Methods, systems, and media for detecting covert malware

US 8,528,091 B2
Filed: 12/31/2010
Issued: 09/03/2013
Est. Priority Date: 12/31/2009
Status: Active Grant

First Claim

Patent Images

1. A method for detecting covert malware in a computing environment, the method comprising:

generating simulated user activity outside of the computing environment;

conveying the simulated user activity to an application inside the computing environment;

determining whether state information of the application matches an expected state after the simulated user activity is conveyed to the application;

determining whether a decoy corresponding to the simulated user activity has been accessed by an unauthorized entity, wherein the decoy includes at least part of the simulated user activity and wherein the decoy is inside the computing environment; and

in response to determining that the decoy has been accessed by the unauthorized entity, determining that covert malware is present in the computing environment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and media for detecting covert malware are provided. In accordance with some embodiments, a method for detecting covert malware in a computing environment is provided, the method comprising: generating simulated user activity outside of the computing environment; conveying the simulated user activity to an application inside the computing environment; and determining whether a decoy corresponding to the simulated user activity has been accessed by an unauthorized entity.

157 Citations

View as Search Results

32 Claims

1. A method for detecting covert malware in a computing environment, the method comprising:
- generating simulated user activity outside of the computing environment;
  
  conveying the simulated user activity to an application inside the computing environment;
  
  determining whether state information of the application matches an expected state after the simulated user activity is conveyed to the application;
  
  determining whether a decoy corresponding to the simulated user activity has been accessed by an unauthorized entity, wherein the decoy includes at least part of the simulated user activity and wherein the decoy is inside the computing environment; and
  
  in response to determining that the decoy has been accessed by the unauthorized entity, determining that covert malware is present in the computing environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15)
- - 2. The method of claim 1, further comprising monitoring the actual user activity, wherein the actual user activity comprises mouse and keyboard events.
  - 3. The method of claim 2, further comprising replaying at least a portion of the monitored user activity along with conveying the simulated user activity.
  - 4. The method of claim 2, wherein generating the simulated user activity further comprises recording, modifying, and replaying the mouse and keyboard events based on the monitored user activity.
  - 5. The method of claim 1, further comprising monitoring network traffic that comprises conversation summaries to determine the actual user activity over a network.
  - 6. The method of claim 1. wherein the simulated user activity is generated outside of a virtual environment and wherein the simulated user activity is conveyed from outside of the virtual environment to the application inside the virtual environment.
  - 7. The method of claim 1. wherein the simulated user activity is generated by modifying the actual user activity and translating the modified user activity using a wireless protocol.
  - 8. The method of claim 1, wherein the simulated user activity is conveyed to the computing environment using a remote access protocol.
  - 9. The method of claim 1, further comprising monitoring a response of the application to the simulated user activity to determine the presence of covert malware in the application.
  - 10. The method of claim 1, wherein determining the state information further comprises performing a visual verification that determines whether a screen output changed as expected in response to the simulated user activity.
  - 11. The method of claim 1, wherein determining the state information further comprises:
    - analyzing network traffic to determine message characteristics that include at least one of;
      
      a number of conversations, a number of messages exchanged, and a number of bytes in each message; and
      
      comparing the state information that includes current message characteristics with the analyzed network traffic that includes determined message characteristics.
  - 12. The method of claim 1, further comprising determining whether traffic indicates the presence of covert malware in the application subsequent to conveying the simulated user activity.
  - 13. The method of claim 12, further comprising;
    - monitoring account activity relating to the decoy to determine whether the decoy has been accessed by the unauthorized entity; and
      
      transmitting an alert in response to determining that the decoy has been accessed and determining that the traffic indicates the presence of covert malware and originates from the computing environment.
  - 15. The method of claim 1, further comprising generating the simulated user activity using a model of actual user activity, wherein the model of actual user activity includes a model of at least one of:
    - keystroke speed, mouse speed, mouse distance, keystroke error rate, and frequency of errors made during typing.

14. A method for detecting covert malware in a computing environment, the method comprising:
- defining simulated user activity by a formal language, wherein actual user activity is mapped to constructs of the formal language and wherein the formal language comprises carry actions for the simulation and the conveyance of a decoy and cover actions that support believability of the simulated user activity and the decoy;
  
  generating the simulated user activity outside of the computing environment;
  
  conveying the simulated user activity to an application inside the computing environment; and
  
  determining whether the decoy correspondig to the simulated user activity has been accessed by an unauthorized entity.

16. A system for detecting covert malware in a computing environment, the system comprising:
- a hardware processor that;
  
  generates simulated user activity outside of the computing environment;
  
  conveys the simulated user activity to an application inside the computing environment;
  
  determines whether state information 0f the application matches an expected state after the simulated user activity is conveyed to the application;
  
  determines whether a decoy corresponding to the simulated user activity has been accessed by an unauthorized entity, wherein the decoy includes at least part of the simulated user activity and wherein the decoy is inside the computing environment; and
  
  in response to determining that the decoy has been accessed by the unauthorized entity, determines that covert malware is present in the computing environment.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 17. The system of claim 16, wherein the processor is further configured to monitor the actual user activity, wherein the actual user activity comprises mouse and keyboard events.
  - 18. The system of claim 17, wherein the processor is further configured to replay at least a portion of the monitored user activity along, with conveying the simulated user activity.
  - 19. The system of claim 17, wherein the processor is further configured to record, modify, and replay the mouse and keyboard events based on the monitored user activity.
  - 20. The system of claim 16, wherein the processor is further configured to monitor network traffic that comprises conversation summaries to determine the actual user activity over a network.
  - 21. The system of claim 16, wherein the simulated user activity is generated outside of a virtual environment and wherein the simulated user activity is conveyed from outside of the virtual environment to the application inside the virtual environment.
  - 22. The system of claim 16, wherein the simulated user activity is generated by modifying the actual user activity and translating the modified user activity using a wireless protocol.
  - 23. The system of claim 16, wherein the simulated user activity is conveyed to the computing environment using a remote access protocol.
  - 24. The system of claim 16, wherein the processor is further configured to generate the simulated user activity using a model of actual user activity, wherein the model of actual user activity includes a model of at least one of:
    - keystroke speed., mouse speed, mouse distance, keystroke error rate, and frequency of errors made during typing.
  - 25. The system of claim 16, wherein the processor is further configured to monitor a response of the application to the simulated user activity to determine the presence of covert malware in the application.
  - 26. The system of claim 16, wherein the processor is further configured to perform a visual verification that determines whether a screen output changed as expected in response to the simulated user activity.
  - 27. The system of claim 16, wherein the processor is further configured to:
    - analyze network traffic to determine message characteristics that include at least one of;
      
      a number of conversations, a number of messages exchanged, and a number of bytes M each message; and
      
      compare the state information that includes current message characteristics with the analyzed network traffic that includes determined message characteristics.
  - 28. The system of claim 16, wherein the processor is further configured to determine whether traffic indicates the presence of covert malware in the application subsequent to conveying the simulated user activity.
  - 29. The system of claim 28, wherein the processor is further configured to:
    - monitor account activity relating to the decoy to determine whether the decoy has been accessed by the unauthorized entity; and
      
      transmit an alert in response to determining that the decoy has been accessed and determining that the traffic indicates the presence of covert malware and originates from the computing environment.

30. A system for detecting covert malware in a computing environment, the system comprising:
- a hardware processor that;
  
  defines simulated user activity by a formal language, wherein actual user activity is mapped to constructs of the formal language and wherein the formal language comprises carry actions for the simulation and the conveyance of a decoy and cover actions that support believability of the simulated user activity and the decoy;
  
  generates the simulated user activity outside of the computing environment;
  
  conveys the simulated user activity to an application inside the computing environment; and
  
  determines whether the decoy corresponding to the simulated user activity has been accessed by an unauthorized entity.

31. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting covert malware in a computing environment, the method comprising:
- generating simulated user activity outside of the computing environment;
  
  conveying the simulated user activity to an application inside the computing environment;
  
  determining whether state information of the application matches an expected state after the simulated user activity is conveyed to the application;
  
  determining whether a decoy corresponding to the simulated user activity has been accessed by an unauthorized entity, wherein the decoy includes at least part of the simulated user activity and wherein the decoy is inside the computing environment; and
  
  in response to determining that the decoy has been accessed by the unauthorized entity, determining that covert malware is present in the computing environment.

32. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting covert malware in a computing environment, the method comprising:
- defining simulated user activity by a formal language, wherein actual user activity is mapped to constructs of the formal language and wherein the formal language comprises carry actions for the simulation and the conveyance of a decoy and cover actions that support believability of the simulated user activity and the decoy;
  
  generating the simulated user activity outside of the computing environment;
  
  conveying the simulated user activity to an application inside the computing environment; and
  
  determining whether the decoy corresponding to the simulated user activity has been accessed by an unauthorized entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Original Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Inventors
Bowen, Brian M., Prabhu, Pratap V., Kemerlis, Vasileios P., Sidiroglou, Stylianos, Stolfo, Salvatore J., Keromytis, Angelos D.
Primary Examiner(s)
Gergiso, Techane

Application Number

US12/982,984
Publication Number

US 20110167494A1
Time in Patent Office

977 Days
Field of Search

726/24, 713/168
US Class Current

726/24
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

Methods, systems, and media for detecting covert malware

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

157 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, systems, and media for detecting covert malware

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

157 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links