
KR-20260064694-A - System and method for responding to persistent malware


Abstract

Some embodiments construct an entity map describing a group of interrelated entities and determine whether a computing device contains malware based on that entity map. The entity map includes worker entities (e.g., processes) and the resource entities (e.g., files) accessed by each worker entity. Some entity maps are persisted and restored after a reboot, enabling the complete kill chain to be reconstructed even when malicious activities are distributed among multiple entities and across multiple computing sessions. Some embodiments detect an infection by comparing the current entity map with a signature map describing at least a fragment of a known attack.

Inventors

  • Portase, Radu-Marian
  • Hajmasan, Gheorghe Florin
  • Hajmasan, Alexandra

Assignees

  • Bitdefender IPR Management Ltd

Dates

Publication Date
20260507
Application Date
20240827
Priority Date
20230905

Claims (20)

  1. A computer system comprising at least one hardware processor configured to execute an entity map manager and a malware detection engine connected to the entity map manager, wherein the entity map manager is configured to: construct an entity map specifying a group of interrelated software entities, the entity map including a specification of a worker entity currently executing on the computer system, a specification of a resource entity stored on a non-volatile storage device of the computer system, and a specification of a relationship between the worker entity and the resource entity; in response to constructing the entity map, select a signature from a predetermined set of security signatures, the selected signature identifying a malicious group of interrelated software entities and including a specification of another worker entity, a specification of another resource entity, and a specification of another relationship between the other worker entity and the other resource entity; determine whether the selected signature matches the entity map; and, in response to determining that the selected signature matches the entity map, update the entity map by setting a security flag of the entity map; and wherein the malware detection engine is configured to determine whether the computer system contains malicious software according to the updated entity map.
  2. The computer system of claim 1, wherein determining whether the selected signature matches the entity map comprises: determining whether the worker entity matches the other worker entity; determining whether the resource entity matches the other resource entity; and determining whether the relationship between the worker entity and the resource entity matches the other relationship between the other worker entity and the other resource entity.
  3. The computer system of claim 2, wherein the specification of the worker entity comprises a set of attribute values characterizing the worker entity, the specification of the other worker entity comprises a predicate, and determining whether the worker entity matches the other worker entity comprises evaluating the predicate according to the set of attribute values.
  4. The computer system of claim 1, wherein the malware detection engine is configured to: determine a score increment according to a current value of the security flag; in response to determining that the worker entity has performed a predetermined action, modify a malware-indicative score associated with the worker entity by the score increment; and determine whether the computer system contains malware according to the modified score.
  5. The computer system of claim 1, wherein the malware detection engine is configured to select, according to a current value of the security flag, a detection model from a plurality of available detection models for determining whether the computer system contains malware.
  6. The computer system of claim 1, wherein the selected signature further comprises a specification of an action to be performed by the entity map manager in response to determining that the selected signature matches the entity map.
  7. The computer system of claim 6, wherein the action comprises storing the entity map in a map store persisted on a non-volatile computer-readable medium.
  8. The computer system of claim 1, wherein the entity map further comprises a specification of a terminated worker entity related to the worker entity or to the resource entity, the terminated worker entity having executed on the computer system in a previous computing session separated from the current computing session by a reboot event.
  9. The computer system of claim 1, wherein the resource entity is selected from a group consisting of computer files and operating system registry keys.
  10. The computer system of claim 1, wherein constructing the entity map comprises adding a specification of another resource entity to the entity map in response to an attempt by the worker entity to access that other resource entity.
  11. An anti-malware method comprising employing at least one hardware processor of a computer system to: construct an entity map specifying a group of interrelated software entities, the entity map including a specification of a worker entity currently executing on the computer system, a specification of a resource entity stored on a non-volatile storage device of the computer system, and a specification of a relationship between the worker entity and the resource entity; in response to constructing the entity map, select a signature from a predetermined set of security signatures, the selected signature identifying a malicious group of interrelated software entities and including a specification of another worker entity, a specification of another resource entity, and a specification of another relationship between the other worker entity and the other resource entity; determine whether the selected signature matches the entity map; in response to determining that the selected signature matches the entity map, update the entity map by setting a security flag of the entity map; and determine whether the computer system contains malicious software according to the updated entity map.
  12. The method of claim 11, wherein determining whether the selected signature matches the entity map comprises: determining whether the worker entity matches the other worker entity; determining whether the resource entity matches the other resource entity; and determining whether the relationship between the worker entity and the resource entity matches the other relationship between the other worker entity and the other resource entity.
  13. The method of claim 12, wherein the specification of the worker entity comprises a set of attribute values characterizing the worker entity, the specification of the other worker entity comprises a predicate, and determining whether the worker entity matches the other worker entity comprises evaluating the predicate according to the set of attribute values.
  14. The method of claim 11, further comprising, in response to updating the entity map: determining a score increment according to a current value of the security flag; in response to determining that the worker entity has performed a predetermined action, modifying a malware-indicative score associated with the worker entity by the score increment; and determining whether the computer system contains malware according to the modified score.
  15. The method of claim 11, further comprising, in response to updating the entity map, selecting, according to a current value of the security flag, a detection model from a plurality of available detection models for determining whether the computer system contains malware.
  16. The method of claim 11, wherein the selected signature further comprises a specification of an action to be performed in response to determining that the selected signature matches the entity map.
  17. The method of claim 16, wherein the action comprises storing the entity map in a map store persisted on a non-volatile computer-readable medium.
  18. The method of claim 11, wherein the entity map further comprises a specification of a terminated worker entity related to the worker entity or to the resource entity, the terminated worker entity having executed on the computer system in a previous computing session separated from the current computing session by a reboot event.
  19. The method of claim 11, wherein the resource entity is selected from a group consisting of computer files and operating system registry keys.
  20. The method of claim 11, wherein constructing the entity map comprises adding a specification of another resource entity to the entity map in response to an attempt by the worker entity to access that other resource entity.
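The claims above describe the mechanism abstractly; the following is an added Python illustration (not code from the patent or from Bitdefender) of an entity map built from constructed process/resource events, persisted across a simulated reboot, matched against a hypothetical signature fragment, and scored with a flag-dependent increment. The event tuples, the signature predicates, the score multiplier and the threshold are all assumptions made for this example.

```python
import json

# Constructed sample events (worker, relation, resource); format and signature are assumptions.
SESSION_1 = [("outlook.exe", "created", "C:/dl/invoice.js"), ("wscript.exe", "read", "C:/dl/invoice.js")]
SESSION_2 = [("wscript.exe", "wrote", "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/upd")]
class EntityMap:
    def __init__(self):
        self.workers, self.relations, self.security_flag = {}, set(), False
    def observe(self, worker, relation, resource, live=True):
        # a worker seen in the current session is live; restored workers are marked terminated
        self.workers.setdefault(worker, {"name": worker})["terminated"] = not live
        self.relations.add((worker, relation, resource))
    def save(self):  # persisted to non-volatile storage at the end of a session
        return json.dumps({"relations": sorted(self.relations), "flag": self.security_flag})
    @classmethod
    def restore(cls, blob):  # after a reboot, old workers survive only as terminated entities
        m, data = cls(), json.loads(blob)
        for w, rel, res in data["relations"]:
            m.observe(w, rel, res, live=False)
        m.security_flag = data["flag"]
        return m

# Signature fragment: predicate over worker attributes, a relation type, predicate over resource.
SIGNATURES = [{"name": "script-writes-run-key",
               "worker": lambda a: a["name"].endswith("script.exe"),
               "relation": "wrote",
               "resource": lambda r: "/CurrentVersion/Run/" in r}]

def match_signatures(emap):  # sets the map's security flag on a match and returns the signature name
    for sig in SIGNATURES:
        for w, rel, res in emap.relations:
            if rel == sig["relation"] and sig["worker"](emap.workers[w]) and sig["resource"](res):
                emap.security_flag = True
                return sig["name"]
    return None

def score_action(emap, scores, worker, base=1):  # the increment depends on the current flag value
    scores[worker] = scores.get(worker, 0) + (base * 10 if emap.security_flag else base)
    return scores[worker]

def run(threshold=10):
    m, scores = EntityMap(), {}
    for e in SESSION_1: m.observe(*e)
    first = match_signatures(m)         # download plus read: no fragment matches yet
    m = EntityMap.restore(m.save())     # the map survives the reboot between sessions
    for e in SESSION_2: m.observe(*e)
    second = match_signatures(m)        # run-key write by a script host completes the fragment
    score = score_action(m, scores, "wscript.exe")
    return {"first": first, "second": second, "score": score, "malware": score >= threshold,
            "terminated": sorted(w for w, a in m.workers.items() if a["terminated"])}
```

Without the persisted map, the second session would see only a single registry write with no history of where the script came from; the restored terminated worker keeps the earlier link in the chain available to the matcher.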

Description

System and method for responding to persistent malware

Cross-Reference to Related Applications

This application is a continuation of United States Patent Application No. 18/461,134, filed on September 5, 2023 and titled "Systems and Methods for Countering Persistent Malware", the entire contents of which are incorporated herein by reference.

The present invention relates to computer security, and in particular to detecting malicious software and intrusions.

Malicious software, also known as malware, affects a large number of computer systems worldwide. Malware takes many forms, such as computer viruses, worms, rootkits, unwanted adware, ransomware, and spyware, and poses a serious threat to millions of computer users, exposing them, among other things, to extortion, loss of data and sensitive information, identity theft, and loss of productivity. Malware can also display content that some users consider obscene, excessively violent, harassing, or otherwise offensive. The explosive growth of mobile computing has only exacerbated this exposure and its associated risks, as millions of devices such as smartphones and tablet computers remain constantly connected to the internet and so become potential targets for malware.

Security software can be used to detect malware infecting a user's computer system and, furthermore, to remove it or prevent it from executing. Several malware detection techniques are known in the industry. Some rely on matching code snippets of malware agents against libraries of malware-indicative signatures. Other conventional methods detect malware-indicative behaviors, such as specific sequences of actions performed by malware agents. Modern methods analyze software behavior for malware detection using artificial intelligence (AI) techniques, such as various types of artificial neural networks. However, some advanced malware succeeds in evading detection.

One detection evasion strategy splits malicious activity among multiple software agents, each performing a distinct set of behaviors that do not appear particularly malicious when isolated from the behavior of the other agents. An exemplary method for responding to such threats is described in U.S. Patent No. 10,706,151 B2 by G. Hajmasan et al., titled "Systems and Methods for Tracking Malicious Behavior Across Multiple Software Entities", which proposes grouping entities related by filiation and/or code injection so that the behaviors of individual group members can be attributed to the group as a whole. More sophisticated malware attacks can occur in stages, and some of the actions that make up a malicious chain can be separated by relatively long periods, such as weeks or even months. In one such example, an unsuspecting user might follow a link in an email message and download a file containing malicious code. The malicious code may remain dormant on the user's computer until it is invoked by some other software agent and/or remotely activated by a malicious command-and-control server.

The aforementioned embodiments and advantages of the present invention will be better understood by reading the following detailed description and referring to the following drawings:

  • FIG. 1 shows a plurality of client devices protected from malware according to some embodiments of the present invention.
  • FIG. 2 shows exemplary software executed on a client device according to some embodiments of the present invention.
  • FIG. 3 shows exemplary components of a computer security module according to some embodiments of the present invention.
  • FIG. 4 shows a general, exemplary entity map interconnecting worker entities and resource entities according to some embodiments of the present invention.
  • FIG. 5a shows an exemplary realistic entity map according to some embodiments of the present invention.
  • FIG. 5b shows another exemplary entity map according to some embodiments of the present invention.
  • FIG. 6 shows an exemplary computer-readable encoding of an entity map according to some embodiments of the present invention.
  • FIG. 7 shows an exemplary sequence of steps performed by an entity map manager module according to some embodiments of the present invention.
  • FIG. 8 shows another exemplary sequence of steps performed by an entity map manager according to some embodiments of the present invention.
  • FIG. 9 shows another exemplary sequence of steps performed by an entity map manager according to some embodiments of the present invention.
  • FIG. 10 shows another exemplary sequence of steps performed by an entity map manager according to some embodiments of the present invention.
  • FIG. 11 shows an exemplary merging of two entity maps according to some embodiments of the present invention.
  • FIG. 12 shows another exemplary sequence of steps performed by an entity map manager according to some embodiments of the present invention.
  • FIG. 13 shows an exemplary entity map signature match according to some embodiments of the present invention.
F