
WO2020014663 - SYSTEMS AND METHODS FOR DETECTING OBFUSCATED MALWARE IN OBFUSCATED JUST-IN-TIME (JIT) COMPILED CODE

Note: Text produced by automatic optical character recognition. Only the PDF version has legal value.


CLAIMS

What is claimed is:

1. A method for detecting obfuscated malware in just-in-time (JIT) code, comprising:

obtaining a portion of JIT code from a repository;

associating the JIT code portion with metadata;

hashing the JIT code portion and metadata to generate a hash value;

comparing the hash value to a plurality of hash values stored in a cache, the plurality of hash values corresponding to a respective plurality of previously analyzed JIT code portions;

determining, based on the comparison of the hash value to the plurality of hash values, that the JIT code portion is not one of the plurality of previously analyzed JIT code portions;

encoding the JIT code portion into a byte stream;

instantiating a virtual machine comprising an executing environment for the JIT code portion;

executing the JIT code portion in the virtual machine;

collecting runtime data during the executing, the runtime data comprising function calls;

analyzing the runtime data to detect malware; and

providing the JIT code portion and associated metadata for generation of a notification based on the detection of malware.

2. The method of claim 1, wherein obtaining the portion of JIT code from a repository comprises:

selecting a rule from a rule base; and

querying the repository according to the selected rule.

3. The method of any one of the preceding claims, wherein analyzing the runtime data to detect malware comprises comparing a signature of a known malicious indicator to the runtime data.

4. The method of any one of the preceding claims, wherein analyzing the runtime data to detect malware comprises:

performing a heuristic matching of the JIT code based on JIT code patterns; or performing a heuristic matching of the runtime data based on runtime behavioral patterns.

5. The method of any one of the preceding claims, wherein analyzing the runtime data to detect malware comprises

performing an n-gram analysis of the runtime data based on a plurality of predetermined n-grams.

6. The method of any one of the preceding claims, wherein analyzing the runtime data to detect malware comprises

analyzing the runtime code using a recurrent neural network (RNN).

7. The method of any one of the preceding claims, wherein the metadata comprises at least one of: a hostname, a host type, a host identifier, and a timestamp.

8. The method of any one of the preceding claims, comprising:

parsing the JIT code portion to determine the execution environment for execution of the compiled JIT code portion; and

selecting the execution environment before instantiating the virtual machine comprising an executing environment for the JIT code portion.

9. The method of any one of the preceding claims, wherein the hash value is a first hash value, the method comprising:

hashing, after analyzing the runtime data to detect malware, the JIT code portion and the associated metadata to produce a second hash value; and

storing the second hash value in the cache of the plurality of previously analyzed hashed values.
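The method claims above describe one pipeline: hash the code portion together with its metadata, skip it if the hash is already cached, execute it to obtain a function-call trace, analyze that trace (signature comparison in claim 3, n-gram matching in claim 5), emit a notification carrying the code and metadata, and cache a post-analysis hash (claim 9). The following is an added illustration of that pipeline in Python, not code from the patent or its applicant. The VM execution step is replaced by a constructed stub that returns a canned call trace, and all function names, indicator strings and n-grams are assumptions chosen for the example.

```python
import hashlib
import json
from dataclasses import dataclass

# Hypothetical types and names; the claims specify behaviour, not an implementation.

@dataclass
class JitSample:
    code: bytes      # the JIT code portion obtained from the repository
    metadata: dict   # e.g. hostname, host_type, host_id, timestamp (claim 7)

def hash_sample(sample: JitSample) -> str:
    """Hash the code portion together with canonicalised metadata (claim 1).
    Sorting keys makes the hash independent of dict insertion order."""
    canon = json.dumps(sample.metadata, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(sample.code + b"\x00" + canon).hexdigest()

def ngrams(calls: list, n: int) -> set:
    """All contiguous n-grams of the function-call sequence."""
    return {tuple(calls[i:i + n]) for i in range(len(calls) - n + 1)}

def analyze_trace(calls: list, bad_ngrams: set, signatures: set) -> dict:
    """Claim 3: compare known-indicator signatures to the runtime data.
    Claim 5: compare the trace's n-grams to a predetermined set."""
    sig_hits = sorted(s for s in signatures if s in calls)
    ngram_hits = set()
    for n in {len(g) for g in bad_ngrams}:
        ngram_hits |= ngrams(calls, n) & bad_ngrams
    return {"signatures": sig_hits, "ngrams": sorted(ngram_hits)}

def constructed_vm_trace(byte_stream: bytes) -> list:
    """Constructed stand-in for 'executing the JIT code portion in the virtual
    machine'; returns a canned call trace instead of running anything."""
    return ["String.fromCharCode", "unescape", "eval", "document.write"]

# Constructed detection content (assumptions, not from the patent).
BAD_NGRAMS = {("unescape", "eval"), ("eval", "document.write")}
SIGNATURES = {"WScript.Shell"}

def process(sample: JitSample, cache: set, run_in_vm, bad_ngrams, signatures):
    """Full pipeline of claim 1; returns None when the hash is already cached."""
    if hash_sample(sample) in cache:
        return None                      # previously analyzed: skip execution
    byte_stream = bytes(sample.code)     # encoding step; already a byte string here
    calls = run_in_vm(byte_stream)       # runtime data comprising function calls
    findings = analyze_trace(calls, bad_ngrams, signatures)
    cache.add(hash_sample(sample))       # second hash stored after analysis (claim 9)
    malicious = bool(findings["signatures"] or findings["ngrams"])
    # notification payload: code portion plus associated metadata (claim 1)
    return {"code": sample.code, "metadata": sample.metadata,
            "malicious": malicious, "findings": findings}
```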

10. A system for detecting obfuscated malware in just-in-time (JIT) code, comprising:

a processor;

a non-transitory computer readable memory having executable instructions stored thereon, the executable instructions comprising code that cause the processor to perform operations comprising:

obtaining a portion of JIT code from a repository;

associating the JIT code portion with metadata;

hashing the JIT code portion and metadata to generate a hash value;

comparing the hash value to a plurality of hash values stored in a cache, the plurality of hash values corresponding to a respective plurality of previously analyzed JIT code portions;

determining, based on the comparison of the hash value to the plurality of hash values, that the JIT code portion is not one of the plurality of previously analyzed JIT code portions;

encoding the JIT code portion into a byte stream;

instantiating a virtual machine comprising an executing environment for the JIT code portion;

executing the JIT code portion in the virtual machine;

collecting runtime data during the executing, the runtime data comprising function calls;

analyzing the runtime data to detect malware; and

providing the JIT code portion and associated metadata for generation of a notification based on the detection of malware.

11. The system of claim 10, wherein analyzing the runtime data to detect malware comprises

comparing a signature of a known malicious indicator to the runtime data.

12. The system of claims 10 or 11, wherein analyzing the runtime data to detect malware comprises:

performing a heuristic matching of the JIT code based on JIT code patterns; or performing a heuristic matching of the runtime data based on runtime behavioral patterns.

13. The system of claims 10, 11, or 12, wherein analyzing the runtime data to detect malware comprises

performing an n-gram analysis of the runtime data based on a plurality of predetermined n-grams.

14. The system of claims 10, 11, 12, or 13, wherein analyzing the runtime data to detect malware comprises

analyzing the runtime code using a recurrent neural network (RNN).

15. The system of claims 10, 11, 12, 13, or 14, wherein the metadata comprises at least one of: a hostname, a host type, a host identifier, and a timestamp.

16. The system of claims 10, 11, 12, 13, 14, or 15, comprising a network interface, the operations comprising sending, over the network interface, the alert to a security system.

17. A non-transitory computer readable medium having executable instructions stored thereon for detecting obfuscated malware in just-in-time (JIT) code, the executable instructions comprising code that causes a processor to perform operations comprising:

obtaining a portion of JIT code from a repository;

associating the JIT code portion with metadata;

hashing the JIT code portion and metadata to generate a hash value;

comparing the hash value to a plurality of hash values stored in a cache, the plurality of hash values corresponding to a respective plurality of previously analyzed JIT code portions;

determining, based on the comparison of the hash value to the plurality of hash values, that the JIT code portion is not one of the plurality of previously analyzed JIT code portions;

encoding the JIT code portion into a byte stream;

instantiating a virtual machine comprising an executing environment for the JIT code portion;

executing the JIT code portion in the virtual machine;

collecting runtime data during the executing, the runtime data comprising function calls;

analyzing the runtime data to detect malware; and

providing the JIT code portion and associated metadata for generation of a notification based on the detection of malware.

18. The non-transitory computer readable medium of claim 17, wherein analyzing the runtime data to detect malware comprises comparing a signature of a known malicious indicator to the runtime data.

19. The non-transitory computer readable medium of claims 17 or 18, wherein analyzing the runtime data to detect malware comprises:

performing a heuristic matching of the JIT code based on JIT code patterns; or performing a heuristic matching of the runtime data based on runtime behavioral patterns.

20. The non-transitory computer readable medium of claims 17, 18, or 19, wherein analyzing the runtime data to detect malware comprises performing an n-gram analysis of the runtime data based on a plurality of predetermined n-grams.

21. The non-transitory computer readable medium of claims 17, 18, 19, or 20, wherein analyzing the runtime data to detect malware comprises analyzing the runtime code using a recurrent neural network (RNN).