Method and product for providing a predictive security product and evaluating existing security products

US 9,838,406 B2
Filed: 02/19/2016
Issued: 12/05/2017
Est. Priority Date: 02/10/2013
Status: Active Grant

First Claim

Patent Images

1. A malware evaluator system, comprising:

a non-transitory memory storing a first variant of a malware specimen and a second variant of the malware specimen; and

one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations comprising;

scanning the first variant and the second variant with one or more malware detectors to determine a first evasiveness characteristic of the first variant and a first maliciousness characteristic of the first variant and to determine a second evasiveness characteristic of the second variant and a second maliciousness characteristic of the second variant;

determining a first likelihood that the first variant meets one or more criteria based at least on the first evasiveness characteristic and the first maliciousness characteristic;

determining a second likelihood that the second variant meets the one or more criteria based at least on the second evasiveness characteristic and the second maliciousness characteristic;

based on determining that the first likelihood is greater than the second likelihood, selecting the first variant for mutation; and

mutating the first variant to generate one or more successive variants.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, product and computer program product for evaluating a generation of malware variants, the method including the steps of: scanning, with one or more malware detectors, a variant of a malware specimen; determining an evasiveness characteristic of the variant and a maliciousness characteristic of the variant; determining a likelihood that the variant meets one or more criteria based at least on the evasiveness characteristic of the variant and the maliciousness characteristic of the variant; and based on the determined likelihood, selecting the variant for propagation.

24 Citations

18 Claims

1. A malware evaluator system, comprising:
- a non-transitory memory storing a first variant of a malware specimen and a second variant of the malware specimen; and
  
  one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations comprising;
  
  scanning the first variant and the second variant with one or more malware detectors to determine a first evasiveness characteristic of the first variant and a first maliciousness characteristic of the first variant and to determine a second evasiveness characteristic of the second variant and a second maliciousness characteristic of the second variant;
  
  determining a first likelihood that the first variant meets one or more criteria based at least on the first evasiveness characteristic and the first maliciousness characteristic;
  
  determining a second likelihood that the second variant meets the one or more criteria based at least on the second evasiveness characteristic and the second maliciousness characteristic;
  
  based on determining that the first likelihood is greater than the second likelihood, selecting the first variant for mutation; and
  
  mutating the first variant to generate one or more successive variants.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein determining the first evasiveness characteristic of the first variant comprises assigning the first variant a value corresponding to the first evasiveness characteristic, andwherein determining the first maliciousness characteristic of the first variant comprises assigning the first variant a value corresponding to the first maliciousness characteristic.
  - 3. The system of claim 1, wherein the determining of the first evasiveness characteristic is based on at least one of (i) an amount of the one or more malware detectors that are unable to detect the first variant and (ii) a quality of the one or more malware detectors that are unable to detect the first variant.
  - 4. The system of claim 1, wherein the operations further comprise:
    - storing the first variant in a database; and
      
      training at least one malware detector using the first variant.
  - 5. The system of claim 1, wherein the operations further comprise:
    - comparing a first trace corresponding to virtual machine execution of the first variant with a second trace corresponding to non-virtual machine execution of the first variant.
  - 6. The system of claim 1, wherein the operations further comprise:
    - identifying code regions of the first variant that are not executed.
  - 7. The system of claim 1, wherein the operations further comprise:
    - determining an amount of divergence between the first variant and the malware specimen, first variant being generated from the malware specimen.

8. A non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising:
- scanning, with one or more malware detectors, a first variant of a malware specimen and a second variant of the malware specimen;
  
  determining a first evasiveness characteristic corresponding to the first variant and a first maliciousness characteristic corresponding to the first variant;
  
  determining a second evasiveness characteristic corresponding to the second variant and a second maliciousness characteristic corresponding to the second variant;
  
  determining a first likelihood that the first variant meets one or more criteria based at least on the first evasiveness characteristic and the first maliciousness characteristic;
  
  determining a second likelihood that the second variant meets one or more criteria based at least on the second evasiveness characteristic and the second maliciousness characteristic; and
  
  based on determining that the first likelihood is greater than the second likelihood, selecting the first variant for mutation.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The non-transitory machine-readable medium of claim 8, wherein determining the first evasiveness characteristic corresponding to the first variant comprises assigning the first variant a value based on the first evasiveness characteristic, andwherein determining the first maliciousness characteristic corresponding to the first variant comprises assigning the first variant a value based on the first maliciousness characteristic.
  - 10. The non-transitory machine-readable medium of claim 8, wherein the first evasiveness characteristic is determined based on at least one of (i) an amount of the one or more malware detectors that are unable to detect the first variant and (ii) a quality of the one or more malware detectors that are unable to detect the first variant.
  - 11. The non-transitory machine-readable medium of claim 8, wherein the operations further comprise:
    - storing the first variant in a database; and
      
      training at least one malware detector using the first variant.
  - 12. The non-transitory machine-readable medium of claim 8, wherein the determined likelihood comprises a value that indicates evasiveness and maliciousness corresponding to the first variant.

13. A method for evaluating a generation of malware variants comprising:
- scanning, with one or more malware detectors, a first variant of a malware specimen and a second variant of the malware specimen;
  
  determining a first evasiveness characteristic of the first variant and a first maliciousness characteristic of the first variant;
  
  determining a second evasiveness characteristic corresponding to the second variant and a second maliciousness characteristic corresponding to the second variant;
  
  determining a first likelihood that the first variant meets one or more criteria based at least on the first evasiveness characteristic and the first maliciousness characteristic;
  
  determining a second likelihood that the second variant meets one or more criteria based at least on the second evasiveness characteristic and the second maliciousness characteristic; and
  
  based on determining that the first likelihood is greater than the second likelihood, selecting the first variant for mutation.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13, wherein determining the first evasiveness characteristic of the first variant comprises assigning the first variant a value corresponding to the first evasiveness characteristic, andwherein determining the first maliciousness characteristic of the first variant comprises assigning the first variant a value corresponding to the first maliciousness characteristic.
  - 15. The method of claim 13, wherein the first evasiveness characteristic is determined based on at least one of (i) an amount of the one or more malware detectors that are unable to detect the first variant and (ii) a quality of the one or more malware detectors that are unable to detect the first variant.
  - 16. The method of claim 13, further comprising:
    - storing the first variant in a database; and
      
      training at least one malware detector using the first variant.
  - 17. The method of claim 13, wherein the determined likelihood comprises a value that indicates evasiveness and maliciousness of the first variant.

18. A method for evaluating a generation of malware variants comprising:
- scanning, with one or more malware detectors, two or more variants of a malware specimen;
  
  determining an evasiveness characteristic and a maliciousness characteristic of each of the two or more variants;
  
  determining a likelihood that each of the two or more variants meets one or more criteria based at least on the evasiveness characteristic and the maliciousness characteristic of each of the two or more variants;
  
  selecting a first variant of the two or more variants based on a first determined likelihood of the first variant meeting the one or more criteria, the selecting further comprising;
  
  comparing the first determined likelihood with a second determined likelihood of a second variant of the two or more variants meeting the one or more criteria; and
  
  determining that the first determined likelihood is greater than the second determined likelihood; and
  
  mutating the first variant to generate one or more successive variants.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
PayPal, Inc. (PayPal Holdings, Inc.)
Original Assignee
PayPal, Inc. (PayPal Holdings, Inc.)
Inventors
Boutnaru, Shlomi, Tancman, Liran, Markzon, Michael
Primary Examiner(s)
CHANG, KENNETH W

Application Number

US15/047,745
Publication Number

US 20160173515A1
Time in Patent Office

655 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/564   by virus signature recognition

G06F 21/567   using dedicated hardware

G06F 2221/033   Test or assess software

G06F 2221/2145   Inheriting rights or proper...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Method and product for providing a predictive security product and evaluating existing security products

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and product for providing a predictive security product and evaluating existing security products

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links