Title of invention: Malware detection and analysis
Abstract: Embodiments of the invention describe systems and methods for malicious software detection and analysis. A binary executable comprising obfuscated malware on a host device may be received, and incident data indicating a time when the binary executable was received and identifying processes operating on the host device may be recorded. The binary executable is analyzed via a scalable plurality of execution environments, including one or more non-virtual execution environments and one or more virtual execution environments, to generate runtime data and deobfuscation data attributable to the binary executable. At least some of the runtime data and deobfuscation data attributable to the binary executable is stored in a shared database, while at least some of the incident data is stored in a private, non-shared database.
Publication number: US9294486(B1); Publication date: 2016.03.22
Application number: US201414198366; Filing date: 2014.03.05
Applicant: Sandia Corporation; Inventors: Chiang Ken; Lloyd Levi; Crussell Jonathan; Sanders Benjamin; Erickson Jeremy Lee; Fritz David Jakob
Classification: H04L29/06; Main classification: H04L29/06
Agency: Blakely, Sokoloff, Taylor & Zafman LLP; Agent: Blakely, Sokoloff, Taylor & Zafman LLP
Main claim: 1. A non-transitory computer readable storage medium including instructions that, when executed by a processor, cause the processor to perform a method comprising: receiving a binary executable comprising obfuscated malware on a host device; recording incident data indicating a time when the binary executable was received and identifying processes operating on the host device at the time; analyzing the binary executable via a scalable plurality of execution environments, including one or more non-virtual execution environments and one or more virtual execution environments, to execute a plurality of malware analysis modules and to generate runtime data based on execution of the obfuscated malware and deobfuscation data attributable to the binary executable, wherein the deobfuscation data is generated based on an identification of a simplified version of the obfuscated malware; storing the runtime data and deobfuscation data attributable to the binary executable in a shared database; storing the incident data in a private, non-shared database other than the shared database, wherein, of the shared database and the private, non-shared database, the incident data is available only via the private, non-shared database; and increasing the scalable plurality of execution environments to execute the plurality of malware analysis modules, the increasing based, at least in part, on the generated runtime data.
Address: Albuquerque NM US