
Eliminating False Malware Alerts with Actions-in-Context

IP.com Disclosure Number: IPCOM000035511D
Original Publication Date: 2005-Jan-21
Included in the Prior Art Database: 2005-Jan-21
Document File: 3 page(s) / 54K

Publishing Venue

IBM

Abstract

Current antivirus software identifies malware by recognizing the code signature of the malware executable. An alternative, effective approach is to track malware activity and attach an identification trigger mechanism to this tracking process. This invention describes a procedure for identifying malware based on the combination of its current activity and the other actions it has already taken.

This is the abbreviated version, containing approximately 56% of the total text.



The core idea of the invention is to model malware actions as a path through a finite state machine that represents infection as taking the system from a non-infected state to an infected state. A path is a sequence of tuples <state, operation> representing the operations the malware performs. Once the paths of all known malware infection and propagation sequences are mapped, the invention finds the smallest intersecting subset of operations (or path) that can be monitored to identify malware.

An action is defined as a system operation. Each action on its own may or may not indicate malware activity in progress, but when the actions of a process are put in the context of the other actions it has already performed, they lead to effective malware identification.

The invention analyzes the behaviour of malware (its vector or infection mechanism, its payload, and its replication mechanism) and represents it as a collection of finite state machines. The goal is to identify patterns that characterize generic viral behaviour, so as to catch evolving or modified malware.
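As an added illustration (not part of this disclosure and not IBM's code), the following Python sketch implements the approach described above: each known infection or replication sequence is a small finite state machine over <state, operation> tuples, a per-process tracker advances every machine as that process's operations arrive, and only reaching a machine's malicious final state raises an alert, so the same operation seen without its preceding context stays silent. The malware families, operation names, benign exits and event log are all constructed for the example; treating the "smallest intersecting subset" as a greedy hitting set over the known paths is one reading of that phrase and is an assumption here.

```python
"""Actions-in-context detection as a set of behavioural state machines.

Added illustration only, not the disclosure's code.  The malware families,
operation names, benign exits and the event log below are all constructed.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# A path is a sequence of (state, operation) tuples: performing `operation`
# while in `state` moves the process to the next state of the path.
Path = List[Tuple[int, str]]


class PathMachine:
    """One known infection/replication/payload sequence as a finite state
    machine.  State 1 is the start (non-infected) state and len(path) + 1
    is the malicious final state.  `benign` lists (state, operation) pairs
    that resolve the ambiguity benignly; they act as the benign final state
    and send the process back to the start state."""

    def __init__(self, name: str, path: Path, benign: Iterable[Tuple[int, str]] = ()):
        self.name = name
        self.path = path
        self.final = len(path) + 1
        self.delta = {(state, op): state + 1 for state, op in path}
        self.benign = set(benign)

    def step(self, state: int, op: str) -> int:
        if (state, op) in self.delta:
            return self.delta[(state, op)]
        if (state, op) in self.benign:
            return 1          # benign final state: discard the context
        return state          # unrelated operation: keep the context


# Constructed sequences (hypothetical families, not real malware signatures).
MACHINES = [
    PathMachine("vector_email",
                [(1, "open_attachment"), (2, "write_exe_to_temp"), (3, "exec_from_temp")],
                benign={(3, "delete_temp_file")}),
    PathMachine("vector_macro",
                [(1, "open_document"), (2, "write_exe_to_temp"), (3, "exec_from_temp")],
                benign={(3, "delete_temp_file")}),
    PathMachine("replication_smtp",
                [(1, "read_address_book"), (2, "connect_port_25"), (3, "send_self")],
                benign={(3, "send_user_message")}),
]


def detect(events: Iterable[Tuple[int, str]], machines=MACHINES) -> List[Tuple[int, str]]:
    """Run every machine per process over a stream of (pid, operation)
    events.  Returns (pid, machine name) for each malicious final state
    reached; an operation seen without its preceding context never alerts."""
    states: Dict[int, Dict[str, int]] = defaultdict(lambda: {m.name: 1 for m in machines})
    alerts: List[Tuple[int, str]] = []
    for pid, op in events:
        for m in machines:
            new_state = m.step(states[pid][m.name], op)
            if new_state == m.final:
                alerts.append((pid, m.name))
                new_state = 1             # re-arm the machine for this process
            states[pid][m.name] = new_state
    return alerts


def minimal_monitor_set(machines=MACHINES) -> Set[str]:
    """Smallest set of operations that touches every known path (greedy
    hitting set).  Assumption: this is what 'smallest intersecting subset'
    means; these are the operations whose hooks must be present so that
    every known sequence is observed at least once."""
    remaining = {m.name: {op for _, op in m.path} for m in machines}
    chosen: Set[str] = set()
    while remaining:
        counts = Counter(op for ops in remaining.values() for op in ops)
        # cover the most paths first; ties broken by name so the result is stable
        op = min(counts, key=lambda o: (-counts[o], o))
        chosen.add(op)
        remaining = {n: ops for n, ops in remaining.items() if op not in ops}
    return chosen


# Constructed event log: (pid, operation) in arrival order.
SAMPLE_EVENTS = [
    (101, "open_attachment"),
    (202, "open_document"),
    (101, "write_exe_to_temp"),
    (202, "write_exe_to_temp"),
    (202, "delete_temp_file"),   # 202 cleans up instead of executing: benign exit
    (303, "exec_from_temp"),     # no prior context for 303: no alert on its own
    (101, "exec_from_temp"),     # completes vector_email for 101: alert
    (101, "read_address_book"),
    (101, "connect_port_25"),
    (101, "send_self"),          # completes replication_smtp for 101: alert
]

if __name__ == "__main__":
    for pid, name in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: reached malicious final state of {name}")
    print("operations to hook:", sorted(minimal_monitor_set()))
```

The point of the per-process state is the false-alert reduction the title promises: process 303 executes a file from the temp directory, which on its own is what a signature-free heuristic would flag, but without the preceding open-attachment and write-to-temp context no machine has advanced, so nothing fires. Process 202 walks two steps of the macro vector and then takes the benign exit, which returns it to the start state instead of leaving it one operation short of an alert.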

Example state machine representing a particular infection mechanism (vector).

1 = start state (non-infected)
2, 3, 4 = intermediate states
5 = malicious final state (infected condition)
6 = benign final state (benign operation)

Example state machine representing a particular replication mechanism.


1 = start state
2, 3 = intermediate states to catch benign program activities
4 = final state triggering replication identification
5 = benign final state

State machine representing a particular Payload

1 = start state
2, 3 = intermediate states to catch benign program activities
4 = final state triggering payload delivery identification
5 = benign final state

In general the following model can be used to represent malware:

Vector pattern    Payload    Replication
--------------    -------    -----------
1                 A          e
2                 B          f
3                 D          g
4                            h
.
5

This table tabulates three main components of a malw...