrence in the malware family that is less than a first threshold and (b) a second rate of occurrence in one or more malware families other than the malware family that is greater than a second threshold to produce a subset of the plurality of anomalous behaviors that constitute the anomalous behaviors associated with the pre-stored identifier.
Dependent claims: 2-15.
16. An electronic device, comprising:
a processor; and
a memory communicatively coupled to the processor, the memory comprises virtual execution logic including at least one virtual machine configured to process content within an object under analysis and monitor for anomalous behaviors during the processing that are indicative of malware, and run-time classifier logic that, when executed by the processor, performs a first analysis on the monitored anomalous behaviors and a pre-stored identifier to determine if the monitored anomalous behaviors indicate that the object is malware belonging to a classified malware family, the first analysis includes determining a level of correlation between the monitored anomalous behaviors and one or more anomalous behaviors associated with the pre-stored identifier that uniquely identify the classified malware family, the one or more anomalous behaviors being selected by (i) obtaining a first plurality of anomalous behaviors associated with malware belonging to the malware family, (ii) filtering at least one anomalous behavior having a count value less than a first count threshold from the first plurality of anomalous behaviors to produce a first subset of anomalous behaviors, (iii) filtering at least one anomalous behavior having a count value greater than a second count value for a malware family other than the malware family from the first subset of anomalous behaviors to produce a second subset of anomalous behaviors, the second subset of anomalous behaviors being the one or more anomalous behaviors associated with the pre-stored identifier.
Dependent claims: 17-26.
27. An electronic device, comprising:
run-time classifier logic configured to perform a first analysis on (i) anomalous behaviors detected during processing of an object suspected of being malware and (ii) at least one pre-stored identifier being a collection of data associated with anomalous behaviors that uniquely identify a malware family, the first analysis to (1) determine if the anomalous behaviors indicate that the object is malware belonging to the malware family and (2) generate a score that represents a level of probability of the object being malware; and
score determination logic that is configured to use the score in determining whether the suspect object is to be classified as malware or not, wherein the anomalous behaviors of the at least one pre-stored identifier are selected by (i) obtaining a plurality of anomalous behaviors associated with malware belonging to the malware family, (ii) filtering at least one anomalous behavior from the plurality of anomalous behaviors when the at least one anomalous behavior has a count value less than a first count threshold to produce a first subset of anomalous behaviors, (iii) filtering at least one anomalous behavior from the first subset of anomalous behaviors when the at least one anomalous behavior has a count value greater than a second count value for a malware family other than the malware family to produce a second subset of anomalous behaviors, the second subset of anomalous behaviors being the anomalous behaviors associated with the at least one pre-stored identifier.
Dependent claims: 28-32.
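The abstract and independent claims 1, 16 and 27 describe one procedure: build a per-family "pre-stored identifier" by keeping only behaviors that are frequent within the family (step (a), first threshold) and rare in other families (step (b), second threshold), then score a sample by its level of correlation with that identifier. The Python below is an added illustration of that procedure, not code from the patent or its assignee; the behavior names, the sample corpus, the rate thresholds and the "share of identifier behaviors observed" correlation measure are all constructed assumptions.

```python
from collections import Counter

# Constructed corpus: family -> one behavior set per sandboxed sample (assumed data).
CORPUS = {
    "FamilyA": [
        {"drop_exe_in_temp", "reg_run_key", "disable_uac", "http_beacon"},
        {"drop_exe_in_temp", "reg_run_key", "http_beacon"},
        {"drop_exe_in_temp", "reg_run_key", "disable_uac", "http_beacon", "delete_shadow_copies"},
        {"drop_exe_in_temp", "reg_run_key", "http_beacon"},
    ],
    "FamilyB": [
        {"drop_exe_in_temp", "inject_explorer", "http_beacon"},
        {"drop_exe_in_temp", "inject_explorer", "http_beacon", "keylog_hook"},
        {"drop_exe_in_temp", "inject_explorer", "keylog_hook"},
    ],
}


def build_identifier(corpus, family, min_family_rate=0.5, max_other_rate=0.5):
    """Steps (i)-(iii): keep behaviors common inside `family` and uncommon elsewhere."""
    in_family = Counter(b for s in corpus[family] for b in s)
    n_family = len(corpus[family])
    others = [s for f, samples in corpus.items() if f != family for s in samples]
    out_family = Counter(b for s in others for b in s)
    n_other = max(len(others), 1)
    identifier = set()
    for behavior, count in in_family.items():
        if count / n_family < min_family_rate:          # (a) too rare within the family
            continue
        if out_family[behavior] / n_other > max_other_rate:  # (b) too common in other families
            continue
        identifier.add(behavior)
    return identifier


def build_all_identifiers(corpus, **thresholds):
    return {f: build_identifier(corpus, f, **thresholds) for f in corpus}


def correlate(observed, identifier):
    """Level of correlation: share of the identifier's behaviors seen at run-time."""
    if not identifier:
        return 0.0
    return len(set(observed) & identifier) / len(identifier)


def classify(observed, identifiers, min_score=0.5):
    """Return (family, score); family is None when no identifier correlates enough."""
    best = max(identifiers, key=lambda f: correlate(observed, identifiers[f]))
    score = correlate(observed, identifiers[best])
    return (best if score >= min_score else None, score)
```

Because `drop_exe_in_temp` and `http_beacon` occur in both constructed families, step (b) drops them from every identifier, so a sample showing only those generic behaviors scores 0.0 against both families rather than producing a cross-family false match.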