Title of invention
Behavioral malware detection using an interpreter virtual machine
Abstract
Described systems and methods allow protecting a computer system from computer security threats such as malware and spyware. In some embodiments, a security application executes a set of detection routines to determine whether a set of monitored entities (processes, threads, etc.) executing on the computer system comprise malicious software. The detection routines are formulated in bytecode and executed within a bytecode translation virtual machine. Execution of a detection routine comprises translating bytecode instructions of the respective routine into native processor instructions, for instance via interpretation or just-in-time compilation. Execution of the respective routines is triggered selectively, due to the occurrence of specific events within the protected client system. Detection routines may output a set of scores, which may be further used by the security application to determine whether a monitored entity is malicious.
Publication number
US9460284(B1)
Publication date
2016.10.04
Application number
US201514738548
Filing date
2015.06.12
Applicant
Bitdefender IPR Management Ltd.
Inventors
Hajmasan Gheorghe F.; Lukacs Sandor; Fulop Botond
Classification codes
G06F11/00; G06F21/56; G06F9/455
Main classification
G06F11/00
Agency
Law Office of Andrei D Popovici, PC
Agent
Law Office of Andrei D Popovici, PC
Main claim
1. A client system comprising at least one hardware processor configured to form a routine dispatcher, a bytecode translation virtual machine, and a behavioral assessment engine, wherein:
the routine dispatcher is configured, in response to detecting an occurrence of a trigger event, to select an anti-malware bytecode routine for execution from a plurality of anti-malware bytecode routines, the anti-malware bytecode routine selected according to the trigger event, wherein the occurrence of the trigger event is caused by a monitored process executing within the client system;
the bytecode translation virtual machine is configured to execute the anti-malware bytecode routine to determine whether the occurrence of the trigger event is indicative of malware, wherein executing the anti-malware bytecode routine comprises:
translating a set of bytecode instructions of the anti-malware bytecode routine into a sequence of native processor instructions, and
executing the sequence of native processor instructions; and
the behavioral assessment engine is configured to determine whether the client system comprises malware according to a result of the bytecode translation virtual machine executing the anti-malware bytecode routine.
Address
Nicosia CY
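The abstract and the main claim above describe three cooperating parts: a routine dispatcher that selects a bytecode routine according to the trigger event, a virtual machine that interprets that routine's bytecode, and an assessment engine that turns the routines' scores into a verdict. The following is an added toy model of that pipeline, not Bitdefender's code: the opcode set, the two detection routines, the score weights, the threshold and the sample event stream are all constructed for this illustration.

```python
from collections import namedtuple

# Opcodes of a tiny stack machine, constructed for this example (not the patent's bytecode).
PUSH, LOAD, EQ, JZ, EMIT, RET = "PUSH", "LOAD", "EQ", "JZ", "EMIT", "RET"

# A trigger event caused by a monitored process: kind, pid and event-specific fields.
Event = namedtuple("Event", "kind pid fields")

def interpret(routine, event):
    """Execute one bytecode routine by interpretation; returns the routine's score."""
    stack, pc, score = [], 0, 0
    while pc < len(routine):
        op, arg = routine[pc]       # each instruction is translated into one native branch
        pc += 1
        if op == PUSH:   stack.append(arg)                       # literal operand
        elif op == LOAD: stack.append(event.fields.get(arg))     # field of the trigger event
        elif op == EQ:   stack.append(int(stack.pop() == stack.pop()))
        elif op == JZ:   pc = arg if stack.pop() == 0 else pc    # jump to absolute index on 0
        elif op == EMIT: score += arg                            # contribute to the score
        elif op == RET:  break
        else: raise ValueError(f"unknown opcode {op!r}")
    return score

# Routine table keyed by trigger-event kind: the dispatcher's selection criterion.
ROUTINES = {
    "file_write": [[(LOAD, "ext"), (PUSH, ".exe"), (EQ, None), (JZ, 9),    # .exe written
                    (LOAD, "dir"), (PUSH, "startup"), (EQ, None), (JZ, 9),  # into a startup dir
                    (EMIT, 40), (RET, None)]],
    "registry_set": [[(LOAD, "key"), (PUSH, "Run"), (EQ, None), (JZ, 5),   # Run-key persistence
                      (EMIT, 30), (RET, None)]],
}

def dispatch(event, scores):
    """Routine dispatcher: run the routines registered for this event kind into `scores`."""
    for routine in ROUTINES.get(event.kind, []):
        scores[event.pid] = scores.get(event.pid, 0) + interpret(routine, event)
    return scores.get(event.pid, 0)

def assess(events, threshold=60):
    """Behavioral assessment engine: returns per-pid scores and the pids judged malicious."""
    scores = {}
    for event in events:
        dispatch(event, scores)
    return scores, {pid for pid, s in scores.items() if s >= threshold}

# Constructed sample stream: pid 1234 drops an .exe into a startup dir and then sets a Run
# key; pid 999 writes an ordinary document. assess(SAMPLE_EVENTS) -> ({1234: 70, 999: 0}, {1234})
SAMPLE_EVENTS = [Event("file_write", 1234, {"ext": ".exe", "dir": "startup"}),
                 Event("registry_set", 1234, {"key": "Run"}),
                 Event("file_write", 999, {"ext": ".txt", "dir": "documents"})]
```

Neither event on its own crosses the threshold; only the accumulation of scores from routines triggered by separate events does, which is the point of keeping the assessment engine separate from the individual routines.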