US2016269423A1PendingUtilityA1

Methods and systems for malware analysis

36
Assignee: CYBERPOINT INT LLCPriority: Oct 31, 2013Filed: Apr 26, 2016Published: Sep 15, 2016
Est. expiryOct 31, 2033(~7.3 yrs left)· nominal 20-yr term from priority
H04L 63/1433H04L 63/20G06F 17/30876G06F 3/0482H04L 63/1491G06N 99/005H04L 63/145H04L 63/14G06F 16/955G06N 20/00G06F 21/56
36
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Methods, system, and media for analyzing a potential malware sample are disclosed. A sample for malware analysis may be received. The sample may be received through a web interface. The sample may be analyzed using a plurality of analyzers implemented on one or more computing devices. The analyzers may perform a sequence of configurable analytic steps to extract information about the sample. The extracted information may be displayed to a user through the web interface.

Claims

exact text as granted — not AI-modified
1 - 20 . (canceled) 
     
     
         21 . A computer-implemented method comprising:
 obtaining a particular analyzer that is trained using machine learning to classify data samples as likely including malware or as likely not including malware;   providing data for generating a graphical user interface at a user device, the graphical user interface being configured to receive, through selectable options, configuration data that defines a user-defined workflow to control one or more analyzers for analyzing malware having a particular malware attribute;   receiving, at a server from the user device, the configuration data;   storing the configuration data in a workflow definition database, the workflow definition database including workflow definitions for a plurality of workflows respectively associated with a plurality of malware attributes;   receiving a sample including a potential malware;   determining, by the server, at least one malware attribute of the sample;   determining, by the server, that the at least one malware attribute of the sample is associated with the particular malware attribute;   selecting, from the plurality of workflows, the user-defined workflow for analyzing the sample;   causing, by the server, the one or more analyzers to analyze the sample according to the user-defined workflow associated with the stored configuration data to generate an analysis result that indicates a likelihood that the sample includes malware or does not include malware, the one or more analyzers including the particular analyzer that is trained using machine learning; and   providing the analysis result for output.   
     
     
         22 . The computer-implemented method of  claim 21 , wherein determining, by the server, at least one malware attribute of the sample comprises one or more of:
 uncompressing the sample;   decrypting the sample; and   identifying a file type of the sample.   
     
     
         23 . The computer-implemented method of  claim 22 , further comprising:
 selecting the particular analyzer to analyze the sample based on the identified file type.   
     
     
         24 . The computer-implemented method of  claim 21 , wherein receiving, at a server from the user device, the configuration data comprises one or more of:
 receiving order data indicative of an order in which to apply the one or more analyzers for analyzing the malware having the particular malware attribute; and   receiving compatibility data indicating that the user-defined workflow is configured to support one or more scripts or one or more virtual machines.   
     
     
         25 . The computer-implemented method of  claim 21 , further comprising:
 causing, by the server, an analyzer other than the particular analyzer to analyze the analysis result.   
     
     
         26 . The computer-implemented method of  claim 21 , wherein causing, by the server, one or more analyzers to analyze the sample according to the user-defined workflow comprises:
 providing the sample to one or more environments for execution and behavioral profiling.   
     
     
         27 . The computer-implemented method of  claim 21 , wherein causing, by the server, one or more analyzers to analyze the sample according to the user-defined workflow to generate an analysis result that indicates a likelihood that the sample includes malware or does not include malware comprises:
 obtaining one or more rules from a database;   classifying the sample as likely including malware or as likely not including malware based on the obtained one or more rules; and   generating the analysis result based, in part, on the classifying.   
     
     
         28 . A non-transitory computer-readable storage medium encoded with a computer program, the computer program comprising instructions that, upon execution by a computer, cause the computer to perform operations comprising:
 obtaining a particular analyzer that is trained using machine learning to classify data samples as likely including malware or as likely not including malware;   providing data for generating a graphical user interface at a user device, the graphical user interface being configured to receive, through selectable options, configuration data that defines a user-defined workflow to control one or more analyzers for analyzing malware having a particular malware attribute;   receiving, from the user device, the configuration data;   storing the configuration data in a workflow definition database, the workflow definition database including workflow definitions for a plurality of workflows respectively associated with a plurality of malware attributes;   receiving a sample including a potential malware;   determining that the particular malware attribute is an attribute of the sample;   causing the one or more analyzers to analyze the sample according to the user-defined workflow associated with the stored configuration data to generate an analysis result that indicates a likelihood that the sample includes malware or does not include malware, the one or more analyzers including the particular analyzer that is trained using machine learning; and   providing the analysis result for output.   
     
     
         29 . The non-transitory computer-readable storage medium of  claim 28 , determining that the particular malware attribute is an attribute of the sample comprises one or more of:
 uncompressing the sample;   decrypting the sample; and   identifying a file type of the sample and selecting the particular analyzer to analyze the sample based on the identified file type.   
     
     
         30 . The non-transitory computer-readable storage medium of  claim 28 , wherein receiving, from the user device, the configuration data comprises one or more of:
 receiving order data indicative of an order in which to apply the one or more analyzers for analyzing the malware having the particular malware attribute; and   receiving compatibility data indicating that the user-defined workflow is configured to support one or more scripts or one or more virtual machines.   
     
     
         31 . The non-transitory computer-readable storage medium of  claim 28 , wherein the operations further comprise:
 causing an analyzer other than the particular analyzer to analyze the analysis result.   
     
     
         32 . The non-transitory computer-readable storage medium of  claim 28 , wherein causing one or more analyzers to analyze the sample according to the user-defined workflow comprises:
 providing the sample to one or more environments for execution and behavioral profiling.   
     
     
         33 . The non-transitory computer-readable storage medium of  claim 28 , wherein causing one or more analyzers to analyze the sample according to the user-defined workflow to generate an analysis result that indicates a likelihood that the sample includes malware or does not include malware comprises:
 obtaining one or more rules from a database;   classifying the sample as likely including malware or as likely not including malware based on the obtained one or more rules; and   generating the analysis result based, in part, on the classifying.   
     
     
         34 . A system comprising:
 one or more processors and one or more computer storage media storing instructions that are operable and when executed by the one or more processors, cause the one or more processors to perform operations comprising:
 obtaining a particular analyzer that is trained using machine learning to classify data samples as likely including malware or as likely not including malware; 
 providing data for generating a graphical user interface at a user device, the graphical user interface being configured to receive, through selectable options, configuration data that defines a user-defined workflow to control one or more analyzers for analyzing malware having a particular malware attribute; 
 receiving, from the user device, the configuration data; 
 storing the configuration data in a workflow definition database, the workflow definition database including workflow definitions for a plurality of workflows respectively associated with a plurality of malware attributes; 
 receiving a sample including a potential malware; 
 determining that the particular malware attribute is an attribute of the sample; 
 causing the one or more analyzers to analyze the sample according to the user-defined workflow associated with the stored configuration data to generate an analysis result that indicates a likelihood that the sample includes malware or does not include malware, the one or more analyzers including the particular analyzer that is trained using machine learning; and 
 providing the analysis result for output. 
   
     
     
         35 . The system of  claim 34 , wherein determining that the particular malware attribute is an attribute of the sample comprises one or more of:
 uncompressing the sample;   decrypting the sample; and   identifying a file type of the sample.   
     
     
         36 . The system of  claim 35 , wherein the operations further comprise:
 selecting the particular analyzer to analyze the sample based on the identified file type.   
     
     
         37 . The system of  claim 34 , wherein receiving, from the user device, the configuration data comprises one or more of:
 receiving order data indicative of an order in which to apply the one or more analyzers for analyzing the malware having the particular malware attribute; and   receiving compatibility data indicating that the user-defined workflow is configured to support one or more scripts or one or more virtual machines.   
     
     
         38 . The system of  claim 34 , wherein the operations further comprise:
 causing an analyzer other than the particular analyzer to analyze the analysis result.   
     
     
         39 . The system of  claim 34 , wherein causing one or more analyzers to analyze the sample according to the user-defined workflow comprises:
 providing the sample to one or more environments for execution and behavioral profiling.   
     
     
         40 . The system of  claim 34 , wherein causing one or more analyzers to analyze the sample according to the user-defined workflow to generate an analysis result that indicates a likelihood that the sample includes malware or does not include malware comprises:
 obtaining one or more rules from a database;   classifying the sample as likely including malware or as likely not including malware based on the obtained one or more rules; and   generating the analysis result based, in part, on the classifying.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.