Malicious content analysis using simulated user interaction without user involvement
Abstract
Techniques for detecting malicious content using simulated user interactions are described herein. In one embodiment, a monitoring module monitors activities of a malicious content suspect executed within a sandboxed operating environment. In response to detection of a predetermined event triggered by the malicious content suspect requesting a user action on a graphical user interface (GUI) presented by the malicious content suspect, a user interaction module simulates a user interaction with the GUI without user intervention. An analysis module analyzes activities of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious.
36 Claims
1. A computer-implemented method comprising:
detecting an event requesting a user action on a graphical user interface during processing of a malicious content suspect within a virtual machine;
in response to detection of the event requesting the user action on the graphical user interface, simulating a user interaction with a displayable feature of the graphic user interface without user intervention by at least registering with an operating system operating as part of the virtual machine to (i) intercept signaling to one or more graphics user interface (GUI) application programming interfaces (APIs) and (ii) send a command to the operating system to respond to the graphical user interface produced during processing of the malicious content suspect; and
analyzing behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A system, comprising:
a processor; and
a memory coupled to the processor, the memory comprises
a monitoring module that, when executed by the processor, monitors for an event requesting a user action on a graphical user interface during processing of a malicious content suspect within a virtual machine,
a user interaction module that, when executed by the processor and in response to detection of the event requesting the user action on the graphical user interface, simulates a user interaction with a displayable feature of the graphical user interface without user intervention, the user interaction module registers with an operating system deployed within the virtual machine to (i) intercept signaling to one or more application programming interfaces (APIs) that are directed to a graphics user interface (GUI) application and operate in cooperation with the operating system and (ii) send a command to the operating system to respond to the graphical user interface produced during processing of the malicious content suspect, and
an analysis module to analyze behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22
23. A system, comprising:
a processor; and
a memory coupled to the processor, the memory comprises
a user interaction module that, when executed by the processor and in response to detection of an event requesting a user action on a graphical user interface during processing of a malicious content suspect within a virtual machine, simulates a user interaction with a displayable feature of the graphic user interface without user intervention, the user interaction module registers with an operating system operating as part of the virtual machine to (i) intercept signaling to one or more graphics user interface (GUI) application programming interfaces (APIs) and (ii) send a command to the operating system to respond to the graphical user interface produced during processing of the malicious content suspect, and
an analysis module to analyze behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious.
Dependent claims: 24, 25, 26, 27, 28, 29, 30, 31
32. A system, comprising:
a processor configured to (i) monitor for an event requesting a user action on a graphical user interface produced by a malicious content suspect, (ii) simulate a user interaction with a displayable feature of the graphic user interface without user intervention in response to a detection of the event requesting the user action on the graphical user interface, and (iii) analyze behaviors of a malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious; and
a memory coupled to the processor, the memory comprises a set of rules to determine whether the malicious content suspect is considered to be malicious,
wherein the processor simulates the user interaction by at least registering with an operating system of the virtual machine to (i) intercept signaling directed to a graphics user interface (GUI) application programming interfaces (API) of the operating system and (ii) send a command to the operating system to respond to the graphical user interface produced during processing of the malicious content suspect.
Dependent claims: 33, 34, 35
36. A non-transitory computer readable medium executable by a processor, comprising:
a user interaction module that, when executed by the processor and in response to detection of an event requesting a user action on a graphical user interface during processing of a malicious content suspect within a virtual machine, simulates a user interaction with a displayable feature of the graphic user interface without user intervention, the user interaction module registers with an operating system operating as part of the virtual machine to (i) intercept signaling to one or more graphics user interface (GUI) application programming interfaces (APIs) and (ii) send a command to the operating system to respond to the graphical user interface produced during processing of the malicious content suspect, and
an analysis module to analyze behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious.
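The pipeline the abstract and the independent claims describe (a monitoring module watches for a GUI event, the user interaction module registers a hook on the GUI API and sends a response command, the analysis module applies rules to the behaviors that follow) as an added toy model. This is not code from the patent or its assignee: the Windows MessageBox constants are the real ones from winuser.h, but the GUI API itself is a Python stand-in so the model runs on any OS, and the two samples, the file paths, the rule set and the 203.0.113.7 address are constructed for the example.

```python
"""Added example (not from the patent): a toy model of the claimed pipeline.
A monitoring module logs GUI API calls made by a suspect running in the
sandbox, a user interaction module answers dialogs without a human, and an
analysis module applies rules to the behaviors observed after the answer.
Windows GUI APIs are stand-ins (plain Python methods), so this runs anywhere."""
from dataclasses import dataclass, field

# Real MessageBox flag/return values from <winuser.h>, used for fidelity only.
MB_OK, MB_OKCANCEL, MB_YESNO = 0x0, 0x1, 0x4
IDOK, IDYES = 1, 6
STALLED = None  # sentinel: the dialog is waiting on a user who never arrives


@dataclass
class SandboxOS:
    """The guest OS as the suspect sees it: a hookable GUI API plus a behavior log."""
    behaviors: list = field(default_factory=list)   # (phase, kind, detail)
    phase: str = "pre-interaction"
    _gui_hooks: dict = field(default_factory=dict)

    def register_gui_hook(self, api_name, handler):
        """Claim element (i): register to intercept signaling to a GUI API."""
        self._gui_hooks[api_name] = handler

    def report(self, kind, detail):
        """Monitoring module: every observable action is logged with its phase."""
        self.behaviors.append((self.phase, kind, detail))

    def MessageBox(self, text, flags):
        """Stand-in for user32!MessageBoxW. Without a hook the call would block
        on a human; that is modelled here by returning STALLED."""
        self.report("gui_event", f"MessageBox({text!r}, flags={flags:#x})")
        handler = self._gui_hooks.get("MessageBox")
        return STALLED if handler is None else handler(self, text, flags)


def auto_respond(os_, text, flags):
    """User interaction module, claim element (ii): send the command that lets
    the suspect continue. The affirmative button is chosen so a 'click to
    enable' gate is passed; the log then moves to the post-interaction phase."""
    answer = IDYES if flags & MB_YESNO else IDOK
    os_.phase = "post-interaction"
    os_.report("simulated_input", f"button={answer}")
    return answer


# Analysis-module rules (constructed): name -> predicate over (kind, detail).
RULES = [
    ("persistence", lambda k, d: k == "file_write" and "\\Startup\\" in d),
    ("beacon", lambda k, d: k == "network_connect"),
]


def analyze(behaviors):
    """Declare malicious only from behavior seen after the simulated
    interaction; a suspect left stalled on a dialog yields 'inconclusive'."""
    kinds = {k for _, k, _ in behaviors}
    if "gui_event" in kinds and "simulated_input" not in kinds:
        return "inconclusive", []
    hits = sorted({name for phase, k, d in behaviors if phase == "post-interaction"
                   for name, pred in RULES if pred(k, d)})
    return ("malicious" if hits else "benign"), hits


def suspect_sample(os_):
    """Constructed sample: an 'enable content' gate, then the payload."""
    os_.report("file_read", r"C:\Users\victim\Documents\invoice.docm")
    if os_.MessageBox("Enable editing to view this document?", MB_YESNO) != IDYES:
        return  # no consent (or no user at all): stays quiet, as evasive samples do
    os_.report("file_write", r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\upd.exe")
    os_.report("network_connect", "203.0.113.7:443")  # TEST-NET-3 address


def benign_sample(os_):
    """Constructed sample: an informational dialog, then an ordinary file write."""
    os_.MessageBox("Installation complete.", MB_OK)
    os_.report("file_write", r"C:\Users\victim\Documents\notes.txt")


def run(sample, simulate_user=True):
    """Detonate one sample in a fresh sandbox and return (verdict, rule hits)."""
    os_ = SandboxOS()
    if simulate_user:
        os_.register_gui_hook("MessageBox", auto_respond)
    sample(os_)
    return analyze(os_.behaviors)


if __name__ == "__main__":
    print(run(suspect_sample, simulate_user=False))  # ('inconclusive', [])
    print(run(suspect_sample))   # ('malicious', ['beacon', 'persistence'])
    print(run(benign_sample))    # ('benign', [])
```

Two points the model makes concrete: without the hook the gated sample never shows its payload, which is the evasion the claims are aimed at, and the verdict is based on the behaviors logged after the simulated input, so the analysis module can tell "did something because a user clicked" from "did something anyway".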
Specification