Title: Identifying an evasive malicious object based on a behavior delta
Abstract: A security device may receive actual behavior information associated with an object. The actual behavior information may identify a first set of behaviors associated with executing the object in a live environment. The security device may determine test behavior information associated with the object. The test behavior information may identify a second set of behaviors associated with testing the object in a test environment. The security device may compare the first set of behaviors and the second set of behaviors to determine a difference between the first set of behaviors and the second set of behaviors. The security device may identify whether the object is an evasive malicious object based on the difference between the first set of behaviors and the second set of behaviors. The security device may provide an indication of whether the object is an evasive malicious object.
Publication number: US9594908(B2)  Publication date: 2017.03.14
Application number: US201615229842  Filing date: 2016.08.05
Applicant: Juniper Networks, Inc.  Inventors: Adams Kyle; Quinlan Daniel J.
Classification: G06F21/53; G06F21/56  Main classification: G06F21/53
Agency: Harrity & Harrity, LLP  Agent: Harrity & Harrity, LLP
Main claim: 1. A device comprising: one or more hardware processors to:
  receive an object;
  execute the object in a test environment;
  perform a static analysis of the object including at least one of:
    scanning the object with anti-virus software,
    performing a strings search of the object, or
    disassembling the object;
  determine, based on executing the object in the test environment and performing the static analysis of the object, test behavior information associated with the object, the test behavior information identifying a first behavior associated with testing the object in the test environment;
  determine actual behavior information associated with the object, the actual behavior information identifying a second behavior exhibited by the object when the object is opened or executed on a user device;
  determine that the object is a malicious object based on the actual behavior information being different from the test behavior information; and
  provide an indication that the object is the malicious object based on determining that the object is the malicious object.
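The abstract and the main claim both describe the same comparison: behaviors recorded while the object ran in a test environment (plus static-analysis findings) are set against behaviors later observed on a user device, and a difference flags the object as evasive. The following is an added worked example, not code from the patent or from Juniper Networks, of what that behavior-delta check can look like. The behavior categories, the high-risk category list, the path normalization rule and both event traces are constructed for illustration; a real deployment would derive them from its own sandbox and endpoint telemetry.

```python
"""Behavior-delta check: compare test-environment behaviors with live behaviors.

Added illustration of the comparison described in the patent abstract/claim.
All categories, traces and thresholds below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Set, Tuple

# A behavior is (category, detail), e.g. ("file_read", "%temp%\\invoice.docm").
Behavior = Tuple[str, str]

# Constructed list: categories a benign document would not normally exhibit.
# A live-only occurrence of one of these is the "behavior delta" signal.
HIGH_RISK_CATEGORIES = frozenset(
    {"process_create", "registry_persist", "file_write_exec", "network_connect"}
)


@dataclass(frozen=True)
class DeltaVerdict:
    live_only: FrozenSet[Behavior]   # behaviors seen on the user device but not in test
    test_only: FrozenSet[Behavior]   # behaviors seen in test but not on the user device
    evasive: bool
    reason: str


def normalize(behaviors: Iterable[Behavior]) -> Set[Behavior]:
    """Canonicalize behaviors so host-specific noise does not masquerade as a delta.

    Lower-cases category and detail, trims whitespace, and collapses per-user temp
    directories to %temp% so the same file access on sandbox and endpoint compares equal.
    """
    out: Set[Behavior] = set()
    for category, detail in behaviors:
        d = detail.strip().lower()
        d = re.sub(r"c:\\users\\[^\\]+\\appdata\\local\\temp", "%temp%", d)
        out.add((category.strip().lower(), d))
    return out


def behavior_delta(
    test: Iterable[Behavior],
    live: Iterable[Behavior],
    static_findings: Iterable[Behavior] = (),
) -> DeltaVerdict:
    """Compare test behavior information (dynamic trace + static findings) with live behavior.

    Returns a verdict that is evasive when the live run exhibits a high-risk behavior
    the test run never produced; a delta made only of low-risk behaviors is reported
    but not treated as evasion.
    """
    t = normalize(test) | normalize(static_findings)
    l = normalize(live)
    live_only = frozenset(l - t)
    test_only = frozenset(t - l)
    risky = sorted(b for b in live_only if b[0] in HIGH_RISK_CATEGORIES)
    if risky:
        return DeltaVerdict(live_only, test_only, True, f"live-only high-risk behaviors: {risky}")
    if live_only or test_only:
        return DeltaVerdict(live_only, test_only, False, "delta present, no high-risk live-only behavior")
    return DeltaVerdict(live_only, test_only, False, "no delta")


# Constructed sample traces. In the test environment the object opens, reads a
# registry key and exits quietly; on the user device the same object additionally
# spawns a process and makes a network connection.
SANDBOX_TRACE = [
    ("file_read", "C:\\Users\\analyst\\AppData\\Local\\Temp\\invoice.docm"),
    ("registry_read", "HKLM\\SOFTWARE\\EXAMPLE_KEY_PLACEHOLDER"),
    ("process_exit", "code=0"),
]
LIVE_TRACE = [
    ("file_read", "C:\\Users\\jsmith\\AppData\\Local\\Temp\\invoice.docm"),
    ("registry_read", "HKLM\\SOFTWARE\\EXAMPLE_KEY_PLACEHOLDER"),
    ("process_create", "example_child.exe /hidden"),
    ("network_connect", "203.0.113.10:443"),
    ("process_exit", "code=0"),
]
# Constructed static-analysis result (e.g. a strings search hit) folded into test info.
STATIC_FINDINGS = [("static_string", "203.0.113.10")]


if __name__ == "__main__":
    verdict = behavior_delta(SANDBOX_TRACE, LIVE_TRACE, STATIC_FINDINGS)
    print("evasive:", verdict.evasive)
    print("reason:", verdict.reason)
    for b in sorted(verdict.live_only):
        print("  live-only:", b)
```

Normalization is the part that decides whether this check is useful in practice: without it, differing user names, temp paths or PIDs between sandbox and endpoint produce a delta for every object, and the signal described in the abstract drowns in noise. The high-risk filter keeps a harmless difference (a different font file read, a locale-specific path) from being reported as evasion.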
Address: Sunnyvale CA US