Intelligent context aware user interaction for malware detection

US 9,838,417 B1
Filed: 12/30/2014
Issued: 12/05/2017
Est. Priority Date: 12/30/2014
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable storage medium having stored thereon logic that, upon execution by one or more processors implemented within a network device, performs operations comprising:

launching, by an actuation logic, an object within a virtual run-time environment to detect a presence of malware or the object is part of a malicious attack; and

selecting, by a control logic, one or more simulated user interactions with the object based on, at least in part, data within metadata associated with the object, the data identifying at least an object type corresponding to the object launched by the actuation logic.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a malware detection system is integrated with at least a static analysis engine and a dynamic analysis engine. The static analysis engine is configured to automatically determine an object type of a received object. The dynamic analysis engine is configured to automatically launch the object after selecting an action profile based on the object type. The dynamic analysis engine is further configured to, provide simulated user interaction to the object based on the selected action profile either in response to detecting a request for human interaction or as a result of a lapse of time since a previous simulated human interaction was provided.

656 Citations

34 Claims

1. A non-transitory computer readable storage medium having stored thereon logic that, upon execution by one or more processors implemented within a network device, performs operations comprising:
- launching, by an actuation logic, an object within a virtual run-time environment to detect a presence of malware or the object is part of a malicious attack; and
  
  selecting, by a control logic, one or more simulated user interactions with the object based on, at least in part, data within metadata associated with the object, the data identifying at least an object type corresponding to the object launched by the actuation logic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The non-transitory computer readable storage medium of claim 1, wherein the launching of the object further comprises selecting the actuation logic based on the metadata, the actuation logic includes a software component implemented as part of a software profile that provisions one or more virtual machines operating within the virtual run-time environment.
  - 3. The non-transitory computer readable storage medium of claim 2 further comprising:
    - responsive to determining a first user interaction is being requested by the object, triggering a first simulated human interaction to occur, the first simulated human interaction being part of the one or more simulated user interactions;
      
      responsive to determining no user interaction is being requested by the object, resuming a second simulated human interaction, the second simulated human interaction having been previously triggered and paused upon determining the first user interaction is being requested.
  - 4. The computer readable storage medium of claim 3, wherein the first simulated human interaction comprises a simulated action that is responsive to a behavior by the object having been launched by the actuation logic in the one or more virtual machines, the behavior represents an operating state of the object where the object is actively waiting for user input.
  - 5. The computer readable storage medium of claim 4, wherein the first simulated human interaction comprises at least one of (i) a simulated action of closing a window or a dialog box, (ii) a simulated action of selecting a particular radio button, or (iii) a simulated action of entering one or more characters into a text box.
  - 6. The computer readable storage medium of claim 4, wherein the second simulated human interaction comprises a simulated action that is initiated by a user during virtual analysis of the launched object.
  - 7. The computer readable storage medium of claim 6, wherein the second simulated human interaction comprises at least one of (i) a simulated action of scrolling a page of a document corresponding to the object, (ii) a simulated action of selecting a certain tab of a spreadsheet corresponding to the object, (iii) a simulated action of selecting a particular page of the document, or (iv) a simulated action of accessing one or more menu options.
  - 8. The computer readable storage medium of claim 4, wherein the second simulated human interaction comprises simulated device control for an input device that controls operations of an endpoint targeted to receive data including the object.
  - 9. The computer readable storage medium of claim 8, wherein the simulated device control comprises at least one of (i) a simulated action of a keystroke for a keyboard corresponding to the input device, (ii) a simulated action of a movement of a mouse corresponding to the input device, (iii) a simulated action of a click of a button on the mouse, or (iv) a simulated action of an area of a touch screen corresponding to the input device.
  - 10. The computer readable storage medium of claim 3, wherein the first simulated human interaction is controlled by a first user interaction (UI) simulation logic and the second simulated human interaction is controlled by a second UI simulation logic, the second UI simulation logic is aware of the first simulated human interaction being performed by the first UI simulation logic and pauses the second simulated human interaction in favor of the first simulated human interaction for later resumption of the second simulated human interaction.
  - 11. The computer readable storage medium of claim 1 further comprising:
    - prior to launching the object within the virtual run-time environment, selecting an action profile by a profile selector based on the received metadata associated with the object, the action profile comprises a plurality of rules that dynamically control the one or more simulated user interactions.
  - 12. The computer readable storage medium of claim 11, wherein the action profile is selected by either (i) the profile selector provisioned within one or more virtual machines operating within the virtual run-time environment or (ii) the profile selector implemented within a virtual machine monitor (VMM) communicatively coupled to one or more virtual machines operating within the virtual run-time environment.
  - 13. The computer readable storage medium of claim 1, wherein the selecting of the one or more simulated user interactions with the object is further based on, at least in part, at least one of (i) data identifying whether the object is encrypted and a type of encryption, (ii) data identifying whether the object is or contains an embedded object, or (iii) data identifying whether the object includes password-protected fields.

14. An apparatus for detecting malware with an object, the apparatus comprising:
- one or more processors; and
  
  a storage device communicatively coupled to the one or more processors, the storage device comprisesone or more action profiles, each action profile of the one or more action profiles being a collection of instructions or commands that performs user interaction (UI) activity in accordance with a set of rules prescribed for the corresponding action profile,a profile selector for selecting an action profile from the one or more action profiles based on metadata associated with the object, the metadata includes data identifying a type of the object, anda UI framework logic that, in response to the object being launched within a virtual machine, performs simulated user interactions with the object in accordance with the set of rules prescribed in the selected action profile, the UI framework logic including (i) an actuation logic to launch the object, and (ii) simulation logic to dynamically control the simulated user interactions conducted on the launched object.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The apparatus of claim 14, wherein the simulation logic comprises (i) an active UI simulation logic, (ii) a passive UI simulation logic, and (iii) a device control simulation logic.
  - 16. The apparatus of claim 15, wherein the active UI simulation logic is configured to:
    - detect an input request initiated by the launched object, andresponsive to detecting the input request initiated by the launched object, determine a response based on contents of the selected action profile.
  - 17. The apparatus of claim 16, wherein the input request includes an attempted display of a dialog box.
  - 18. The apparatus of claim 17, wherein the response comprises at least one of (i) a simulated action of closing the dialog box, and (ii) a simulated action of selecting a particular radio button associated with the dialog box.
  - 19. The apparatus of claim 15, wherein the passive UI simulation logic is configured to provide a simulated human interaction during virtual analysis of the launched object, the simulated human interaction represents user-initiated simulated actions.
  - 20. The apparatus of claim 15, wherein the device control simulation logic is configured to simulate device control interactions that are object-type agnostic.
  - 21. The apparatus of claim 14, wherein the storage device further comprising a log including data so that, when the launched object is classified as malware, the data is used to update the one or more action profiles by indicating a set of simulated user interactions that lead to successful triggering of malicious behavior by the launched object.
  - 22. The apparatus of claim 14, wherein the storage device further comprising logic to transmit the data within the log to a cloud infrastructure when the launched object is classified as suspicious as a result of virtual analysis, wherein the one or more action profiles are updated based on a lack of detonation of malware within the launched object or an obstruction of the detonation of malware within the launched object.

23. A computerized method implemented with a network device for detecting malware, comprising:
- launching, by an actuation logic within the network device, an object within a virtual run-time environment to detect a presence of malware or the object is part of a malicious attack; and
  
  selecting, by a profile selector, an action profile based on metadata associated with the object, wherein the metadata comprises data identifying an object type corresponding to the object and the action profile comprises a set of rules that dynamic control one or more simulated user interactions with the launched object.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 24. The method of claim 23, wherein the launching of the object further comprises selecting the actuation logic based on the metadata.
  - 25. The method of claim 23, wherein the simulated user interactions comprising:
    - responsive to determining a first user interaction is being requested by the launched object, triggering a first simulated human interaction to occur, the first simulated human interaction being part of the one or more simulated user interactions;
      
      responsive to determining no user interaction is being requested by the object, resuming a second simulated human interaction, the second simulated human interaction having been previously triggered and paused upon determining the first user interaction is being requested.
  - 26. The method of claim 25, wherein the first simulated human interaction comprises a simulated action that is responsive to a behavior by the launched object in one or more virtual machines that are part of the run-time virtual environment, the behavior represents an operating state of the launched object where the launched object is actively waiting for user input.
  - 27. The method of claim 25, wherein the second simulated human interaction comprises a simulated action that is initiated by a user during virtual analysis of the launched object.
  - 28. The method of claim 25, wherein the second simulated human interaction comprises simulated device control for an input device that controls operations of an endpoint targeted to receive data including the object.
  - 29. The method of claim 25, wherein the first simulated human interaction is controlled by a first user interaction (UI) simulation logic and the second simulated human interaction is controlled by a second UI simulation logic, the second UI simulation logic is aware of the first simulated human interaction being performed by the first UI simulation logic and pauses the second simulated human interaction in favor of the first simulated human interaction for later resumption of the second simulated human interaction.
  - 30. The method of claim 23, wherein the action profile is selected from a plurality of action profiles by the profile selector provisioned within one or more virtual machines operating within the virtual run-time environment.
  - 31. The method of claim 30, wherein the plurality of action profiles are updated via network delivered updates to modify instructions, parameters or rules within an action profile to be updated.
  - 32. The method of claim 23, wherein the action profile is selected from a plurality of action profiles by the profile selector implemented within a virtual machine monitor (VMM) communicatively coupled to one or more virtual machines operating within the virtual run-time environment.
  - 33. The method of claim 25 further comprising:
    - recording, in a log, selection of the action profile, determination of the first user interaction requested by the object, triggering of the first simulated human interaction, and triggering of the second simulated human interaction.
  - 34. The method of claim 33, wherein data stored within the log is subsequently used to update a plurality of action profiles including the selected action profile by indicating whether certain simulated user interactions detonated malware within the object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Khalid, Yasir, Paithane, Sushant, Vashisht, Sai
Primary Examiner(s)
Revak, Christopher

Application Number

US14/586,233
Time in Patent Office

1,071 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 9/45533   Hypervisors; Virtual machin...

H04L 63/145   the attack involving the pr...

Intelligent context aware user interaction for malware detection

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

656 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Intelligent context aware user interaction for malware detection

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

656 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links