System and method for run-time object classification

US 9,747,446 B1
Filed: 03/27/2014
Issued: 08/29/2017
Est. Priority Date: 12/26/2013
Status: Active Grant

First Claim

Patent Images

1. A computerized method for identifying and classifying an object as belonging to a malware family, comprising:

receiving one or more anomalous behaviors after processing of the object; and

determining if the object is malware by performing a first analysis on the one or more anomalous behaviors and a pre-stored identifier identifying the malware family, the pre-stored identifier is a collection of data associated with anomalous behaviors that identify the malware family, the performing of the first analysis comprises determining a level of correlation between the one or more anomalous behaviors and the anomalous behaviors associated with the pre-stored identifier that are determined by (i) obtaining a plurality of anomalous behaviors, and (ii) removing one or more anomalous behaviors from the plurality of anomalous behaviors when the one or more anomalous behaviors exhibit (a) a first rate of occurrence in the malware family that is less than a first threshold and (b) a second rate of occurrence in one or more malware families other than the malware family that is greater than a second threshold to produce a subset of the plurality of anomalous behaviors that constitute the anomalous behaviors associated with the pre-stored identifier.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of an electronic device comprises a processor and a memory accessible by the processor. The memory comprises virtual execution logic and run-time classifier logic. The virtual execution logic includes at least one virtual machine that is configured to virtually process content within an object under analysis and monitor for anomalous behaviors during the virtual processing that are indicative of malware. The run-time classifier logic performs, during run-time, a first analysis on the monitored anomalous behaviors and a pre-stored identifier to determine if the monitored anomalous behaviors indicate that the object is malware belonging to a classified malware family. The pre-stored identifier is a collection of data associated with anomalous behaviors that uniquely identify the malware family.

663 Citations

32 Claims

1. A computerized method for identifying and classifying an object as belonging to a malware family, comprising:
- receiving one or more anomalous behaviors after processing of the object; and
  
  determining if the object is malware by performing a first analysis on the one or more anomalous behaviors and a pre-stored identifier identifying the malware family, the pre-stored identifier is a collection of data associated with anomalous behaviors that identify the malware family, the performing of the first analysis comprises determining a level of correlation between the one or more anomalous behaviors and the anomalous behaviors associated with the pre-stored identifier that are determined by (i) obtaining a plurality of anomalous behaviors, and (ii) removing one or more anomalous behaviors from the plurality of anomalous behaviors when the one or more anomalous behaviors exhibit (a) a first rate of occurrence in the malware family that is less than a first threshold and (b) a second rate of occurrence in one or more malware families other than the malware family that is greater than a second threshold to produce a subset of the plurality of anomalous behaviors that constitute the anomalous behaviors associated with the pre-stored identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computerized method of claim 1, wherein the malware family is an advanced persistent threat (APT) family.
  - 3. The computerized method of claim 2, wherein the performing of the first analysis comprises performing a statistical comparison between the one or more anomalous behaviors and the anomalous behaviors associated with the pre-stored identifier that uniquely identify the APT family.
  - 4. The computerized method of claim 3, wherein the performing of the first analysis further comprises determining that the one or more anomalous behaviors statistically match the anomalous behaviors associated with the pre-stored identifier that uniquely identify the APT family.
  - 5. The computerized method of claim 1, wherein the removing of the one or more anomalous behaviors from the plurality of anomalous behaviors that exhibit the first rate of occurrence in the malware family comprises filtering at least one anomalous behavior having a count value less than a first count threshold from the plurality of anomalous behaviors to produce a first subset of anomalous behaviors, and the removing of the one or more anomalous behaviors from the plurality of anomalous behaviors that exhibit the second rate of occurrence in malware families other than the malware family comprises filtering at least one anomalous behavior having a count value greater than a second count value for a malware family other than the malware family from the first subset of anomalous behaviors to produce the subset of the plurality of anomalous behaviors, the subset of the plurality of anomalous behaviors being the pre-stored identifier.
  - 6. The computerized method of claim 1, wherein the anomalous behaviors associated with the pre-stored identifier being a filtered subset of the plurality of anomalous behaviors associated with malware belonging to the malware family, the plurality of anomalous behaviors including the anomalous behaviors and at least one additional anomalous behavior different from any of the anomalous behaviors.
  - 7. The computerized method of claim 1 further comprising performing a second analysis of the one or more anomalous behaviors subsequent to the first analysis upon failing to detect the level of correlation that includes conducting a statistical match after comparison of the one or more anomalous behaviors to any of a plurality of pre-stored identifiers each representing a different malware family, the plurality of pre-stored identifiers including the first pre-stored identifier.
  - 8. The computerized method of claim 7, wherein the second analysis is conducted to determine if the object is a member of an advanced persistent threat (APT) family.
  - 9. The computerized method of claim 8 further comprising:
    - reporting results of the second analysis to a targeted destination, the results including information identifying one or more of an identifier for the APT family, a name of the APT family, or the one or more anomalous behaviors of the second analysis characteristic of the APT family.
  - 10. The computerized method of claim 1, wherein the object is a flow comprising a plurality of related packets that are either received, transmitted, or exchanged during a communication session.
  - 11. The computerized method of claim 1 further comprising:
    - reporting results of the first analysis to a targeted destination, the results including information identifying one or more of (i) a family name of the malware family, (ii) the object, or (iii) the subset of the plurality of anomalous behaviors.
  - 12. The computerized method of claim 11, wherein each of the subset of the plurality of anomalous behaviors is an indicator of compromise.
  - 13. The computerized method of claim 1, wherein the pre-stored identifier includes a first plurality of indicators of compromise (IOCs) that are filtered from a second plurality of IOCs, where the first plurality of IOCs having a frequency of occurrence within the malware family substantially greater than an occurrence of any of the second plurality of IOCs excluding the first plurality of IOCs within the malware family.
  - 14. The computerized method of claim 13, wherein the first plurality of IOCs are a combination unique to the malware family.
  - 15. The computerized method of claim 1, wherein the first analysis on the one or more anomalous behaviors is conducted during run-time being a time that is contemporaneous with the processing of the object by one or more virtual machines and monitoring of the one or more anomalous behaviors.

16. An electronic device, comprising:
- a processor; and
  
  a memory communicatively coupled to the processor, the memory comprisesvirtual execution logic including at least one virtual machine configured to process content within an object under analysis and monitor for anomalous behaviors during the processing that are indicative of malware, andrun-time classifier logic that, when executed by the processor, performs a first analysis on the monitored anomalous behaviors and a pre-stored identifier to determine if the monitored anomalous behaviors indicate that the object is malware belonging to a classified malware family, the first analysis includes determining a level of correlation between the monitored anomalous behaviors and one or more anomalous behaviors associated with the pre-stored identifier that uniquely identify the classified malware family, the one or more anomalous behaviors being selected by (i) obtaining a first plurality of anomalous behaviors associated with malware belonging to the malware family, (ii) filtering at least one anomalous behavior having a count value less than a first count threshold from the first plurality of anomalous behaviors to produce a first subset of anomalous behaviors, (iii) filtering at least one anomalous behavior having a count value greater than a second count value for a malware family other than the malware family from the first subset of anomalous behaviors to produce a second subset of anomalous behaviors, the second subset of anomalous behaviors being the one or more anomalous behaviors associated with the pre-stored identifier.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 17. The electronic device of claim 16, wherein the malware family is an advanced persistent threat (APT) family.
  - 18. The electronic device of claim 17, wherein the first analysis performed by the run-time classifier logic comprises performing a statistical comparison between the monitored anomalous-behaviors and the anomalous behaviors associated with the pre-stored identifier that uniquely identify the APT family.
  - 19. The electronic device of claim 16, wherein the first analysis performed by the run-time classifier logic comprises performing a statistical comparison between the monitored anomalous behaviors and the anomalous behaviors associated with the pre-stored identifier, the anomalous behaviors being a filtered subset of a plurality of anomalous behaviors associated with malware belonging to the malware family, the plurality of anomalous behaviors including the anomalous behaviors and at least one additional anomalous behavior different from any of the anomalous behaviors.
  - 20. The electronic device of claim 16, wherein the determining of the level of correlation between the monitored anomalous behaviors and the one or more anomalous behaviors associated with the pre-stored identifier comprises performing a statistical comparison between the anomalous monitored behaviors and the one or more anomalous behaviors associated with the pre-stored identifier.
  - 21. The electronic device of claim 16, wherein the memory further comprises a classifier that performs a second analysis of the monitored anomalous behaviors upon the run-time classifier failing to detect a statistical match upon comparing the monitored anomalous behaviors to any anomalous behaviors of a plurality of pre-stored identifiers each representing a different malware family, the plurality of pre-stored identifiers including the first pre-stored identifier.
  - 22. The electronic device of claim 21, wherein the classifier conducts the second analysis by comparing the monitored anomalous behaviors operating as indicators of compromise to one or more anomalous behaviors associated with previously classified malware families.
  - 23. The electronic device of claim 16, wherein the memory further comprises:
    - reporting logic that, when executed by the processor, is configured to send results of the first analysis to a targeted destination, the results including information identifying one or more of (i) a family name of the malware family, (ii) the object, or (iii) the subset of the plurality of anomalous behaviors.
  - 24. The electronic device of claim 23, wherein each of the subset of the plurality of anomalous behaviors is an indicator of compromise.
  - 25. The electronic device of claim 16, wherein the memory further comprises:
    - reporting logic that, when executed by the processor, is configured to send results of the second analysis to a targeted destination, the results including information identifying one or more of an identifier for an advanced persistent threat (APT) family, a name of the APT family, or the one or more anomalous behaviors of the second analysis characteristic of the APT family.
  - 26. The electronic device of claim 16, wherein the first analysis on the monitored anomalous behaviors is conducted during run-time being a time that is contemporaneous with processing of the content within the object under analysis by the at least one virtual machine.

27. An electronic device, comprising:
- run-time classifier logic configured to perform a first analysis on (i) anomalous behaviors detected during processing of an object suspected of being malware and (ii) at least one pre-stored identifier being a collection of data associated with anomalous behaviors that uniquely identify a malware family, the first analysis to (1) determine if the anomalous behaviors indicate that the object is malware belonging to the malware family and (2) generate a score that represents a level of probability of the object being malware; and
  
  score determination logic that is configured to use the score in determining whether the suspect object is to be classified as malware or not,wherein the anomalous behaviors of the at least one pre-stored identifier are selected by (i) obtaining a plurality of anomalous behaviors associated with malware belonging to the malware family, (ii) filtering at least one anomalous behavior from the plurality of anomalous behaviors when the at least one anomalous behavior has a count value less than a first count threshold to produce a first subset of anomalous behaviors, (iii) filtering at least one anomalous behavior from the first subset of anomalous behaviors when the at least one anomalous behavior has a count value greater than a second count value for a malware family other than the malware family to produce a second subset of anomalous behaviors, the second subset of anomalous behaviors being the anomalous behaviors associated with the at least one pre-stored identifier.
- View Dependent Claims (28, 29, 30, 31, 32)
- - 28. The electronic device of claim 27 further comprising:
    - virtual execution logic including at least one virtual machine configured to process content within the object and monitors for the anomalous behaviors during processing of the object that are indicative of malware.
  - 29. The electronic device of claim 28 further comprising:
    - a static analysis engine adapted to (i) filter a first subset of objects having characteristics that are indicative of malware from a plurality of incoming objects and (ii) output the first subset of objects including the object to the virtual execution logic.
  - 30. The electronic device of claim 27 further comprising:
    - reporting logic configured to send results of the first analysis to a targeted destination, the results including information identifying one or more of (i) a family name of the malware family, (ii) the object, or (iii) the second subset of the plurality of anomalous behaviors.
  - 31. The electronic device of claim 30, wherein each of the second subset of the plurality of anomalous behaviors is an indicator of compromise.
  - 32. The electronic device of claim 27, wherein the first analysis on the anomalous behaviors is contemporaneous with the processing of the object by one or more virtual machines and monitoring of behaviors of the object during the processing of the object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Pidathala, Vinay K., Bu, Zheng, Aziz, Ashar
Primary Examiner(s)
Eskandarnia, Arvin

Application Number

US14/228,094
Time in Patent Office

1,251 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/566 Dynamic detection, i.e. det...

System and method for run-time object classification

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

663 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for run-time object classification

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

663 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links