Application Phenotyping
| Content Provider | The Lens |
|---|---|
| Abstract | A collection of techniques is disclosed to allow for the detection of malware that leverages pattern recognition and machine learning to effectively provide “content-less” malware detection, i.e., detecting a process as being an ‘anomaly’ not based on its particular content, but instead based on comparisons of its behavior to known (and characterized) ‘trusted’ application behaviors, i.e., the trusted applications' “phenotypes” and/or the phenotypes of known malware applications. By analyzing the patterns of normal behavior performed by trusted applications as well as malware applications, one can build a set of sophisticated, content-agnostic behavioral models (i.e., “application phenotypes”)—and later compare the processes executed on a user device to the stored behavioral models to determine whether the actual measured behavior reflects a “good” application, or if it differs from the stored behavioral models to a sufficient degree and with a sufficient degree of confidence, thus indicating a potentially malicious application or behavior. |
| Related Links | https://www.lens.org/lens/patent/009-799-889-203-379/frontpage |
| Language | English |
| Publisher Date | 2017-03-30 |
| Access Restriction | Open |
| Content Type | Text |
| Resource Type | Patent |
| Jurisdiction | United States of America |
| Date Applied | 2015-09-25 |
| Applicant | McAfee Inc |
| Application No. | 201514866459 |
| Claim | 1. A malware detection system, comprising: a memory; a malware-microstep rule logic module, configured to: identify a plurality of regions to be monitored on a first device; identify one or more operations between the regions to be monitored; identify one or more microsteps, each microstep comprising an aggregation or sequence of operations that represent a higher-level function; identify one or more behaviors, each behavior comprising an aggregation or sequence of microsteps that represent a normal activity performed by a first application executing on the first device; identify a phenotype for the first application, the phenotype comprising each of the one or more behaviors identified for the first application; and store the identified phenotype in the memory; a processor configured to, based upon the malware-microstep rule logic, generate a notification that the first application has caused one or more of the operations to occur on the first device; and an anti-malware module configured, based on the notification and the one or more operations that the first application caused to occur, to: determine a first behavior performed by the first application; compare the first behavior to the phenotype for the first application; compare the first behavior to a phenotype for one or more trusted applications, wherein the phenotype for a trusted application comprises one or more behaviors identified for the respective trusted application, and wherein the one or more trusted applications are different applications from the first application; compare the first behavior to a phenotype for one or more known malware applications, wherein the phenotype for a known malware application comprises one or more behaviors identified for the respective known malware application, and wherein the one or more known malware applications are different applications from the first application; and determine whether the first behavior is indicative of malware based, at least in part, on the comparisons of the first behavior to: the phenotype for the first application, the phenotype for the one or more trusted applications, and the phenotype for the one or more known malware applications.
2. The system of claim 1, wherein the determination whether the first behavior is indicative of malware comprises determining a confidence score based on the comparisons of the first behavior to: the phenotype for the first application, the phenotype for the one or more trusted applications, and the phenotype for the one or more known malware applications.
3. The system of claim 1, wherein the malware detection system is located on the first device.
4. The system of claim 1, wherein the malware detection system is communicatively coupled to the first device over a network.
5. The system of claim 1, wherein the determination that a first behavior was performed by the first application further comprises: comparing the one or more operations that the first application caused to occur with one or more known behaviors using a confidence score; and determining that the confidence score associated with the comparison to the first behavior from among the one or more known behaviors is above a threshold amount.
6. The system of claim 5, wherein the determination that a first behavior was performed by the first application further comprises comparing the one or more operations that the first application caused to occur with: one or more known behaviors performed on the first device; one or more known behaviors performed on devices within the same enterprise as the first device; and one or more known behaviors performed on all devices monitored by the system.
7. The system of claim 6, wherein the confidence score is determined by independently weighting the comparisons to the one or more known behaviors performed on: the first device; devices within the same enterprise as the first device; and all devices monitored by the system.
8. A method for performing malware detection, comprising: identifying a plurality of regions to be monitored on a first device; identifying one or more operations between the regions to be monitored; identifying one or more microsteps, each microstep comprising an aggregation or sequence of operations that represent a higher-level function; identifying one or more behaviors, each behavior comprising an aggregation or sequence of microsteps that represent a normal activity performed by a first application executing on the first device; identifying a phenotype for the first application, the phenotype comprising each of the one or more behaviors identified for the first application; storing the identified phenotype in a memory; generating a notification that the first application has caused one or more of the operations to occur on the first device; determining, based on the notification and the one or more operations that the first application caused to occur, that a first behavior was performed by the first application; comparing the first behavior to the phenotype for the first application; comparing the first behavior to a phenotype for one or more trusted applications, wherein the phenotype for a trusted application comprises one or more behaviors identified for the respective trusted application, and wherein the one or more trusted applications are different applications from the first application; comparing the first behavior to a phenotype for one or more known malware applications, wherein the phenotype for a known malware application comprises one or more behaviors identified for the respective known malware application, and wherein the one or more known malware applications are different applications from the first application; and determining whether the first behavior is indicative of malware based, at least in part, on the comparisons of the first behavior to: the phenotype for the first application, the phenotype for the one or more trusted applications, and the phenotype for the one or more known malware applications.
9. The method of claim 8, wherein the determination whether the first behavior is indicative of malware comprises determining a confidence score based on the comparisons of the first behavior to: the phenotype for the first application, the phenotype for the one or more trusted applications, and the phenotype for the one or more known malware applications.
10. The method of claim 8, wherein the determination that a first behavior was performed by the first application further comprises: comparing the one or more operations that the first application caused to occur with one or more known behaviors using a confidence score; and determining that the confidence score associated with the comparison to the first behavior from among the one or more known behaviors is above a threshold amount.
11. The method of claim 10, wherein the determination that a first behavior was performed by the first application further comprises comparing the one or more operations that the first application caused to occur with: one or more known behaviors performed on the first device; one or more known behaviors performed on devices within the same enterprise as the first device; and one or more known behaviors performed on all devices monitored by the system.
12. The method of claim 11, wherein the confidence score is determined by independently weighting the comparisons to the one or more known behaviors performed on: the first device; devices within the same enterprise as the first device; and all devices monitored by the system.
13. The method of claim 8, wherein a phenotype is identified each time an application is launched.
14. The method of claim 8, wherein the memory is in a location remote to the first device.
15. At least one non-transitory machine-readable storage medium, comprising computer-executable instructions carried on the computer readable medium, the instructions readable by a processor, the instructions, when read and executed, for causing the processor to: determine, based on one or more operations that a first application caused to occur on a first device, that a first behavior was performed by the first application; compare the first behavior to a phenotype for the first application; compare the first behavior to a phenotype for one or more trusted applications, wherein the phenotype for a trusted application comprises one or more behaviors identified for the respective trusted application, and wherein the one or more trusted applications are different applications from the first application; compare the first behavior to a phenotype for one or more known malware applications, wherein the phenotype for a known malware application comprises one or more behaviors identified for the respective known malware application, and wherein the one or more known malware applications are different applications from the first application; and determine whether the first behavior is indicative of malware based, at least in part, on the comparisons of the first behavior to: the phenotype for the first application, the phenotype for the one or more trusted applications, and the phenotype for the one or more known malware applications.
16. The medium of claim 15, wherein the determination whether the first behavior is indicative of malware comprises determining a confidence score based on the comparisons of the first behavior to: the phenotype for the first application, the phenotype for the one or more trusted applications, and the phenotype for the one or more known malware applications.
17. The medium of claim 15, wherein the instructions to determine that a first behavior was performed by the first application further comprise instructions to: compare the one or more operations that the first application caused to occur with one or more known behaviors using a confidence score; and determine that the confidence score associated with the comparison to the first behavior from among the one or more known behaviors is above a threshold amount.
18. The medium of claim 17, wherein the instructions to determine that a first behavior was performed by the first application further comprise instructions to compare the one or more operations that the first application caused to occur with: one or more known behaviors performed on the first device; one or more known behaviors performed on devices within the same enterprise as the first device; and one or more known behaviors performed on all devices monitored by the system.
19. The medium of claim 18, wherein the confidence score is determined by executing instructions to independently weight the comparisons to the one or more known behaviors performed on: the first device; devices within the same enterprise as the first device; and all devices monitored by the system.
20. The medium of claim 15, wherein the instructions further comprise instructions to identify a phenotype each time an application is launched.
21. The medium of claim 15, wherein the memory is in a location remote to the first device.
22. A device, comprising: a memory; one or more processors configured to execute instructions stored in the memory, the instructions comprising: an event processor module, configured to: receive a plurality of collected events; identify one or more microsteps from among the plurality of collected events, each microstep comprising an aggregation or sequence of collected events that represent a higher-level function; identify one or more behaviors, each behavior comprising an aggregation or sequence of microsteps that represent an activity performed by an application executing on the device; and determine whether each of the one or more identified behaviors are known or unknown; and a policy enforcer module, configured to: receive the one or more identified behaviors from the event processor module; and determine whether each of the one or more identified behaviors are indicative of malware based, at least in part, on: a phenotype of an application that caused the respective identified behavior to occur; a phenotype for one or more trusted applications; and a phenotype for one or more known malware applications, wherein the phenotype of an application comprises one or more normal behaviors for the respective application.
23. The device of claim 22, wherein the event processor module is further configured to store unknown identified behaviors in a secure storage location communicatively coupled to the device.
24. The device of claim 22, further comprising an event collector configured to monitor memory operations occurring on the device.
25. The device of claim 22, wherein the policy enforcer module is further configured to determine that an identified behavior is indicative of malware when: the phenotype of the application that caused the identified behavior to occur and the phenotype of the one or more trusted applications do not comprise the identified behavior; or the phenotype of the one or more known malware applications does comprise the identified behavior. |
| CPC Classification | TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; ELECTRIC DIGITAL DATA PROCESSING |
| Extended Family | 115-944-234-510-23X; 021-062-282-852-223; 046-772-444-891-617; 009-799-889-203-379; 047-957-981-189-476 |
| Patent ID | 20170093897 |
| Inventor/Author | Cochin, Cedric; Teddy, John D.; Arkin, Ofir; Bean, James; Spurlock, Joel R.; Woodward, Carl |
| IPC | H04L 29/06; G06F 17/30 |
| Status | Active |
| Owner | McAfee LLC |
| Simple Family | 115-944-234-510-23X; 021-062-282-852-223; 046-772-444-891-617; 009-799-889-203-379; 047-957-981-189-476 |
| CPC (with Group) | H04L 63/1425; G06F 16/334; G06F 21/566; H04L 63/1416; H04L 63/145 |
| Issuing Authority | United States Patent and Trademark Office (USPTO) |
| Kind | Patent Application Publication |
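The claims describe a four-level hierarchy (monitored operations lifted to microsteps, microsteps lifted to behaviors, behaviors collected into a per-application phenotype) and a policy decision that compares each observed behavior against three reference sets: the application's own phenotype, the phenotypes of trusted applications, and the phenotypes of known malware (claim 25), with an optional weighted confidence across device, enterprise and global scopes (claims 6, 7). The Python below is an added illustration of that structure; it is not code from the patent or from McAfee, and every rule, application name, scope weight and operation trace in it is constructed for the example.

```python
"""Added illustration of the claimed behaviour hierarchy and phenotype
comparison. All rules, names and sample operations are constructed for
this example; they are not the patent's rule set."""
from dataclasses import dataclass, field

# A microstep is an ordered run of operations that stands for one
# higher-level function (constructed patterns).
MICROSTEP_RULES = {
    ("open_file", "read_file", "close_file"): "read_document",
    ("open_file", "write_file", "close_file"): "write_document",
    ("connect", "send"): "upload",
    ("alloc_rwx", "write_mem", "create_thread"): "inject_code",
}

# A behavior is an ordered run of microsteps that stands for one activity.
BEHAVIOR_RULES = {
    ("read_document", "write_document"): "edit_document",
    ("write_document", "upload"): "upload_backup",
    ("read_document", "upload"): "send_document",
    ("inject_code",): "process_injection",
}


def aggregate(items, rules):
    """Greedy longest-match of the rule keys over an ordered item list.

    Items that start no rule are dropped. The same routine lifts
    operations to microsteps and microsteps to behaviors.
    """
    out, i, longest = [], 0, max(len(k) for k in rules)
    while i < len(items):
        for n in range(min(longest, len(items) - i), 0, -1):
            window = tuple(items[i:i + n])
            if window in rules:
                out.append(rules[window])
                i += n
                break
        else:
            i += 1  # no rule starts here; skip this item
    return out


def behaviors_from_operations(operations):
    """Lift raw monitored operations to the behaviors they represent."""
    return aggregate(aggregate(operations, MICROSTEP_RULES), BEHAVIOR_RULES)


@dataclass
class Phenotypes:
    """Behaviors known to be normal for each application (app -> set)."""
    own: dict = field(default_factory=dict)      # the monitored application
    trusted: dict = field(default_factory=dict)  # trusted applications
    malware: dict = field(default_factory=dict)  # known malware applications


def classify_behavior(app, behavior, ph):
    """Policy-enforcer decision in the shape of claim 25.

    A behavior is indicative of malware when a known-malware phenotype
    contains it ("malicious"), or when neither the application's own
    phenotype nor any trusted phenotype contains it ("anomalous").
    """
    if any(behavior in b for b in ph.malware.values()):
        return "malicious"
    if behavior in ph.own.get(app, set()):
        return "known_good"
    if any(behavior in b for b in ph.trusted.values()):
        return "known_good"
    return "anomalous"


def analyze(app, operations, ph):
    """Return (behavior, verdict) pairs for one application's operations."""
    return [(b, classify_behavior(app, b, ph))
            for b in behaviors_from_operations(operations)]


SCOPE_WEIGHTS = {"device": 0.5, "enterprise": 0.3, "global": 0.2}  # constructed


def scope_confidence(behavior, known_by_scope, weights=SCOPE_WEIGHTS):
    """Weighted match of a behavior against the behaviors known at each
    scope (this device, the enterprise, all monitored devices), in the
    style of claims 6 and 7. Callers compare the result to a threshold.
    """
    total = sum(w for scope, w in weights.items()
                if behavior in known_by_scope.get(scope, set()))
    return round(total, 3)


# Constructed operation trace for an application called "wordproc".
SAMPLE_OPERATIONS = [
    "open_file", "read_file", "close_file", "open_file", "write_file", "close_file",
    "open_file", "read_file", "close_file", "connect", "send",
    "open_file", "write_file", "close_file", "connect", "send",
    "alloc_rwx", "write_mem", "create_thread",
]

# Constructed phenotypes: one own behavior, one trusted app, one malware family.
SAMPLE_PHENOTYPES = Phenotypes(
    own={"wordproc": {"edit_document"}},
    trusted={"sync_agent": {"upload_backup"}},
    malware={"dropper": {"process_injection"}},
)

if __name__ == "__main__":
    for behavior, verdict in analyze("wordproc", SAMPLE_OPERATIONS, SAMPLE_PHENOTYPES):
        print(f"{behavior:20s} {verdict}")
```

Running the module yields four behaviors from the trace: `edit_document` is known good from the application's own phenotype, `upload_backup` is accepted only because a trusted application exhibits it, `send_document` is flagged as anomalous because no phenotype contains it, and `process_injection` is flagged as malicious because a known-malware phenotype contains it. The trusted-phenotype branch is worth noting when tuning such a system: a behavior normal for one trusted application is treated as acceptable for any application, so the trusted set should be kept small.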