Title: APPLICATION PHENOTYPING
Abstract: A collection of techniques is disclosed to allow for the detection of malware that leverages pattern recognition and machine learning to effectively provide "content-less" malware detection, i.e., detecting a process as being an "anomaly" not based on its particular content, but instead based on comparisons of its behavior to known (and characterized) "trusted" application behaviors, i.e., the trusted applications' "phenotypes" and/or the phenotypes of known malware applications. By analyzing the patterns of normal behavior performed by trusted applications as well as malware applications, one can build a set of sophisticated, content-agnostic behavioral models (i.e., "application phenotypes"), and later compare the processes executed on a user device to the stored behavioral models to determine whether the actual measured behavior reflects a "good" application, or whether it differs from the stored behavioral models to a sufficient degree and with a sufficient degree of confidence, thus indicating a potentially malicious application or behavior.
Publication number: US2017093897(A1)    Publication date: 2017.03.30
Application number: US201514866459    Filing date: 2015.09.25
Applicant: McAfee, Inc.    Inventors: Cochin Cedric; Teddy John D.; Arkin Ofir; Bean James; Spurlock Joel R.; Woodward Carl
Classification: H04L29/06; G06F17/30    Main classification: H04L29/06
Principal claim: 1. A malware detection system, comprising:
    a memory;
    a malware-microstep rule logic module, configured to:
        identify a plurality of regions to be monitored on a first device;
        identify one or more operations between the regions to be monitored;
        identify one or more microsteps, each microstep comprising an aggregation or sequence of operations that represent a higher-level function;
        identify one or more behaviors, each behavior comprising an aggregation or sequence of microsteps that represent a normal activity performed by a first application executing on the first device;
        identify a phenotype for the first application, the phenotype comprising each of the one or more behaviors identified for the first application; and
        store the identified phenotype in the memory;
    a processor configured to, based upon the malware-microstep rule logic, generate a notification that the first application has caused one or more of the operations to occur on the first device; and
    an anti-malware module configured, based on the notification and the one or more operations that the first application caused to occur, to:
        determine a first behavior performed by the first application;
        compare the first behavior to the phenotype for the first application;
        compare the first behavior to a phenotype for one or more trusted applications, wherein the phenotype for a trusted application comprises one or more behaviors identified for the respective trusted application, and wherein the one or more trusted applications are different applications from the first application;
        compare the first behavior to a phenotype for one or more known malware applications, wherein the phenotype for a known malware application comprises one or more behaviors identified for the respective known malware application, and wherein the one or more known malware applications are different applications from the first application; and
        determine whether the first behavior is indicative of malware based, at least in part, on the comparisons of the first behavior to: the phenotype for the first application, the phenotype for the one or more trusted applications, and the phenotype for the one or more known malware applications.
Address: Santa Clara CA US
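The operations-to-microsteps-to-behaviors-to-phenotype hierarchy of the principal claim, with the three-way comparison of an observed behavior against the application's own phenotype, trusted phenotypes and known-malware phenotypes, as an added Python example; this is not the patent's or McAfee's code, and the microstep rules, operation names, Jaccard-style scoring, threshold and sample traces are all constructed assumptions.

```python
from collections import Counter

# Constructed example: a microstep is an ordered run of operations between monitored
# regions (file, network, crypto) that together realise a higher-level function.
MICROSTEPS = {
    "read_doc": ("file.open", "file.read"),
    "write_doc": ("file.open", "file.write"),
    "net_send": ("net.connect", "net.send"),
    "encrypt_file": ("file.read", "crypto.encrypt", "file.write"),
}
RULES = sorted(MICROSTEPS.items(), key=lambda kv: -len(kv[1]))  # longest rule first
def to_microsteps(ops):
    """Fold a raw operation trace into microsteps, greedily, longest matching rule first."""
    out, i = [], 0
    while i < len(ops):
        # first rule whose operation sequence starts here; otherwise keep the raw op as 'unknown:<op>'
        name, seq = next(((n, s) for n, s in RULES if tuple(ops[i:i + len(s)]) == s),
                         ("unknown:" + ops[i], (ops[i],)))
        out.append(name)
        i += len(seq)
    return out
def phenotype(traces):  # the set of behaviors (microstep sequences) observed for one application
    return {tuple(to_microsteps(t)) for t in traces}
def similarity(behavior, pheno):
    """Best Jaccard overlap between the behavior's microstep multiset and any behavior in pheno."""
    b, best = Counter(behavior), 0.0
    for p in pheno:
        c = Counter(p)
        union = sum((b | c).values())
        best = max(best, sum((b & c).values()) / union if union else 0.0)
    return best
def classify(ops, own, trusted, malware, threshold=0.5):
    """Score one observed behavior against the app's own, trusted and known-malware phenotypes."""
    b = to_microsteps(ops)
    s_own = similarity(b, own)
    s_trusted = max((similarity(b, p) for p in trusted), default=0.0)
    s_mal = max((similarity(b, p) for p in malware), default=0.0)
    if s_mal >= threshold and s_mal > max(s_own, s_trusted):
        verdict = "malware-like"  # closer to a known malware phenotype than to any benign one
    elif max(s_own, s_trusted) >= threshold:
        verdict = "expected"      # consistent with its own or a trusted application's phenotype
    else:
        verdict = "anomaly"       # content-agnostic deviation from every stored phenotype
    return {"behavior": b, "own": s_own, "trusted": s_trusted, "malware": s_mal, "verdict": verdict}
# Constructed phenotypes: a document editor (the monitored app), a trusted browser, one ransomware sample.
EDITOR = phenotype([["file.open", "file.read"], ["file.open", "file.read", "file.open", "file.write"]])
BROWSER = phenotype([["net.connect", "net.send", "file.open", "file.write"]])
RANSOMWARE = phenotype([["file.read", "crypto.encrypt", "file.write"] * 2 + ["net.connect", "net.send"]])
```

An editor trace that reads a document, encrypts it in place and then sends over the network scores closer to the ransomware phenotype than to its own, while a trace that matches no stored phenotype well is flagged as an anomaly without any inspection of file content.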