Malicious content analysis using simulated user interaction without user involvement

US 9,912,698 B1
Filed: 07/20/2015
Issued: 03/06/2018
Est. Priority Date: 03/13/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

detecting an event requesting a user action on a graphical user interface during processing of a malicious content suspect within a virtual machine;

in response to detection of the event requesting the user action on the graphical user interface, simulating a user interaction with a displayable feature of the graphic user interface without user intervention by at least registering with an operating system operating as part of the virtual machine to (i) intercept signaling to one or more graphics user interface (GUI) application programming interfaces (APIs) and (ii) send a command to the operating system to respond to the graphical user interface produced during processing of the malicious content suspect; and

analyzing behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for detecting malicious content using simulated user interactions are described herein. In one embodiment, a monitoring module monitors activities of a malicious content suspect executed within a sandboxed operating environment. In response to detection of a predetermined event triggered by the malicious content suspect requesting a user action on a graphical user interface (GUI) presented by the malicious content suspect, simulating, a user interaction module simulates a user interaction with the GUI without user intervention. An analysis module analyzes activities of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious.

Citations

36 Claims

1. A computer-implemented method comprising:
- detecting an event requesting a user action on a graphical user interface during processing of a malicious content suspect within a virtual machine;
  
  in response to detection of the event requesting the user action on the graphical user interface, simulating a user interaction with a displayable feature of the graphic user interface without user intervention by at least registering with an operating system operating as part of the virtual machine to (i) intercept signaling to one or more graphics user interface (GUI) application programming interfaces (APIs) and (ii) send a command to the operating system to respond to the graphical user interface produced during processing of the malicious content suspect; and
  
  analyzing behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the malicious content suspect is an executable that, when executed by a processor implemented within a data processing system, generates the graphic user interface.
  - 3. The method of claim 1, wherein the event requesting the user action on the graphical user interface is triggered by an application processing the malicious content suspect.
  - 4. The method of claim 1, wherein the sending of the command that simulates the user interaction that includes activation of a predetermined button presented by a dialog box that would cause execution or storage of an attached file.
  - 5. The method of claim 1, wherein the detecting an event requesting the user action on the graphical user interface is performed by intercepting a call initiated by the malicious content suspect to an Application Programming Interface (API) of the one or more GUI APIs.
  - 6. The method of claim 1, wherein the detecting an event requesting the user action on the graphical user interface is performed by registering a hook to an API of the one or more GUI APIs of the operating system.
  - 7. The method of claim 1, wherein prior to sending the command that is responsive to display of the graphic user interface, the method further comprises (i) building an internal data structure that represents content and layout of the dialog box, (ii) comparing the internal data structure to a library of dialogs stored in the memory, and (iii) upon matching one of the dialogs, obtaining information associated with a matched dialog to dismiss the dialog box.
  - 8. The method of claim 1, wherein the analyzing of the behaviors of the malicious content suspect is performed by at least analyzing information associated with the behaviors based on a set of rules to determine whether the malicious content suspect is considered to be malicious.
  - 9. The method of claim 1, wherein the simulating of the user interaction with the displayable feature is conducted without displaying the dialog box.

10. A system, comprising:
- a processor; and
  
  a memory coupled to the processor, the memory comprisesa monitoring module that, when executed by the processor, monitors for an event requesting a user action on a graphical user interface during processing of a malicious content suspect within a virtual machine,a user interaction module that, when executed by the processor and in response to detection of the event requesting the user action on the graphical user interface, simulates a user interaction with a displayable feature of the graphical user interface without user intervention, the user interaction module registers with an operating system deployed within the virtual machine to (i) intercept signaling to one or more application programming interfaces (APIs) that are directed to a graphics user interface (GUI) application and operate in cooperation with the operating system and (ii) send a command to the operating system to respond to the graphical user interface produced during processing of the malicious content suspect, andan analysis module to analyze behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 11. The system of claim 10, wherein the malicious content suspect is an executable that, when executed by the processor, generates the graphic user interface.
  - 12. The system of claim 10, wherein the user interaction module is configured to:
    - detect a display of a message dialog box, andautomatically, without user intervention, send the command representing an activation of a predetermined button of the message dialog box to the operating system to respond to the message dialog box.
  - 13. The system of claim 12, wherein the predetermined button when activated is to dismiss the message dialog box.
  - 14. The system of claim 10, wherein the user interaction module is configured to:
    - detect a dialog box being configured to prompt a user for a confirmation of execution or storage of an attached file, andautomatically, without user intervention, send the command representing an activation of a predetermined button presented by the dialog box that would cause the execution or storage of the attached file.
  - 15. The system of claim 10, wherein the detection of the event by the monitoring module comprises intercepting a call initiated by the malicious content suspect to the one or more APIs.
  - 16. The system of claim 10, wherein the monitoring of the event requesting the user action by the monitoring module comprises registering a hook with the operating system to detect the signaling to the one or more APIs operating as a graphical user interface API of the operating system.
  - 17. The system of claim 16, wherein the detecting of the event by the monitoring module further comprises receiving a notification from the operating system of a communication from the malicious content suspect to the graphical user interface API to display a dialog box.
  - 18. The system of claim 10, wherein prior to sending the response, the user interaction module, when executed by the processor, further (i) builds an internal data structure that represents content and layout of a dialog box, (ii) compares the internal data structure to a library of dialogs stored in memory, and (iii) upon matching one of the dialogs, obtains information associated with a matched dialog to dismiss the dialog box.
  - 19. The system of claim 10, wherein the analysis module, when executed by the processor, analyzes the behaviors of the malicious content suspect by at least analyzing information associated with the behaviors based on a set of rules to determine whether the malicious content suspect is considered to be malicious.
  - 20. The system of claim 10, wherein the simulating of the user interaction with the displayable feature of the graphic user interface, which is operating as a dialog box, is conducted without displaying the dialog box.
  - 21. The system of claim 10, wherein the user interaction module is configured to:
    - detect a dialog box being configured to prompt a user for a confirmation of executing or storing an attached file; and
      
      automatically, without user intervention, send the command representing an activation of a prescribed button that is present in the dialog box to the operating system to allow the operating system to store the attached file.
  - 22. The system of claim 10, wherein the user interaction module is configured to:
    - detect a dialog box being configured to prompt a user for a confirmation of executing or storing an attached file; and
      
      automatically, without user intervention, send the command representing an activation of a prescribed button that is present in the dialog box to the operating system to allow the operating system to execute the attached file.

23. A system, comprising:
- a processor; and
  
  a memory coupled to the processor, the memory comprisesa user interaction module that, when executed by the processor and in response to detection of an event requesting a user action on a graphical user interface during processing of a malicious content suspect within a virtual machine, simulates a user interaction with a displayable feature of the graphic user interface without user intervention, the user interaction module registers with an operating system operating as part of the virtual machine to (i) intercept signaling to one or more graphics user interface (GUI) application programming interfaces (APIs) and (ii) send a command to the operating system to respond to the graphical user interface produced during processing of the malicious content suspect, andan analysis module to analyze behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31)
- - 24. The system of claim 23, wherein the malicious content suspect is an executable that, when executed by the processor, generates the graphic user interface.
  - 25. The system of claim 24, wherein the user interaction module to send the command that simulates the user interaction including an activation of a predetermined button presented by a dialog box that would cause execution or storage of an attached file.
  - 26. The system of claim 25, wherein prior to sending the command that is responsive to display of the graphic user interface, the user interaction module, when executed by the processor, further (i) builds an internal data structure that represents content and layout of the dialog box, (ii) compares the internal data structure to a library of dialogs stored in the memory, and (iii) upon matching one of the dialogs, obtains information associated with a matched dialog to dismiss the dialog box.
  - 27. The system of claim 23, wherein the graphical user interface is triggered by an application processing the malicious content suspect.
  - 28. The system of claim 23, wherein the detection of the event is performed by a monitoring module that, when executed by the processor, intercepts a call initiated by the malicious content suspect to an Application Programming Interface (API) of the one or more GUI APIs.
  - 29. The system of claim 28, wherein the monitoring module, when executed by the processor, to monitor for the event requesting the user action on the graphic user interface by registering a hook to an API of the one or more GUI APIs of the operating system.
  - 30. The system of claim 23, wherein the analysis module, when executed by the processor, analyzes the behaviors of the malicious content suspect by at least analyzing information associated with the behaviors based on a set of rules to determine whether the malicious content suspect is considered to be malicious.
  - 31. The system of claim 23, wherein the user interaction module simulates the user interaction with the displayable feature of the graphic user interface operating as a dialog box is conducted without displaying the dialog box.

32. A system, comprising:
- a processor configured to (i) monitor for an event requesting a user action on a graphical user interface produced by a malicious content suspect, (ii) simulate a user interaction with a displayable feature of the graphic user interface without user intervention in response to a detection of the event requesting the user action on the graphical user interface, and (iii) analyze behaviors of a malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious; and
  
  a memory coupled to the processor, the memory comprises a set of rules to determine whether the malicious content suspect is considered to be malicious,wherein the processor simulates the user interaction by at least registering with an operating system of the virtual machine to (i) intercept signaling directed to a graphics user interface (GUI) application programming interfaces (API) of the operating system and (ii) send a command to the operating system to respond to the graphical user interface produced during processing of the malicious content suspect.
- View Dependent Claims (33, 34, 35)
- - 33. The system of claim 32, wherein the processor is configured to detect the event by intercepting a call initiated by the malicious content suspect to the GUI API.
  - 34. The system of claim 32, wherein the processor to simulate the user interaction with the graphic user interface operating as a dialog box without displaying the dialog box.
  - 35. The system of claim 32, wherein the malicious content suspect is an executable that, when executed by the processor, generates the graphic user interface.

36. A non-transitory computer readable medium executable by a processor, comprising:
- a user interaction module that, when executed by the processor and in response to detection of an event requesting a user action on a graphical user interface during processing of a malicious content suspect within a virtual machine, simulates a user interaction with a displayable feature of the graphic user interface without user intervention, the user interaction module registers with an operating system operating as part of the virtual machine to (i) intercept signaling to one or more graphics user interface (GUI) application programming interfaces (APIs) and (ii) send a command to the operating system to respond to the graphical user interface produced during processing of the malicious content suspect, andan analysis module to analyze behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Thioux, Emmanuel, Amin, Muhammad, Kindlund, Darien, Pilipenko, Alex, Vincent, Michael
Primary Examiner(s)
Song, Hosuk
Assistant Examiner(s)
Murphy, J. Brant

Application Number

US14/804,086
Time in Patent Office

960 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/20   for managing network securi...

Malicious content analysis using simulated user interaction without user involvement

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Malicious content analysis using simulated user interaction without user involvement

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links