Title: Behavioral malware detection using an interpreter virtual machine
Abstract: Described systems and methods allow protecting a computer system from computer security threats such as malware and spyware. In some embodiments, a security application executes a set of detection routines to determine whether a set of monitored entities (processes, threads, etc.) executing on the computer system comprise malicious software. The detection routines are formulated in bytecode and executed within a bytecode translation virtual machine. Execution of a detection routine comprises translating bytecode instructions of the respective routine into native processor instructions, for instance via interpretation or just-in-time compilation. Execution of the respective routines is triggered selectively, due to the occurrence of specific events within the protected client system. Detection routines may output a set of scores, which may be further used by the security application to determine whether a monitored entity is malicious.
Publication number: US9460284(B1)    Publication date: 2016.10.04
Application number: US201514738548    Filing date: 2015.06.12
Applicant: Bitdefender IPR Management Ltd.    Inventors: Hajmasan Gheorghe F.; Lukacs Sandor; Fulop Botond
Classification (IPC): G06F11/00; G06F21/56; G06F9/455    Main classification: G06F11/00
Agent: Law Office of Andrei D Popovici, PC    Attorney: Law Office of Andrei D Popovici, PC
Main claim: 1. A client system comprising at least one hardware processor configured to form a routine dispatcher, a bytecode translation virtual machine, and a behavioral assessment engine, wherein: the routine dispatcher is configured, in response to detecting an occurrence of a trigger event, to select an anti-malware bytecode routine for execution from a plurality of anti-malware bytecode routines, the anti-malware bytecode routine selected according to the trigger event, wherein the occurrence of the trigger event is caused by a monitored process executing within the client system; the bytecode translation virtual machine is configured to execute the anti-malware bytecode routine to determine whether the occurrence of the trigger event is indicative of malware, wherein executing the anti-malware bytecode routine comprises: translating a set of bytecode instructions of the anti-malware bytecode routine into a sequence of native processor instructions, and executing the sequence of native processor instructions; and the behavioral assessment engine is configured to determine whether the client system comprises malware according to a result of the bytecode translation virtual machine executing the anti-malware bytecode routine.
Address: Nicosia CY