IPC classification information
Country / Type: United States (US) Patent, Registered
International Patent Classification (IPC 7th edition):
Application number: UP-0866287 (2007-10-02)
Registration number: US-7620992 (2009-11-27)
Inventors / Address:
- Monastyrsky, Alexey V.
- Sobko, Andrey V.
- Pavlyushchik, Mikhail A.
Applicant / Address:
Agent / Address:
Citation information: Times cited: 13; Cited patents: 9
Abstract
Malicious behavior of a computer program is detected using an emulation engine, an event detector and an event analyzer. The emulation engine includes a system emulator configured to emulate, in an isolated computer environment, at least a part of a computer system and a program emulator configured to emulate in the isolated computer environment execution of the computer program, including execution of a plurality of executable components of the computer program, such as execution processes and threads. The event detector is configured to monitor events being generated by two or more of the executable components. The event analyzer is configured to determine, substantially in real time, based at least on one or more events generated by each of two or more of the plurality of executable components whether or not the computer program exhibits malicious behavior, wherein individually one or more of the plurality of executable components may exhibit benign behavior.
Representative claims
What is claimed is:
1. A computer-implemented method for detecting malware, the method comprising: emulating a computer program; monitoring system calls of the emulated computer program; analyzing, substantially in real time, whether one or more system calls are potentially harmful to a computer system; storing information about one or more potentially harmful system calls; comparing stored information about a plurality of potentially harmful system calls with one or more patterns of malicious program behavior; and identifying the emulated computer program as malware if, based on the comparison, the information about a plurality of potentially harmful system calls at least in part corresponds to one of the patterns of malicious program behavior.
2. The method of claim 1, wherein emulating includes emulating the computer program in a virtual computer environment.
3. The method of claim 2, wherein the virtual computer environment includes at least a part of a multitasking computer system.
4. The method of claim 3, wherein the emulated computer program is a multi-component computer program including a plurality of executable components, each component including at least one of a process, a thread and a remote thread.
5. The method of claim 4, wherein emulating includes emulating two or more executable components of the computer program and monitoring includes monitoring system calls of the two or more executable components.
6. The method of claim 5, wherein emulating includes one or more of emulating two or more executable components in parallel and emulating two or more executable components in series.
7. The method of claim 5, wherein storing information about potentially harmful system calls includes storing potentially harmful system calls generated by two or more different executable components of the computer program.
8. A system for detecting malware, the system comprising: a system memory; and a processor operatively coupled to the system memory and configured to emulate a computer program in the system memory; monitor system calls of the emulated computer program; analyze, substantially in real time, whether one or more system calls are potentially harmful to a computer system; store in the system memory information about one or more potentially harmful system calls; compare stored information about a plurality of potentially harmful system calls with one or more patterns of malicious program behavior; and identify the emulated computer program as malware if, based on the comparison, the information about a plurality of potentially harmful system calls at least in part corresponds to one of the patterns of malicious program behavior.
9. The system of claim 8, wherein the processor is configured to emulate the computer program in a virtual computer environment created in the system memory.
10. The system of claim 9, wherein the virtual computer environment includes at least a part of a multitasking computer system.
11. The system of claim 10, wherein the emulated computer program is a multi-component computer program including a plurality of executable components, each component including at least one of a process, a thread and a remote thread.
12. The system of claim 11, wherein the processor is configured to emulate two or more executable components of the computer program and monitor system calls of the two or more executable components.
13. The system of claim 12, wherein the processor is configured to emulate two or more executable components in parallel and two or more executable components in series.
14. The system of claim 12, wherein the processor is configured to analyze potentially harmful system calls generated by two or more different executable components of the computer program.
15. A computer-readable medium comprising computer-executable instructions for detecting malware, the computer-executable instructions including: instructions for emulating a computer program; instructions for monitoring system calls of the emulated computer program; instructions for analyzing, substantially in real time, whether one or more system calls are potentially harmful to a computer system; instructions for storing information about one or more potentially harmful system calls; instructions for comparing stored information about a plurality of potentially harmful system calls with one or more patterns of malicious program behavior; and instructions for identifying the emulated computer program as malware if, based on the comparison, the information about a plurality of potentially harmful system calls at least in part corresponds to one of the patterns of malicious program behavior.
16. The computer-readable medium of claim 15, wherein instructions for emulating include instructions for emulating the computer program in a virtual computer environment.
17. The computer-readable medium of claim 16, wherein the virtual computer environment includes at least a part of a multitasking computer system.
18. The computer-readable medium of claim 17, wherein the emulated computer program is a multi-component computer program including a plurality of executable components, each component including at least one of a process, a thread and a remote thread.
19. The computer-readable medium of claim 18, further including instructions for emulating two or more executable components of the computer program and instructions for monitoring system calls of the two or more executable components.
20. The computer-readable medium of claim 19, wherein instructions for storing information about potentially harmful system calls include instructions for storing potentially harmful system calls generated by two or more different executable components of the computer program.
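The following is an added illustration, not code from the patent or its assignee: a toy event analyzer in the shape of claims 1-7, where the system calls recorded from every emulated component are filtered to the potentially harmful ones, stored together, and the combined record is compared against behaviour patterns. The call names, the harmful-call table, the patterns and the sample trace are all constructed assumptions; the point it shows is the abstract's one, that components which look benign on their own can match a pattern when judged together.

```python
"""Added example, not the patent's own code: event analyzer in the shape of
claims 1-7, judging all emulated components together rather than one at a time."""
from collections import namedtuple

Event = namedtuple("Event", "component syscall target")

# Assumption: potentially harmful calls and the behaviour category each implies.
HARMFUL = {
    "OpenProcess": "process_access",
    "WriteProcessMemory": "inject",
    "CreateRemoteThread": "inject",
    "RegSetValue": "persist",
    "DeleteFile": "destroy",
}

# Assumption: a pattern is a set of categories that together indicate malice.
PATTERNS = {
    "code_injection": {"process_access", "inject"},
    "persist_and_wipe": {"persist", "destroy"},
}

# Constructed trace: each thread on its own looks benign; together they inject.
SAMPLE_TRACE = [
    Event("main_thread", "CreateFile", "C:\\Temp\\a.txt"),
    Event("main_thread", "OpenProcess", "explorer.exe"),
    Event("worker_thread", "WriteProcessMemory", "explorer.exe"),
    Event("worker_thread", "CreateRemoteThread", "explorer.exe"),
    Event("main_thread", "RegSetValue", "HKCU\\Software\\Run"),
]

def store_harmful(events):
    """Keep only potentially harmful calls, tagged with the component that made them."""
    return [(e.component, HARMFUL[e.syscall]) for e in events if e.syscall in HARMFUL]

def match_patterns(stored):
    """Names of patterns whose categories all appear in the stored record."""
    seen = {category for _, category in stored}
    return sorted(name for name, cats in PATTERNS.items() if cats <= seen)

def analyze(events):
    """Verdict over the combined record of every component (the claimed method)."""
    stored = store_harmful(events)
    hits = match_patterns(stored)
    return {"malicious": bool(hits), "patterns": hits,
            "components": sorted({c for c, _ in stored})}

def per_component(events):
    """Verdict when each component is judged alone; misses the cross-thread pattern."""
    return {c: analyze([e for e in events if e.component == c])["malicious"]
            for c in sorted({e.component for e in events})}
```

Running `per_component(SAMPLE_TRACE)` clears both threads, while `analyze(SAMPLE_TRACE)` flags the program through the `code_injection` pattern; a real analyzer would also order calls in time and bound how long stored records are kept, which this sketch leaves out.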