Title: CROSS-VIEW MALWARE DETECTION
Abstract: In an example, a cross-view detection engine is disclosed for detecting malware behavior. Malware may attempt to avoid detection by remaining in volatile memory for as long as possible and writing to disk only when necessary. To avoid detection, the malware may also provide a pseudo-driver at the file-system level that performs legitimate-looking dummy operations while a firmware-level driver simultaneously performs the malicious operations. The cross-view detection engine detects this behavior by deconstructing call traces from the file-system-level operations and reconstructing call traces from the firmware-level operations. If the two traces do not match, the executable object may be flagged as suspicious.
Publication number: US2016094570(A1) Publication date: 2016.03.31
Application number: US201414496860 Filing date: 2014.09.25
Applicant: McAfee, Inc. Inventors: Hunt Simon; Mankin Jennifer; Zimmerman Jeffrey
Classification: H04L29/06; G06F21/56 Main classification: H04L29/06
Agency: Agent:
Principal claim: 1. A computing apparatus comprising: a memory; and one or more hardware and/or software logic elements comprising a cross-view detection engine operable for: observing a first operation performed by an executable object on the memory at a first abstraction level; observing a substantially simultaneous second operation performed by the executable object on the memory at a second abstraction level; making a determination that the first operation does not substantially match the second operation; and acting on the determination.
Address: Santa Clara CA US
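The abstract and the principal claim describe one mechanism: observe the same executable's activity at two abstraction levels (a file-system filter view and a firmware/block-device view), translate both into a common form, and flag the object when the views disagree within a short time window. The Python below is an added illustration of that check and is not code from the patent or from McAfee. It assumes a file-system view that reports (path, offset, length) writes, a block view that reports (LBA, sector count) writes, a hypothetical extent map EXTENTS that stands in for the real file-to-LBA translation the engine would need, and constructed sample traces containing one legitimate write plus one "dummy" file-system write paired with a hidden disk write elsewhere.

```python
"""Cross-view comparison of file-system-level and block-level write traces.

Added example, not the patent's own code. Names, the extent map and the
traces are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SECTOR = 512  # bytes per LBA (assumed)


@dataclass(frozen=True)
class FsOp:
    """Write as reported by a file-system-level filter (high abstraction)."""
    t: float          # seconds
    path: str
    offset: int
    length: int


@dataclass(frozen=True)
class BlockOp:
    """Write as reported by a firmware/block-level monitor (low abstraction)."""
    t: float
    lba: int
    count: int        # sectors


# Hypothetical extent map: path -> (first LBA, extent length in sectors).
# A real engine would obtain this from the file system or on-disk metadata.
EXTENTS: Dict[str, Tuple[int, int]] = {
    "/var/log/app.log": (2048, 64),
    "/tmp/scratch.bin": (4096, 16),
}


def deconstruct(op: FsOp) -> Optional[Set[int]]:
    """Map a file-system write to the sectors it must touch on disk.

    Returns None when the path has no known extent (the op cannot be
    explained at the lower level and is reported as unmatched).
    """
    if op.length <= 0 or op.path not in EXTENTS:
        return None
    start, nsectors = EXTENTS[op.path]
    first = op.offset // SECTOR
    last = (op.offset + op.length - 1) // SECTOR
    if last >= nsectors:
        return None  # write past the file's extent: not explainable either
    return set(range(start + first, start + last + 1))


def reconstruct(op: BlockOp) -> Set[int]:
    """Expand a block-level write into the set of sectors it covers."""
    return set(range(op.lba, op.lba + op.count))


def cross_view(fs_ops: List[FsOp], block_ops: List[BlockOp], window: float = 0.05):
    """Match each fs write to block writes that fall inside its expected
    sector set and within +-window seconds ("substantially simultaneous").

    Returns (matched, unexplained_fs, unexplained_block).
    """
    unexplained_block = list(block_ops)
    matched, unexplained_fs = [], []
    for fop in fs_ops:
        expected = deconstruct(fop)
        if expected is None:
            unexplained_fs.append(fop)
            continue
        used = [b for b in unexplained_block
                if abs(b.t - fop.t) <= window and reconstruct(b) <= expected]
        covered = set().union(*(reconstruct(b) for b in used)) if used else set()
        if covered == expected:
            matched.append((fop, tuple(used)))
            for b in used:
                unexplained_block.remove(b)
        else:
            unexplained_fs.append(fop)  # dummy op, or nothing reached disk
    return matched, unexplained_fs, unexplained_block


def analyze(fs_ops: List[FsOp], block_ops: List[BlockOp], window: float = 0.05):
    """Return (matched pairs, list of human-readable findings)."""
    matched, ufs, ublk = cross_view(fs_ops, block_ops, window)
    findings = []
    for f in ufs:
        findings.append(f"fs write {f.path}@{f.offset} has no matching disk write (possible dummy op)")
    for b in ublk:
        findings.append(f"disk write LBA {b.lba}+{b.count} has no file-system counterpart (possible hidden write)")
    return matched, findings


# Constructed traces: the first pair is legitimate; the second shows a dummy
# file-system write covering a hidden write to sectors outside any file.
FS_TRACE = [FsOp(1.00, "/var/log/app.log", 0, 1024),
            FsOp(2.00, "/tmp/scratch.bin", 0, 512)]
BLOCK_TRACE = [BlockOp(1.01, 2048, 2),
               BlockOp(2.01, 9000, 8)]

if __name__ == "__main__":
    _, report = analyze(FS_TRACE, BLOCK_TRACE)
    for line in report:
        print(line)
```

The window parameter is the practical caveat: on a real system buffered writes reach the device after writeback delay, so too tight a window produces false "dummy op" and "hidden write" findings for the same legitimate write, while too loose a window lets a pseudo-driver hide its write behind a nearby legitimate one. Only writes are compared here because cached reads legitimately produce no block-level activity.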