Malware analysis in accordance with an analysis plan
First Claim
1. A system for detecting malware in a specimen received as input, the system comprising:
- a memory device having a data store that stores an analysis plan, the analysis plan identifies at least an order of a plurality of analyses to be conducted on the specimen and the contents of the analysis plan that control the order of the plurality of analyses is modifiable based on results from a prior analysis or classification of a previously analyzed specimen;
- a static analysis logic communicatively coupled to the data store, the static analysis logic being configured to conduct, in accordance with the analysis plan, one or more analysis of the specimen for characteristics that suggest the specimen includes malware;
- a dynamic analysis logic communicatively coupled to the data store, the dynamic analysis logic being configured to conduct, in accordance with the analysis plan, one or more analysis of the specimen to detect at least one unexpected behavior that occurs during processing of the specimen within one or more virtual machines; and
- a controller communicatively coupled to the data store, the first analysis logic, and the second analysis logic, the controller to coordinate at least the order of the plurality of analyses conducted by one or more of (i) the static analysis logic and (ii) the dynamic analysis logic in accordance with content of the analysis plan.
Abstract
Techniques for malware detection are described. Herein, a system, which detects malware in a received specimen, comprises a processor and a memory. Communicatively coupled to the processor, the memory comprises a controller that controls analysis of the specimen for malware in accordance with an analysis plan. The memory further comprises (a) a static analysis module that performs at least a first static analysis to identify a suspicious indicator of malware and at least partially determine that the specimen includes a packed object; (b) an emulation analysis module that emulates operations associated with processing of the specimen by a software application or library, including unpacking an object of the specimen when the specimen is determined by the static analysis module to include the packed object, and monitors one or more behaviors of the specimen during the emulated operations; and a classifier that determines whether the specimen should be classified as malicious.
19 Claims
1. A system for detecting malware in a specimen received as input, the system comprising the memory device, static analysis logic, dynamic analysis logic and controller recited in full under First Claim above. Dependent claims 2 to 17 depend from claim 1.

18. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor within an electronic device, cause the processor to perform operations for detecting malware in a specimen captured from content received by the electronic device, the non-transitory machine-readable medium comprising:
- a data store that stores an analysis plan, the analysis plan identifies at least an order of a plurality of analyses to be conducted on the specimen;
- a static analysis logic communicatively coupled to the data store, the static analysis logic being configured to conduct, in accordance with the analysis plan, one or more analysis of the specimen for characteristics that suggest the specimen includes malware;
- a dynamic analysis logic communicatively coupled to the data store, the dynamic analysis logic being configured to conduct, in accordance with the analysis plan, one or more analysis of the specimen to detect at least one unexpected behavior that occurs during processing of the specimen within one or more virtual machines; and
- a controller communicatively coupled to the data store, the first analysis logic, and the second analysis logic, the controller to coordinate at least the order of the plurality of analyses conducted by one or more of (i) the static analysis logic and (ii) the dynamic analysis logic in accordance with content of the analysis plan.

19. A computer implemented method of detecting malware in a specimen of computer content or network traffic, the method comprising:
- accessing, by a hardware processor, an analysis plan for analyzing whether a specimen should be classified as malware, the analysis plan identifies at least an order of a plurality of analyses to be conducted on the specimen, the plurality of analyses include a first analysis followed by a second analysis;
- performing, by the hardware processor, the first analysis according to the analysis plan to identify one or more suspicious indicators that identify the specimen may include malware;
- performing, by the hardware processor, the second analysis according to the analysis plan, the second analysis includes monitoring behaviors of the specimen during processing within at least one virtual machine to identify one or more unexpected behaviors that correspond to processing or communication anomalies;
- determining, by a classifier executed by the hardware processor, whether the specimen should be classified as malicious based on the one or more suspicious indicators and the one or more unexpected behaviors; and
- altering the analysis plan, by the hardware processor, to either discontinue any further analyses within the analysis plan or continue with an additional analysis after at least the first analysis to determine if the specimen includes malware.
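The architecture recited in claims 1 and 19, and the packed-object check from the abstract, can be made concrete as a small model: an analysis plan fixes the order of a static and a dynamic stage, a controller runs the stages, a classifier combines suspicious indicators with unexpected behaviors, and the controller alters the plan (discontinuing after a clean static pass or continuing to the dynamic stage). This is an added illustration written for this page, not the patent's embodiment or any vendor's code; the entropy threshold, the catalogue of unexpected event names, the stop-after-static rule, the stage names and every specimen below are constructed assumptions.

```python
"""Plan-driven specimen analysis: static stage, dynamic stage, classifier,
and a controller that may alter the plan from the results of a prior stage.
Illustrative model only; thresholds, event names and specimens are assumed."""
import math
from dataclasses import dataclass, field
from typing import List

ENTROPY_PACKED = 7.2  # assumed threshold: bits/byte above this suggests a packed object
# Assumed catalogue of runtime events the dynamic stage treats as unexpected.
UNEXPECTED_BEHAVIORS = {"spawns_shell", "writes_startup_key", "beacon_to_unknown_host"}


@dataclass
class Specimen:
    name: str
    declared_type: str          # what the delivery channel says the object is
    payload: bytes
    # Constructed stand-in for the events a sandbox would record while the specimen runs.
    sandbox_events: List[str] = field(default_factory=list)


@dataclass
class AnalysisPlan:
    order: List[str]                          # e.g. ["static", "dynamic"]
    stop_after_static_if_clean: bool = True   # the plan's "discontinue" rule


@dataclass
class Report:
    stages_run: List[str] = field(default_factory=list)
    indicators: List[str] = field(default_factory=list)
    behaviors: List[str] = field(default_factory=list)
    plan_altered: bool = False
    verdict: str = "undetermined"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly distributed bytes)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def static_analysis(spec: Specimen, rep: Report) -> None:
    """First analysis: cheap checks for suspicious indicators, including packing."""
    rep.stages_run.append("static")
    if shannon_entropy(spec.payload) > ENTROPY_PACKED:
        rep.indicators.append("packed_object")
    # An executable header behind a non-executable declared type is an indicator too.
    if spec.payload.startswith(b"MZ") and spec.declared_type != "exe":
        rep.indicators.append("type_mismatch")


def dynamic_analysis(spec: Specimen, rep: Report) -> None:
    """Second analysis: keep only the recorded events that fall outside expected behavior."""
    rep.stages_run.append("dynamic")
    rep.behaviors.extend(e for e in spec.sandbox_events if e in UNEXPECTED_BEHAVIORS)


def classify(rep: Report) -> str:
    """Combine static indicators and dynamic behaviors into a verdict."""
    if rep.behaviors or len(rep.indicators) >= 2:
        return "malicious"
    if rep.indicators:
        return "suspicious"
    return "benign"


STAGES = {"static": static_analysis, "dynamic": dynamic_analysis}


def analyze(spec: Specimen, plan: AnalysisPlan) -> Report:
    """Controller: run the plan's stages in order, altering the remaining plan as it goes."""
    rep = Report()
    remaining = list(plan.order)          # per-run copy of the plan that may be modified
    while remaining:
        stage = remaining.pop(0)
        STAGES[stage](spec, rep)
        # Plan alteration: discontinue further analyses when the static stage found nothing.
        if stage == "static" and plan.stop_after_static_if_clean and not rep.indicators:
            rep.plan_altered = bool(remaining)
            remaining.clear()
    rep.verdict = classify(rep)
    return rep


# Constructed specimens, not real samples.
CLEAN_DOC = Specimen("quarterly_report", "pdf", b"%PDF-1.4 " + b"plain text body " * 20)
PACKED_EXE_AS_DOC = Specimen("invoice", "docx", b"MZ" + bytes(range(256)) * 4,
                             sandbox_events=["opens_document", "spawns_shell"])
PACKED_ONLY = Specimen("installer", "exe", bytes(range(256)) * 4)
DEFAULT_PLAN = AnalysisPlan(order=["static", "dynamic"])

if __name__ == "__main__":
    for spec in (CLEAN_DOC, PACKED_EXE_AS_DOC, PACKED_ONLY):
        r = analyze(spec, DEFAULT_PLAN)
        print(f"{spec.name}: stages={r.stages_run} indicators={r.indicators} "
              f"behaviors={r.behaviors} plan_altered={r.plan_altered} verdict={r.verdict}")
```

The clean document stops after the static stage (the plan is altered to discontinue), the high-entropy object with a mismatched type runs both stages and is classified from indicators plus an unexpected behavior, and the packed-only specimen shows the "continue" branch ending in a suspicious rather than malicious verdict because the dynamic stage recorded nothing unexpected.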