Detecting malicious software by analyzing patterns of system calls generated during emulation


One embodiment of the present invention provides a system for determining whether software is likely to exhibit malicious behavior by analyzing patterns of system calls made during emulation of the software. The system operates by emulating the software within an insulated environment in a computer system so that the computer system is insulated from malicious actions of the software. During the emulation process, the system records a pattern of system calls directed to an operating system of the computer system. The system compares the pattern of system calls against a database containing suspect patterns of system calls. Based upon this comparison, the system determines whether the software is likely to exhibit malicious behavior. In one embodiment of the present invention, if the software is determined to be likely to exhibit malicious behavior, the system reports this fact to a user of the computer system. In one embodiment of the present invention, the process of comparing the pattern of system calls is performed on-the-fly as the emulation generates system calls.
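As an added illustration (not from the patent or any product it describes), the following Python sketch shows the on-the-fly variant: each system call is fed to a matcher as the emulator emits it and compared against a database of suspect call sequences, with a detection reported the moment a sequence completes. The pattern names, the sequences and the sample traces are constructed; the matcher treats each suspect pattern as a contiguous run of calls.

```python
# Constructed suspect-pattern database (hypothetical names and sequences);
# the patent does not specify the database contents.
SUSPECT_PATTERNS = {
    "overwrite-executable": ("NtOpenFile", "NtWriteFile", "NtClose"),
    "spawn-and-wait": ("NtCreateProcess", "NtWaitForSingleObject"),
}


class SyscallPatternMonitor:
    """Streaming matcher: feed one system call at a time as the emulator emits it."""

    def __init__(self, patterns):
        self.patterns = {name: tuple(seq) for name, seq in patterns.items()}
        # Per pattern, the set of partial-match states: index of the next expected call.
        self.states = {name: set() for name in self.patterns}
        self.position = 0  # index of the next call in the emulated trace
        self.detections = []  # (pattern name, position where it completed)

    def feed(self, call):
        """Consume one system call; return the patterns that complete on it."""
        hits = []
        for name, seq in self.patterns.items():
            next_states = set()
            # Advance every partial match, and try to start a new one at element 0.
            for idx in self.states[name] | {0}:
                if seq[idx] != call:
                    continue  # contiguous match broken (or not started)
                if idx + 1 == len(seq):
                    hits.append((name, self.position))
                else:
                    next_states.add(idx + 1)
            self.states[name] = next_states
        self.position += 1
        self.detections.extend(hits)
        return hits


def analyze_trace(trace, patterns=SUSPECT_PATTERNS):
    """Replay a recorded trace through the monitor and return all detections."""
    monitor = SyscallPatternMonitor(patterns)
    for call in trace:
        monitor.feed(call)
    return monitor.detections


def is_likely_malicious(trace, patterns=SUSPECT_PATTERNS):
    return bool(analyze_trace(trace, patterns))


# Constructed sample traces standing in for the emulator's recorded call stream.
SUSPECT_TRACE = ("NtOpenFile", "NtReadFile", "NtClose", "NtOpenFile", "NtWriteFile",
                 "NtClose", "NtCreateProcess", "NtWaitForSingleObject")
BENIGN_TRACE = ("NtOpenFile", "NtReadFile", "NtClose")
```

In a real deployment the emulator's hook would call `feed()` per intercepted call rather than replaying a finished trace, so the emulation can be stopped as soon as the first hit is returned.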
