Intelligent context aware user interaction for malware detection
5 Assignments
0 Petitions
Abstract
According to one embodiment, a malware detection system integrates at least a static analysis engine and a dynamic analysis engine. The static analysis engine is configured to automatically determine the object type of a received object. The dynamic analysis engine is configured to select an action profile based on that object type and then automatically launch the object. The dynamic analysis engine is further configured to provide simulated user interaction to the object based on the selected action profile, either in response to detecting a request for human interaction or after a lapse of time since the previous simulated human interaction was provided.
656 Citations
34 Claims
1. A non-transitory computer readable storage medium having stored thereon logic that, upon execution by one or more processors implemented within a network device, performs operations comprising:
launching, by an actuation logic, an object within a virtual run-time environment to detect a presence of malware or the object is part of a malicious attack; and
selecting, by a control logic, one or more simulated user interactions with the object based on, at least in part, data within metadata associated with the object, the data identifying at least an object type corresponding to the object launched by the actuation logic.
Dependent claims 2 through 13 depend from claim 1.

14. An apparatus for detecting malware with an object, the apparatus comprising:
one or more processors; and
a storage device communicatively coupled to the one or more processors, the storage device comprises
one or more action profiles, each action profile of the one or more action profiles being a collection of instructions or commands that performs user interaction (UI) activity in accordance with a set of rules prescribed for the corresponding action profile,
a profile selector for selecting an action profile from the one or more action profiles based on metadata associated with the object, the metadata includes data identifying a type of the object, and
a UI framework logic that, in response to the object being launched within a virtual machine, performs simulated user interactions with the object in accordance with the set of rules prescribed in the selected action profile, the UI framework logic including (i) an actuation logic to launch the object, and (ii) simulation logic to dynamically control the simulated user interactions conducted on the launched object.
Dependent claims 15 through 22 depend from claim 14.

23. A computerized method implemented with a network device for detecting malware, comprising:
launching, by an actuation logic within the network device, an object within a virtual run-time environment to detect a presence of malware or the object is part of a malicious attack; and
selecting, by a profile selector, an action profile based on metadata associated with the object, wherein the metadata comprises data identifying an object type corresponding to the object and the action profile comprises a set of rules that dynamically control one or more simulated user interactions with the launched object.
Dependent claims 24 through 34 depend from claim 23.
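The abstract and claims 1, 14 and 23 describe one pipeline: a static engine types the object, a profile selector picks an action profile from that type, and the dynamic engine feeds the launched object simulated interactions whenever it prompts for input or an idle timer expires. The following toy model, added here as an illustration and not the patent's or any vendor's code, runs that loop end to end. The magic-number table, the profile contents, the FakeVM stand-in for the virtual run-time environment, the sample document and the list of "suspicious" behaviours are all assumptions made for the example; it also shows the failure mode the type-aware selection exists to avoid, by driving a macro document with the wrong (PDF) profile so the macro is never enabled.

```python
"""Toy model of the patent's pipeline: static typing -> action-profile
selection -> simulated user interaction driven by prompts and idle timeouts.
Added example; not the patent's or any vendor's code. Magic numbers, profile
contents, VM behaviour and the 'suspicious' list are assumed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Static analysis engine: derive the object type from leading bytes.
# (Assumed magic-number table; a real engine would parse far more.)
MAGIC_NUMBERS = [
    (b"%PDF", "pdf"),
    (b"MZ", "pe"),
    (b"PK\x03\x04", "ooxml"),      # Office Open XML (docx/xlsx) is a ZIP container
    (b"\xd0\xcf\x11\xe0", "ole"),  # legacy OLE2 compound document
]

def static_object_type(data: bytes) -> str:
    for magic, kind in MAGIC_NUMBERS:
        if data.startswith(magic):
            return kind
    return "unknown"

# Action profiles: an ordered script of simulated interactions per object
# type (hypothetical contents chosen to match how each format prompts a user).
ACTION_PROFILES: Dict[str, List[str]] = {
    "pdf":     ["click_ok", "scroll", "follow_link"],
    "pe":      ["click_next", "accept_license", "click_install", "click_finish"],
    "ooxml":   ["enable_editing", "enable_content", "scroll", "close"],
    "ole":     ["enable_content", "scroll", "close"],
    "unknown": ["click_ok"],
}

def select_action_profile(metadata: Dict[str, str]) -> List[str]:
    """Profile selector: pick the script from the object_type in the metadata."""
    return ACTION_PROFILES.get(metadata.get("object_type", "unknown"),
                               ACTION_PROFILES["unknown"])

@dataclass
class FakeVM:
    """Constructed stand-in for the virtual run-time environment.
    prompts:  ticks at which the launched object asks for human interaction.
    triggers: interaction -> behaviour the object exhibits once it receives it."""
    prompts: Set[int]
    triggers: Dict[str, str]
    observed: List[str] = field(default_factory=list)

    def wants_interaction(self, tick: int) -> bool:
        return tick in self.prompts

    def deliver(self, action: str) -> None:
        if action in self.triggers:
            self.observed.append(self.triggers[action])

# Behaviours the toy detector treats as evidence of malice (assumed list).
SUSPICIOUS = {"spawn_powershell", "write_autorun", "beacon_c2"}

def run_dynamic_analysis(data: bytes, vm: FakeVM, idle_timeout: int = 3,
                         total_ticks: int = 8,
                         profile_override: Optional[List[str]] = None
                         ) -> Tuple[str, List[Tuple[int, str, str]], str]:
    """Launch `data` in `vm`, feed it profile actions, return (type, log, verdict).
    An action is delivered when the object prompts for interaction, or when
    `idle_timeout` ticks have passed since the last simulated interaction."""
    metadata = {"object_type": static_object_type(data)}
    profile = profile_override or select_action_profile(metadata)
    log: List[Tuple[int, str, str]] = []
    last_interaction, step = 0, 0
    for tick in range(1, total_ticks + 1):
        if vm.wants_interaction(tick):
            reason = "prompt"
        elif tick - last_interaction >= idle_timeout:
            reason = "timeout"
        else:
            continue
        action = profile[step % len(profile)]   # cycle through the script
        step += 1
        vm.deliver(action)
        log.append((tick, action, reason))
        last_interaction = tick
    verdict = "malicious" if SUSPICIOUS & set(vm.observed) else "benign"
    return metadata["object_type"], log, verdict

# Constructed sample: an OOXML document whose macro only fires once the
# sandbox clicks "Enable Content", and which prompts at ticks 1 and 2.
MACRO_DOC = b"PK\x03\x04" + b"[Content_Types].xml vbaProject.bin"

def macro_doc_vm() -> FakeVM:
    return FakeVM(prompts={1, 2}, triggers={"enable_content": "spawn_powershell"})

if __name__ == "__main__":
    kind, log, verdict = run_dynamic_analysis(MACRO_DOC, macro_doc_vm())
    print(kind, verdict)
    for entry in log:
        print("  ", entry)
    # Same object driven with the wrong (PDF) profile: the macro never runs.
    _, _, wrong = run_dynamic_analysis(MACRO_DOC, macro_doc_vm(),
                                       profile_override=ACTION_PROFILES["pdf"])
    print("pdf profile on macro doc ->", wrong)
```

The two scheduling paths in the loop correspond to the abstract's two triggers: the `prompt` branch answers a request for human interaction as soon as the object raises it, and the `timeout` branch keeps the object moving when it sits idle, which is what defeats samples that simply wait for a human. Note that the profile is chosen before launch from the static type alone, so a mis-typed object (or, as the override run shows, a generic profile) can leave the malicious path unexercised and the sandbox reporting benign.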
Specification