Detecting malicious code based on deviations in executable image import resolutions and load patterns
US10061924B1 · kind B1 · utility
Assignee
Inventor
Key dates
| Filing date | Dec 31, 2015 |
| Grant date | Aug 28, 2018 |
| Priority date | — |
| Expiry date | Apr 16, 2036 |
Classification
- Technology area (CPC G)Physics
- CPC primaryG06F2221/033
- WIPO fieldComputer technology
- WIPO sectorElectrical engineering
Abstract
Trusted executable images are run in a controlled environment, such as a dynamic malware analysis platform. For each trusted executable image, a corresponding baseline import-load signature is generated. This can be done by applying a cryptographic hash function to the specific instructions which resolve imports and/or load libraries, and their operands. Sample programs are run in the controlled environment and tested for maliciousness. Any executable image run by a given sample program in the controlled environment is identified, and an import-load signature of the executable image when run by the sample program is generated. The import-load signature of the executable image when run by the sample program is compared to the corresponding stored baseline import-load signature for the same executable image. The sample program is adjudicated as being benign or malicious based on at least the results of the comparison.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.