System and Method for Detecting Unknown Malware
First Claim
1. A computer-implemented method for detecting unknown malware, the method comprising:
generating a hash of an unknown object;
comparing the hash of the unknown object with hashes of known clean and malicious objects;
if the hash of the unknown object matches one of the hashes of either known clean or malicious objects, terminating analysis of the unknown object;
if the hash of the unknown object does not match any hash of the known clean or malicious objects, selecting out of a plurality of different malware analysis methods at least two most effective malware analysis methods for further analysis of the unknown object for presence of malware, wherein the effectiveness of a malware analysis method is determined as a function of a level of successful malware detections of known malicious objects and a level of false positive detections of known clean objects by said malware analysis method;
generating a different object gene of the unknown object for each of the two selected malware analysis methods, wherein an object gene is a data structure containing a plurality of information elements retrieved from or associated with the unknown object, and wherein an object gene for each malware analysis method is selected from unique lines of code of the unknown object gene, operational areas of the unknown object gene, execution path of the unknown object gene, behavior pattern of the unknown object gene, program flowchart of the unknown object gene, or function call graph of the unknown object gene;
analyzing each generated object gene of the unknown object using the selected malware analysis methods; and
determining if the unknown object is clean or malicious based on the results of the analysis of the generated object genes using the selected malware analysis methods.
Abstract
The present disclosure relates generally to the field of computer security and, in particular, to systems for detecting unknown malware. A method comprises generating genes for known malicious and clean objects; analyzing object genes using different malware analysis methods; computing a level of successful detection of malicious objects by one or a combination of malware analysis methods based on analysis of genes of the known malicious objects; computing a level of false positive detections of malicious objects by one or a combination of malware analysis methods based on analysis of genes of known clean objects; measuring effectiveness of each one or the combination of malware analysis methods as a function of the level of successful detections and the level of false positive detections; and selecting one or a combination of the most effective malware analysis methods for analyzing an unknown object for malware.
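As an added illustration (not code from the patent or its assignee), the pipeline described in claim 1 and the abstract in Python: a hash prefilter against known objects, per-method effectiveness scored from the detection rate on genes of known malicious objects and the false-positive rate on genes of known clean objects, selection of the two most effective methods, and a verdict from their analyses of the unknown object's genes. The corpus, the gene extractors, the analysis methods, the effectiveness function (difference of the two rates) and the "any selected method flags it" combination rule are all constructed assumptions, since the patent leaves them open.

```python
import hashlib
# Constructed toy corpus: script-like byte "objects" with known labels.
KNOWN_OBJECTS = {
    b"open log\nwrite report\nclose log\n": "clean",
    b"read config\nrender ui\nclose\n": "clean",
    b"connect update\ndownload patch\nclose\n": "clean",
    b"encrypt files\ndelete shadow\nconnect c2\n": "malicious",
    b"inject process\nconnect c2\nencrypt files\n": "malicious",
    b"connect c2\ndelete shadow\n": "malicious",
}

# Two of the claim's gene types: the set of unique lines, and a behaviour pattern
# (here the sequence of leading verbs). Both are assumed, simplified extractors.
def gene_unique_lines(obj):
    return frozenset(obj.decode().splitlines())

def gene_behavior_pattern(obj):
    return tuple(line.split()[0] for line in obj.decode().splitlines())

# Analysis methods: (gene extractor, verdict on that gene). "short_file" detects
# every known malicious object but also every clean one, so it must rank last.
SUSPICIOUS_LINES = {"encrypt files", "delete shadow", "connect c2"}
METHODS = {
    "line_match": (gene_unique_lines, lambda g: len(g & SUSPICIOUS_LINES) >= 2),
    "verb_pattern": (gene_behavior_pattern, lambda g: "connect" in g and "encrypt" in g),
    "short_file": (gene_unique_lines, lambda g: len(g) <= 3),
}
def sha256(obj):
    return hashlib.sha256(obj).hexdigest()

def effectiveness(method, corpus):
    """Detection rate on known malicious minus false-positive rate on known clean (assumed)."""
    gene_fn, verdict = method
    mal = [o for o, lab in corpus.items() if lab == "malicious"]
    clean = [o for o, lab in corpus.items() if lab == "clean"]
    detect_rate = sum(verdict(gene_fn(o)) for o in mal) / len(mal)
    fp_rate = sum(verdict(gene_fn(o)) for o in clean) / len(clean)
    return detect_rate - fp_rate

def rank_methods(methods, corpus):
    return sorted(methods, key=lambda n: effectiveness(methods[n], corpus), reverse=True)

def classify(obj, corpus=KNOWN_OBJECTS, methods=METHODS):
    known = {sha256(o): lab for o, lab in corpus.items()}
    if sha256(obj) in known:  # exact hash match: analysis of the object ends here
        return known[sha256(obj)], "hash"
    chosen = rank_methods(methods, corpus)[:2]  # the two most effective methods
    votes = {n: methods[n][1](methods[n][0](obj)) for n in chosen}
    # Assumed combination rule: any selected method flagging the object => malicious.
    return ("malicious" if any(votes.values()) else "clean"), chosen
```

The ranking step is the security-relevant part: a method with perfect recall but a high false-positive rate (here `short_file`) is excluded because effectiveness is measured against known clean objects as well as known malicious ones.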
20 Claims
8. A computer-based system for detecting unknown malware, the system comprising:
a memory configured to store an unknown object; and a processor coupled to the memory and configured to: generate a hash of an unknown object; compare the hash of the unknown object with hashes of known clean and malicious objects; if the hash of the unknown object matches one of the hashes of either known clean or malicious objects, terminate analysis of the unknown object; if the hash of the unknown object does not match any hash of the known clean or malicious objects, select out of a plurality of different malware analysis methods at least two most effective malware analysis methods for further analysis of the unknown object for presence of malware, wherein the effectiveness of a malware analysis method is determined as a function of a level of successful malware detections of known malicious objects and a level of false positive detections of known clean objects by said malware analysis method; generate a different object gene of the unknown object for each of the two selected malware analysis methods, wherein an object gene is a data structure containing a plurality of information elements retrieved from or associated with the unknown object, and wherein an object gene for each malware analysis method is selected from unique lines of code of the unknown object gene, operational areas of the unknown object gene, execution path of the unknown object gene, behavior pattern of the unknown object gene, program flowchart of the unknown object gene, or function call graph of the unknown object gene; analyze each generated object gene of the unknown object using the selected malware analysis methods; and determine if the unknown object is clean or malicious based on the results of the analysis of the generated object genes using the selected malware analysis methods.
15. A computer program product embedded in a non-transitory computer-readable storage medium, the computer-readable storage medium comprising computer-executable instructions for detecting unknown malware, the medium comprises instructions for:
generating a hash of an unknown object; comparing the hash of the unknown object with hashes of known clean and malicious objects; if the hash of the unknown object matches one of the hashes of either known clean or malicious objects, terminating analysis of the unknown object; if the hash of the unknown object does not match any hash of the known clean or malicious objects, selecting out of a plurality of different malware analysis methods at least two most effective malware analysis methods for further analysis of the unknown object for presence of malware, wherein the effectiveness of a malware analysis method is determined as a function of a level of successful malware detections of known malicious objects and a level of false positive detections of known clean objects by said malware analysis method; generating a different object gene of the unknown object for each of the two selected malware analysis methods, wherein an object gene is a data structure containing a plurality of information elements retrieved from or associated with the unknown object, and wherein an object gene for each malware analysis method is selected from unique lines of code of the unknown object gene, operational areas of the unknown object gene, execution path of the unknown object gene, behavior pattern of the unknown object gene, program flowchart of the unknown object gene, or function call graph of the unknown object gene; analyzing each generated object gene of the unknown object using the selected malware analysis methods; and determining if the unknown object is clean or malicious based on the results of the analysis of the generated object genes using the selected malware analysis methods.