METHOD OF MALWARE DETECTION AND SYSTEM THEREOF

US 20170286676A1
Filed: 06/15/2017
Published: 10/05/2017
Est. Priority Date: 08/11/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of detecting malware in real time in an operating system of a live environment, the method implemented on a computer that performs each step of the method, the method comprising:

monitoring a sequence of linked operations performed by at least one program concurrently running in the operating system of the live environment, and generating an event data characterizing each monitored operation, wherein said event data includes at least the following attributes of said monitored operation;

operation type, and source of the operation;

building a stateful model in accordance with the event data characterizing each monitored operation, wherein the stateful model is a data structure representing a real time updated system state resulting from the sequence of linked operations, and wherein the step of building the stateful model comprises;

for each said event data characterizing a monitored operation;

i) retrieving one or more objects from the event data, each of said objects representing an entity involved in the monitored operation, at least one of said objects representing the source of the operation;

ii) identifying one or more relationships among the one or more objects in accordance with the event data, the identified relationships including type of the monitored operation and interconnections between the one or more objects;

giving rise to an event context comprising the one or more objects and the identified relationships thereof; and

iii) in case of said event being a first event of a stateful model, generating a stateful model including said event context;

otherwise updating a previous stateful model based on the event context, said previous stateful model corresponding to at least one previous operation that precedes the monitored operation, said updating including adding any new object of the one or more objects that is not included in said previous stateful model and parameters indicative of the identified relationships to the previous stateful model;

thereby giving rise to an updated stateful model representing a hierarchical structure comprising the entities involved in said sequence of linked operations and interconnections between the entities which are resulted from the linked operations;

analyzing the updated stateful model in accordance with one or more predefined behavioral logics, wherein said one or more predefined behavior logics are indicative of specific behavioral patterns; and

determining that at least one malicious behavior is present if any of said one or more predefined behavioral logics is met, and determining a program or part thereof related to the at least one malicious behavior to be malicious.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is provided a system and a computer-implemented method of detecting malware in real time in a live environment. The method comprises: monitoring one or more operations of at least one program concurrently running in the live environment, building at least one stateful model in accordance with the one or more operations, analyzing the at least one stateful model to identify one or more behaviors, and determining the presence of malware based on the identified one or more behaviors.

57 Citations

View as Search Results

29 Claims

1. A computer-implemented method of detecting malware in real time in an operating system of a live environment, the method implemented on a computer that performs each step of the method, the method comprising:
- monitoring a sequence of linked operations performed by at least one program concurrently running in the operating system of the live environment, and generating an event data characterizing each monitored operation, wherein said event data includes at least the following attributes of said monitored operation;
  
  operation type, and source of the operation;
  
  building a stateful model in accordance with the event data characterizing each monitored operation, wherein the stateful model is a data structure representing a real time updated system state resulting from the sequence of linked operations, and wherein the step of building the stateful model comprises;
  
  for each said event data characterizing a monitored operation;
  
  i) retrieving one or more objects from the event data, each of said objects representing an entity involved in the monitored operation, at least one of said objects representing the source of the operation;
  
  ii) identifying one or more relationships among the one or more objects in accordance with the event data, the identified relationships including type of the monitored operation and interconnections between the one or more objects;
  
  giving rise to an event context comprising the one or more objects and the identified relationships thereof; and
  
  iii) in case of said event being a first event of a stateful model, generating a stateful model including said event context;
  
  otherwise updating a previous stateful model based on the event context, said previous stateful model corresponding to at least one previous operation that precedes the monitored operation, said updating including adding any new object of the one or more objects that is not included in said previous stateful model and parameters indicative of the identified relationships to the previous stateful model;
  
  thereby giving rise to an updated stateful model representing a hierarchical structure comprising the entities involved in said sequence of linked operations and interconnections between the entities which are resulted from the linked operations;
  
  analyzing the updated stateful model in accordance with one or more predefined behavioral logics, wherein said one or more predefined behavior logics are indicative of specific behavioral patterns; and
  
  determining that at least one malicious behavior is present if any of said one or more predefined behavioral logics is met, and determining a program or part thereof related to the at least one malicious behavior to be malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The computer-implemented method of claim 1, wherein the identifying further comprises:
    - for each object of the one or more objects, generating one or more parameters characterizing said object, the one or more parameters indicative of objects related thereto and identified relationships between the object and the related objects;
      
      giving rise to an event context comprising the one or more objects each associated with one or more parameters.
  - 3. The computer-implemented method of claim 1, wherein each of the specific behavioral patterns represents one or more entities having specific interconnections therein resulted from a specific sequence of operations performed thereupon, and wherein said analyzing includes matching the hierarchical structure represented in the updated stateful model with said one or more predefined behavior logics.
  - 4. The computer-implemented method of claim 2, wherein each of the specific behavioral patterns represents one or more entities having specific interconnections therein resulted from a specific sequence of operations performed thereupon, and wherein said analyzing includes matching the hierarchical structure represented in the updated stateful model with said one or more predefined behavior logics.
  - 5. The computer-implemented method of claim 1, wherein each of said one or more objects is of a type selected from a group including:
    - process object, file object, network object, registry object and windows object.
  - 6. The computer-implemented method of claim 1, wherein said updating including:
    - in case said previous stateful model includes said one or more objects, adding the identified relationships in said event context to said previous stateful model;
      
      otherwise in case of at least one object of said one or more objects being a new object that is not included in said previous stateful model, adding said new object and the identified relationships in said event context to the previous stateful model.
  - 7. The computer-implemented method of claim 2, wherein said updating including:
    - in case said previous stateful model includes said one or more objects, adding the identified relationships indicated in said event context to said previous stateful model;
      
      otherwise in case of at least one object of said one or more objects being a new object that is not included in said previous stateful model, adding said new object and the identified relationships indicated in said event context to the previous stateful model.
  - 8. The computer-implemented method of claim 4, wherein said updating including:
    - in case said previous stateful model includes said one or more objects, adding the identified relationships indicated in said event context to said previous stateful model;
      
      otherwise in case of at least one object of said one or more objects being a new object that is not included in said previous stateful model, adding said new object and the identified relationships indicated in said event context to the previous stateful model.
  - 9. The computer-implemented method of claim 3, wherein the one or more predefined behavioral logics include determining a behavior of self-execution when the following condition is met:
    - a target of an execution event is identical to one of the following;
      
      an originating process of the execution event, a child process of the originating process, and a parent process of the originating process.
  - 10. The computer-implemented method of claim 3, wherein the one or more predefined behavioral logics include determining a behavior of self-deletion when the following condition is met:
    - a source file of a targeting process of a deletion event is identical to one of the following;
      
      a source file of an originating process of the deletion event, and a source file of a parent process of the originating process.
  - 11. The computer-implemented method of claim 3, wherein the one or more predefined behavioral logics include determining a behavior of code injection when the following condition is met:
    - associated operations of memory write, memory execution permission, and code execution are included in the stateful model.
  - 12. The computer-implemented method of claim 1, wherein the stateful model is a program-level stateful model that represents entities and interconnections thereof involved in a sequence of linked operations related to a given program of said at least one program.
  - 13. The computer-implemented method of claim 1, wherein the stateful model is a system-level stateful model that represents entities and interconnections thereof involved in operations related to all programs that run concurrently in the live environment, the system-level stateful model including one or more program-level stateful models each representing entities and interconnections thereof involved in a sequence of linked operations related to a given program of said all programs.
  - 14. The computer-implemented method of claim 1, wherein the sequence of linked operations include one or more in-process operations and kernel related operations, and the kernel related operations include one or more of the following:
    - file system operations, process and memory operations, registry operations, and network operations.

15. A system for detecting malware in real time in an operating system of a live environment, the system comprising a computer configured and operable to perform at least the following:
- monitoring a sequence of linked operations performed by at least one program concurrently running in the operating system of the live environment, and generating an event data characterizing each monitored operation, wherein said event data includes at least the following attributes of said monitored operation;
  
  operation type, and source of the operation;
  
  building a stateful model in accordance with the event data characterizing each monitored operation, wherein the stateful model is a data structure representing a real time updated system state resulting from the sequence of linked operations, and wherein the step of building the stateful model comprises;
  
  for each said event data characterizing a monitored operation;
  
  i) retrieving one or more objects from the event data, each of said objects representing an entity involved in the monitored operation, at least one of said objects representing the source of the operation;
  
  ii) identifying one or more relationships among the one or more objects in accordance with the event data, the identified relationships including type of the monitored operation and interconnections between the one or more objects;
  
  giving rise to an event context comprising the one or more objects and the identified relationships thereof; and
  
  iii) in case of said event being a first event of a stateful model, generating a stateful model including said event context;
  
  otherwise updating a previous stateful model based on the event context, said previous stateful model corresponding to at least one previous operation that precedes the monitored operation, said updating including adding any new object of the one or more objects that is not included in said previous stateful model and parameters indicative of the identified relationships to the previous stateful model;
  
  thereby giving rise to an updated stateful model representing a hierarchical structure comprising the entities involved in said sequence of linked operations and interconnections between the entities which are resulted from the linked operations;
  
  analyzing the updated stateful model in accordance with one or more predefined behavioral logics, wherein said one or more predefined behavior logics are indicative of specific behavioral patterns; and
  
  determining that at least one malicious behavior is present if any of said one or more predefined behavioral logics is met, and determining a program or part thereof related to the at least one malicious behavior to be malicious.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The system of claim 15, wherein the identifying further comprises:
    - for each object of the one or more objects, generating one or more parameters characterizing said object, the one or more parameters indicative of objects related thereto and identified relationships between the object and the related objects;
      
      giving rise to an event context comprising the one or more objects each associated with one or more parameters.
  - 17. The system of claim 15, wherein each of the specific behavioral patterns represents one or more entities having specific interconnections therein resulted from a specific sequence of operations performed thereupon, and wherein said analyzing includes matching the hierarchical structure represented in the updated stateful model with said one or more predefined behavior logics.
  - 18. The system of claim 15, wherein said updating including:
    - in case said previous stateful model includes said one or more objects, adding the identified relationships in said event context to said previous stateful model;
      
      otherwise in case of at least one object of said one or more objects being a new object that is not included in said previous stateful model, adding said new object and the identified relationships in said event context to the previous stateful model.
  - 19. The system of claim 17, wherein the one or more predefined behavioral logics include determining a behavior of self-execution when the following condition is met:
    - a target of an execution event is identical to one of the following;
      
      an originating process of the execution event, a child process of the originating process, and a parent process of the originating process.
  - 20. The system of claim 17, wherein the one or more predefined behavioral logics include determining a behavior of self-deletion when the following condition is met:
    - a source file of a targeting process of a deletion event is identical to one of the following;
      
      a source file of an originating process of the deletion event, and a source file of a parent process of the originating process.
  - 21. The system of claim 17, wherein the one or more predefined behavioral logics include determining a behavior of code injection when the following condition is met:
    - associated operations of memory write, memory execution permission, and code execution are included in the stateful model.

22. A non-transitory program storage device readable by computer, tangibly embodying a program of instructions executable by the computer to perform method steps for detecting malware in real time in an operating system of a live environment, the method comprising:
- monitoring a sequence of linked operations performed by at least one program concurrently running in the operating system of the live environment, and generating an event data characterizing each monitored operation, wherein said event data includes at least the following attributes of said monitored operation;
  
  operation type, and source of the operation;
  
  building a stateful model in accordance with the event data characterizing each monitored operation, wherein the stateful model is a data structure representing a real time updated system state resulting from the sequence of linked operations, and wherein the step of building the stateful model comprises;
  
  for each said event data characterizing a monitored operation;
  
  i) retrieving one or more objects from the event data, each of said objects representing an entity involved in the monitored operation, at least one of said objects representing the source of the operation;
  
  ii) identifying one or more relationships among the one or more objects in accordance with the event data, the identified relationships including type of the monitored operation and interconnections between the one or more objects;
  
  giving rise to an event context comprising the one or more objects and the identified relationships thereof; and
  
  iii) in case of said event being a first event of a stateful model, generating a stateful model including said event context;
  
  otherwise updating a previous stateful model based on the event context, said previous stateful model corresponding to at least one previous operation that precedes the monitored operation, said updating including adding any new object of the one or more objects that is not included in said previous stateful model and parameters indicative of the identified relationships to the previous stateful model;
  
  thereby giving rise to an updated stateful model representing a hierarchical structure comprising the entities involved in said sequence of linked operations and interconnections between the entities which are resulted from the linked operations;
  
  analyzing the updated stateful model in accordance with one or more predefined behavioral logics, wherein said one or more predefined behavior logics are indicative of specific behavioral patterns; and
  
  determining that at least one malicious behavior is present if any of said one or more predefined behavioral logics is met, and determining a program or part thereof related to the at least one malicious behavior to be malicious.

23. A computer-implemented method of generating a stateful model representing a real time updated system state of an operating system in a live environment, the method implemented on a computer that performs each step of the method, the method comprising:
- monitoring a sequence of linked operations performed by at least one program concurrently running in the operating system in the live environment, and generating an event data characterizing each monitored operation, wherein said event data includes at least the following attributes of said monitored operation;
  
  operation type, and source of the operation;
  
  building a stateful model in accordance with the event data characterizing each monitored operation, comprising;
  
  for each said event data characterizing a monitored operation;
  
  i) retrieving one or more objects from the event data, each of said objects representing an entity involved in the monitored operation, at least one of said objects representing the source of the operation;
  
  ii) identifying one or more relationships among the one or more objects in accordance with the event data, the identified relationships including type of the monitored operation and interconnections between the one or more objects;
  
  giving rise to an event context comprising the one or more objects and the identified relationships thereof; and
  
  iii) in case of said event being a first event of a stateful model, generating a stateful model including said event context;
  
  otherwise updating a previous stateful model based on the event context, said previous stateful model corresponding to at least one previous operation that precedes the monitored operation, said updating including adding any new object of the one or more objects that is not included in said previous stateful model and parameters indicative of the identified relationships to the previous stateful model;
  
  thereby giving rise to an updated stateful model representing a hierarchical structure comprising the entities involved in said sequence of linked operations and interconnections between the entities which are resulted from the linked operations, the updated stateful model representing a real time updated system state resulting from the sequence of linked operations.
- View Dependent Claims (24, 25, 26, 27, 28)
- - 24. The computer-implemented method of claim 23, wherein the identifying further comprises:
    - for each object of the one or more objects, generating one or more parameters characterizing said object, the one or more parameters indicative of objects related thereto and identified relationships between the object and the related objects;
      
      giving rise to an event context comprising the one or more objects each associated with one or more parameters.
  - 25. The computer-implemented method of claim 23, wherein each of said one or more objects is of a type selected from a group including:
    - process object, file object, network object, registry object and windows object.
  - 26. The computer-implemented method of claim 23, wherein said updating including:
    - in case said previous stateful model includes said one or more objects, adding the identified relationships in said event context to said previous stateful model;
      
      otherwise in case of at least one object of said one or more objects being a new object that is not included in said previous stateful model, adding said new object and the identified relationships in said event context to the previous stateful model.
  - 27. The computer-implemented method of claim 23, wherein the stateful model is a program-level stateful model that represents entities and interconnections thereof involved in a sequence of linked operations related to a given program of said at least one program.
  - 28. The computer-implemented method of claim 23, wherein the stateful model is a system-level stateful model that represents entities and interconnections thereof involved in operations related to all programs that run concurrently in the live environment, the system-level stateful model including one or more program-level stateful models each representing entities and interconnections thereof involved in a sequence of linked operations related to a given program of said all programs.

29. A system for generating a stateful model representing a real time updated system state of an operating system in a live environment, the system comprising a computer configured and operable to perform at least the following:
- monitoring a sequence of linked operations performed by at least one program concurrently running in the operating system in the live environment, and generating an event data characterizing each monitored operation, wherein said event data includes at least the following attributes of said monitored operation;
  
  operation type, and source of the operation;
  
  building a stateful model in accordance with the event data characterizing each monitored operation, comprising;
  
  for each said event data characterizing a monitored operation;
  
  i) retrieving one or more objects from the event data, each of said objects representing an entity involved in the monitored operation, at least one of said objects representing the source of the operation;
  
  ii) identifying one or more relationships among the one or more objects in accordance with the event data, the identified relationships including type of the monitored operation and interconnections between the one or more objects;
  
  giving rise to an event context comprising the one or more objects and the identified relationships thereof; and
  
  iii) in case of said event being a first event of a stateful model, generating a stateful model including said event context;
  
  otherwise updating a previous stateful model based on the event context, said previous stateful model corresponding to at least one previous operation that precedes the monitored operation, said updating including adding any new object of the one or more objects that is not included in said previous stateful model and parameters indicative of the identified relationships to the previous stateful model;
  
  thereby giving rise to an updated stateful model representing a hierarchical structure comprising the entities involved in said sequence of linked operations and interconnections between the entities which are resulted from the linked operations, the updated stateful model representing a real time updated system state resulting from the sequence of linked operations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sentinel Labs Israel, Ltd. (SentinelOne Inc.)
Original Assignee
Sentinel Labs Israel, Ltd. (SentinelOne Inc.)
Inventors
WEINGARTEN, Tomer, COHEN, Almog, SHAMIR, Udi, MOTIL, Kirill

Granted Patent

US 10,664,596 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/566 Dynamic detection, i.e. det...

METHOD OF MALWARE DETECTION AND SYSTEM THEREOF

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

57 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD OF MALWARE DETECTION AND SYSTEM THEREOF

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links