System and method for runtime detection, analysis and signature determination of obfuscated malicious code
US11822654B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Filing date | Apr 20, 2018 |
| Grant date | Nov 21, 2023 |
| Priority date | — |
| Expiry date | Sep 12, 2038 |
Classification
- Technology area (CPC G): Physics
- CPC primary: G06F2221/2125
- WIPO field: Computer technology
- WIPO sector: Electrical engineering
Abstract
Embodiments described herein enable the detection, analysis and signature determination of obfuscated malicious code. Such malicious code comprises a deobfuscation portion that deobfuscates the obfuscated portion during runtime to generate deobfuscated malicious code. The techniques described herein deterministically detect and suspend the deobfuscated malicious code when it attempts to access memory resources that have been morphed in accordance with embodiments described herein. This advantageously enables the deobfuscated malicious code to be suspended at its initial phase. By doing so, the malicious code is not given the opportunity to delete its traces in memory regions it accesses, thereby enabling the automated exploration of such memory regions to locate and extract runtime memory characteristics associated with the malicious code. Such characteristics may be analyzed to automatically determine indicators of compromise, which can be used as signatures of the malicious code for subsequent runtime detection of malicious code.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.