SYSTEM AND METHOD FOR DETECTING MALWARE IN A STREAM OF BYTES

US 20180025158A1
Filed: 07/25/2016
Published: 01/25/2018
Est. Priority Date: 07/25/2016
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a first unit configured to;

receive a stream of bytes,cause a second unit to execute the stream of bytes from a selected first offset, andmonitor an execution of the stream of bytes by the second unit; and

a second unit configured to;

execute the stream of bytes from the selected offset;

wherein the first unit is configured to determine, based on the execution of the stream of bytes, whether or not the stream of bytes includes a malware.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method may include a first unit configured to receive a stream of bytes, cause a second unit to execute the stream of bytes from a selected first offset, and monitor an execution of the stream of bytes by the second unit. A second unit may be configured to execute the stream of bytes from the selected offset. The first unit may be configured to determine, based on the execution of the stream of bytes, whether or not the stream of bytes includes a malware.

3 Citations

21 Claims

1. A system comprising:
- a first unit configured to;
  
  receive a stream of bytes,cause a second unit to execute the stream of bytes from a selected first offset, andmonitor an execution of the stream of bytes by the second unit; and
  
  a second unit configured to;
  
  execute the stream of bytes from the selected offset;
  
  wherein the first unit is configured to determine, based on the execution of the stream of bytes, whether or not the stream of bytes includes a malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 16)
- - 2. The system of claim 1, wherein the first unit is configured to:
    - if it is determined that the stream of bytes does not include a malware then;
      
      selecting a second offset in the stream of bytes; and
      
      causing the second unit to execute the stream of bytes from the selected second offset.
  - 3. The system of claim 1, wherein determining that the stream of bytes includes a malware includes identifying a behavior of a shellcode when executing the stream of bytes.
  - 4. The system of claim 1, wherein the second unit is configured to execute the stream of bytes directly on a hardware controller, at a native speed of the controller.
  - 5. The system of claim 4, wherein the first unit is configured to prevent the malware, when executed by the second unit, to take control of the hardware controller.
  - 6. The system of claim 2, wherein the units are configured to:
    - if the execution of the stream of bytes crashes, then;
      
      immediately recover and cause the second unit to execute the stream of bytes from the second offset.
  - 7. The system of claim 1, wherein the second unit is adapted to execute, on a first operating system (OS) and at a native speed of a controller, a shellcode included in the stream of bytes, wherein the shellcode is targeting a second, different OS.
  - 8. The system of claim 1, comprising a third unit configured to emulate an operating system application program interface (API) and to provide operating system services to the second unit.
  - 9. The system of claim 8, wherein the third unit is configured to provide operating system services to a plurality of units.
  - 10. The system of claim 8, wherein the third unit is configured to provide real-time interaction with a shellcode included in the stream of bytes.
  - 16. The method of claim 1, comprising, if the execution of the stream of bytes crashes, then immediately recovering and causing the second unit to execute the stream of bytes from the second offset.

11. A method comprising:
- receiving a stream of bytes by a first unit;
  
  selecting a first offset;
  
  causing, by the first unit, a second unit to execute the stream of bytes from a selected first offset;
  
  monitoring, by the first unit, an execution of the stream of bytes by the second unit; and
  
  determining, based on the execution of the stream of bytes, whether or not the stream of bytes includes a malware.
- View Dependent Claims (12, 13, 14, 15, 17, 18, 19, 20)
- - 12. The method of claim 11, comprising:
    - if it is determined that the stream of bytes does not include a malware, then;
      
      selecting a second offset in the stream of bytes; and
      
      causing the second unit to execute the stream of bytes from the selected second offset.
  - 13. The method of claim 11, wherein determining that the stream of bytes includes a malware includes identifying a behavior of a shellcode when executing the stream of bytes.
  - 14. The method of claim 11, comprising executing the stream of bytes directly on a hardware controller, at a native speed of the controller.
  - 15. The method of claim 14, comprising preventing the malware, when executed, to take control of the hardware controller.
  - 17. The method of claim 11, comprising executing, on a first operating system (OS) and at a native speed of a controller, a shellcode included in the stream of bytes, wherein the shellcode is targeting a second, different OS.
  - 18. The method of claim 11, comprising emulating an operating system application program interface (API) and provide operating system services to an execution of the stream of bytes.
  - 19. The method of claim 18, comprising providing, by a unit, operating system services to a plurality of units that execute a respective plurality of byte streams.
  - 20. The method of claim 18, comprising providing real-time interaction with a shellcode included in the stream of bytes.

21. A method comprising:
- selecting a first offset in a byte stream;
  
  causing a first unit to execute the byte stream from the selected first offset;
  
  monitoring, by a second unit, an execution of the byte stream; and
  
  determining, by the second unit and based on a result of the execution, whether or not the stream of bytes includes a malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CommVault Systems Incorporated
Original Assignee
Trap Data Security Ltd. (CommVault Systems Incorporated)
Inventors
MALACHI, Yuval, BENECH, Moris

Granted Patent

US 10,372,908 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

G06F 9/54   Interprogram communication

SYSTEM AND METHOD FOR DETECTING MALWARE IN A STREAM OF BYTES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

3 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR DETECTING MALWARE IN A STREAM OF BYTES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

3 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links