KR-20260064693-A - System and method for responding to persistent malware
Abstract
Some embodiments construct an entity map describing a group of interrelated entities and determine whether a computing device contains malware based on each entity map. The entity map includes worker entities (e.g., processes) and resource entities (e.g., files) accessed by each of the worker entities. Some entity maps are permanently stored and restored in response to a reboot, enabling the complete reconstruction of the kill chain even when malicious activities are distributed among multiple entities and across multiple computing sessions. Some embodiments detect an infection by comparing the current entity map with a signature map describing at least a fragment of a known attack.
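The mechanism the abstract describes, as an added example that is not the patent's or the assignee's code: a small in-memory stand-in for the non-volatile map store, and a per-session entity map manager that, when a running process touches a file or registry key, pulls the stored map that already contains that resource (including after a reboot), adds the process and its relationship to the resource, merges maps that share a worker, extends the map to child processes, and treats an overwrite as a new instance of the resource. The `EntityMap`, `MapRepository` and `EntityMapManager` classes, the JSON encoding, the session-scoped worker ids such as `s1/100`, the file and registry paths, and the rule that sets the security flag when a resource passes from one worker to another are all assumptions of this example.

```python
import itertools
import json
from dataclasses import dataclass, field


@dataclass
class EntityMap:
    workers: dict = field(default_factory=dict)    # worker id -> {"name", "flag"}
    resources: dict = field(default_factory=dict)  # path -> {"flag", "instance"}
    edges: set = field(default_factory=set)        # (worker id, action, path)

    def to_json(self):
        return json.dumps({"workers": self.workers, "resources": self.resources,
                           "edges": sorted(self.edges)})


class MapRepository:
    """Stands in for the non-volatile map store; it outlives manager 'reboots'."""
    def __init__(self):
        self.store, self.ids = {}, itertools.count(1)

    def save(self, mid, emap): self.store[mid] = emap.to_json()
    def delete(self, mid): self.store.pop(mid, None)

    def load(self, mid):
        d = json.loads(self.store[mid])
        return EntityMap(d["workers"], d["resources"], {tuple(e) for e in d["edges"]})

    def find(self, section, key):   # ids of stored maps whose section mentions key
        return [m for m, t in self.store.items() if key in json.loads(t)[section]]


class EntityMapManager:
    def __init__(self, repo):
        self.repo, self.live = repo, {}   # live: maps restored in this session

    def _load(self, mid):
        if mid not in self.live:          # restore from the store (e.g. after a reboot)
            self.live[mid] = self.repo.load(mid)
        return self.live[mid]

    def on_access(self, wid, name, path, action):
        # Prefer the stored map that already contains the resource, then the
        # worker's own map; otherwise start a fresh map.
        found = self.repo.find("resources", path) or self.repo.find("workers", wid)
        mid = found[0] if found else next(self.repo.ids)
        emap = self._load(mid) if found else self.live.setdefault(mid, EntityMap())
        for other in self.repo.find("workers", wid):   # merge maps sharing the worker
            if other != mid:
                o = self._load(other)
                emap.workers.update(o.workers); emap.resources.update(o.resources)
                emap.edges |= o.edges; self.repo.delete(other); self.live.pop(other, None)
        # Security flag (modelling choice): the resource was previously touched by a
        # different worker, e.g. one process executes what another process wrote.
        handed_over = any(w != wid for w, _, p in emap.edges if p == path)
        spec = emap.workers.setdefault(wid, {"name": name, "flag": False})
        spec["flag"] = spec["flag"] or handed_over
        emap.resources.setdefault(path, {"flag": False, "instance": 1})
        emap.edges.add((wid, action, path))
        self.repo.save(mid, emap)          # persist the updated map
        return mid

    def on_child_created(self, parent, child, child_name):
        for mid in self.repo.find("workers", parent):
            emap = self._load(mid)
            emap.workers.setdefault(child, {"name": child_name,
                                            "flag": emap.workers[parent]["flag"]})
            for w, _, path in list(emap.edges):
                if w == parent:            # child is tied to what its parent touched
                    emap.edges.add((child, "inherited", path))
            self.repo.save(mid, emap)

    def on_overwrite(self, wid, name, path):
        # New content is a new resource instance: maps that described only the old
        # content are dropped; the writer's map records instance n+1 and flags it.
        old = self.repo.find("resources", path)
        inst = max((self._load(m).resources[path]["instance"] for m in old), default=0)
        for m in set(old) - set(self.repo.find("workers", wid)):
            self.repo.delete(m); self.live.pop(m, None)
        mid = self.on_access(wid, name, path, "write")
        self.live[mid].resources[path] = {"flag": True, "instance": inst + 1}
        self.repo.save(mid, self.live[mid])
        return mid


def demo():
    """Two sessions separated by a reboot; all ids, names and paths are constructed."""
    repo, dropped = MapRepository(), "C:\\Users\\u\\Downloads\\invoice.exe"
    s1 = EntityMapManager(repo)                        # session 1
    mid1 = s1.on_access("s1/100", "browser.exe", dropped, "write")
    s2 = EntityMapManager(repo)                        # session 2, after the reboot
    s2.on_access("s2/200", "taskhost.exe", "C:\\ProgramData\\task.cfg", "read")
    mid2 = s2.on_access("s2/200", "taskhost.exe", dropped, "execute")
    s2.on_child_created("s2/200", "s2/300", "invoice.exe")
    emap = s2.live[mid2]
    return {"same_map": mid1 == mid2, "maps_left": len(repo.store),
            "flagged": emap.workers["s2/200"]["flag"],
            "workers": sorted(w["name"] for w in emap.workers.values())}
```

`demo()` returns the state after the second session: the process that executes the file lands in the same map as the browser that wrote it before the reboot, that process's own map from its earlier config read is merged in (one map left in the store), and the executing worker carries the security flag. `on_overwrite` is the claim 7 and 8 behaviour: the old map of an overwritten resource is dropped and the writer's map records a new, flagged instance.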
Inventors
- 포르타세, 라두-마리안
- 하지마샨, 게오르게 플로린
- 하지마샨, 알렉산드라
Assignees
- 비트데펜더 아이피알 매니지먼트 엘티디
Dates
- Publication Date: 20260507
- Application Date: 20240827
- Priority Date: 20230905
Claims (20)
- A computer system comprising at least one hardware processor configured to execute an entity map manager and a malware detection engine connected to the entity map manager, wherein: the entity map manager is configured to construct entity maps, each specifying a group of interrelated software entities, and is further configured, in response to a reboot of the computer system and in response to an attempt by a worker entity currently executing on the computer system to access a resource entity stored on a non-volatile storage device of the computer system, to selectively retrieve an entity map from a map repository according to whether the entity map includes a specification of the resource entity, and to update the entity map by adding a specification of the worker entity to the entity map, wherein the entity map further includes a specification of another worker entity that executed on the computer system prior to the reboot and a specification of a relationship between the other worker entity and the resource entity; and the malware detection engine is configured to determine whether the computer system contains malicious software according to the updated entity map.
- The computer system of claim 1, wherein the resource entity is selected from a group consisting of computer files and operating system registry keys.
- The computer system of claim 1, wherein the entity map manager is further configured to add a specification of another resource entity to the entity map in response to another attempt by the worker entity to access the other resource entity.
- The computer system of claim 1, wherein the entity map manager is further configured, in response to the attempt by the worker entity to access the resource entity, to: identify another entity map according to whether the other entity map includes the specification of the worker entity; and in response, merge the entity map with the other entity map.
- The computer system of claim 1, wherein the entity map manager is further configured, in response to detecting the creation of a child worker entity by a parent worker entity, to: determine whether the parent worker entity has accessed the resource entity; and in response, if yes, add a specification of the child worker entity and a specification of a relationship between the child worker entity and the resource entity to the entity map.
- The computer system of claim 1, wherein: the specification of the worker entity includes a security flag; the entity map manager is configured to set the security flag in response to the attempt by the worker entity to access the resource entity; and the malware detection engine is configured to select, according to a current value of the security flag, a detection model from a plurality of detection models for determining whether the worker entity is malicious.
- The computer system of claim 1, wherein: the specification of the resource entity includes a security flag; and the entity map manager is configured, in response to an attempt to overwrite the contents of the resource entity, to: set the security flag, selectively retrieve another entity map from the map repository according to whether the other entity map includes the specification of the resource entity, and in response, delete the other entity map.
- The computer system of claim 6, wherein the entity map manager is further configured to add another instance of the resource entity to the entity map in response to the attempt to overwrite the contents of the resource entity.
- The computer system of claim 1, wherein the entity map manager is further configured to store the updated entity map in the map repository.
- The computer system of claim 1, wherein the malware detection engine is configured to determine whether the computer system contains malicious software according to a result of comparing the entity map with a signature map describing a group of malicious interrelated entities.
- The computer system of claim 1, wherein the malware detection engine is configured to determine whether the computer system contains malicious software according to a malware-indicative score that is associated with the entity map and collectively characterizes all members of an entity group identified according to the entity map, the score being determined according to a behavior of at least one member of the entity group.
- A computer security method comprising employing at least one hardware processor of a computer system to execute an entity map manager and a malware detection engine connected to the entity map manager, wherein the entity map manager is configured to construct entity maps, each specifying a group of interrelated software entities; wherein executing the entity map manager comprises, in response to a reboot of the computer system and in response to an attempt by a worker entity currently executing on the computer system to access a resource entity stored on a non-volatile storage device of the computer system, selectively retrieving an entity map from a map repository according to whether the entity map includes a specification of the resource entity, and updating the entity map by adding a specification of the worker entity to the entity map, wherein the entity map further includes a specification of another worker entity that executed on the computer system prior to the reboot and a specification of a relationship between the other worker entity and the resource entity; and wherein executing the malware detection engine comprises determining whether the computer system contains malicious software according to the updated entity map.
- The method of claim 12, wherein the resource entity is selected from a group consisting of computer files and operating system registry keys.
- The method of claim 12, wherein executing the entity map manager further comprises adding a specification of another resource entity to the entity map in response to another attempt by the worker entity to access the other resource entity.
- The method of claim 12, wherein executing the entity map manager further comprises, in response to the attempt by the worker entity to access the resource entity: identifying another entity map according to whether the other entity map includes the specification of the worker entity; and in response, merging the entity map with the other entity map.
- The method of claim 12, wherein executing the entity map manager further comprises, in response to detecting the creation of a child worker entity by a parent worker entity: determining whether the parent worker entity has accessed the resource entity; and in response, if yes, adding a specification of the child worker entity and a specification of a relationship between the child worker entity and the resource entity to the entity map.
- The method of claim 12, wherein: the specification of the worker entity includes a security flag; executing the entity map manager further comprises setting the security flag in response to the attempt by the worker entity to access the resource entity; and executing the malware detection engine further comprises selecting, according to a current value of the security flag, a detection model from a plurality of detection models for determining whether the worker entity is malicious.
- The method of claim 12, wherein: the specification of the resource entity includes a security flag; and executing the entity map manager further comprises, in response to an attempt to overwrite the contents of the resource entity: setting the security flag, selectively retrieving another entity map from the map repository according to whether the other entity map includes the specification of the resource entity, and in response, deleting the other entity map.
- The method of claim 18, wherein executing the entity map manager further comprises adding another instance of the resource entity to the entity map in response to the attempt to overwrite the contents of the resource entity.
- The method of claim 12, wherein executing the entity map manager further comprises storing the updated entity map in the map repository.
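The detection side of claims 6, 10 and 11 (and their method counterparts), as an added example that is not code from the patent. It represents an entity map as a plain dict of worker specifications plus (worker, action, resource) edges, matches it against signature maps written as edge templates, derives one score for the whole group, and switches to a stricter threshold once any worker carries the security flag. The signature maps, weights, thresholds, model names, worker names and paths are constructed for illustration, and the `fnmatch` globbing and the scoring rule are this example's own choices.

```python
from fnmatch import fnmatch

# Constructed signature maps (not from the patent): each is a fragment of a kill
# chain given as edge templates (worker name glob, action, resource glob). Every
# template must be matched by some edge, from any worker and any session.
SIGNATURE_MAPS = [
    {"name": "dropped-then-executed", "weight": 60,
     "edges": [("*", "write", "*.exe"), ("*", "execute", "*.exe")]},
    {"name": "run-key persistence", "weight": 50,
     "edges": [("*", "write", "HKCU\\*\\Run\\*")]},
]
# Two "detection models" (claim 6 analogue): a stricter score threshold applies
# once any worker in the group carries the security flag. Values are illustrative.
DETECTION_MODELS = {"default": 100, "handed-over": 80}


def edge_matches(emap, template):
    """True if any edge in the map fits the (name glob, action, path glob) template."""
    name_glob, action, path_glob = template
    return any(fnmatch(emap["workers"][w]["name"], name_glob) and a == action
               and fnmatch(p, path_glob) for w, a, p in emap["edges"])


def match_signatures(emap):
    """Signature maps wholly contained in the entity map (claim 10)."""
    return [s["name"] for s in SIGNATURE_MAPS
            if all(edge_matches(emap, t) for t in s["edges"])]


def group_score(emap):
    """One score for the whole group (claim 11): sum of matched signature weights."""
    hits = set(match_signatures(emap))
    return sum(s["weight"] for s in SIGNATURE_MAPS if s["name"] in hits)


def select_model(emap):
    return "handed-over" if any(w["flag"] for w in emap["workers"].values()) else "default"


def verdict(emap):
    model, score = select_model(emap), group_score(emap)
    return {"model": model, "score": score, "signatures": match_signatures(emap),
            "malicious": score >= DETECTION_MODELS[model]}


def per_worker_scores(emap):
    """Score each worker on its own edges only, i.e. without the group context."""
    return {spec["name"]: group_score({"workers": {wid: spec},
                                       "edges": {e for e in emap["edges"] if e[0] == wid}})
            for wid, spec in emap["workers"].items()}


# Constructed entity maps. SESSION1_MAP is all a single session sees: a browser
# saved an executable. RESTORED_MAP is the same map after a reboot, extended with
# the executable being run by another worker and a Run key written by its child.
DROPPED = "C:\\Users\\u\\Downloads\\invoice.exe"
SESSION1_MAP = {
    "workers": {"s1/100": {"name": "browser.exe", "flag": False}},
    "edges": {("s1/100", "write", DROPPED)},
}
RESTORED_MAP = {
    "workers": {"s1/100": {"name": "browser.exe", "flag": False},
                "s2/200": {"name": "taskhost.exe", "flag": True},
                "s2/300": {"name": "invoice.exe", "flag": True}},
    "edges": {("s1/100", "write", DROPPED), ("s2/200", "execute", DROPPED),
              ("s2/300", "write", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd")},
}
```

`verdict(SESSION1_MAP)` scores 0: a browser saving an executable completes no signature. `verdict(RESTORED_MAP)` scores 110 under the `handed-over` model and is judged malicious, while `per_worker_scores(RESTORED_MAP)` gives 0, 0 and 50 for the three workers taken alone, which is why the score is attached to the group rather than to any one member. Weights and thresholds here are placeholders; `fnmatch` is case-insensitive on Windows and case-sensitive elsewhere, so normalise paths before matching in real use.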
Description
System and method for responding to persistent malware

The present invention relates to computer security, and in particular to detecting malicious software and intrusions.

Malicious software, also known as malware, affects a large number of computer systems worldwide. Malware takes many forms, such as computer viruses, worms, rootkits, unwanted adware, ransomware, and spyware, posing a serious threat to millions of computer users and, above all, making them vulnerable to extortion, loss of data and sensitive information, identity theft, and loss of productivity. Malware can also display additional content that some users consider obscene, excessively violent, harassing, or otherwise offensive. The explosive growth of mobile computing has only exacerbated exposure and the associated risks, as millions of devices, such as smartphones and tablet computers, remain constantly connected to the internet and become potential targets for malware.

Security software can be used to detect malware that infects a user's computer system and, furthermore, to remove or prevent the execution of such malware. Several malware detection techniques are known in the industry. Some rely on matching code snippets of malware agents against libraries of malware-indicative signatures. Other conventional methods detect malware-indicative behaviors, such as specific sequences of actions performed by malware agents. Modern methods analyze software behavior for malware detection using artificial intelligence (AI) technologies, such as various types of artificial neural networks. However, some advanced malware succeeds in evading detection.

One detection evasion strategy splits malicious activity among multiple software agents, each agent performing a distinct set of behaviors that do not appear particularly malicious when isolated from the behavior of the other agents. An exemplary method for responding to such threats is described in U.S. Patent No. 10,706,151 B2, by G. Hajmasan et al., titled "Systems and Methods for Tracking Malicious Behavior Across Multiple Software Entities," which proposes grouping together entities associated by filiation and/or code injection relationships so that the behaviors of individual group members can be attributed to the group as a whole.

More sophisticated malware attacks can occur in stages, and some of the actions that make up a malicious chain can be separated by relatively long periods, such as weeks or even months. In one such example, an unsuspecting user might follow a link included in an email message and download a file containing malicious code. The malicious code may remain dormant on the user's computer until it is invoked by some other software agent and/or remotely activated by a malicious command-and-control server.

The aforementioned embodiments and advantages of the present invention will be better understood by reading the following detailed description and referring to the following drawings:

- FIG. 1 shows a plurality of client devices protected from malware according to some embodiments of the present invention.
- FIG. 2 shows exemplary software executed on a client device according to some embodiments of the present invention.
- FIG. 3 shows exemplary components of a computer security module according to some embodiments of the present invention.
- FIG. 4 shows a general, exemplary entity map interconnecting worker entities and resource entities according to some embodiments of the present invention.
- FIG. 5a shows an exemplary realistic entity map according to some embodiments of the present invention.
- FIG. 5b shows another exemplary entity map according to some embodiments of the present invention.
- FIG. 6 shows an exemplary computer-readable encoding of an entity map according to some embodiments of the present invention.
- FIG. 7 shows an exemplary sequence of steps performed by an entity map manager module according to some embodiments of the present invention.
- FIG. 8 shows another exemplary sequence of steps performed by an entity map manager according to some embodiments of the present invention.
- FIG. 9 shows another exemplary sequence of steps performed by an entity map manager according to some embodiments of the present invention.
- FIG. 10 shows another exemplary sequence of steps performed by an entity map manager according to some embodiments of the present invention.
- FIG. 11 shows an exemplary merging of two entity maps according to some embodiments of the present invention.
- FIG. 12 shows another exemplary sequence of steps performed by an entity map manager according to some embodiments of the present invention.
- FIG. 13 shows an exemplary entity map signature match according to some embodiments of the present invention.
- FIG. 14 shows an exemplary computer-readable encoding of a map signature according to some embodiments of the present invention.
- FIG. 15 shows an exemplary sequence of steps performed by an entity map manager to verify a map signature match according to some embodiments of the present i