Eliminating False Malware Alerts with Actions-in-Context
Original Publication Date: 2005-Jan-21
Included in the Prior Art Database: 2005-Jan-21
Current antivirus software identifies malware by recognizing the code signature of the malware executable. An alternative and effective approach to identifying malware is to track its activity and attach an identification trigger mechanism to this tracking process. This invention describes a procedure for identifying malware based on the combination of its current activity and the other actions it has already taken.
The core idea of the invention is to model malware actions as a path in a finite state machine that represents malware infection as taking a system from a non-infected state to an infected state. A path is a sequence of tuples <state, operation> representing malware operations. Once the paths of all known malware infection and propagation sequences are mapped, the invention finds the smallest intersecting subset of operations (or path) that can be monitored to identify malware.
An action is defined as a system operation. Each action by itself may or may not indicate malware activity in progress, but when the actions of a process are put in the context of the other actions it has already performed, the result is effective malware identification.
The invention analyzes the behaviour of malware [vector (infection), payload, and replication mechanisms] and represents it as a collection of finite state machines. The goal is to identify patterns which characterize generic viral behavior, so as to catch evolving or modified malware.
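As an added illustration (not part of the disclosure), the following Python sketch implements the actions-in-context idea for one hypothetical infection-vector machine: each monitored process is tracked as a path of <state, operation> tuples, and only reaching the malicious final state raises an alert, while a process that performs the same individual operations outside that context never does. The state numbers, operation names and the event trace are constructed for illustration.

```python
from collections import defaultdict

# Hypothetical infection-vector state machine (constructed, not from the disclosure).
# States: 1 = start (non-infected), 2-4 = intermediate, "INFECTED" = malicious final,
# "BENIGN" = benign final. Keys are (state, operation), values are the next state.
VECTOR_FSM = {
    (1, "open_executable_rw"): 2,
    (2, "write_executable"): 3,
    (2, "close_file"): "BENIGN",            # opened an executable but never wrote to it
    (3, "write_registry_run_key"): 4,
    (3, "close_file"): "BENIGN",            # wrote an executable, e.g. an installer or compiler
    (4, "spawn_process"): "INFECTED",       # whole path observed: modify, persist, execute
}

FINAL_STATES = ("INFECTED", "BENIGN")


class ActionsInContextDetector:
    """Tracks every process as a path through one finite state machine."""

    def __init__(self, fsm, start=1):
        self.fsm = fsm
        self.state = defaultdict(lambda: start)  # per-process current state

    def observe(self, pid, operation):
        """Advance pid's path by one (state, operation) tuple.

        Returns "ALERT" on reaching the malicious final state, "BENIGN" on reaching
        the benign final state, and None while the path is still in progress or the
        operation is not on any modelled path from the current state.
        """
        cur = self.state[pid]
        if cur in FINAL_STATES:
            return None                       # verdict already reached for this process
        nxt = self.fsm.get((cur, operation))
        if nxt is None:
            return None                       # operation carries no meaning in this context
        self.state[pid] = nxt
        return {"INFECTED": "ALERT", "BENIGN": "BENIGN"}.get(nxt)


def run_trace(trace, fsm=VECTOR_FSM):
    """Replay a list of (pid, operation) events and collect per-process verdicts."""
    det = ActionsInContextDetector(fsm)
    verdicts = {}
    for pid, op in trace:
        verdict = det.observe(pid, op)
        if verdict:
            verdicts[pid] = verdict
    return verdicts


# Constructed trace: 4242 follows the full infection path, 1337 only opens and closes an
# executable (a viewer), and 7 spawns a process with no prior context at all.
SAMPLE_TRACE = [
    (7, "spawn_process"), (4242, "open_executable_rw"), (1337, "open_executable_rw"),
    (4242, "write_executable"), (1337, "close_file"), (4242, "write_registry_run_key"),
    (4242, "spawn_process"),
]

if __name__ == "__main__":
    print(run_trace(SAMPLE_TRACE))  # {1337: 'BENIGN', 4242: 'ALERT'}
```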
Figure (not reproduced): example state machine representing a particular infection mechanism (vector). State 1 is the start state (non-infected); 2, 3 and 4 are intermediate states; 5 is the malicious final state (representing the infected condition); 6 is the benign final state (benign operation).
Figure (not reproduced): example state machine representing a particular replication mechanism. State 1 is the start state; 2 and 3 are intermediate states to catch benign program activities; 4 is the final state triggering replication identification; 5 is the benign final state.
Figure (not reproduced): state machine representing a particular payload. State 1 is the start state; 2 and 3 are intermediate states to catch benign program activities; 4 is the final state triggering payload delivery identification; 5 is the benign final state.
In general, the following model can be used to represent malware:
Vector pattern: Payload Replication
-------------------- ------------- -----------------
1 A e 2 B f 3 D g 4 h
This table tabulates three main components of a malw...