Methods, systems, and media for detecting covert malware

US 9,971,891 B2
Filed: 08/13/2013
Issued: 05/15/2018
Est. Priority Date: 12/31/2009
Status: Active Grant

First Claim

Patent Images

1. A method for detecting covert malware in a computing environment, the method comprising:

receiving, using a hardware processor, a first set of user actions;

automatically generating, without receiving user input, using the hardware processor, a second set of user actions that is similar to the first set of user actions based on the first set of user actions and using a model of user activity, wherein the first set of user actions is modified using the model of user activity to generate the second set of user actions in the form of simulated user actions;

replaying, using the hardware processor, the second set of user actions to an application inside the computing environment;

determining, using the hardware processor, whether state information of the application matches an expected state in response to the second set of user actions is being replayed to the application inside the computing environment;

determining, using the hardware processor, whether covert malware is present in the computing environment based at least in part on the determination of whether the state information matches the expected state; and

transmitting, using the hardware processor, an alert to a computing device in response to determining that covert malware is present in the computing environment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and media for detecting covert malware are provided. In accordance with some embodiments, a method for detecting covert malware in a computing environment is provided, the method comprising: receiving a first set of user actions; generating a second set of user actions based on the first set of user actions and a model of user activity; conveying the second set of user actions to an application inside the computing environment; determining whether state information of the application matches an expected state after the second set of user actions is conveyed to the application; and determining whether covert malware is present in the computing environment based at least in part on the determination.

107 Citations

View as Search Results

23 Claims

1. A method for detecting covert malware in a computing environment, the method comprising:
- receiving, using a hardware processor, a first set of user actions;
  
  automatically generating, without receiving user input, using the hardware processor, a second set of user actions that is similar to the first set of user actions based on the first set of user actions and using a model of user activity, wherein the first set of user actions is modified using the model of user activity to generate the second set of user actions in the form of simulated user actions;
  
  replaying, using the hardware processor, the second set of user actions to an application inside the computing environment;
  
  determining, using the hardware processor, whether state information of the application matches an expected state in response to the second set of user actions is being replayed to the application inside the computing environment;
  
  determining, using the hardware processor, whether covert malware is present in the computing environment based at least in part on the determination of whether the state information matches the expected state; and
  
  transmitting, using the hardware processor, an alert to a computing device in response to determining that covert malware is present in the computing environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the second set of user actions is generated outside of the computing environment.
  - 3. The method of claim 1, further comprises:
    - determining whether a decoy corresponding to the second set of user actions has been accessed by an unauthorized entity; and
      
      in response to determining that the decoy has been accessed by the unauthorized entity, determining that covert malware is present in the computing environment.
  - 4. The method of claim 1, wherein the first set of user actions comprises mouse and keyboard events.
  - 5. The method of claim 4, further comprising replaying at least a portion of the first set of user actions along with conveying the second set of user actions.
  - 6. The method of claim 4, wherein generating the second set of user actions further comprises recording, modifying, and replaying the mouse and keyboard events based on the first set of user actions.
  - 7. The method of claim 1, wherein the second set of user actions is generated by modifying the first set of user actions and translating the first set of user actions using a wireless protocol.
  - 8. The method of claim 1, further comprising defining the second set of user actions by a formal language, wherein the first set of user actions is mapped to constructs of the formal language and wherein the formal language comprises carry actions for the simulation and the conveyance of the decoy and cover actions that support believability of the second set of user actions and the decoy.
  - 9. The method of claim 1, wherein the model of user activity includes a model of at least one of:
    - keystroke speed, mouse speed, mouse distance, keystroke error rate, and frequency of errors made during typing.
  - 10. The method of claim 1, wherein determining the state information further comprises performing a visual verification that determines whether a screen output changed as expected in response to the second set of user actions.
  - 11. The method of claim 1, wherein determining the state information further comprises:
    - analyzing network traffic to determine message characteristics that include at least one of;
      
      a number of conversations, a number of messages exchanged, and a number of bytes in each message; and
      
      comparing the state information that includes current message characteristics with the analyzed network traffic that includes determined message characteristics.

12. A system for detecting covert malware in a computing environment, the system comprising:
- a hardware processor that is configured to;
  
  receive a first set of user actions;
  
  automatically generate, without receiving user input, a second set of user actions that is similar to the first set of user actions based on the first set of user actions and using a model of user activity, wherein the first set of user actions is modified using the model of user activity to generate the second set of user actions in the form of simulated user actions;
  
  replay the second set of user actions to an application inside the computing environment;
  
  determine whether state information of the application matches an expected state in response to the second set of user actions is being replayed to the application inside the computing environment;
  
  determine whether covert malware is present in the computing environment based at least in part on the determination of whether the state information matches the expected state; and
  
  transmit an alert to a computing device in response to determining that covert malware is present in the computing environment.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein the second set of user actions is generated outside of the computing environment.
  - 14. The system of claim 12, wherein the hardware processor is further configured to:
    - determine whether a decoy corresponding to the second set of user actions has been accessed by an unauthorized entity, andin response to determining that the decoy has been accessed by the unauthorized entity, determine that covert malware is present in the computing environment.
  - 15. The system of claim 12, wherein the first set of user actions comprises mouse and keyboard events.
  - 16. The system of claim 15, wherein the hardware processor is further configured to replay at least a portion of the first set of user actions along with conveying the second set of user actions.
  - 17. The system of claim 15, wherein the hardware processor is further configured to record, modify, and replay the mouse and keyboard events based on the first set of user actions.
  - 18. The system of claim 12, wherein the second set of user actions is generated by modifying the first set of user actions and translating the first set of user actions using a wireless protocol.
  - 19. The system of claim 12, wherein the hardware processor is further configured to define the second set of user actions by a formal language, wherein the first set of user actions is mapped to constructs of the formal language and wherein the formal language comprises carry actions for the simulation and the conveyance of the decoy and cover actions that support believability of the second set of user actions and the decoy.
  - 20. The system of claim 12, wherein the model of user activity includes a model of at least one of:
    - keystroke speed, mouse speed, mouse distance, keystroke error rate, and frequency of errors made during typing.
  - 21. The system of claim 12, wherein the hardware processor is further configured to perform a visual verification that determines whether a screen output changed as expected in response to the second set of user actions.
  - 22. The system of claim 13, wherein the hardware processor is further configured to:
    - analyze network traffic to determine message characteristics that include at least one of;
      
      a number of conversations, a number of messages exchanged, and a number of bytes in each message; and
      
      compare the state information that includes current message characteristics with the analyzed network traffic that includes determined message characteristics.

23. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting covert malware in a computing environment, the method comprising:
- receiving a first set of user actions;
  
  automatically generating, without receiving user input, a second set of user actions that is similar to the first set of user actions based on the first set of user actions and using a model of user activity, wherein the first set of user actions is modified using the model of user activity to generate the second set of user actions in the form of simulated user actions;
  
  replaying the second set of user actions to an application inside the computing environment;
  
  determining whether state information of the application matches an expected state in response to the second set of user actions is being replayed to the application inside the computing environment;
  
  determining whether covert malware is present in the computing environment based at least in part on the determination of whether the state information matches the expected state; and
  
  transmitting an alert to a computing device in response to determining that covert malware is present in the computing environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Original Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Inventors
Bowen, Brian M., Prabhu, Pratap V., Kemerlis, Vasileios P., Sidiroglou, Stylianos, Stolfo, Salvatore J., Keromytis, Angelos D.
Primary Examiner(s)
Gergiso, Techane

Application Number

US13/965,619
Publication Number

US 20130333037A1
Time in Patent Office

1,736 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

Methods, systems, and media for detecting covert malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

107 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, systems, and media for detecting covert malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

107 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links