US 12,450,351 B2
Method of malware detection and system thereof
Tomer Weingarten, Petah Tikva (IL); Almog Cohen, Tel Aviv (IL); Udi Shamir, Rehovot (IL); and Kirill Motil, Petah Tikva (IL)
Assigned to Sentinel Labs Israel Ltd., Tel Aviv (IL)
Filed by Sentinel Labs Israel Ltd., Tel Aviv (IL)
Filed on May 30, 2024, as Appl. No. 18/679,330.
Application 18/679,330 is a continuation of application No. 18/179,711, filed on Mar. 7, 2023, granted, now 12,026,257.
Application 18/179,711 is a continuation of application No. 16/849,808, filed on Apr. 15, 2020, granted, now 11,625,485, issued on Apr. 11, 2023.
Application 16/849,808 is a continuation of application No. 15/623,669, filed on Jun. 15, 2017, granted, now 10,664,596, issued on May 26, 2020.
Application 15/623,669 is a continuation of application No. 14/456,127, filed on Aug. 11, 2014, granted, now 9,710,648, issued on Jul. 18, 2017.
Prior Publication US 2025/0005155 A1, Jan. 2, 2025
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 21/56 (2013.01)
CPC G06F 21/566 (2013.01) [G06F 21/56 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A computer-implemented method of performing a behavior-based analysis of an execution of a program in an operating system, the method comprising:
monitoring, by a computer system, by registering one or more kernel filter drivers for kernel space operations via one or more call back functions using an out-of-band monitoring module, one or more operations performed by the execution of the program, wherein the monitoring comprises tracking at least one of user space operations or the kernel space operations;
generating, by the computer system, an event data for each of the one or more monitored operations;
normalizing the event data into a logical data structure such that attributes of the event data can be accessed and analyzed;
building, by the computer system, at least one stateful model of the execution of the program based on the normalized event data, the at least one stateful model comprising a hierarchical structure of the one or more monitored operations, wherein the hierarchical structure comprises an event context comprising:
one or more objects derived from the one or more monitored operations;
one or more fields for each of the one or more objects, the one or more fields storing one or more parameters characterizing a respective object of the one or more objects and an association to the respective object; and
one or more relationships identified among the one or more objects; and
attributes characterizing the one or more objects and the one or more relationships among the one or more objects, wherein the attributes comprise at least a type of the one or more monitored operations and a source of the one or more events;
analyzing, by the computer system, the event context to identify one or more behaviors of the execution of the program related to the one or more events; and
applying a score to the stateful model based on the one or more identified behaviors, wherein applying the score to the stateful model comprises:
determining a weighted behavior score for each of the one or more identified behaviors, wherein the weighted behavior score indicates a likelihood of a presence of malware based on the one or more identified behaviors; and
determining the score by computing a sum of the weighted behavior scores for each of the one or more identified behaviors.
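The pipeline recited in claim 1 (monitor, normalize, build a stateful model of objects and relationships, identify behaviors, sum weighted behavior scores) can be made concrete with a small worked example. The following Python is an illustration added here; it is not code from the patent, from the described product, or from Sentinel Labs. The raw event stream, the object and relation layout, the three behavior rules and their weights, and the decision threshold are all constructed for the illustration and are hypothetical; a real sensor would receive its events from kernel callbacks rather than from an in-memory list.

```python
"""Added example: a stateful behavior model scored by a weighted sum.

Not the patent's or Sentinel Labs' code. Event records, object kinds,
behavior rules, weights and the threshold below are constructed and
hypothetical, chosen only to exercise each step of the claimed method.
"""
from dataclasses import dataclass, field

# Constructed raw events, in the shape an out-of-band monitor might emit.
# For process_create the acting process is the parent (ppid); for every
# other operation it is the process in "pid". Field names are assumptions.
RAW_EVENTS = [
    {"op": "process_create", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"op": "process_create", "pid": 200, "ppid": 100, "image": r"C:\Users\u\invoice.exe"},
    {"op": "file_write", "pid": 200, "path": r"C:\Users\u\AppData\Local\Temp\x.exe"},
    {"op": "process_create", "pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\x.exe"},
    {"op": "registry_set", "pid": 300, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\x"},
    {"op": "net_connect", "pid": 300, "dst": "203.0.113.7:443"},
]
# Constructed benign stream: a shell opening an editor and saving a file.
BENIGN_EVENTS = [
    {"op": "process_create", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"op": "process_create", "pid": 400, "ppid": 100, "image": r"C:\Windows\notepad.exe"},
    {"op": "file_write", "pid": 400, "path": r"C:\Users\u\notes.txt"},
]

# Hypothetical behavior weights; each is the "weighted behavior score".
BEHAVIOR_WEIGHTS = {
    "drop_and_execute": 40,        # process writes a file, then spawns it
    "run_key_persistence": 30,     # autostart registry key set
    "dropped_binary_beacons": 30,  # the dropped binary opens a connection
}
MALICIOUS_THRESHOLD = 50  # hypothetical decision boundary on the summed score


@dataclass
class Event:
    """Normalized event: uniform type, acting process, and parameters."""
    type: str
    source: int
    params: dict


def normalize(raw):
    """Map one raw monitor record onto the logical Event structure."""
    r = dict(raw)
    op = r.pop("op")
    source = r.pop("ppid") if op == "process_create" else r.pop("pid")
    return Event(op, source, r)


@dataclass
class Obj:
    kind: str                  # process, file, registry, net
    key: str
    fields: dict = field(default_factory=dict)


@dataclass
class Relation:
    src: str                   # object key of the acting process
    kind: str                  # spawned, wrote, set, connected
    dst: str                   # object key of the target
    attrs: dict                # at least the operation type and its source


@dataclass
class StatefulModel:
    """Objects plus the relationships observed between them."""
    objects: dict = field(default_factory=dict)
    relations: list = field(default_factory=list)

    def obj(self, kind, key, **fields):
        o = self.objects.setdefault(key, Obj(kind, key))
        o.fields.update(fields)
        return o

    def relate(self, src, kind, dst, ev):
        self.relations.append(Relation(src, kind, dst, {"type": ev.type, "source": ev.source}))


def build_model(events):
    """Fold normalized events into the stateful model."""
    m = StatefulModel()
    for ev in events:
        src = m.obj("process", f"proc:{ev.source}").key
        p = ev.params
        if ev.type == "process_create":
            m.relate(src, "spawned", m.obj("process", f"proc:{p['pid']}", image=p["image"]).key, ev)
        elif ev.type == "file_write":
            m.relate(src, "wrote", m.obj("file", f"file:{p['path']}").key, ev)
        elif ev.type == "registry_set":
            m.relate(src, "set", m.obj("registry", f"reg:{p['key']}").key, ev)
        elif ev.type == "net_connect":
            m.relate(src, "connected", m.obj("net", f"net:{p['dst']}").key, ev)
    return m


def identify_behaviors(m):
    """Analyze the event context for the three hypothetical behaviors."""
    found, dropped = set(), set()
    wrote = {(r.src, r.dst[len("file:"):]) for r in m.relations if r.kind == "wrote"}
    for r in m.relations:
        if r.kind == "spawned" and (r.src, m.objects[r.dst].fields.get("image")) in wrote:
            found.add("drop_and_execute")
            dropped.add(r.dst)
        if r.kind == "set" and "\\currentversion\\run\\" in r.dst.lower():
            found.add("run_key_persistence")
    if any(r.kind == "connected" and r.src in dropped for r in m.relations):
        found.add("dropped_binary_beacons")
    return found


def analyze(raw_events):
    """Return (sorted behaviors, summed weighted score, verdict)."""
    found = identify_behaviors(build_model(normalize(e) for e in raw_events))
    total = sum(BEHAVIOR_WEIGHTS[b] for b in found)
    return sorted(found), total, "malicious" if total >= MALICIOUS_THRESHOLD else "benign"


if __name__ == "__main__":
    print(analyze(RAW_EVENTS))
    print(analyze(BENIGN_EVENTS))
```

The point the example makes is the one the claim turns on: none of the three rules fires on a single event, each needs relationships already recorded in the model (the file written earlier by the same process, the child spawned from that path, the connection made by that child), and the final verdict is a sum over every behavior found rather than a single signature match.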