Title: MICROVISOR-BASED MALWARE DETECTION ENDPOINT ARCHITECTURE
Abstract: A threat-aware microvisor may be deployed in a malware detection endpoint architecture and execute on an endpoint to provide exploit and malware detection within a network environment. Exploit and malware detection on the endpoint may be performed in accordance with one or more processes embodied as software modules or engines configured to detect suspicious and/or malicious behaviors of an operating system process (object), and to correlate and classify the detected behaviors as indicative of malware. Detection of suspicious and/or malicious behaviors may be performed by static and dynamic analysis of the object. Static analysis may examine the object to determine whether it is suspicious, while dynamic analysis may instrument the behavior of the object as the operating system process runs, via capability violations of, e.g., operating system events. A behavioral analysis logic engine and a classifier may thereafter cooperate to perform correlation and classification of the detected behaviors.
Publication number: US2016191550(A1) Publication date: 2016.06.30
Application number: US201514929821 Filing date: 2015.11.02
Applicant: FireEye, Inc. Inventors: Ismael Osman Abdoul; Aziz Ashar
Classification: H04L29/06; G06F21/56 Main classification: H04L29/06
Principal claim: 1. A system comprising: a memory of an endpoint coupled to a network, the memory configured to store an operating system process, a plurality of user mode processes, and a microvisor deployed in a malware detection endpoint architecture of the endpoint; and a central processing unit (CPU) coupled to the memory and adapted to execute the operating system process, the user mode processes, and the microvisor, wherein the user mode processes and the microvisor when executed are operable to: perform static analysis of an object of the operating system process to detect anomalous characteristics of the object as static analysis results; perform dynamic analysis of the object to observe behaviors of the object via one or more capability violations as the operating system process executes, wherein the behaviors are captured as dynamic analysis results; correlate the static analysis results and dynamic analysis results against correlation rules to generate correlation information pertaining to a level of risk used to arrive at a decision of maliciousness; and render a decision of whether the object is malicious by classifying the correlation information of the object relative to known malware and benign content.
Address: Milpitas CA US
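The four steps of the principal claim (static analysis results, capability violations captured as dynamic analysis results, correlation against rules to produce a risk level, and classification relative to known malware and benign content) as an added Python sketch. This is illustrative code written for this page, not FireEye's implementation; the indicator names, capability-violation names, rule weights, threshold and reference profiles are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample results for one OS process object (hypothetical names).
STATIC_RESULTS = {"unsigned_binary": True, "packed_sections": True}
DYNAMIC_RESULTS = [  # capability violations trapped while the process ran
    {"event": "write", "target": "HKCU\\...\\Run", "violation": "registry_write"},
    {"event": "open", "target": "lsass.exe", "violation": "process_memory_read"},
    {"event": "connect", "target": "203.0.113.7:4444", "violation": "network_connect"},
]

@dataclass(frozen=True)
class Rule:
    name: str
    static_needed: frozenset   # static characteristics that must all be present
    dynamic_needed: frozenset  # capability violations that must all be present
    weight: int                # contribution to the risk level (constructed)

CORRELATION_RULES = [
    Rule("persistence_from_packed_binary", frozenset({"packed_sections"}), frozenset({"registry_write"}), 40),
    Rule("credential_access", frozenset(), frozenset({"process_memory_read"}), 35),
    Rule("unsigned_beacon", frozenset({"unsigned_binary"}), frozenset({"network_connect"}), 30),
]

def correlate(static, dynamic, rules=CORRELATION_RULES):
    """Match static and dynamic results against rules; return matched rule names and a risk level."""
    present_static = {k for k, v in static.items() if v}
    present_dynamic = {d["violation"] for d in dynamic}
    matched = [r for r in rules
               if r.static_needed <= present_static and r.dynamic_needed <= present_dynamic]
    risk = min(100, sum(r.weight for r in matched))  # capped 0..100
    return {"matched": [r.name for r in matched], "risk": risk}

# Constructed reference profiles standing in for "known malware and benign content".
KNOWN_PROFILES = {
    "malware": {"persistence_from_packed_binary", "unsigned_beacon", "credential_access"},
    "benign": {"unsigned_beacon"},  # e.g. an unsigned updater that phones home
}

def classify(correlation, profiles=KNOWN_PROFILES, threshold=50):
    """Malicious only if risk reaches the threshold and the match set is closer to malware than benign."""
    matched = set(correlation["matched"])
    def jaccard(a, b):
        return len(a & b) / len(a | b) if a | b else 0.0
    sim = {label: jaccard(matched, prof) for label, prof in profiles.items()}
    malicious = correlation["risk"] >= threshold and sim["malware"] > sim["benign"]
    return ("malicious" if malicious else "not malicious"), sim

def analyze(static=STATIC_RESULTS, dynamic=DYNAMIC_RESULTS):
    corr = correlate(static, dynamic)
    verdict, sim = classify(corr)
    return {"verdict": verdict, "risk": corr["risk"], "matched": corr["matched"], "similarity": sim}
```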