System and Method for Detecting Unknown Malware

US 20120174227A1
Filed: 07/26/2011
Published: 07/05/2012
Est. Priority Date: 12/30/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting unknown malware, the method comprising:

generating a hash of an unknown object;

comparing the hash of the unknown object with hashes of known clean and malicious objects;

if the hash of the unknown object matches one of the hashes of either known clean or malicious objects, terminating analysis of the unknown object;

if the hash of the unknown object does not match any hash of the known clean or malicious objects, selecting out of a plurality of different malware analysis methods at least two most effective malware analysis methods for further analysis of the unknown object for presence of malware, wherein the effectiveness of a malware analysis method is determined as a function of a level of successful malware detections of known malicious objects and a level of false positive detections of known clean objects by said malware analysis method;

generating a different object gene of the unknown object for each of the two selected malware analysis methods, wherein an object gene is a data structure containing a plurality of information elements retrieved from or associated with the unknown object, and wherein an object gene for each malware analysis method is selected from unique lines of code of the unknown object gene, operational areas of the unknown object gene, execution path of the unknown object gene, behavior pattern of the unknown object gene, program flowchart of the unknown object gene, or function call graph of the unknown object gene;

analyzing each generated object gene of the unknown object using the selected malware analysis methods; and

determining if the unknown object is clean or malicious based on the results of the analysis of the generated object genes using the selected malware analysis methods.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure relates generally to the field of computer security and, in particular, to systems for detecting unknown malware. A method comprises generating genes for known malicious and dean objects; analyzing object genes using different malware analysis methods; computing a level of successful detection of malicious objects by one or a combination of malware analysis methods based on analysis of genes of the known malicious objects; computing a level of false positive detections of malicious objects by one or a combination of malware analysis methods based on analysis of genes of known clean objects; measuring effectiveness of each one or the combination of malware analysis methods as a function of the level of successful detections and the level of fake positive detections; and selecting one or a combination of the most effective malware analysis methods for analyzing unknown object for malware.

76 Citations

View as Search Results

20 Claims

1. A computer-implemented method for detecting unknown malware, the method comprising:
- generating a hash of an unknown object;
  
  comparing the hash of the unknown object with hashes of known clean and malicious objects;
  
  if the hash of the unknown object matches one of the hashes of either known clean or malicious objects, terminating analysis of the unknown object;
  
  if the hash of the unknown object does not match any hash of the known clean or malicious objects, selecting out of a plurality of different malware analysis methods at least two most effective malware analysis methods for further analysis of the unknown object for presence of malware, wherein the effectiveness of a malware analysis method is determined as a function of a level of successful malware detections of known malicious objects and a level of false positive detections of known clean objects by said malware analysis method;
  
  generating a different object gene of the unknown object for each of the two selected malware analysis methods, wherein an object gene is a data structure containing a plurality of information elements retrieved from or associated with the unknown object, and wherein an object gene for each malware analysis method is selected from unique lines of code of the unknown object gene, operational areas of the unknown object gene, execution path of the unknown object gene, behavior pattern of the unknown object gene, program flowchart of the unknown object gene, or function call graph of the unknown object gene;
  
  analyzing each generated object gene of the unknown object using the selected malware analysis methods; and
  
  determining if the unknown object is clean or malicious based on the results of the analysis of the generated object genes using the selected malware analysis methods.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the object includes a file and wherein selecting at least two different malware analysis methods for further analysis of the unknown object for presence of malware further comprising:
    - identifying file type of the unknown object; and
      
      based on the file type of the object, selecting at least two most effective malware analysis methods out of the plurality of malware analysis methods.
  - 3. The method of claim 6, wherein the level of effectiveness of a malware analysis method is defined as the ratio of the level of successful malware detections of known malicious objects and the level of false positive detections of known clean objects, wherein the level of effectiveness is a value between 0 and 1.
  - 4. The method of claim 3, wherein the level successful detections of known malicious objects using a malware analysis method is defined as a ratio of a number of detected known malicious objects using said method and the total number of known malicious objects.
  - 5. The method of claim 3, wherein the level of false positive detections of known clean objects using a malware analysis method is defined as a ratio of a number of clean objects recognized as malicious using said method and the total number of known clean objects.
  - 6. The method of claim 2, wherein selecting at least two most effective malware analysis methods out of plurality of different malware analysis methods further comprises:
    - generating at least one object gene for each one of a plurality of known malicious and clean objects;
      
      analyzing each object gene using two or more malware analysis methods;
      
      computing a level of successful detection of malicious objects by one or more malware analysis methods based on analysis of genes of the known malicious objects by said methods;
      
      computing a level of false positive detections of malicious objects by one or more malware analysis methods based on analysis of genes of known clean objects by said malware analysis methods;
      
      measuring effectiveness of each of the two or more of malware analysis methods as a function of the level of successful detections of the known malicious objects and the level of false positive detections of the known clean objects; and
      
      selecting two or more of the most effective malware analysis methods for analyzing the unknown object of each file type for presence of malware.
  - 7. The method of claim 1, wherein analyzing an object gene using the malware analysis methods further comprises one or more of:
    - performing exact match analysis of a pattern of information elements of the object gene with patterns of information elements associated with known malicious or clean objects;
      
      performing an approximate string matching of the information elements of the object gene with patterns of information elements associated with known malicious or clean objects;
      
      performing security rating analysis of the information elements of the object gene by separately evaluating maliciousness of separate logical blocks of the information elements.

8. A computer-based system for detecting unknown malware, the system comprising:
- a memory configured to store an unknown object; and
  
  a processor coupled to the memory and configured to;
  
  generate a hash of an unknown object;
  
  compare the hash of the unknown object with hashes of known clean and malicious objects;
  
  if the hash of the unknown object matches one of the hashes of either known clean or malicious objects, terminate analysis of the unknown object;
  
  if the hash of the unknown object does not match any hash of the known clean or malicious objects, select out of a plurality of different malware analysis methods at least two most effective malware analysis methods for further analysis of the unknown object for presence of malware, wherein the effectiveness of a malware analysis method is determined as a function of a level of successful malware detections of known malicious objects and a level of false positive detections of known clean objects by said malware analysis method;
  
  generate a different object gene of the unknown object for each of the two selected malware analysis methods, wherein an object gene is a data structure containing a plurality of information elements retrieved from or associated with the unknown object, and wherein an object gene for each malware analysis method is selected from unique lines of code of the unknown object gene, operational areas of the unknown object gene, execution path of the unknown object gene, behavior pattern of the unknown object gene, program flowchart of the unknown object gene, or function call graph of the unknown object gene;
  
  analyze each generated object gene of the unknown object using the selected malware analysis methods; and
  
  determine if the unknown object is clean or malicious based on the results of the analysis of the generated object genes using the selected malware analysis methods.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the object includes a file and wherein to select at least two most effective malware analysis methods for further analysis of the unknown object for presence of malware, the processor being further configured to:
    - identify file type of the unknown object; and
      
      based on the file type of the object, select at least two most effective malware analysis methods out of the plurality of malware analysis methods.
  - 10. The system of claim 13, wherein the level of effectiveness of a malware analysis method is defined as the ratio of the level of successful malware detections of known malicious objects and the level of false positive detections of known clean objects, wherein the level of effectiveness is a value between 0 and 1.
  - 11. The system of claim 10, wherein the level successful detections of known malicious objects using a malware analysis method is defined as a ratio of a number of detected known malicious objects using said method and the total number of known malicious objects.
  - 12. The system of claim 10, wherein the level of false positive detections of known clean objects using a malware analysis method is defined as a ratio of a number of clean objects recognized as malicious using said method and the total number of known clean objects.
  - 13. The system of claim 9, wherein to select at least two most effective malware analysis methods out of plurality of different malware analysis methods, the processor being further configured to:
    - generate at least one object gene for each one of a plurality of known malicious and clean objects;
      
      analyze each object gene using two or more malware analysis methods;
      
      compute a level of successful detection of malicious objects by one or more of malware analysis methods based on analysis of genes of the known malicious objects by said methods;
      
      compute a level of false positive detections of malicious objects by one or more malware analysis methods based on analysis of genes of known clean objects by said malware analysis methods;
      
      measure effectiveness of one or more malware analysis methods as a function of the level of successful detections of the known malicious objects and the level of false positive detections of the known clean objects; and
      
      select two or more of the most effective malware analysis methods for analyzing the unknown object of each file type for presence of malware.
  - 14. The system of claim 8, wherein to analyze an object gene using the malware analysis methods, the processor is further configure to perform one or more of:
    - an exact match analysis of a pattern of information elements of the object gene with patterns of information elements associated with known malicious or clean objects;
      
      an approximate string matching of the information elements of the object gene with patterns of information elements associated with known malicious or clean objects; and
      
      a security rating analysis of the information elements of the object gene by separately evaluating maliciousness of separate logical blocks of the information elements.

15. A computer program product embedded in a non-transitory computer-readable storage medium, the computer-readable storage medium comprising computer-executable instructions for detecting unknown malware, the medium comprises instructions for:
- generating a hash of an unknown object;
  
  comparing the hash of the unknown object with hashes of known clean and malicious objects;
  
  if the hash of the unknown object matches one of the hashes of either known clean or malicious objects terminating analysis of the unknown object;
  
  if the hash of the unknown object does not match any hash of the known clean or malicious objects, selecting out of a plurality of different malware analysis methods at least two most effective malware analysis methods for further analysis of the unknown object for presence of malware, wherein the effectiveness of a malware analysis method is determined as a function of a level of successful malware detections of known malicious objects and a level of false positive detections of known clean objects by said malware analysis method;
  
  generating a different object gene of the unknown object for each of the two selected malware analysis methods, wherein an object gene is a data structure containing a plurality of information elements retrieved from or associated with the unknown object, and wherein an object gene for each malware analysis method is selected from unique lines of code of the unknown object gene, operational areas of the unknown object gene, execution path of the unknown object gene, behavior pattern of the unknown object gene, program flowchart of the unknown object gene, or function call graph of the unknown object gene;
  
  analyzing each generated object gene of the unknown object using the selected malware analysis methods; and
  
  determining if the unknown object is clean or malicious based on the results of the analysis of the generated object genes using the selected malware analysis methods.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The product of claim 15, wherein the object includes a file and wherein instructions for selecting at least two most effective malware analysis methods for further analysis of the unknown object for presence of malware further include instructions for:
    - identifying file type of the unknown object; and
      
      based on the file type of the object, selecting at least two most effective malware analysis methods out of the plurality of different malware analysis methods.
  - 17. The product of claim 20, wherein the level of effectiveness of a malware analysis method is defined as the ratio of the level of successful malware detections of known malicious objects and the level of false positive detections of known clean objects, wherein the level of effectiveness is a value between 0 and 1.
  - 18. The product of claim 17, wherein the level successful detections of known malicious objects using a malware analysis method is defined as a ratio of a number of detected known malicious objects using said method and the total number of known malicious objects.
  - 19. The product of claim 17, wherein the level of false positive detections of known clean objects using a malware analysis method is defined as a ratio of a number of clean objects recognized as malicious using said method and the total number of known clean objects.
  - 20. The product of claim 16, wherein instructions for selecting at least two most effective malware analysis methods out of plurality of different malware analysis methods further include instructions for:
    - generating at least one object gene for each one of a plurality of known malicious and clean objects;
      
      analyzing each object gene using two or more malware analysis methods;
      
      computing a level of successful detection of malicious objects by one or more malware analysis methods based on analysis of genes of the known malicious objects by said methods;
      
      computing a level of false positive detections of malicious objects by one or more malware analysis methods based on analysis of genes of known clean objects by said malware analysis methods;
      
      measuring effectiveness of each of the two or more of malware analysis methods as a function of the level of successful detections of the known malicious objects and the level of false positive detections of the known clean objects; and
      
      selecting two or more of the most effective malware analysis methods for analyzing the unknown object of each file type for presence of malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kaspersky Lab ZAO
Original Assignee
Kaspersky Lab ZAO
Inventors
Mashevsky, Yury V., Vasilenko, Roman S.

Granted Patent

US 8,479,296 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/561   Virus type analysis

G06F 21/562   Static detection

H04L 63/145   the attack involving the pr...

System and Method for Detecting Unknown Malware

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

76 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Detecting Unknown Malware

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

76 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links