Detecting malware

US9104870B1 · US · B1

Patent metadata

Publication number: US-9104870-B1
Application number: US-201213631654-A
Country: US
Kind code: B1
Filing date: Sep 28, 2012
Priority date: Sep 28, 2012
Publication date: Aug 11, 2015
Grant date: Aug 11, 2015


Abstract

Official abstract text for this publication.

An example of candidate malware is data that potentially includes one or more malicious elements. Candidate malware is received. The received candidate malware is analyzed using a virtual machine. A determination is made that the candidate malware has attempted to perform an anti-virtual machine action. Output that indicates that the candidate malware is malicious is generated.

Claims

Claim text for this publication.

What is claimed is:

1. A system, comprising: a processor configured to: receive a candidate malware potentially including one or more malicious elements; analyze the candidate malware using a virtual machine, including by: evaluating one or more actions taken by the candidate malware, when executing in the virtual machine, to determine whether the candidate malware is attempting to take an anti-virtual machine action; determine that at least one action taken by the candidate malware when executing in the virtual machine is an anti-virtual machine action, comprising an attempt to check that the candidate malware is running in a virtualized environment; and in response to the determination, generate as output an alert that the candidate malware is malicious; and a memory coupled to the processor and configured to provide the processor with instructions.

2. The system of claim 1 wherein generating the alert includes generating a signature associated with the candidate malware that indicates that the candidate malware is malicious.

3. The system of claim 1 wherein the anti-virtual machine action comprises an attempt by the candidate malware to ascertain a product identifier of an operating system.

4. The system of claim 1 wherein the processor is further configured to generate a random product identifier for use by the virtual machine.

5. The system of claim 1 wherein the anti-virtual machine action comprises an attempt by the candidate malware to ascertain a computer name.

6. The system of claim 1 wherein the processor is further configured to generate a random computer name for use by the virtual machine.

7. The system of claim 1 wherein the anti-virtual machine action comprises an attempt by the candidate malware to ascertain an identifier of a hard drive.

8. The system of claim 1 wherein the processor is further configured to generate a random hard drive identifier for use by the virtual machine.

9. The system of claim 1 wherein the anti-virtual machine action comprises an attempt by the candidate malware to ascertain a MAC address.

10. The system of claim 1 wherein the processor is further configured to generate a random MAC address for use by the virtual machine.

11. The system of claim 1 wherein the processor is further configured to determine whether the candidate malware includes at least one virtualized environment-specific opcode.

12. The system of claim 1 wherein the processor is further configured to apply one or more hotpatches.

13. The system of claim 1 wherein the anti-virtual machine action comprises an attempt to detect hotpatching.

14. The system of claim 1 wherein the anti-virtual machine action comprises an attempt to revert a hotpatch.

15. The system of claim 1 wherein the processor is further configured to confirm that a previously applied hotpatch is still in effect.

16. The system of claim 1 wherein the anti-virtual machine action comprises one or more sleep actions.

17. A method, comprising: receiving a candidate malware potentially including one or more malicious elements; analyzing the candidate malware using a virtual machine, including by: evaluating one or more actions taken by the candidate malware, when executing in the virtual machine, to determine whether the candidate malware is attempting to take an anti-virtual machine action; determining that at least one action taken by the candidate malware when executing in the virtual machine is an anti-virtual machine action, comprising an attempt to check that the candidate malware is running in a virtualized environment; and in response to the determination, generating as output an alert that the candidate malware is malicious.

18. A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for: receiving a candidate malware potentially including one or more malicious elements; analyzing the candidate malware using a virtual machine, including by: evaluating one or more actions taken by the candidate malware, when executing in the virtual machine, to determine whether the candidate malware is attempting to take an anti-virtual machine action; determining that at least one action taken by the candidate malware when executing in the virtual machine is an anti-virtual machine action, comprising an attempt to check that the candidate malware is running in a virtualized environment; and in response to the determination, generating as output an alert that the candidate malware is malicious.

19. The method of claim 17 wherein the anti-virtual machine action comprises an attempt by the candidate malware to ascertain a product identifier of an operating system.

20. The method of claim 17 wherein the anti-virtual machine action comprises an attempt by the candidate malware to ascertain a computer name.
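The following is an added illustration, not code from the patent or from Palo Alto Networks: a sandbox-side classifier that maps the claim categories (product ID, computer name, hard drive ID and MAC address lookups, VM-specific opcodes, and sleep actions per claims 3, 5, 7, 9, 11 and 16) onto a constructed trace of guest actions, raises the alert and signature of claims 1 and 2, and generates the randomized VM identity of claims 4, 6, 8 and 10. The trace line format, the regexes and the 60-second sleep budget are assumptions; the Windows API names are real.

```python
import hashlib
import random
import re
import string

# Assumed trace format: one "<API or opcode> <arguments>" line per guest action.
# Each rule is one claim category of anti-virtual-machine action.
ANTI_VM_RULES = {
    "product_id_query": re.compile(r"RegQueryValueEx\b.*\bProductId\b"),        # claim 3
    "computer_name_query": re.compile(r"\bGetComputerName[AW]?\b"),              # claim 5
    "disk_id_query": re.compile(r"\bGetVolumeInformation[AW]?\b|IOCTL_STORAGE_QUERY_PROPERTY"),  # claim 7
    "mac_address_query": re.compile(r"\bGetAdapters(Info|Addresses)\b"),        # claim 9
    "vm_specific_opcode": re.compile(r"\b(vmcall|vmmcall|cpuid 0x40000000)\b", re.I),  # claim 11
}
SLEEP_RE = re.compile(r"\bSleep\((\d+)\)")
SLEEP_BUDGET_MS = 60_000  # assumption: more than 60 s of requested sleep is treated as evasion (claim 16)

def classify_trace(trace):
    """Return {category: [matching trace lines]} for every anti-VM action found."""
    hits, sleep_total = {}, 0
    for line in trace:
        for category, rx in ANTI_VM_RULES.items():
            if rx.search(line):
                hits.setdefault(category, []).append(line)
        m = SLEEP_RE.search(line)
        if m:
            sleep_total += int(m.group(1))
    if sleep_total > SLEEP_BUDGET_MS:  # sleeps are judged in aggregate, not per call
        hits["sleep"] = [f"total requested sleep {sleep_total} ms"]
    return hits

def analyze(candidate, trace):
    """Claim 1: any anti-VM action yields a 'malicious' alert; claim 2: attach a signature."""
    hits = classify_trace(trace)
    if not hits:
        return None
    return {"verdict": "malicious", "anti_vm_actions": sorted(hits),
            "signature": hashlib.sha256(candidate).hexdigest()}

def random_vm_identity(rng=random):
    """Claims 4/6/8/10: fresh random identifiers for the VM to present to each sample."""
    digits = lambda n: "".join(rng.choices(string.digits, k=n))
    mac = [rng.randrange(256) for _ in range(6)]
    mac[0] = (mac[0] | 0x02) & 0xFE  # locally administered, unicast
    return {"product_id": f"{digits(5)}-OEM-{digits(7)}-{digits(5)}",
            "computer_name": "DESKTOP-" + "".join(rng.choices(string.ascii_uppercase + string.digits, k=7)),
            "disk_serial": "".join(rng.choices("0123456789ABCDEF", k=8)),
            "mac": ":".join(f"{b:02x}" for b in mac)}
```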

Assignees

Palo Alto Networks Inc

Classifications

  • G06F21/53 (primary): by executing in a restricted environment, e.g. sandbox or secure virtual machine (CPC title)

  • G06F21/563 (primary): by source code analysis (CPC title)

  • Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) (CPC title)

  • Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities (CPC title)

  • in which an application is distributed across nodes in the network (software deployment G06F8/60; multiprogramming arrangements G06F9/46) (CPC title)


Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Palo Alto Networks Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/53. Mapped technology areas include Physics.
When was this patent published?
Publication date Aug 11, 2015 (B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).