[특허]Application behavior based malware detection

Application behavior based malware detection 원문보기

IPC분류정보
국가/구분	United States(US) Patent 등록
국제특허분류(IPC7판)	G06F-021/00
출원번호	UP-0247349 (2005-10-11)
등록번호	US-7779472 (2010-09-06)
발명자 / 주소	Lou, Vic
출원인 / 주소	Trend Micro, Inc.
대리인 / 주소	Beyer Law Group LLP
인용정보	피인용 횟수 : 79 인용 특허 : 10

초록 ▼

An executable file is loaded into a virtual machine arranged to emulate the instructions of said executable file. The virtual machine keeps track of application programming interfaces (APIs) used by the executable file during emulation. The executable file is scanned to determine names of (APIs) used. Behavior flags are set if certain conditions occur within the executable file. The APIs determined during emulation and during scanning are compared with a set of known behaviors. A match of the APIs and the known behaviors indicates a high risk of malware. A determination of malware being present is based upon any matches and any behavior flags that are set.

대표청구항 ▼

I claim: 1. A method of detecting malware comprising: receiving a suspect executable computer file at a computer; loading said executable file into a virtual machine arranged to emulate instructions of said executable file; emulating said instructions of said executable file using said virtual machine, said emulating performed by said computer; keeping track of names of application programming interfaces (APIs) used by said executable file during said emulating, said APIs having different function, said names being stored in a memory of said computer; determining types of APIs used by said executable file based upon said determined names of APIs used, wherein each of said types of APIs represents a behavior of a group of said API names, and wherein said determining is executed by said computer; comparing said types of APIs used with a set of known behaviors, each known behavior including a list of API types used by malware; making a determination that said executable file is malware based upon said step of comparing, wherein said comparing and said determination are executed by said computer; and generating a malware alert when it is determined that said executable file is malware. 2. A method as recited in claim 1, further comprising: analyzing a header of said executable file to determine information useful in said step of keeping track. 3. A method as recited in claim 1 wherein said set of known behaviors includes a set of rules, each rule listing types of APIs used by kinds of malware. 4. A method as recited in claim 1 wherein said suspect executable computer file is an executable file in portable executable format (PEF). 5. A method as recited in claim 1 further comprising: setting a behavior flag if a suspect condition occurs during said emulating; and determining that said executable file is malware also based upon said behavior flag. 6. A method as recited in claim 1 wherein said virtual machine is implemented by a virus scan engine. 7. A method as recited in claim 1 wherein emulating said instructions of said executable file further comprises: monitoring API behavior; and analyzing memory addresses during said monitoring to determine if said memory addresses point to a dynamic link library such that said names of APIs can be determined. 8. A method as recited in claim 1 further comprising: examining an API list to determine an API type. 9. A method as recited in claim 1 wherein keeping track of names of APIs further comprises: utilizing an API behavior count variable to keep a running count of different types of APIs used by said executable file. 10. A method as recited in claim 9 further comprising: setting a bit in said API behavior count variable, wherein said bit corresponds to a specific API type. 11. A method as recited in claim 1 further comprising: categorizing said names of APIs into said types of API, wherein an API type represents an API group behavior and each API name in an API category has said group behavior. 12. A method of detecting malware comprising: receiving a suspect executable computer file at a computer; loading said executable file into a scan engine arranged to detect malware, said executable file being stored in a memory in said computer; setting a behavior flag if a suspect condition is present in said executable file; scanning said executable file to determine names of application programming interfaces (APIs) used by said executable file, said API in a group having different functions, said scanning performed by said computer; determining types of APIs used by said executable file based upon said determined names of APIs used, wherein each of said types of APIs represents a behavior of a group of API names and wherein said determining is executed by said computer; comparing said types of APIs used with a set of rules, each rule including a list of API types used by malware; making a determination that said executable file is malware based upon said behavior flag and said step of comparing, wherein said comparing and said determination are executed by said computer; and generating a malware alert when it is determined that said executable file is malware. 13. A method as recited in claim 12, further comprising: analyzing a header of said executable file to determine said names of said APIs. 14. A method as recited in claim 12 wherein said suspect executable computer file is an executable file in portable executable format (PEF). 15. A method as recited in claim 12 wherein said step of scanning scans an import table. 16. A method as recited in claim 12 further comprising: monitoring API behavior; and analyzing memory addresses during said monitoring to determine if said memory addresses point to a dynamic link library such that said names of APIs can be determined. 17. A method as recited in claim 12 further comprising: examining an API list to determine an API type. 18. A method as recited in claim 12 wherein scanning said executable file to determine names of APIs used by said executable file further comprises: utilizing an API behavior count variable to keep a running count of different types of APIs used by said executable file. 19. A method as recited in claim 18 further comprising: setting a bit in said API behavior count variable, wherein said bit corresponds to a specific API type. 20. A method as recited in claim 12 further comprising: categorizing said names of APIs into said types of API, wherein an API type represents an API group behavior and each API name in an API category has said group behavior. 21. A method of detecting malware comprising: receiving a suspect executable computer file at a computer; loading said executable file into a virtual machine arranged to emulate instructions of said executable file; emulating said instructions of said executable file using said virtual machine, said emulating performed by said computer; keeping track of names of application programming interfaces (APIs) used by said executable file during said emulating, said APIs having different functions, said names being stored in a memory of said computer; scanning said executable file to determine names of application programming interfaces (APIs) used by said executable file; determining types of APIs used by said executable file based upon said determined names of APIs used, wherein each of said types of APIs represents a behavior of a group of said API names, and wherein said determining is executed by said computer; comparing said types of APIs determined during said step of keeping track and during said step of scanning with a set of known behaviors, each known behavior including an indication of API types used by malware; making a determination that said executable file is malware based upon said step of comparing, wherein said comparing and said determination are executed by said computer; and generating a malware alert when it is determined that said executable file is malware. 22. A method as recited in claim 21, further comprising: analyzing a header of said executable file to determine information useful in said step of keeping track and in said step of scanning. 23. A method as recited in claim 21 further comprising: setting a behavior flag if a suspect condition occurs during said emulating; and determining that said executable file is malware also based upon said behavior flag. 24. A method as recited in claim 21 wherein said virtual machine is implemented by a virus scan engine. 25. A method as recited in claim 21 further comprising: monitoring API behavior; and analyzing memory addresses during said monitoring to determine if said memory addresses point to a dynamic link library such that said names of APIs can be determined. 26. A method as recited in claim 21 further comprising: examining an API list to determine an API type. 27. A method as recited in claim 21 wherein keeping track of names of APIs further comprises: utilizing an API behavior count variable to keep a running count of different types of APIs used by said executable file. 28. A method as recited in claim 27 further comprising: setting a bit in said API behavior count variable, wherein said bit corresponds to a specific API type. 29. A method as recited in claim 21 further comprising: categorizing said names of APIs into said types of API, wherein an API type represents an API group behavior and each API name in an API category has said group behavior.

이 특허에 인용된 특허 (10)

Qin,Simon, Backup/recovery system and methods for protecting a computer system.
상세보기
Arnold,William C.; Chess,David M.; Morar,John F.; Segal,Alla; Whalley,Ian N.; White,Steve R., Method and apparatus for determination of the non-replicative behavior of a malicious program.
상세보기
Saika,Nobuyuki, Method and program for creating a snapshot, and storage system.
상세보기
Kouznetsov,Victor; Libenzi,Davide; Fallenstedt,Martin; Palmer,David W.; Pak,Michael C., Platform abstraction layer for a wireless malware scanning engine.
상세보기
Kouznetsov, Victor, System and method for dynamically detecting computer viruses through associative behavioral analysis of runtime state.
상세보기
Fairweather,John, System and method for managing collections of data on a network.
상세보기
Marinescu,Adrian M., System and method for proactive computer virus protection.
상세보기
Ho,Chih Kun; Lo,Chien Ping, System and method having an antivirus virtual scanning processor with plug-in functionalities.
상세보기
Horvitz Eric ; Heckerman David E. ; Dumais Susan T. ; Sahami Mehran ; Platt John C., Technique which utilizes a probabilistic classifier to detect "junk" e-mail by automatically updating a training and re-training the classifier based on the updated training set.
상세보기
Moody,Joseph R.; Gaddini,Joseph D., Vertical fore grip with bipod.
상세보기

이 특허를 인용한 특허 (79)

Gnesda, Nicholas; Salunke, Abhay, Adaptive integrity validation for portable information handling systems.
상세보기
Kim, Hyun Joo; Kim, Jong Hyun; Kim, Ik Kyun, Apparatus and method for detecting malware code by generating and analyzing behavior pattern.
상세보기
Kureha, Toshinari; Nouri, Koorosh; Do, Arthur; Chess, Brian; Thornton, Roger, Apparatus and method for performing dynamic security testing using static analysis data.
상세보기
Kim, Yo Sik; Noh, Sang Kyun; Chung, Yoon Jung; Kim, Dong Soo; Kim, Won Ho; Han, Yu Jung; Yun, Young Tae; Sohn, Ki Wook; Lee, Cheol Won, Apparatus, system and method for detecting malicious code.
상세보기
Kalinichenko, Michael, Application of nested behavioral rules for anti-malware processing.
상세보기
Wysopal, Christopher J.; Moynahan, Matthew P.; Stevenson, Jon R., Assessment and analysis of software security flaws in virtual machines.
상세보기
Titonis, Theodora Heather; Manohar-Alers, Nelson Roberto; Wysopal, Christopher John, Automated behavioral and static analysis using an instrumented sandbox and machine learning classification for mobile security.
상세보기
Huang, Wayne; Idle, M. James, Behavior profiling for malware detection.
상세보기
Salsamendi, Ryan C.; Seger, Robert A., Collecting algorithmically generated domains.
상세보기
Salsamendi, Ryan C.; Xu, Wei, Deduplicating malware.
상세보기
Srivastava, Kumar S., Detecting a compromised online user account.
상세보기
Chen, Joseph H.; Chen, Zhongning, Detecting and remediating malware dropped by files.
상세보기
Chen, Joseph H.; Chen, Zhongning, Detecting and remediating malware dropped by files.
상세보기
Franklin, Douglas North, Detecting malicious software.
상세보기
Franklin, Douglas North, Detecting malicious software.
상세보기
Franklin, Douglas North, Detecting malicious software.
상세보기
Qu, Bo; Wang, Xinran; Sanders, Kyle, Detecting malware.
상세보기
Mann, Uriel, Detection of malicious script operations using statistical analysis.
상세보기
Lu, ChienHua; Qu, Bo, Detection of malware using an instrumented virtual machine environment.
상세보기
Liu, Jiangxia; Ouyang, Xin; Qu, Bo, Dynamic malware analysis of a URL using a browser executed in an instrumented virtual machine environment.
상세보기
Goodman, Robert F.; Gretzinger, Michael R.; Burkhardt, John R.; Schiff, Rachel R.; Claydon, Barnaby M.; Rae, Katherine W.; Sturtevant, Reed P., Email characterization.
상세보기
Wang, Xinran; Xie, Huagang, Evaluating malware in a virtual machine using copy-on-write.
상세보기
Wang, Xinran; Xie, Huagang, Evaluating malware in a virtual machine using dynamic patching.
상세보기
Wang, Xinran; Xie, Huagang, Evaluating malware in a virtual machine using dynamic patching.
상세보기
Thioux, Emmanuel; Amin, Muhammad; Ismael, Osman, File extraction from memory dump for malicious content analysis.
상세보기
Wang, Xinran; Xie, Huagang, Heuristic botnet detection.
상세보기
Sethumadhavan, Lakshminarasimhan; Waksman, Adam; Suozzo, Matthew, Identification of backdoors and backdoor triggers.
상세보기
Zuk, Nir; Lazzarato, Renzo; Xie, Huagang, Identification of malware sites using unknown URL sites and newly registered DNS addresses.
상세보기
Colvin, Ryan Charles; Haber, Elliott Jeb; Bhatawdekar, Ameya; Penta, Anthony P., Identifying application reputation based on resource accesses.
상세보기
Bettini, Anthony John; Watkins, Kevin; Guerra, Domingo J.; Price, Michael, In-line filtering of insecure or unwanted mobile device software components or communications.
상세보기
Suominen, Mikko, Malware detection.
상세보기
Wang, Xinran; Xie, Huagang; Sanders, Kyle, Malware detection based on traffic analysis.
상세보기
Osipkov, Ivan; Jiang, Wei; Davis, Malcolm Hollis; Hines, Douglas; Korb, Joshua, Message categorization.
상세보기
Osipkov, Ivan; Jiang, Wei; Davis, Malcolm Hollis; Hines, Douglas; Korb, Joshua, Message categorization.
상세보기
Osipkov, Ivan; Jiang, Wei; Davis, Malcolm Hollis; Hines, Douglas; Korb, Joshua, Message categorization.
상세보기
Abdel-Aziz, Bassem; Chow, Stanley Taihai; Chen, Shu-Lin, Method and apparatus for detecting malware.
상세보기
Li, Wei; Tong, Yongliang, Method and apparatus for determining malicious program.
상세보기
Krishnappa, Bhaskar, Method and system for minimizing the effects of rogue security software.
상세보기
Wang, Peng; Yun, Peng, Method, system, and apparatus for detecting malicious code.
상세보기
Kriegsman, Mark; Black, Brian, Methods and systems for providing feedback and suggested programming methods.
상세보기
Eskin, Eleazar; Arnold, Andrew; Prerau, Michael; Portnoy, Leonid; Stolfo, Salvatore J., Methods of unsupervised anomaly detection using a geometric framework.
상세보기
Bettini, Anthony John; Watkins, Kevin; Guerra, Domingo J.; Price, Michael, Off-device anti-malware protection for mobile devices.
상세보기
Bettini, Anthony John; Watkins, Kevin; Guerra, Domingo J.; Price, Michael, Off-device anti-malware protection for mobile devices.
상세보기
Sharma, Babita; Duer, Kristofer Alyn; Goldberg, Richard Myer; Teilhet, Stephen Darwin; Turnham, Jeffrey Charles; Wang, Shu; Xiao, Hua, Prioritizing security findings in a SAST tool based on historical security analysis.
상세보기
Bettini, Anthony John; Watkins, Kevin; Guerra, Domingo J.; Price, Michael, Quantifying the risks of applications for mobile devices.
상세보기
Bettini, Anthony John; Watkins, Kevin; Guerra, Domingo J.; Price, Michael, Quantifying the risks of applications for mobile devices.
상세보기
Zuo, Wei; Wu, Weimin; Shen, Tao, Reduction of false positives in malware detection using file property analysis.
상세보기
Grystan, Volodymyr; Tumoyan, Evgeny; Romanenko, Ivan; Kukoba, Anton; Sviridenkov, Anatolii; Evgenyevich, Rusin Dmitry, Robust malware detector.
상세보기
Rioux, Christien, Software analysis framework.
상세보기
Davis, Aaron R.; Aldrich, Timothy M.; Bialek, Matthew S.; Lemm, Timothy M.; Kospiah, Shaun, Software network behavior analysis and identification system.
상세보기
Martini, Paul Michael; Martini, Peter Anthony, Software program identification based on program behavior.
상세보기
Martini, Paul Michael; Martini, Peter Anthony, Software program identification based on program behavior.
상세보기
Thioux, Emmanuel; Amin, Muhammad; Ismael, Osman Abdoul, System and method for analysis of a memory dump associated with a potentially malicious content suspect.
상세보기
Kim, Tae Ghyoon; Choi, Young Han; Choi, Seok Jin; Lee, Cheol Won, System and method for detecting malicious script.
상세보기
Golovkin, Maxim Y., System and method for detecting unknown packers and cryptors.
상세보기
Monastyrsky, Alexey V.; Butuzov, Vitaly V.; Golovkin, Maxim Y.; Karasovsky, Dmitry V.; Pintiysky, Vladislav V.; Kobychev, Denis Y., System and method of performing an antivirus scan of a file on a virtual machine.
상세보기
Honig, Andrew; Howard, Andrew; Eskin, Eleazar; Stolfo, Salvatore J., System and methods for adaptive model generation for detecting intrusion in computer systems.
상세보기
Honig, Andrew; Howard, Andrew; Eskin, Eleazar; Stolfo, Salvatore J., System and methods for adaptive model generation for detecting intrusion in computer systems.
상세보기
Stolfo, Salvatore J.; Eskin, Eleazar; Herskop, Shlomo; Bhattacharyya, Manasi, System and methods for detecting malicious email transmission.
상세보기
Lomont, Chris C.; Jacobus, Charles J., System and methods for detecting software vulnerabilities and malicious code.
상세보기
Honig, Andrew; Howard, Andrew; Eskin, Eleazar; Stolfo, Salvatore J., Systems and methods for adaptive model generation for detecting intrusions in computer systems.
상세보기
Crofton, Teo Winton; Baker, Clark Marshall, Systems and methods for automatic detection of malicious activity via common files.
상세보기
Crofton, Teo Winton; Baker, Clark Marshall, Systems and methods for automatic snapshotting of backups based on malicious modification detection.
상세보기
Kane, David, Systems and methods for automatically blacklisting an internet domain based on the activities of an application.
상세보기
Mohaisen, Aziz; Alrawi, Omar; Larson, Matthew, Systems and methods for behavior-based automated malware analysis and classification.
상세보기
McCorkendale, Bruce; Gong, Sheng; Hu, Wei Guo Eric; Huang, Ge Hua; Mao, Jun; Meng, Qingchun; Tian, Xue Feng; Zhu, Xiaole, Systems and methods for combining static and dynamic code analysis.
상세보기
McCorkendale, Bruce; Tian, Xue Feng; Gong, Sheng; Zhu, Xiaole; Mao, Jun; Meng, Qingchun; Huang, Ge Hua; Hu, Wei Guo Eric, Systems and methods for combining static and dynamic code analysis.
상세보기
Zakorzhevsky, Vyacheslav V.; Vinogradov, Dmitry V.; Pintiysky, Vladislav V.; Kirsanov, Dmitry A., Systems and methods for detecting malicious executable files containing an interpreter by combining emulators.
상세보기
Ferrie, Peter, Systems and methods for identifying external functions called by untrusted applications.
상세보기
Pereira, Shane, Systems and methods for scanning packed programs in response to detecting suspicious behaviors.
상세보기
Zakorzhevsky, Vyacheslav V.; Vinogradov, Dmitry V.; Pintiysky, Vladislav V.; Kirsanov, Dmitry A., Systems and methods for switching emulation of an executable file.
상세보기
Kirk, Terrance J.; Bialek, Matthew S.; Kospiah, Shaun; Lemm, Timothy M.; Thompson, Scott G., Systems and methods of analyzing a software component.
상세보기
Kirk, Terrance J.; Bialek, Matthew S.; Kospiah, Shaun; Lemm, Timothy M.; Thompson, Scott G., Systems and methods of analyzing a software component.
상세보기
Kirk, Terrance J.; Bialek, Matthew S.; Kospiah, Shaun; Lemm, Timothy M.; Thompson, Scott G., Systems and methods of analyzing a software component.
상세보기
Kospiah, Shaun S.; Grubel, Brian C.; Snare, Brett W., Systems and methods of analyzing a software component.
상세보기
Field, Scott A, Tagging obtained content for white and black listing.
상세보기
Amit, Yair; Guy, Lotem; Kalman, Daniel; Segal, Ori; Weisman, Omri, Targeted security testing.
상세보기
Amit, Yair; Guy, Lotem; Kalman, Daniel; Segal, Ori; Weisman, Omri, Targeted security testing.
상세보기
Hsu, Ming-Fa; Kuo, Chen-Yu; Mahadevan, Hariharan; Yu, Ying-Hung, Techniques for managing security modes applied to application program execution.
상세보기

IPC	Description
A	생활필수품
A62	인명구조; 소방(사다리 E06C)
A62B	인명구조용의 기구, 장치 또는 방법(특히 의료용에 사용되는 밸브 A61M 39/00; 특히 물에서 쓰이는 인명구조 장치 또는 방법 B63C 9/00; 잠수장비 B63C 11/00; 특히 항공기에 쓰는 것, 예. 낙하산, 투출좌석 B64D; 특히 광산에서 쓰이는 구조장치 E21F 11/00)
A62B-1/08	.. 윈치 또는 풀리에 제동기구가 있는 것

내보내기 구분	파일저장 인쇄 메일전송
구성항목	기본정보 상세정보 관리번호, 국가코드, 자료구분, 상태, 출원번호, 출원일자, 공개번호, 공개일자, 등록번호, 등록일자, 발명명칭(한글), 발명명칭(영문), 출원인(한글), 출원인(영문), 출원인코드, 대표IPC 관리번호, 국가코드, 자료구분, 상태, 출원번호, 출원일자, 공개번호, 공개일자, 공고번호, 공고일자, 등록번호, 등록일자, 발명명칭(한글), 발명명칭(영문), 출원인(한글), 출원인(영문), 출원인코드, 대표출원인, 출원인국적, 출원인주소, 발명자, 발명자E, 발명자코드, 발명자주소, 발명자 우편번호, 발명자국적, 대표IPC, IPC코드, 요약, 미국특허분류, 대리인주소, 대리인코드, 대리인(한글), 대리인(영문), 국제공개일자, 국제공개번호, 국제출원일자, 국제출원번호, 우선권, 우선권주장일, 우선권국가, 우선권출원번호, 원출원일자, 원출원번호, 지정국, Citing Patents, Cited Patents
저장형식	Text(ASCII format) Excel format PIAS분석(.xls)
메일정보	받는사람 (필수) @ 보내는사람 (선택) @ 제목 내용 KISTI 검색결과 이메일 서비스
안내	총 건의 자료가 검색되었습니다. 다운받으실 자료의 인덱스를 입력하세요. (1-10,000) 검색결과의 순서대로 최대 10,000건 까지 다운로드가 가능합니다. 데이타가 많을 경우 속도가 느려질 수 있습니다.(최대 2~3분 소요) 다운로드 파일은 UTF-8 형태로 저장됩니다. 파일의 내용이 제대로 보이지 않을실 때는 웹브라우저 상단의 보기 -> 인코딩 -> 자동선택 여부를 확인하십시오. ~ Text(ASCII format) Excel format

연합인증

Application behavior based malware detection 원문보기

초록 ▼

대표청구항 ▼

연구과제 타임라인

이 특허에 인용된 특허 (10)

이 특허를 인용한 특허 (79)

관련 콘텐츠

특허 원문 보기

IPC 상위 출원인

AI-Helper ※ AI-Helper는 오픈소스 모델을 사용합니다.

선택된 텍스트

연합인증

Application behavior based malware detection 원문보기

초록 ▼

대표청구항 ▼

연구과제 타임라인

전체(0) 논문(0) 특허(0) 보고서(0)

전체(0) 논문(0) 특허(0) 보고서(0)

이 특허에 인용된 특허 (10)

이 특허를 인용한 특허 (79)

관련 콘텐츠

특허 원문 보기

IPC 상위 출원인

AI-Helper ※ AI-Helper는 오픈소스 모델을 사용합니다.

선택된 텍스트