System and method for malware detection

US 8,863,279 B2
Filed: 03/08/2010
Issued: 10/14/2014
Est. Priority Date: 03/08/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for execution on one or more processors, the method comprising:

receiving a first file;

determining a file type of the first file;

determining, according to a first policy, a plurality of malware detection schemes to apply sequentially to the first file based on the determined file type of the first file;

scheduling an application of the determined plurality of malware detection schemes to the first file amongst a plurality of detection nodes according to a second policy including scheduling a first malware detection scheme of the plurality of malware detection schemes at first time and scheduling a second malware detection scheme of the plurality of malware detection schemes at a second time after the first time, wherein each of the plurality of detection nodes includes a virtual machine configured to run at least one of the plurality of malware detection schemes, wherein each virtual machine is configured to run on at least one hypervisor;

executing a first malware detection scheme of the plurality of malware detection schemes on the first file in a first virtual machine of the virtual machines at the first time, wherein the first virtual machine is configured to run the first malware detection scheme, wherein execution of processes of the first virtual machine associated with executing the first malware detection scheme comprise causing, using the hypervisor, the execution of the first malware detection scheme to skip a wait state associated with a guest operating system of the first virtual machine to speed up execution of the first malware detection scheme;

monitoring, using the at least one hypervisor, the applying of the first malware detection scheme without running a process in the one or more virtual machines to thwart attempts by malware to detect if the first malware detection scheme is being applied to the malware;

determining results of applying the first malware detection scheme;

in response to determining the results of applying the first malware detection scheme, determining whether the first file is malware;

in response to determining the first file is malware, indicating that the first file is malware and refraining from executing any more detection schemes of the plurality of detection schemes on the first file;

in response to determining the first file is not malware, applying the second malware detection scheme of the plurality of malware detection schemes in a second virtual machine of the virtual machines at the second time;

determining results of applying the second malware detection scheme;

in response to determining the results of applying the first and second malware detection schemes, determining that the first file is suspected malware or determining that the first file is malware according to a third policy and based on the results of applying the first and second malware detection schemes; and

wherein scheduling the application of the determined plurality of malware detection schemes includes prioritizing the application of the determined plurality of malware detection schemes to the first file when the first file is received as an e-mail attachment.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a computer-implemented method for execution on one or more processors includes receiving a first file and determining a file type of the first file. The method also includes determining, according to a first policy, a plurality of malware detection schemes to apply to the first file based on the determined file type of the first file. In addition, the method includes scheduling the application of the determined plurality of malware detection schemes to the first file amongst a plurality of detection nodes according to a second policy. Further, the method includes determining, in response to determining the results of applying the plurality of malware detection schemes, that the first file is malware or determining that the first file is suspected malware according to a third policy.

Citations

30 Claims

1. A computer-implemented method for execution on one or more processors, the method comprising:
- receiving a first file;
  
  determining a file type of the first file;
  
  determining, according to a first policy, a plurality of malware detection schemes to apply sequentially to the first file based on the determined file type of the first file;
  
  scheduling an application of the determined plurality of malware detection schemes to the first file amongst a plurality of detection nodes according to a second policy including scheduling a first malware detection scheme of the plurality of malware detection schemes at first time and scheduling a second malware detection scheme of the plurality of malware detection schemes at a second time after the first time, wherein each of the plurality of detection nodes includes a virtual machine configured to run at least one of the plurality of malware detection schemes, wherein each virtual machine is configured to run on at least one hypervisor;
  
  executing a first malware detection scheme of the plurality of malware detection schemes on the first file in a first virtual machine of the virtual machines at the first time, wherein the first virtual machine is configured to run the first malware detection scheme, wherein execution of processes of the first virtual machine associated with executing the first malware detection scheme comprise causing, using the hypervisor, the execution of the first malware detection scheme to skip a wait state associated with a guest operating system of the first virtual machine to speed up execution of the first malware detection scheme;
  
  monitoring, using the at least one hypervisor, the applying of the first malware detection scheme without running a process in the one or more virtual machines to thwart attempts by malware to detect if the first malware detection scheme is being applied to the malware;
  
  determining results of applying the first malware detection scheme;
  
  in response to determining the results of applying the first malware detection scheme, determining whether the first file is malware;
  
  in response to determining the first file is malware, indicating that the first file is malware and refraining from executing any more detection schemes of the plurality of detection schemes on the first file;
  
  in response to determining the first file is not malware, applying the second malware detection scheme of the plurality of malware detection schemes in a second virtual machine of the virtual machines at the second time;
  
  determining results of applying the second malware detection scheme;
  
  in response to determining the results of applying the first and second malware detection schemes, determining that the first file is suspected malware or determining that the first file is malware according to a third policy and based on the results of applying the first and second malware detection schemes; and
  
  wherein scheduling the application of the determined plurality of malware detection schemes includes prioritizing the application of the determined plurality of malware detection schemes to the first file when the first file is received as an e-mail attachment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - determining one or more actions to perform on a message in response to the results of applying the plurality of malware detection schemes to the first file and to a set of results from applying a second plurality of malware detection schemes to a second file;
      
      wherein the first and second files are attachments to the message.
  - 3. The method of claim 1, further comprising:
    - receiving a second file and a third file;
      
      determining that the second file and the third file have been previously analyzed for malware;
      
      determining the result of the previous analysis of the second file;
      
      determining the result of the previous analysis of the third file;
      
      determining that the second file is malware based on the result of the previous analysis of the second file; and
      
      determining that the third file is not malware based on the result of the previous analysis of the third file.
  - 4. The method of claim 1, further comprising:
    - increasing the priority of the first file in a queue associated with the second virtual machine applying the second malware detection scheme in response to receiving the response from the first virtual machine.
  - 5. The method of claim 1, wherein determining that the first file is malware or determining that the first file is suspected malware comprises:
    - determining a plurality of scores based on the results of applying the plurality of malware detection schemes; and
      
      determining that the sum of the plurality of scores is greater than a threshold.
  - 6. The method of claim 1, further comprising:
    - providing a first interface to add a new malware detection scheme to the first policy, the first interface comprising;
      
      at least one element for associating the new malware detection scheme with at least one file type; and
      
      at least one element for identifying a first detection node that implements the new malware detection scheme;
      
      providing a second interface to modify the second policy, the second interface comprising at least one element for adjusting the queue of files to be analyzed at a second detection node in response to determining a result from applying the new malware detection scheme at the first detection node;
      
      providing a third interface to modify the third policy, the third interface comprising at least one element for scoring the result from applying the new malware detection scheme;
      
      configuring at least one detection node of the plurality of detection nodes to receive files for applying the new malware detection scheme according to an interface standard of the plurality of detection nodes; and
      
      configuring the at least one detection node of the plurality of detection nodes to report results of applying the new malware detection scheme according to the interface standard of the plurality of detection nodes.
  - 7. The method of claim 1, wherein at least one of the plurality of malware detection schemes determined according to the first policy comprises accessing the first file from a plurality of different versions of an application.
  - 8. The method of claim 1, wherein at least one of the plurality of malware detection schemes determined according to the first policy comprises accessing the first file in a plurality of different operating systems.
  - 9. The method of claim 1, further comprising:
    - in response to determining the results of applying the plurality of malware detection schemes, automatically determining a set of tasks to be performed by a human analyst regarding the first file based on the results of applying the plurality of malware detection schemes; and
      
      sending the set of tasks to the human analyst.
  - 10. The method of claim 9, further comprising automatically executing at least one task of the set of tasks.
  - 11. The method of claim 1, further comprising:
    - performing a first determination of one or more processing loads of the plurality of detection nodes;
      
      receiving the first file from a messaging agent, wherein the first file is an attachment to a first message;
      
      in response to the first determination, preventing the delivery of the first message before receiving the results of applying the first malware detection scheme to the first file;
      
      performing a second determination of one or more processing loads of the plurality of detection nodes after preventing the delivery of the first message;
      
      receiving a second file from the messaging agent, wherein the second file is an attachment to a second message;
      
      determining a second plurality of malware detection schemes to apply to the second file according to the first policy;
      
      scheduling the application of the second plurality of malware detection schemes to the second file amongst a second plurality of detection nodes according to the second policy; and
      
      in response to the second determination, allowing the delivery of the second message before receiving the results of applying the second plurality of malware detection schemes to the second file.
  - 12. The method of claim 1, further comprising:
    - maintaining at least one baseline image of the guest operating system while applying the first malware detection scheme to the first file;
      
      tracking changes to the guest operating system in memory while applying the first malware detection scheme to the first file; and
      
      reverting the guest operating system to one of the at least one baseline images in response to completing the application of the first malware detection scheme to the first file using the tracked changes.
  - 13. The method of claim 1, wherein the first file comprises a Uniform Resource Locator (URL).

14. A computer-implemented method for execution on one or more processors, the method comprising:
- receiving a first file and a second file from a messaging agent, wherein the first file and the second file are attachments to a first message;
  
  scheduling a sequential application of a first plurality of malware detection schemes to the first file amongst a plurality of detection nodes according to a first policy including scheduling a first malware detection scheme of the plurality of malware detection schemes to execute at a first time and scheduling a second malware detection scheme of the plurality of malware detection schemes to execute at a second time after the first time, wherein each of the plurality of detection nodes includes a virtual machine configured to run at least one of the plurality of malware detection schemes, wherein each virtual machine is configured to run on a hypervisor;
  
  executing the first malware detection scheme of the plurality of malware detection schemes on the first file at a first detection node of the plurality of detection nodes using a first virtual machine of the first detection node, wherein the first virtual machine runs on the hypervisor, and wherein at least one of the first plurality of malware detection schemes includes accessing the first file in a plurality of different operating systems, wherein execution of processes of the first virtual machine associated with executing the first malware detection scheme comprise causing, using the hypervisor of the first virtual machine, the execution of the first malware detection scheme to skip a wait state associated with a guest operating system of the first virtual machine so as to speed up execution of the first malware detection scheme;
  
  monitoring, using the hypervisor, the applying of the first malware detection scheme without running a process in the first virtual machine so as to thwart attempts by malware to detect if the first malware detection scheme is being applied to the malware;
  
  determining the results of applying the first malware detection scheme to the first file;
  
  in response to determining the results of applying the first malware detection scheme, determining whether the first file is malware;
  
  in response to determining the first file is malware, indicating that the first file is malware and refraining from executing any more detection schemes of the first plurality of detection schemes on the first file;
  
  in response to determining the first file is not malware, applying the second malware detection scheme of the plurality of malware detection schemes in a second node of the plurality of nodes including a second virtual machine at the second time;
  
  determining results of applying the second malware detection scheme;
  
  increasing the priority of the second file in a queue associated with a detection node of the plurality of detection nodes, and applying a second plurality of malware detection schemes to the second file in response to determining results of applying the first plurality of malware detection schemes to the first file, wherein at least one of the second plurality of malware detection schemes includes accessing the first file from a plurality of applications, wherein each of the plurality of applications are different versions of the same application; and
  
  wherein scheduling the application of the determined plurality of malware detection schemes includes prioritizing the application of the determined plurality of malware detection schemes to the first file when the first file is received as an e-mail attachment.
- View Dependent Claims (15)
- - 15. The method of claim 14, wherein the first file comprises a Uniform Resource Locator (URL).

16. A computer-implemented method for execution on one or more processors, the method comprising:
- receiving a first file;
  
  determining a plurality of malware detection schemes to sequentially apply to the first file, wherein at least one of the plurality of malware detection schemes includes accessing the first file from a plurality of applications, wherein each of the plurality of applications are different versions of the same application, and wherein at least one of the plurality of malware detection schemes includes accessing the first file in a plurality of different operating systems;
  
  scheduling an application of the determined plurality of malware detection schemes to the first file amongst a plurality of detection nodes according to a second policy including scheduling a first malware detection scheme of the plurality of malware detection schemes at first time and scheduling a second malware detection scheme of the plurality of malware detection schemes at a second time after the first time, wherein each of the plurality of detection nodes includes a virtual machine configured to run at least one of the plurality of malware detection schemes, wherein each virtual machine is configured to run on at least one hypervisor;
  
  accessing the first file in a guest operating system of a first virtual machine of a first detection node in accordance with the determined plurality malware detection schemes;
  
  executing the first malware detection scheme of the plurality of malware detection schemes on the first file using the guest operating system of the first virtual machine, wherein the guest operating system is configured to run the first malware detection scheme, wherein execution of processes of the guest operating system associated with executing the first malware detection scheme comprise causing, using the hypervisor, the execution of the first malware detection scheme to skip a wait state associated with the guest operating system so as to speed up execution of the first malware detection scheme;
  
  monitoring, using the at least one hypervisor, the applying of the first malware detection scheme without running a process in the guest operating system so as to thwart attempts by malware to detect if the first malware detection scheme is being applied to the malware;
  
  determining the results of applying the first malware detection scheme to the first file;
  
  in response to determining the results of applying the first malware detection scheme, determining whether the first file is malware;
  
  in response to determining the first file is malware, indicating that the first file is malware and refraining from executing any more detection schemes of the plurality of detection schemes on the first file;
  
  in response to determining the first file is not malware, applying the second malware detection scheme of the plurality of malware detection schemes in a second virtual machine of the virtual machines at the second time;
  
  determining results of applying the second malware detection scheme;
  
  determining that the first file is malware or determining that the file is suspected malware in response to determining the results of applying the first and second malware detection schemes; and
  
  wherein scheduling the application of the determined plurality of malware detection schemes includes prioritizing the application of the determined plurality of malware detection schemes to the first file when the first file is received as an e-mail attachment.
- View Dependent Claims (17)
- - 17. The method of claim 16, wherein the first file comprises a Uniform Resource Locator (URL).

18. A system for malware detection comprising:
- at least one computer processor;
  
  an ingest module coupled to the at least one computer processor, the ingest module including instructions stored in a memory, which when executed by the at least one processor, cause the at least one processor to;
  
  receive a first file;
  
  determine a file type of the first file; and
  
  determine, according to a first policy, a plurality of malware detection schemes to apply to the first file based on the determined file type of the first file;
  
  a plurality of detection nodes, each of the plurality of detection nodes includes a virtual machine configured to run at least one of the plurality of malware detection schemes, the virtual machines configured to run on at least one hypervisor, the at least one hypervisor configured to monitor a malware detection scheme being run on at least one of the virtual machines without running a process in the one or more virtual machines so as to thwart attempts by malware to detect if a malware detection scheme of the plurality of malware detection schemes is being applied to the malware;
  
  a scheduling module coupled to the at least one computer processor, the scheduling module including instructions stored in the memory, which when executed by the at least one processor, cause the at least one processor to schedule an application of the determined plurality of malware detection schemes to the first file amongst the plurality of detection nodes according to a second policy including scheduling a first malware detection scheme of the plurality of malware detection schemes at first time and scheduling a second malware detection scheme of the plurality of malware detection schemes at a second time after the first time;
  
  wherein a first virtual machine of a first detection node of the plurality of detection nodes is configured to execute the first malware detection scheme of the plurality of malware detection schemes on the first file using a guest operating system of the first virtual machine, wherein execution of processes of the guest operating system associated with executing the first malware detection scheme comprise causing, using the hypervisor, the execution of the first malware detection scheme to skip a wait state associated with the guest operating system so as to speed up execution of the first malware detection scheme;
  
  wherein the processor is configured to determine results of applying the first malware detection scheme to the first file;
  
  an adjudication and disposition module coupled to the at least one computer processor, the adjudication and disposition module including instructions stored in the memory, which when executed by the at least one processor, cause the at least one processor to;
  
  determine, in response to determining the results of applying the first malware detection scheme, whether the first file is malware according to a third policy, andin response to determining the first file is malware, indicate that the first file is malware to cause the plurality of detection nodes to refrain from executing any more malware detection schemes of the plurality of malware detection schemes on the first file,wherein a second virtual machine of a second detection node of the plurality of detection nodes is configured to, in response to determining the first file is not malware, execute the second malware detection scheme of the plurality of malware detection schemes on the first file at the second time;
  
  wherein the processor is configured to determine results of applying the second malware detection scheme; and
  
  wherein scheduling the application of the determined plurality of malware detection schemes includes prioritizing the application of the determined plurality of malware detection schemes to the first file when the first file is received as an e-mail attachment.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 19. The system of claim 18, wherein the adjudication and disposition module includes instructions stored in the memory, which when executed by the at least one processor, cause the at least one computer processor to:
    - determine one or more actions to perform on a message in response to the results of applying the plurality of malware detection schemes to the first file and to a set of results from applying a second plurality of malware detection schemes to a second file; and
      
      wherein the first and second file are attachments to the message.
  - 20. The system of claim 18, wherein:
    - an ingest module includes instructions stored in the memory, which when executed by the at least one processor, cause the at least one computer processor to;
      
      receive a second file and a third file; and
      
      determine that the second file and the third file have been previously analyzed for malware; and
      
      the adjudication and disposition module is configured to;
      
      determine the result of the previous analysis of the second file;
      
      determine the result of the previous analysis of the third file;
      
      determine that the second file is malware based on the result of the previous analysis of the second file; and
      
      determine that the third file is not malware based on the result of the previous analysis of the second file.
  - 21. The system of claim 18, wherein the scheduling module includes instructions stored in the memory, which when executed by the at least one computer processor, cause the at least one processor to increase the priority of the first file in a queue of the second detection node of the plurality of detection nodes applying the second malware detection scheme in response to determining the results of executing a first malware detection scheme at the first detection node of the plurality of detection nodes on the first file.
  - 22. The system of claim 18, wherein the adjudication and disposition module includes instructions stored in the memory, which when executed by the at least one computer processor, cause the at least one processor to:
    - determine a plurality of scores based on the results of applying the plurality of malware detection schemes; and
      
      determine that the sum of the plurality of scores is greater than a threshold.
  - 23. The system of claim 18, further comprises:
    - a first interface configured to add a new malware detection scheme to the first policy, the first interface comprising;
      
      at least one element operable to associate the new malware detection scheme with at least one file type; and
      
      at least one element operable to identify a first detection node that implements the new malware detection scheme;
      
      a second interface configured to modify the second policy, the second interface comprising at least one element operable to adjust the queue of files to be analyzed at a second detection node in response to determining a result from applying the new malware detection scheme at the first detection node;
      
      a third interface configured to modify the third policy, the third interface comprising at least one element operable to score the result from applying the new malware detection scheme; and
      
      at least one detection node that is configured to;
      
      receive files for applying the new malware detection scheme according to an interface standard of the plurality of detection nodes; and
      
      report results of applying the new malware detection scheme according to an interface standard of the plurality of detection nodes.
  - 24. The system of claim 18, wherein at least one of the plurality of malware detection schemes determined according to the first policy comprises accessing the first file from a plurality of applications, wherein the applications are different versions of the same application.
  - 25. The system of claim 18, wherein at least one of the plurality of malware detection schemes determined according to the first policy comprises accessing the first file in a plurality of different operating systems.
  - 26. The system of claim 18, further comprising an analysis console that is configured to:
    - automatically determine a set of tasks to be performed by a human analyst regarding the first file in response to determining the results of applying the plurality of malware detection schemes; and
      
      send the set of tasks to the human analyst.
  - 27. The system of claim 26, wherein the analysis console is configured to automatically execute at least one task of the set of tasks.
  - 28. The system of claim 18, wherein the adjudication and disposition module includes instructions stored in the memory, which when executed by the at least one processor, cause the computer processor to:
    - perform a first determination of one or more processing loads of the plurality of detection nodes;
      
      prevent, in response to the first determination, the delivery of a first message before receiving the results of applying the plurality of malware detection schemes to the first file, wherein the first file is an attachment to a first message;
      
      perform a second determination of one or more processing loads of the plurality of detection nodes after preventing the delivery of the first message; and
      
      allow, in response to the second determination, the delivery of a second message before receiving the results of applying a second plurality of malware detection schemes to a second file, wherein the second file is an attachment to the second message.
  - 29. The system of claim 18, further comprising at least one detection node configured to:
    - maintain at least one baseline image of the guest operating system while executing the first malware detection scheme on the first file;
      
      track changes to each of the guest operating system while applying the first malware detection scheme to the first file; and
      
      revert the guest operating system to one of the at least one baseline images in response to completing the application of the first malware detection scheme to the first file using the tracked changes.
  - 30. The system of claim 18, wherein the first file comprises a Uniform Resource Locator (URL).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint Federal Holdings LLC (Forcepoint LLC)
Original Assignee
Raytheon Company (Rtx Corporation)
Inventors
McDougal, Monty D., Jennings, Randy S., Brown, Jeffrey C., Lee, Jesse J., Smith, Brian N., De Rita, Darin J., Cariker, Kevin L., Sterns, William E., Daly, Michael K.
Primary Examiner(s)
Le, Chau
Assistant Examiner(s)
ZHAO, DON GORDON

Application Number

US12/719,535
Publication Number

US 20110219450A1
Time in Patent Office

1,681 Days
Field of Search

726 1- 36, 713150-194, 713/375
US Class Current

726/22
CPC Class Codes

G06F 21/56 Computer malware detection ...

H04L 63/1416 Event detection, e.g. attac...

System and method for malware detection

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for malware detection

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links