I 1111111111111111 11111 111111111111111 1111111111 1111111111 1111111111 11111111
`US009117078Bl
`
`c12) United States Patent
`Chien et al.
`
`(10) Patent No.:
`(45) Date of Patent:
`
`US 9,117,078 Bl
`Aug. 25, 2015
`
`(54) MALWARE BEHAVIOR ANALYSIS AND
`POLICY CREATION
`
`(75)
`
`Inventors: Hao-Liang Chien, Pingtung County
`(TW); Ming-Chang Shih, Taipei (TW);
`Ya-Hsuan Tsai, Taipei (TW)
`
`(73) Assignee: Trend Micro Inc., Tokyo (JP)
`
`( *) Notice:
`
`Subject to any disclaimer, the term ofthis
`patent is extended or adjusted under 35
`U.S.C. 154(b) by 1460 days.
`
`(21) Appl. No.: 12/212,378
`
`(22) Filed:
`
`Sep.17,2008
`
`(2013.01)
`
`(51)
`
`(52)
`
`Int. Cl.
`G06F 21156
`U.S. Cl.
`CPC .................................... G06F 211566 (2013.01)
`( 58) Field of Classification Search
`None
`See application file for complete search history.
`
`Portokalidis et al., Argos: an Emulator for Fingerprinting Zero-Day
`Attacks for Advertised Honeypots with Automatic Signature Gen(cid:173)
`eration, ACM, 2006.*
`Rieck et al., Learning and Classification of Malware Behavior,
`Springer-Verlag, Jul. 2008.*
`Willems et al. Toward Automated Dynamic Mal ware Analysis Using
`CWSandbox, IEEE, Apr. 2007. *
`Sanabria et al., Malware Analysis: Environment Design and Archi(cid:173)
`tecture, SANS Institute, 2007. *
`White et al., Anatomy of a Commercial-Grade Immune System,
`IBM, 1999.*
`Mell et al., Guide to Malware Incident Prevention and Handling,
`NIST, 2005.*
`Sanabria et al., Malware Analysis: Environment Design and
`Archtecture, SANS Institute, 2007. *
`
`* cited by examiner
`
`Primary Examiner - Minh Dinh
`(74) Attorney, Agent, or Firm - Beyer Law Group LLP
`
`ABSTRACT
`(57)
`Creating a policy to be used by a malware prevention system
`uses multiple events triggered by malware. A sample of mali(cid:173)
`cious computer code or malware is executed in a computer
`system having a kernel space and a user space. Event data
`relating to multiple events caused by the malicious code
`executing on the computer system are captured and stored.
`The event data is configured using a specific property that
`facilitates malware behavior analysis. A behavior list is then
`created utilizing the multiple events and associated event
`data. The behavior list, together with data in a malware behav(cid:173)
`ior database, is used to derive a policy for use in a malware
`prevention system. The computer system is free of any mali(cid:173)
`cious code, including viruses, Trojan horses, or any other
`unwanted software code. The malicious computer code
`executes without any constraints so that the execution behav(cid:173)
`ior of the malicious code may be observed and captured.
`Critical events are selected based on the user's expertise and
`experience in dealing with malware and a sequential stream
`including the event as the events occur is created.
`
`(56)
`
`References Cited
`
`U.S. PATENT DOCUMENTS
`
`5,440,723 A *
`6,973,577 Bl *
`7,603,715 B2 *
`7,620,992 B2 *
`7,725,937 Bl*
`7,854,004 B2 *
`7,877,802 B2 *
`8,201,244 B2 *
`8,375,444 B2 *
`8,434,151 Bl*
`2003/0135791 Al*
`2008/0016570 Al *
`2010/0031353 Al*
`
`8/1995 Arnold et al. ..................... 714/2
`12/2005 Kouznetsov .................... 726/25
`10/2009 Costa et al ...................... 726/25
`11/2009 Monastyrsky et al.
`......... 726/24
`5/2010 Levy ............................... 726/23
`12/2010 vanderMade ................. 726/23
`1/2011 Marinescu ...................... 726/22
`6/2012 Sun et al. ........................ 726/22
`2/2013 Aziz et al ........................ 726/23
`4/2013 Franklin ......................... 726/24
`7/2003 Natvig ............................ 714/38
`1/2008 Capalik ........................... 726/23
`2/2010 Thomas et al.
`................. 726/22
`
`OTHER PUBLICATIONS
`
`Bayer et al., TTAnalyze: A Tool for Analyzing Malware, 2006.*
`
`18 Claims, 10 Drawing Sheets
`
`212
`
`Computer System
`/ 2 0 0
`
`Matware Behavior
`Database
`System Beha,ior ~ - - - - - , - -~
`Analyzer
`210
`
`312
`
`Stream Policy
`List
`
`Analyzing Man ager
`
`310
`
`Analysis
`Module
`
`Fi lier Manager
`
`Policy
`Creation
`
`2D6
`
`Eve11t
`Manager
`
`,-204
`User Space
`- -~ - - - - - - - - - - - -
`Kernel Space
`\... 202
`
`Activity
`Monitor
`
`Palo Alto Networks - Exhibit 1006
`Palo Alto Networks v. Taasera - IPR2023-00704
`Page 1 of 17
`
`

`

`U.S. Patent
`
`Aug. 25, 2015
`
`Sheet 1 of 10
`
`US 9,117,078 Bl
`
`BEGIN
`
`Capture Malware Behavior on PC
`(multiple single events)
`
`Create Behavior List based on
`Critical Events
`
`Derive Policy from Behavior List
`
`102
`
`104
`
`106
`
`FIG. 1
`
`Palo Alto Networks - Exhibit 1006
`Palo Alto Networks v. Taasera - IPR2023-00704
`Page 2 of 17
`
`

`

`U.S. Patent
`
`Aug. 25, 2015
`
`Sheet 2 of 10
`
`US 9,117,078 Bl
`
`,.-212
`
`Malware Behavior
`Database
`
`,..--210
`
`System Behavior
`Analyzer
`
`,..-214
`
`Malware Detection
`System
`
`,-204
`User Space
`------------------------
`Kernel Space
`\..... 202
`
`,.-208
`
`,,-206
`
`Activity Monitor
`
`Event Manager
`
`~ Computer System
`
`("Clean PC")
`
`FIG. 2
`
`Palo Alto Networks - Exhibit 1006
`Palo Alto Networks v. Taasera - IPR2023-00704
`Page 3 of 17
`
`

`

`System Behavior
`Analyzer
`210~
`
`212
`
`Malware Behavior
`Database
`
`Computer System
`200
`
`/
`
`I Analyzing Manager r
`
`-306
`
`,,- 310
`
`Stream Pol icy
`~ List
`
`,,.-302
`
`Capture
`
`304
`'--"
`-
`
`Analysis
`Module
`
`Policy
`Creation
`
`,...._ -
`
`-
`
`308
`
`Event Receiver
`h
`
`303
`
`I Filter Manager
`
`- - - - - - - - - - - - - - - - - - - - - - - -
`,-208
`,,.- 206
`
`204
`
`Event
`ManagBf
`
`Activity
`Monitor
`
`FIG. 3
`
`~
`00
`•
`~
`~
`~
`
`~ = ~
`
`~
`~
`N
`'"Ul
`N
`
`0 ....
`
`Ul
`
`('D
`('D
`
`~
`
`rJJ =(cid:173)
`.....
`0 ....
`....
`
`0
`
`d r.,;_
`_."-0
`"'""'
`"'""'
`_.--..l = --..l
`00 = "'""'
`
`Palo Alto Networks - Exhibit 1006
`Palo Alto Networks v. Taasera - IPR2023-00704
`Page 4 of 17
`
`

`

`U.S. Patent
`
`Aug. 25, 2015
`
`Sheet 4 of 10
`
`US 9,117,078 Bl
`
`Event Structure
`402
`
`I Su~ecl I performs
`
`404
`
`Operation
`
`on
`
`406
`I Obfect I FIG. 4
`
`Display Dialog
`Box
`(if needed)
`
`814
`
`Select events
`Create
`Behavior List
`
`816
`
`Create Policy
`based on List
`
`818
`
`END
`
`BEGIN
`
`Display Event
`Capture Window
`
`Initiate System
`Event Capture
`
`Stop System
`Event Capture
`
`Display Events
`Sequentially
`
`802
`
`804
`
`806
`
`808
`
`Detect Event
`Selection
`
`810
`
`Detect Option Selection (e.g.
`11Follow Process Stream")
`
`812
`
`FIG. 8
`
`Palo Alto Networks - Exhibit 1006
`Palo Alto Networks v. Taasera - IPR2023-00704
`Page 5 of 17
`
`

`

`504
`
`506
`
`-Flle Edit Capture Analysis ExtractPolicy
`~E:,liilk§~I~ ¢1 c:¢>~~~
`Filter I
`, .. ~pression ... .Qlear
`No. ! Time.
`I
`Event Info
`lmageName
`
`I Proc ID
`
`,5pply
`
`Event Monitor
`- Event Capture
`27
`Total
`0
`FilelO
`0
`Process
`API
`9
`0
`Registry
`12
`DAC
`
`% of totaf
`
`1-l"lx!
`
`0.0%
`0.0%
`33.3%
`0.0%
`44.4%
`
`502
`,..__,,
`
`Running 00;00:09
`
`506
`~
`
`FIG. 5
`
`I
`
`Qru2]
`
`~
`00
`•
`~
`~
`~
`
`~ = ~
`
`~
`~
`N
`... ui
`N
`
`0 ....
`
`Ul
`
`('D
`('D
`
`rJJ =(cid:173)
`.....
`Ul
`0 ....
`....
`
`0
`
`d r.,;_
`
`,..'-0
`"'""'
`"'""'
`,..---l = --.,l
`00 = "'""'
`
`Palo Alto Networks - Exhibit 1006
`Palo Alto Networks v. Taasera - IPR2023-00704
`Page 6 of 17
`
`

`

`604
`
`Fire Edit Capture Analysis ExtractPolicy
`l~e,~x§~1~ ¢:i ~ ~ ~ ~
`I ... Expression ... Clear Apply
`Filter!
`I Proc ID I lmageName
`No. I Time.
`j
`Event Info
`1
`1925
`0.00000
`Explorer
`1324
`0.12001
`Msnmsgr
`2
`0.33657
`1925
`3
`Explorer
`1324
`4
`0.99102
`Msnmsgr
`1925
`5
`1.22456
`Explorer
`1925
`2.44512
`6
`Explorer
`test
`7
`1100
`2.97442
`8
`1100
`3.80011
`test
`
`Create File C:\Program FJles\Debuggings Tools forWindows\windbg.eid
`Write Registry Key H KLM\System\Curreri!Ccnl.rofSet\Services\T q:iip\Para
`Call API ZwCreateThread
`Create File C:\Deocuments and Settings\aawen shr\PattemGenera1or
`Create Process C:\Program Files\Debugg ing Tools for Windows\wind bg.
`Call API ZwMapVirtualMer!IDfY
`Write Registry ~ 8i<LMµ;CJN.iareWlcrosoft\Wlnd~ Nl)C\.m'ent
`Create File c:,Program Files\Debugging Tools for Windows\windbg.exe
`
`600 .
`
`Registry Event
`B Subject Process
`Subjed Process ID: 1100
`Subjeci Process Image Path : C:\windows\test.exe
`B Obied Registry
`Regfslry Key: HKLMSoftware,M icrosoft\Windows Nncu rrentVersion\Windows
`Registry Key Value : Applnit_DLLs
`Operation : Write
`
`Event List Pane
`
`FIG. 6
`
`Event Detail Pane
`
`I
`
`602
`
`~
`00
`•
`~
`~
`~
`
`~ = ~
`
`1-IEil@
`
`~
`~
`N
`'"Ul
`N
`
`0 ....
`
`Ul
`
`('D
`('D
`
`rJJ =(cid:173)
`.....
`O'I
`0 ....
`....
`
`0
`
`d r.,;_
`_."-0
`"'""'
`"'""'
`_.--..l = --..l
`00 = "'""'
`
`Palo Alto Networks - Exhibit 1006
`Palo Alto Networks v. Taasera - IPR2023-00704
`Page 7 of 17
`
`

`

`~
`00
`•
`~
`~
`~
`
`~ = ~
`
`~
`~
`N
`'"Ul
`N
`
`0 ....
`
`Ul
`
`('D
`('D
`
`rJ'1 =(cid:173)
`.....
`-....J
`0 ....
`....
`
`0
`
`702
`
`Explorer
`Explorer
`Explorer
`Explorer
`
`Create Flle C:\Program Files,Debuggings Tools for Windows\windbg.ext
`Call API ZwCreateThread
`Create Process C:\Prog ram f jles\Oebugging Tools for Windows\windbg.
`Call API ZwMapVirtualMemory
`
`08
`
`11
`
`}Follow Process Stream
`
`~
`
`.., ,
`0.00000
`0.33657
`1.22456
`2.44512
`
`1925
`1925
`1925
`1925
`
`1
`3
`5
`6
`
`1
`2
`3
`4
`5
`6
`7
`8
`
`0.00000
`0.12001
`0.33657
`0.99102
`1.22456
`·2:44512.
`2.97442
`3.80011
`
`1925
`1324
`1925
`1324
`1925
`1925
`1100
`1100
`
`Explorer
`Msnmsgr
`Explorer
`Msnmsgr
`Explorer
`Explorer.
`test
`test
`
`Create File c:,Program Files\Debuggings Tools for Windows\windbg.exl:
`Write Regl:Stry Key HKLM\System\CurrentControlSet\Services\ T cpip\Para
`Call APl ZwCreateThread
`Create File C:\Deocuments and Settings\aawen shr\PatternGenerator
`Create Process C:\Program Files\Debugging Tools for Windows\windbg.
`Write--~~.. KevHKlM\Soiwai-e\M~osbft\Windciws :Ni\current
`y
`Market Event
`Time Reference
`
`.
`
`I
`
`.
`
`·--
`
`--
`
`.
`
`-
`
`.
`
`--
`
`.
`
`/ng Tools for Windows\windbg.exe
`
`►
`
`d r.,;_
`
`'-"'-.0
`"'""'
`"'""'
`'-0-....l = --..l
`00 = "'""'
`
`Foltow Process Stream
`Decode event
`Apply the process as filter
`
`--...... 706
`
`04
`
`11
`
`FIG. 7
`
`Palo Alto Networks - Exhibit 1006
`Palo Alto Networks v. Taasera - IPR2023-00704
`Page 8 of 17
`
`

`

`U.S. Patent
`
`Aug. 25, 2015
`
`Sheet 8 of 10
`
`US 9,117,078 Bl
`
`1a og ox s 902
`F II a ows p rocess St ream D' I B
`[;]~~
`
`AEGIS Event Analysis
`
`Parsing Result
`
`OpenFile
`Event 1 Create File CA ....
`APICall
`Event 3 Call API Zw
`Write Registry
`Event 5 Write Registry ..
`Delete File
`Event 6 Cleanup File C:\
`Terminate Process
`Event 7 terminate Process E.exe
`write Registry
`Event 9 Wrrte Registry HKCU ....
`
`I Saveb,s I · ,Erint
`
`II
`
`A
`
`-
`
`~10
`
`RootKrt AJ Behavior
`Open File
`Terminate Process
`Write Registry
`.......
`
`Make Behavior List
`
`1v1/
`
`-:::::::
`
`I Make Behavior List 11 Filter out this stream II Qlose
`I
`I
`I
`)
`)
`)
`908
`904
`906
`
`FIG. 9
`
`Palo Alto Networks - Exhibit 1006
`Palo Alto Networks v. Taasera - IPR2023-00704
`Page 9 of 17
`
`

`

`1004
`
`\
`
`\
`J
`
`Extract Policy
`- Policy Info
`
`Policy Name I
`
`1002
`
`1-lr"IIXI
`
`I,.. 1
`
`Ordered: A policy may co ns1st more than one pattern and should
`be matched in order
`Depth, Offset: The matched position maybe with in a certain range
`or location
`
`ession ... ~lear Pipply
`Event Info
`
`lda!IX!
`
`~
`00
`•
`~
`~
`~
`
`~ = ~
`
`~
`~
`N
`'"Ul
`N
`
`0 ....
`
`Ul
`
`VVithin, Distance: The distance between two matched patterns_
`
`I Cancel I
`
`I OK
`1006)
`
`('D
`('D
`
`1,0
`
`rJJ =(cid:173)
`.....
`0 ....
`....
`
`0
`
`FIG. 10
`
`I
`
`d r.,;_
`_."-0
`"'""'
`"'""'
`
`-....l = -....l
`00 = "'""'
`
`Palo Alto Networks - Exhibit 1006
`Palo Alto Networks v. Taasera - IPR2023-00704
`Page 10 of 17
`
`

`

`U.S. Patent
`
`Aug. 25, 2015
`
`Sheet 10 of 10
`
`US 9,117,078 Bl
`
`1106
`
`~1100
`
`~114
`
`FIG. 11A
`
`1122
`
`1124
`
`1126
`
`1114
`
`PROCESSOR(S)
`
`MEMORY
`
`FIXED DISK
`
`REMOVABLE
`DISK
`
`~1100
`
`1120
`
`1104
`
`1110
`
`1112
`
`1130
`
`1140
`
`DISPLAY
`
`KEYBOARD
`
`MOUSE
`
`SPEAKERS
`
`NETWORK
`INTERFACE
`
`FIG. 11B
`
`Palo Alto Networks - Exhibit 1006
`Palo Alto Networks v. Taasera - IPR2023-00704
`Page 11 of 17
`
`

`

`US 9,117,078 Bl
`
`1
`MALWARE BEHAVIORANALYSISAND
`POLICY CREATION
`
`BACKGROUND OF THE INVENTION
`
`2
`Another embodiment is a computer system for creating a
`policy for use in a malware detection system. The system
`includes a processor and a system behavior analysis compo(cid:173)
`nent. The analysis component may include an event capture
`5 module, an analysis module, and a policy creation module.
`The computer system also has a memory that may contain a
`malware behavior database that stores malware samples and
`results from parsing the samples for analysis. It may also
`contain event data describing an event caused by malicious
`10 computer code. In one embodiment, the computer system
`does not have any malware. In another embodiment, the event
`capture module captures the effects of the malicious com(cid:173)
`puter code execution. In another embodiment, the computer
`system also includes an activity monitor and an event man-
`15 ager operating in the kernel space of the computer system.
`The event capture module also includes an event receiver for
`interfacing with the activity monitor. In another embodiment,
`the analysis module includes a filter manager for identifying
`events having a specific process identifier and an analyzing
`20 manager for creating a process stream. The event data is
`configured to include a subject field, an operation field, and an
`object field.
`
`1. Field of the Invention
`The present invention relates to computer network security.
`More specifically, it relates to software and computer systems
`for creating policies for malware detection and behavior
`analysis systems.
`2. Description of the Related Art
`A conventional malware detection and prevention system
`may operate using malware policies developed for detecting
`potentially malicious behavior in a computer system. The
`accuracy and efficiency of such a system depends in large part
`on the specificity of the policies which it uses to operate.
`Presently, polices are developed using single events. This
`limits the abilities ofthemalware detection system. Processes
`for analyzing malicious system behavior analyze a single
`event that results from the malware operating on the system.
`This may be too narrow and may limit the functionality of the
`malware detection and prevention system. Analysis based on
`a single event results in malware policies that are not very
`precise and which may result in a high frequency of false 25
`positives. That is, when a "white list" is checked in the mal(cid:173)
`ware prevention system, the event being checked may be in
`the white list but should not be because it may be part of a
`malicious process stream. Generally, it is difficult to charac(cid:173)
`terize malicious behavior by examining one event. However, 30
`presently it is difficult to obtain policies that are derived from
`examining multiple events in malicious behavior process
`streams. For example, conventionally, malware executes on a
`PC and when the malware's behavior on the PC is analyzed,
`a single event that is believed to be caused by the malware is 35
`used to derive a policy, which is used by the malware detec(cid:173)
`tion and prevention system. This system uses a white list to
`determine which events are acceptable and the white list, in
`turn, is determined by the policy. If the policy is not precise,
`then there is a high occurrence of false positives using the 40
`white list. Thus, it would be desirable to have a more precise
`process and system for making malware detection/prevention
`policies.
`
`SUMMARY OF THE INVENTION
`
`45
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`References are made to the accompanying drawings,
`which form a part of the description and in which are shown,
`by way of illustration, particular embodiments:
`FIG. 1 is a flow diagram showing a process of deriving a
`behavior list for malware detection system policy in accor(cid:173)
`dance with one embodiment of the present invention;
`FIG. 2 is an overview block diagram showing components
`and connections relevant to one embodiment of the present
`invention;
`FIG. 3 is a detailed logical block diagram of a system
`behavior analyzer in accordance with one embodiment;
`FIG. 4 is a block diagram showing a format of an event in
`accordance with one embodiment;
`FIG. 5 is a sample screen shot of a user interface related to
`capture module;
`FIG. 6 is a sample screen shot of a user interface showing
`an event listing;
`FIG. 7 is a sample screen shot of a user interface related to
`the analysis module;
`FIG. 8 is a flow diagram of a process of capturing events,
`analyzing them, and creating a behavior list in accordance
`with one embodiment;
`FIG. 9 is a sample screen diagram of a Follow Process
`Stream dialog box in accordance with one embodiment;
`FIG.10 is a sample screen diagram showing another dialog
`box which allows a user to create and name a policy in a text
`input window; and
`FIGS. llA and llB illustrate a computer system suitable
`for implementing embodiments of the present invention.
`
`DETAILED DESCRIPTION OF THE INVENTION
`
`In one embodiment, a method of creating a policy to be
`used by a malware prevention system is described. A sample
`of malicious computer code or malware is executed in a
`computer system having a kernel space and a user space. The 50
`computer system is connected to a malware prevention sys(cid:173)
`tem. Event data relating to multiple events caused by the
`malicious code executing on the computer system are cap(cid:173)
`tured and stored. The event data is configured using a specific
`property, such as process, that facilitates malware behavior 55
`analysis. A behavior list is created utilizing the multiple
`events and associated event data. The behavior list is then
`used, together with data in a malware behavior database, to
`derive a policy for use in a malware prevention system. In one
`embodiment, the computer system is free of any malicious
`code, including viruses, Trojan horses, or other malicious
`software code. The malicious computer code sample executes
`without any constraints so that the execution behavior of the
`malicious code may be observed and captured. In another
`embodiment, critical events are selected and a sequential
`process stream including the event as the events occur 1s
`created.
`
`Methods and systems for creating malware behavior lists
`which are utilized to derive malware detection policies in
`60 malware detection and behavior monitoring systems ("mal(cid:173)
`ware detection systems") are described in the various figures.
`As is known in the field of malware detection, policies for
`malware detection systems are typically developed by an
`anti-malware or computer security service provider who sup-
`65 plies malware detection systems to customers. Malware
`detection policies are often developed by service providers in
`a controlled environment, such as in a computer software lab.
`
`Palo Alto Networks - Exhibit 1006
`Palo Alto Networks v. Taasera - IPR2023-00704
`Page 12 of 17
`
`

`

`US 9,117,078 Bl
`
`3
`For example, policies may be developed by executing or
`running samples of new malware ( e.g., a new virus strain) on
`malware-free operating systems ("clean PCs") in the service
`provider's computer lab. The service provider carefully
`observes and analyzes single events created by the malware
`sample ( as described above). In this manner, the service pro(cid:173)
`vider derives the malware's behavior. Samples are often
`obtained by service provider employees and associates from
`the "real world" computing environment, typically the Inter(cid:173)
`net.
`Observing behavior of the sample malware includes iden(cid:173)
`tifying critical events that result during execution of the mal(cid:173)
`ware and creating malware behavior lists. Although not
`included in present invention, it is from these malware behav(cid:173)
`ior lists that malware detection policies may eventually be
`created for use on malware detection systems.
`FIG. 1 is a high-level flow diagram ofa process of deriving
`a malware detection policy using a behavior list in accordance
`with the first embodiment of the present invention. As noted,
`this process executes in a controlled environment, such as a 20
`computer software lab operated by an anti-malware service
`provider, such as TrendMicro, Inc. of Cupertino, Calif.
`Before the first step is performed, the service provider or
`related obtains a malware sample from an external environ(cid:173)
`ment. The sample may be a new outbreak of a virus which the
`service provider obtained and has delivered to the provider's
`lab. The service provider executes the malware sample, which
`may be referred to more generally as an unknown malicious
`process, on a virus-free client having a clean operating sys(cid:173)
`tem. That is, the service provider lets the malware code run
`freely on the PC, simulating malware execution in a real
`world environment. Malware may be malicious processes
`such as BOTS, Trojan horses, Instant Messages, Worms, mal(cid:173)
`ware that exploits software from specific vendors ( e.g.,
`Microsoft) and thousands of other specific malware samples.
`At step 102 the service provider executes the malware code
`sample ( which may be the entire malware program) on a clean
`PC and captures and records the malware behavior on the PC.
`In one embodiment, the service provider records this behav(cid:173)
`ior by creating a data record for each event that results from
`the malware. In one embodiment, when the malware begins
`execution on the PC and the service provider employee, such
`as a virus expert ("user") initiates an event capture process
`utilizing a software capture module, described below, and
`certain user interfaces also described below. As noted earlier,
`the malware is allowed to operate freely on the clean PC
`without any constraints so that the full effect of its behavior
`may be observed and captured. The user stops the event
`capture process of step 102 when she believes that the mali(cid:173)
`cious process has essentially "run its course." The user may 50
`make this decision, for example, by observing whether cer(cid:173)
`tain critical files have been modified or whether specific
`activities in the operating system have occurred, activities
`that malware would normally cause. The user exercises her
`professional discretion to decide when to stop the event cap(cid:173)
`ture. If the sample malware is from an entirely new breed of
`malicious software and does harm that previous malware did
`not, the user may simply allow events to be captured for a
`longer time and collect a larger sampling of events. As
`described below, the user may end event capturing via an
`event capture dialog box.
`At step 104 the user creates a malware behavior list based
`on events captured at step 102. In one embodiment, a behavior
`list is a sequence or stream of events that are characteristic or
`clearly indicative of execution of the malware sample.
`Examples of events include write to file, read file, append file,
`create registry, call API, file I/0, terminate, and others. As is
`
`4
`known in the art, not all of the events caused by the malware
`sample are necessarily malicious; some may be harmless or
`routine steps which many non-malicious processes would
`normally execute. Some events may even be "red herrings," or
`5 events that are intended to mislead or divert attention from the
`actual malicious behavior. The user, having expertise in virus
`and malware behavior, selects the appropriate critical events
`and creates a behavior list, as described below. The user may
`select multiple events from an event list which she considers
`10 to be critical or significant with respect to characterizing the
`behavior of the malware or for detecting the malware. In this
`manner, multiple events are used to create one or more behav(cid:173)
`ior lists. At step 106 the behavior lists are provided so that they
`may be used to derive or extract policy or, more specifically,
`15 policies that are used in behavior monitoring analysis which
`may be one component in a malware detection system. A
`policy database of the malware detection system is updated
`with the new policies. The policy database may also be
`referred to as a malware database.
`FIG. 2 is an overview block diagram of a computer system
`200 showing components and connections relevant to one
`embodiment of the present invention. Most of the compo(cid:173)
`nents reside in a user space 204 and some in a kernel space
`202 of a clean PC, the demarcation shown by the dashed line.
`25 As described in FIG. 1, these components and their related
`processes reside and take place in a controlled environment
`and virus-free operating system. Once the malware sample
`has been downloaded or installed on the computer 200, which
`may emulate, for example, a client PC in a network, a home
`30 computer, a server, or a mobile computing device, the user
`lets the malware run, as described above. At this stage an
`event manager 206 in kernel space 202 begins monitoring
`behavior of the executing malware. Event manager 206 man(cid:173)
`ages system interfaces ( also referred to as system "hooks"). In
`35 order to "monitor" events, event manager 202 may use a
`mini-filter to obtain data on system events caused by the
`malware and transmit this data to an activity monitor 208. A
`user mode hook may be used to collect application events and
`other events in the user space. Obtaining system events at this
`40 stage in kernel 202 by event manager 206 different from ( and
`is a sense complements) the capturing of non-system events
`in user space 204, as described below. Event manager 206
`transmits system event data in kernel 202 to an activity moni(cid:173)
`tor 208 which performs as an interface between event man-
`45 ager 206 and components in user space 204. Activity monitor
`208 receives events from event manager 206 and transmits
`them to system behavior analyzer 210. In one embodiment, a
`malware detection system may have drivers to perform the
`functions of event manager 206 and activity monitor 208.
`Activity monitor 208 interfaces with system behavior ana-
`lyzer 210 in user space 204. Analyzer 210 is a software
`component with modules that perform various functions,
`such as event capturing and analysis, and is described in
`greater detail in FIG. 3. In another embodiment, analyzer 210
`55 may be embodied in firmware on a suitable hardware com(cid:173)
`ponent. As a software component, it may reside in computer
`memory, such as ROM, RAM, non-volatile memory, cache
`memory, or other suitable storage media. It may also be stored
`on a CD-ROM, USB key, or other portable memory device.
`60 Analyzer210 shares data withamalware database 212, which
`it uses for certain analysis functions. When a policy has been
`derived by analyzer210 based on a behavior list, the policy is
`transmitted to malware detection system, which includes
`behavior monitoring functionality monitor 214. The policy
`65 may be transmitted to a "streaming policy" list that stores
`various policies utilized by detection system 214 (a list of
`streaming policies contains policies that are not based upon
`
`Palo Alto Networks - Exhibit 1006
`Palo Alto Networks v. Taasera - IPR2023-00704
`Page 13 of 17
`
`

`

`US 9,117,078 Bl
`
`5
`detection of only a single event, but rather are based upon
`detection of multiple events or a "stream" of sequential
`events).
`FIG. 3 is a logical block diagram of system behavior ana(cid:173)
`lyzer 210 in accordance with one embodiment. As described 5
`above, activity monitor 208 in kernel space 202 transmits
`event data (via activity monitor 208) to behavior analyzer
`210. In one embodiment, an event capture module 302 in
`analyzer 210 receives the event data. Event capture module
`302 creates a sequential event stream made up of events as 10
`they occur; that is, event capture manager 302 creates a time(cid:173)
`based list of events. The list of events is transmitted to analy-
`sis module 304. In one embodiment, event capture module
`302 has an event receiver module 303 that directly interfaces
`with activity monitor 208 and receives the actual event data as 15
`it is transmitted from kernel space 202 to user space 204.
`FIG. 4 is a block diagram showing a format of an event in
`accordance with one embodiment. An event includes three
`components: a subject 402, an operation 404, and an object
`406. Subject 402 performs operation 404 on object 406.
`Examples of subjects include ProcessLive, ProcessAny, and
`Process. Examples of operations include create, call, write,
`erase, and the like. Examples of objects include directories,
`registries, APis, etc. The event data is configured in to this
`format by event capture module 302. The formatted event
`data is sent to analysis module 304.
`In one embodiment, analysis module 304 uses a filter man(cid:173)
`ager 308 to parse and filter the event stream created by event
`capture module 302. As described above, an event in an event
`stream is caused by execution of the sample malware. The
`event stream may be analyzed by a user using malware data(cid:173)
`base 212, where data on the sample malware (e.g., virus,
`Trojan horse) behavior is stored. In one embodiment, mal(cid:173)
`ware database 212 stores a listing of malware samples, of
`which there may be thousands. It also contains results from
`parsing these malware samples, such as registries, file opera(cid:173)
`tions, and event sequences. These parsing results generally
`describe the behavior and actions that are characteristic of the
`malware samples. Analysis module 304 may transmit data to
`and receive data from malware database 212. Analysis mod- 40
`ule 304 enables the user to create a behavior list. Described in
`more detail below, a behavior list is a list of events selected by
`the user which characterize or is representative of behavior of
`the sample malware. There may be more than one behavior
`list for each sample malware. The use may perform this task
`using analysis manager 306 and various user interfaces
`described below. The behavior list is transmitted to a policy
`creation module 310 which creates a policy based on the
`behavior list for use in a malware detection system using
`behavior analysis. In one embodiment, a policy is comprised
`of one or more rules. A rule may have, generally, the same
`format as an event. The policies, comprised of rules, are
`stored in a rules database, which may also be referred to as a
`stream-list policy file, in the malware detection system. Each
`time the malware detection system, the file or database is
`loaded into the system's memory. The policy, which may be
`referred to as a "multi-event" behavior policy, is then trans(cid:173)
`mitted to a rules database 312 (a component in malware
`detection system 214). Module 310 may be used to create a
`policy. For example, a policy may contain numerous rules
`such as:
`Rule 1: Subject "Any process", Operation "Create", Object
`"Other Process"
`Rule 2: Subject "Any process", Operation "Open", Object
`"File-wshtcpip.dll"
`Rule 3: Subject "Any process", Operation "Open", Object
`"File-kerne132.dll"
`
`6
`Rule 4: Subject "Any process", Operation "Open", Object
`"File-RTUTILS.dll"
`Rule 5: Subject "Any process", Operation "Open", Object
`"File-RASAPI32.dll"
`Rule 6: Subject "Any process", Operation "Create", Object
`"Mutex-RasPbFile"
`Rule 7: Subject "Any process", Operation "Open", Object
`"File-rpert4.dll"
`FIG. 5 is a sample screen shot of a user interface related to
`event capture module 302. It shows one example of a screen
`configuration for obtaining data from a user and displaying
`the data. Many variations of this configuration may be used to
`design other screen shots. A dialog box 502 is shown in a
`system behavior analyzer screen 504. In a top menu bar 506
`the user can select one of three functions (in addition to "File"
`and "Edit"). They correspond to the modules 302, 304, and
`310 in system behavior analyzer component 210, namely,
`"Capture" "Analysis" and "ExtractPolicy". If the Capture
`option is selected, dialog box 502 is displayed and the user
`20 may begin an event capture sequence for the sample malware.
`That is, the malware will start executing ( or may already be
`executing) and capture module 302 begins operation. Dialog
`box 502 may display various types of information, such as the
`total number of events captured and event category. The per-
`25 centage of the total for each type of event may also be pro(cid:173)
`vided. For example, API events comprise 33.3% of all event
`captured. In other embodiments, this information may not be
`provided or may be displayed in a different format. At the
`bottom of box 502, the total rumiing time of the event cap-
`30 turing function is provided (in this example, 9 seconds) and a
`button 506 which the u