Title: DETECTION EFFICACY OF VIRTUAL MACHINE-BASED ANALYSIS WITH APPLICATION SPECIFIC EVENTS
Abstract: A computerized system and method is described for classifying objects as malicious by processing the objects in a virtual environment and monitoring behaviors during processing by one or more monitors. The monitors may monitor and record selected sets of process operations and capture associated process parameters, which describe the context in which the process operations were performed. By recording the context of process operations, the system and method described herein improves the intelligence of classifications and consequently reduces the likelihood of incorrectly classifying benign objects as malware, or malicious objects as benign.
Publication number: US2015220735(A1)    Publication date: 2015.08.06
Application number: US201414173765    Filing date: 2014.02.05
Applicant: FireEye, Inc.    Inventors: Paithane Sushant; Vashisht Sai
Classification: G06F21/56; G06F21/53    Main classification: G06F21/56
Agency:    Agent:
Principal claim: 1. A computerized method for classifying an object based on detected process operations and associated process parameters that describe the context of the process operations, comprising: receiving, by a malware content detection system, an object to be examined for malware; and performing dynamic analysis on the object, wherein the dynamic analysis includes: processing the object within a virtual machine, wherein a monitor for examining the object is located within a component of the virtual machine; capturing, by the monitor, a process operation and a corresponding set of process parameters associated with the process operation; and determining whether the object is malware based on the captured process operation and the corresponding set of process parameters.
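The claim above describes a monitor inside the virtual machine that captures each process operation together with the parameters describing its context, and a classifier that decides on the basis of both. The following Python sketch is an added illustration of that idea and is not FireEye's code or any part of the patented implementation: the Monitor class, the operation names, the scoring weights and the three constructed traces are all assumptions made for the example. It shows why the context matters: the same operation type (a process creation, a registry write, a file write) scores differently depending on the captured parameters, so an interactive shell launched from the desktop is not mistaken for a document that spawns a shell, while the latter, combined with a dropped executable and a persistence key, is flagged.

```python
"""Context-aware scoring of monitored process operations (hypothetical example).

The Monitor stands in for the in-VM monitor of the claim; it records each
operation with the parameters that describe its context.  The classifier
weighs operation name AND parameters, not the operation name alone.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple


@dataclass(frozen=True)
class ProcessOperation:
    name: str               # e.g. "process_create", "registry_set", "file_write"
    params: Dict[str, Any]  # context captured alongside the operation


class Monitor:
    """Records operations and their context parameters (assumed interface)."""

    def __init__(self) -> None:
        self.operations: List[ProcessOperation] = []

    def capture(self, name: str, **params: Any) -> None:
        self.operations.append(ProcessOperation(name, dict(params)))


# Assumed heuristics for the example; a real analyzer would carry many more.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"


def score_operation(op: ProcessOperation) -> Tuple[int, str]:
    """Return (weight, reason); weight 0 means the operation is unremarkable
    in this context even if the same operation name could be suspicious elsewhere."""
    p = op.params
    if op.name == "process_create":
        parent = str(p.get("parent", "")).lower()
        child = str(p.get("image", "")).lower()
        if parent in OFFICE_APPS and child in SHELLS:
            return 60, f"{parent} spawned {child}"
        return 0, ""
    if op.name == "registry_set":
        if str(p.get("key", "")).lower() == RUN_KEY:
            return 40, f"persistence via Run key ({p.get('value')})"
        return 0, ""
    if op.name == "file_write":
        path = str(p.get("path", "")).lower()
        if path.endswith(".exe") and "\\temp\\" in path:
            return 30, f"executable dropped to temp: {path}"
        return 0, ""
    return 0, ""


def classify(ops: List[ProcessOperation], threshold: int = 50) -> Tuple[str, int, List[str]]:
    """Sum the context-aware weights and return (verdict, total, reasons)."""
    total, reasons = 0, []
    for op in ops:
        weight, reason = score_operation(op)
        if weight:
            total += weight
            reasons.append(reason)
    return ("malicious" if total >= threshold else "benign"), total, reasons


# --- constructed traces (not captured from any real sample) -----------------

def benign_document_trace() -> List[ProcessOperation]:
    m = Monitor()
    m.capture("file_write", pid=1204, image="winword.exe",
              path=r"C:\Users\u\AppData\Local\Temp\~WRD0001.tmp")
    m.capture("registry_set", pid=1204, image="winword.exe",
              key=r"HKCU\Software\Microsoft\Office\16.0\Word\Resiliency", value="StartupItems")
    m.capture("process_create", pid=1204, parent="winword.exe", image="splwow64.exe")
    return m.operations


def interactive_shell_trace() -> List[ProcessOperation]:
    # A user opening a console: same "process_create" of cmd.exe, different parent.
    m = Monitor()
    m.capture("process_create", pid=880, parent="explorer.exe", image="cmd.exe")
    return m.operations


def suspicious_document_trace() -> List[ProcessOperation]:
    m = Monitor()
    m.capture("process_create", pid=1204, parent="winword.exe", image="cmd.exe")
    m.capture("file_write", pid=2210, image="cmd.exe",
              path=r"C:\Users\u\AppData\Local\Temp\update.exe")
    m.capture("registry_set", pid=2210, image="cmd.exe",
              key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", value="Updater")
    return m.operations


if __name__ == "__main__":
    for label, trace in (("benign document", benign_document_trace()),
                         ("interactive shell", interactive_shell_trace()),
                         ("suspicious document", suspicious_document_trace())):
        verdict, total, reasons = classify(trace)
        print(f"{label}: {verdict} (score {total}) {reasons}")
```

Without the captured parent image, the two `process_create` events for cmd.exe would be indistinguishable and either both would be flagged (a false positive on the interactive shell) or neither (a miss on the document); the context parameters are what let the classifier separate them.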
Address: Milpitas CA US