Systems and methods for behavior-based automated malware analysis and classification
First Claim
1. A method of identifying malware, comprising:
accessing a set of samples, the set of samples comprising samples of different types of malware;
running the set of samples on one or more computer systems;
extracting, based on running the set of samples, a set of artifacts from the set of samples, wherein the set of artifacts includes information associated with a registry or a memory;
determining a set of features from the set of artifacts for at least one sample in the set of samples;
selecting one of a set of algorithms based on one or more selection features or parameters;
analyzing the set of features using the one of the set of algorithms; and
identifying, based at least partially on analyzing the set of features, malware in the set of samples by at least one of classifying or clustering samples in the set of samples into the different types of malware.
2 Assignments
0 Petitions
Abstract
Embodiments relate to systems and methods for behavior-based automated malware analysis and classification. Aspects relate to platforms and techniques which access a set of samples of malware, and extract or capture a set of low-level behavioral artifacts produced by those samples. The low-level artifacts can be used to organize or identify a set of features, based upon which the sample can be classified and/or clustered into different labels, groups, or categories. The artifacts and/or features can be analyzed by one or more selectable algorithms, whose accuracy, efficiency, and other characteristics can be compared to one another for purposes of performing a classification or clustering task. The algorithm(s) can be selected by a user to achieve desired run times, accuracy levels, and/or other effects.
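The following is an added example, not code from the patent or its assignee, showing the claimed pipeline end to end: sandbox artifacts (registry keys written, API names found in memory) become a feature set per sample, a selection parameter picks one of several algorithms, and the chosen algorithm either classifies the unknown samples against a labelled reference set or clusters all samples when no labels exist. Every sample, registry path, API name, family label and threshold below is constructed for illustration; the three algorithms (nearest-centroid, k-nearest-neighbour, greedy single-link clustering on Jaccard similarity) are stand-ins for whatever selectable algorithms an implementation would offer, chosen here to show the speed/accuracy trade-off the abstract mentions.

```python
"""Added example (not the patent's code): behaviour-based malware
classification/clustering over constructed sandbox artifacts."""
from collections import Counter, defaultdict

# Constructed registry paths; the real keys an implementation records would
# come from the sandbox, not from this file.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"
SVC_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\upd"

# Constructed sandbox output per sample: registry keys written and API names
# observed in memory. None of these combinations is a real detection rule.
ARTIFACTS = {
    "r1": {"registry": [RUN_KEY], "memory": ["CryptEncrypt", "DeleteFileW", "FindFirstFileW"]},
    "r2": {"registry": [RUN_KEY], "memory": ["CryptEncrypt", "MoveFileW", "FindFirstFileW"]},
    "k1": {"registry": [RUN_KEY], "memory": ["SetWindowsHookExW", "GetAsyncKeyState", "WriteFile"]},
    "k2": {"registry": [], "memory": ["SetWindowsHookExW", "GetAsyncKeyState", "InternetOpenW"]},
    "d1": {"registry": [SVC_KEY], "memory": ["URLDownloadToFileW", "WinExec"]},
    "d2": {"registry": [SVC_KEY], "memory": ["URLDownloadToFileW", "CreateProcessW"]},
    "u1": {"registry": [RUN_KEY], "memory": ["CryptEncrypt", "DeleteFileW"]},
    "u2": {"registry": [], "memory": ["SetWindowsHookExW", "GetAsyncKeyState"]},
    "u3": {"registry": [SVC_KEY], "memory": ["URLDownloadToFileW"]},
}
# Analyst labels for the reference set; u1, u2 and u3 are the samples to identify.
LABELS = {"r1": "ransomware", "r2": "ransomware", "k1": "keylogger",
          "k2": "keylogger", "d1": "downloader", "d2": "downloader"}


def extract_features(artifacts):
    """Step 'determine a set of features': typed, de-duplicated feature strings."""
    feats = {"reg:" + key.lower() for key in artifacts["registry"]}
    feats |= {"mem:" + api for api in artifacts["memory"]}
    return frozenset(feats)


FEATURES = {name: extract_features(a) for name, a in ARTIFACTS.items()}


def jaccard(a, b):
    """Set similarity in [0, 1]; 0 when both sets are empty."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def centroid_classify(feats, train):
    """Fast algorithm: one representative feature set per family (features
    present in at least half of the family's members), pick the closest."""
    members = defaultdict(list)
    for name, label in train.items():
        members[label].append(FEATURES[name])
    centroids = {}
    for label, sets in members.items():
        counts = Counter(f for s in sets for f in s)
        centroids[label] = {f for f, c in counts.items() if c / len(sets) >= 0.5}
    return max(centroids, key=lambda lbl: jaccard(feats, centroids[lbl]))


def knn_classify(feats, train, k=3):
    """Slower algorithm (compares against every labelled sample): majority
    vote among the k most similar reference samples."""
    ranked = sorted(train, key=lambda n: jaccard(feats, FEATURES[n]), reverse=True)
    return Counter(train[n] for n in ranked[:k]).most_common(1)[0][0]


def cluster(names, threshold=0.3):
    """Unsupervised algorithm: greedy single-link grouping; a sample joins the
    first cluster containing any member at least `threshold` similar to it."""
    clusters, assignment = [], {}
    for name in names:
        for idx, group in enumerate(clusters):
            if max(jaccard(FEATURES[name], FEATURES[m]) for m in group) >= threshold:
                group.append(name)
                assignment[name] = idx
                break
        else:
            clusters.append([name])
            assignment[name] = len(clusters) - 1
    return assignment


def select_algorithm(params):
    """Step 'select one of a set of algorithms' from selection parameters:
    no labels -> cluster; otherwise trade speed against accuracy."""
    if not params.get("labels"):
        return "cluster"
    return "centroid" if params.get("prefer") == "speed" else "knn"


def analyze(params):
    """Run the selected algorithm; returns (algorithm name, sample -> result)."""
    algo = select_algorithm(params)
    if algo == "cluster":
        return algo, cluster(list(ARTIFACTS))
    train = params["labels"]
    classify = centroid_classify if algo == "centroid" else knn_classify
    unknown = [n for n in ARTIFACTS if n not in train]
    return algo, {n: classify(FEATURES[n], train) for n in unknown}


if __name__ == "__main__":
    for params in ({"labels": LABELS, "prefer": "speed"},
                   {"labels": LABELS, "prefer": "accuracy"},
                   {"labels": None}):
        print(analyze(params))
```

With the constructed data all three algorithms agree (u1 is grouped with the ransomware-like samples, u2 with the keylogger-like ones, u3 with the downloader-like ones), which is the point of the patent's comparison: an operator can run the cheap centroid method and the costlier k-NN method over the same feature sets and see whether the extra run time buys any change in outcome before choosing one for a large corpus.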
91 Citations
23 Claims
1. A method of identifying malware (independent claim; full text given under First Claim above). Dependent claims: 2 to 13.
14. A malware analysis system, comprising: an interface to a data store storing a set of samples of malware, the set of samples comprising samples of different types of malware; and a processor, communicating with the data store via the interface, the processor being configured to: access the set of samples; run the set of samples on one or more computer systems; extract, based on running the set of samples, a set of artifacts from the set of samples, wherein the set of artifacts includes information associated with a registry or a memory; determine a set of features from the set of artifacts for at least one sample in the set of samples; select one of a set of algorithms based on one or more selection features or parameters; analyze the set of features using the one of the set of algorithms; and identify, based at least partially on analyzing the set of features, malware in the set of samples by at least one of classifying or clustering samples in the set of samples into the different types of malware. Dependent claims: 15 to 23.