ROBUST MALWARE DETECTOR

US 20140237596A1
Filed: 02/13/2014
Published: 08/21/2014
Est. Priority Date: 02/15/2013
Status: Active Grant

First Claim

Patent Images

1. A malware detection and diffusion system comprising:

at least one server side computer; and

at least one client side computer;

wherein;

at least one malware sample is processed in at least one server side computer;

at least one signature is formed for each malware sample by a server side computer having at least one stop call at a fixing moment;

the signature is distributed by the server side computer to at least one client side computer,wherein;

a driver hooks all of the system calls of the operating system of the client side computer;

the systems calls are processed by a filter to remove system calls not associated with malware;

the system calls not removed by the filter are accumulated on a per-thread basis and checked for a stop call;

the thread associated with the stop call is compared to the signature for a match with malware; and

the thread that is matched with malware is addressed at the fixing moment.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer readable medium for detecting and diffusing malware on a computer. Malware is analysed to generate signatures and determine a fixing moment. All of the system calls of the operating system of a client computer are hooked and processed without emulation or the need for unpackers or decrypters, and a multi-level filter removes all system calls that are not associated with malware. The resulting system calls are accumulated on a per-thread basis and scanned, and the relevant threads are compared with the signatures to match with malware. The threads associated with malware are addressed at the fixing moment before the malware can operate to cause undesirable effects on the client computer.

33 Citations

View as Search Results

30 Claims

1. A malware detection and diffusion system comprising:
- at least one server side computer; and
  
  at least one client side computer;
  
  wherein;
  
  at least one malware sample is processed in at least one server side computer;
  
  at least one signature is formed for each malware sample by a server side computer having at least one stop call at a fixing moment;
  
  the signature is distributed by the server side computer to at least one client side computer,wherein;
  
  a driver hooks all of the system calls of the operating system of the client side computer;
  
  the systems calls are processed by a filter to remove system calls not associated with malware;
  
  the system calls not removed by the filter are accumulated on a per-thread basis and checked for a stop call;
  
  the thread associated with the stop call is compared to the signature for a match with malware; and
  
  the thread that is matched with malware is addressed at the fixing moment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The malware detection and diffusion system of claim 1, wherein the malware is processed by the server side computer by intercepting all of the malware'"'"'s system calls in kernel mode.
  - 3. The malware detection and diffusion system of claim 2, wherein the signature is formed from at least one system call occurring prior to the fixing moment.
  - 4. The malware detection and diffusion system of claim 3, wherein the signature contains at least one junk call.
  - 5. The malware detection and diffusion system of claim 3, wherein each system call within the signature is bound to a thread identifier.
  - 6. The malware detection and diffusion system of claim 5, wherein the driver hooks all of the system calls of the operating system of the client side computer in real time, without the use of emulation.
  - 7. The malware detection and diffusion system of claim 6, wherein the filter uses a multiplicity of filtering process levels.
  - 8. The malware detection and diffusion system of claim 7, wherein the filtering process levels comprise at least the following levels:
    - a filtering process level which identifies whether a system call is associated with a trusted process;
      
      a filtering process level which identifies whether a system call belongs to a trusted module;
      
      a filtering process level which identifies whether a system call is generated by an operating system loader;
      
      a filtering process level which identifies whether a system call has an invalid argument;
      
      a filtering process level which identifies whether a system call is absent in the signature database; and
      
      a filtering process level which identifies whether a system call is associated with low distribution N-gram.
  - 9. The malware detection and diffusion system of claim 7, wherein the thread associated with the stop call is compared to the signature by performing a similarity check between system calls history of the thread and the signature.
  - 10. The malware detection and diffusion system of claim 9, wherein the thread associated with the stop call that is matched with malware is addressed by terminating the software associated with the thread.

11. A method for detecting and diffusing malware on a computer, the method comprising the steps of:
- processing at least one malware sample on at least one server side computer;
  
  forming a signature for each malware sample having at least one stop call at a fixing moment;
  
  distributing the signature to at least one client side computer;
  
  hooking all of the system calls of the operating system of the client side computer;
  
  processing all of the hooked system calls through a filter to remove system calls not associated with malware;
  
  accumulating the system calls not removed by the filter process on a per-thread basis;
  
  checking the system calls not removed by the filter for a stop call;
  
  comparing the thread associated with the stop call to the signature for a match with malware; and
  
  addressing the thread matched with malware at the fixing moment.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein the malware sample is processed by intercepting all of the malware'"'"'s system calls in kernel mode.
  - 13. The method of claim 12, wherein the signature is formed from system calls occurring prior to the fixing moment.
  - 14. The method of claim 13, wherein the signature contains at least one junk call.
  - 15. The method of claim 13, wherein each system call is bound to a thread identifier.
  - 16. The method of claim 15, wherein a driver hooks all of the system calls in real time, without the use of emulation.
  - 17. The method of claim 16, wherein the filter uses a multiplicity of filtering process levels.
  - 18. The method of claim 17, wherein the filtering process levels comprise at least the following levels:
    - a filtering process level which identifies whether a system call is associated with a trusted process;
      
      a filtering process level which identifies whether a system call belongs to a trusted module;
      
      a filtering process level which identifies whether a system call is generated by an operating system loader;
      
      a filtering process level which identifies whether a system call has an invalid argument;
      
      a filtering process level which identifies whether a system call is absent in the signature database; and
      
      a filtering process level which identifies whether a system call is associated with low distribution N-gram.
  - 19. The method of claim 17, wherein the thread associated with the stop call is compared to the signature by performing a similarity check between system calls history of the thread and the signature.
  - 20. The method of claim 19, wherein the thread associated with the stop call that is matched with malware is addressed by terminating the software associated with the thread.

21. A non-transitory computer readable medium comprising software comprising:
- code for processing at least one malware sample on at least one server side computer;
  
  code for forming a signature for each malware sample having at least one stop call at a fixing moment;
  
  code for distributing the signature to at least one client side computer;
  
  code for hooking all of the system calls of the operating system of the client side computer;
  
  code for processing all of the hooked system calls through a filter to remove system calls not associated with malware;
  
  code for accumulating the system calls not removed by the filter process on a per-thread basis;
  
  code for checking the system calls not removed by the filter for a stop call;
  
  code for comparing the threads associated with the stop call to the signature for a match with malware; and
  
  code for addressing the thread matched with malware at the fixing moment.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The non-transitory computer readable medium of claim 21, further comprising code for the malware sample to intercept all of the malware'"'"'s system calls in kernel mode.
  - 23. The non-transitory computer readable medium of claim 22, further comprising code for the signature to be formed from system calls occurring prior to the fixing moment.
  - 24. The non-transitory computer readable medium of claim 23, further comprising code for the signature to contain at least one junk call.
  - 25. The non-transitory computer readable medium of claim 23, further comprising code for each system call to be bound to a thread identifier.
  - 26. The non-transitory computer readable medium of claim 25, further comprising code for a driver to hook all of the system calls in real time, without the use of emulation.
  - 27. The non-transitory computer readable medium of claim 26, further comprising code for the filter to use a multiplicity of filtering process levels.
  - 28. The non-transitory computer readable medium of claim 27, further comprising code for the filtering process levels to comprise at least the following levels:
    - a filtering process level which identifies whether a system call is associated with a trusted process;
      
      a filtering process level which identifies whether a system call belongs to a trusted module;
      
      a filtering process level which identifies whether a system call is generated by an operating system loader;
      
      a filtering process level which identifies whether a system call has an invalid argument;
      
      a filtering process level which identifies whether a system call is absent in the signature database; and
      
      a filtering process level which identifies whether a system call is associated with low distribution N-gram.
  - 29. The non-transitory computer readable medium of claim 27, further comprising code for the thread associated with the stop call to be compared to the signature by performing a similarity check between system calls history of the thread and the signature.
  - 30. The non-transitory computer readable medium of claim 29, further comprising code for the thread associated with the stop call that is matched with malware to be addressed by terminating the software associated with the thread.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ROMAD Holding, Ltd.
Original Assignee
Systems Of Information Security 2012
Inventors
Grytsan, Volodymyr, Tumoyan, Evgeny, Romanenko, Ivan, Kukoba, Anton, Sviridenkov, Anatolii

Granted Patent

US 9,372,989 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/566 Dynamic detection, i.e. det...

ROBUST MALWARE DETECTOR

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

ROBUST MALWARE DETECTOR

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links