Malware analysis in accordance with an analysis plan

US 9,910,988 B1
Filed: 10/23/2015
Issued: 03/06/2018
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. A system for detecting malware in a specimen received as input, the system comprising:

a memory device having a data store that stores an analysis plan, the analysis plan identifies at least an order of a plurality of analyses to be conducted on the specimen and the contents of the analysis plan that control the order of the plurality of analyses is modifiable based on results from a prior analysis or classification of a previously analyzed specimen;

a static analysis logic communicatively coupled to the data store, the static analysis logic being configured to conduct, in accordance with the analysis plan, one or more analysis of the specimen for characteristics that suggest the specimen includes malware;

a dynamic analysis logic communicatively coupled to the data store, the dynamic analysis logic being configured to conduct, in accordance with the analysis plan, one or more analysis of the specimen to detect at least one unexpected behavior that occurs during processing of the specimen within one or more virtual machines; and

a controller communicatively coupled to the data store, the first analysis logic, and the second analysis logic, the controller to coordinate at least the order of the plurality of analyses conducted by one or more of (i) the static analysis logic and (ii) the dynamic analysis logic in accordance with content of the analysis plan.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for malware detection are described. Herein, a system, which detects malware in a received specimen, comprises a processor and a memory. Communicatively coupled to the processor, the memory comprises a controller that controls analysis of the specimen for malware in accordance with an analysis plan. The memory further comprises (a) a static analysis module that performs at least a first static analysis to identify a suspicious indicator of malware and at least partially determine that the specimen includes a packed object; (b) an emulation analysis module that emulates operations associated with processing of the specimen by a software application or library, including unpacking an object of the specimen when the specimen is determined by the static analysis module to include the packed object, and monitors one or more behaviors of the specimen during the emulated operations; and a classifier that determines whether the specimen should be classified as malicious.

665 Citations

19 Claims

1. A system for detecting malware in a specimen received as input, the system comprising:
- a memory device having a data store that stores an analysis plan, the analysis plan identifies at least an order of a plurality of analyses to be conducted on the specimen and the contents of the analysis plan that control the order of the plurality of analyses is modifiable based on results from a prior analysis or classification of a previously analyzed specimen;
  
  a static analysis logic communicatively coupled to the data store, the static analysis logic being configured to conduct, in accordance with the analysis plan, one or more analysis of the specimen for characteristics that suggest the specimen includes malware;
  
  a dynamic analysis logic communicatively coupled to the data store, the dynamic analysis logic being configured to conduct, in accordance with the analysis plan, one or more analysis of the specimen to detect at least one unexpected behavior that occurs during processing of the specimen within one or more virtual machines; and
  
  a controller communicatively coupled to the data store, the first analysis logic, and the second analysis logic, the controller to coordinate at least the order of the plurality of analyses conducted by one or more of (i) the static analysis logic and (ii) the dynamic analysis logic in accordance with content of the analysis plan.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The system of claim 1, wherein the controller being configured to modify the content of the analysis plan that modifies at least the order of the plurality of analyses in response to receipt of feedback information based on the results from at least one of (i) the one or more analysis conducted by the static analysis logic and (ii) the one or more analysis conducted by the dynamic analysis logic.
  - 3. The system of claim 2, wherein the feedback information includes (i) results from the analysis of the specimen for at least one or more characteristics that suggest the specimen includes malware or results from the analysis of the specimen for the at least one unexpected behavior that occurs during processing of the specimen within one or more virtual machines.
  - 4. The system of claim 1, wherein the results from the prior analysis or classification of the previously analyzed specimen for either (i) at least one or more characteristics that suggest the specimen includes malware or (ii) the at least one unexpected behavior that occurs during processing of the specimen within one or more virtual machines alter a set of rules of the analysis plan that may alter parameters examined in the one or more analyses of the specimen.
  - 5. The system of claim 2, wherein the controller modifies the content of the analysis plan by including an additional analysis that is conducted by the static analysis logic between or after a first analysis and a second analysis, the first analysis being one of the one or more analysis conducted by the static analysis logic and the second analysis being one of the one or more analysis conducted by the dynamic analysis logic.
  - 6. The system of claim 2, wherein the controller modifies the content of the analysis plan by including an additional analysis that is conducted by the dynamic analysis logic between or after a first analysis and a second analysis, the first analysis being one of the one or more analysis conducted by the static analysis logic and the second analysis being one of the one or more analysis conducted by the dynamic analysis logic.
  - 7. The system of claim 2, wherein the controller modifies the content of the analysis plan by including an additional analysis that is conducted by one of the static analysis logic and the dynamic analysis logic after an analysis of the one or more analysis being conducted by the dynamic analysis logic.
  - 8. The system of claim 1, wherein the controller modifies the content of the analysis plan by including an additional analysis that is conducted by one of the static analysis logic and the dynamic analysis logic after an analysis of the one or more analysis being conducted by the static analysis logic.
  - 9. The system of claim 1, wherein the controller modifies the content of the analysis plan by modifying an operating environment of the one or more virtual machines for a next analysis in the analysis plan.
  - 10. The system of claim 1, wherein the controller being configured to modify the content of the analysis plan that modifies at least the order of the plurality of analyses in response to receipt of feedback information from the dynamic analysis logic, the feedback information includes results from the analysis of the specimen for the at least one unexpected behavior that occurs during processing of the specimen within one or more virtual machines.
  - 11. The system of claim 1, wherein the controller being configured to modify the content of the analysis plan that modifies at least the order of the plurality of analyses in response to feedback information from at least one of the static analysis logic and the dynamic analysis logic.
  - 12. The system of claim 1 further comprising:
    - a classifier communicatively coupled to the data store, the classifier being configured to determine whether the specimen should be classified as malicious based on results of at least one of the one or more analysis being conducted on the specimen by the static analysis logic and the one or more analysis being conducted on the specimen by the dynamic analysis logic.
  - 13. The system of claim 12, wherein the controller being configured to modify the analysis plan based on feedback information from the classifier, the feedback information includes a confidence score that indicates whether the specimen is malicious, non-malicious or no classification for the specimen is available based on the results of at least one of (i) the one or more analysis being conducted on the specimen by the static analysis logic and (ii) the one or more analysis being conducted on the specimen by the dynamic analysis logic.
  - 14. The system of claim 13, wherein the controller may modify the analysis plan by discontinuing further analysis in response to the confidence score indicating that the specimen is malicious or non-malicious.
  - 15. The system of claim 13, wherein the controller may modify the analysis plan by adding at least one additional analysis to the analysis plan in response to the confidence score indicating that no classification for the specimen is available.
  - 16. The system of claim 12 further comprising:
    - an emulation analysis logic coupled to the data store, the emulation analysis logic being configured to emulate operations associated with a processing of the specimen in context with an emulated computer application or in context with an emulated dynamic librarywherein the controller to further coordinate at least the order of the plurality of analyses conducted the emulation analysis logic in accordance with content of the analysis plan.
  - 17. The system of claim 16, wherein the emulation analysis logic to unpack the specimen, the specimen includes a file provided for analysis.

18. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor within an electronic device, cause the processor to perform operations for detecting malware in a specimen captured from content received by the electronic device, the non-transitory machine-readable medium comprising:
- a data store that stores an analysis plan, the analysis plan identifies at least an order of a plurality of analyses to be conducted on the specimen;
  
  a static analysis logic communicatively coupled to the data store, the static analysis logic being configured to conduct, in accordance with the analysis plan, one or more analysis of the specimen for characteristics that suggest the specimen includes malware;
  
  a dynamic analysis logic communicatively coupled to the data store, the dynamic analysis logic being configured to conduct, in accordance with the analysis plan, one or more analysis of the specimen to detect at least one unexpected behavior that occurs during processing of the specimen within one or more virtual machines; and
  
  a controller communicatively coupled to the data store, the first analysis logic, and the second analysis logic, the controller to coordinate at least the order of the plurality of analyses conducted by one or more of (i) the static analysis logic and (ii) the dynamic analysis logic in accordance with content of the analysis plan.

19. A computer implemented method of detecting malware in a specimen of computer content or network traffic, the method comprising:
- accessing, by a hardware processor, an analysis plan for analyzing whether a specimen should be classified as malware, the analysis plan identifies at least an order of a plurality of analyses to be conducted on the specimen, the plurality of analyses include a first analysis followed by a second analysis;
  
  performing, by the hardware processor, the first analysis according to the analysis plan to identify one or more suspicious indicators that identify the specimen may include malware;
  
  performing, by the hardware processor, the second analysis according to the analysis plan, the second analysis includes monitoring behaviors of the specimen during processing within at least one virtual machine to identify one or more unexpected behaviors that correspond to processing or communication anomalies;
  
  determining, by a classifier executed by the hardware processor, whether the specimen should be classified as malicious based the one or more suspicious indicators and the one or more unexpected behaviors; and
  
  altering the analysis plan, by the hardware processor, to either discontinue any further analyses within the analysis plan or continue with an additional analysis after at least the first analysis to determine if the specimen includes malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Vincent, Michael, Mesdaq, Ali, Thioux, Emmanuel, Singh, Abhishek, Vashisht, Sal
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Gao, Shu Chun

Application Number

US14/922,024
Time in Patent Office

865 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Malware analysis in accordance with an analysis plan

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

665 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Malware analysis in accordance with an analysis plan

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

665 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links