CN117708810A - System and method for detecting cyclical activity in event streams for dynamic application analysis - Google Patents


Info

Publication number
CN117708810A
Authority
CN
China
Application number
CN202311010083.8A
Other languages
Chinese (zh)
Inventor
安东·A·基瓦
维塔利·V·布图佐夫
Current Assignee
Kaspersky Lab AO
Original Assignee
Kaspersky Lab AO
Priority claimed from US18/338,137 (US20240095353A1)
Application filed by Kaspersky Lab AO
Publication of CN117708810A

Abstract

Systems and methods for detecting cyclical activity in an event stream are disclosed. In one aspect, an exemplary method includes: creating a buffer and determining a threshold value for indicating the start of a loop; processing each event by filling the buffer with each event, determining a number of unique events in the buffer; when the number in the buffer reaches a predetermined size of the buffer, recalculating the number of unique events by excluding the earliest event and including a new event to replace one event with another, comparing the recalculated number with a threshold for the maximum number of unique events for loop detection; the start of a loop is detected when the number of unique events is less than or equal to the maximum number of unique events for loop detection, excluding further events from the event stream, and continuing to recalculate the number of unique events after each addition.

Description

System and method for detecting cyclical activity in event streams for dynamic application analysis
Cross Reference to Related Applications
The present application claims priority from Russian patent application No. 2022124419, filed on September 15, 2022, the entire contents of which are incorporated herein by reference.
Technical Field
The present invention relates to the field of information technology, and more particularly, to the field of studying the behavior of an application during analysis by a dynamic analysis System (SDA) to determine malicious behavior.
Background
Currently, malware is one of a series of threats to computer security. The term "malware" refers to any program that exhibits malicious behavior and/or acts as one or more of the following: worms, viruses, trojan horses, system errors, spyware, certain advertisements, etc. Any suspicious program that may compromise a computer system is potentially malicious.
Various methods and tools may be applied to study the functionality of such programs (malware). One method is dynamic analysis, which involves analyzing the program execution process. There is a special class of automated tools, such as dynamic analysis systems, which are part of dynamic analysis that is performed to investigate the functionality of a program and detect malware. Dynamic analysis systems allow information about the operations a particular program performs during its execution to be obtained quickly.
Modern systems for dynamic analysis are large software packages running on a complex of server computers that perform the analysis, for example, by launching the sample application for execution in a particular environment and then automatically monitoring the activity of the sample application during its execution. By operation of these systems, a report can be obtained. The report may contain one or another form of information regarding the operations performed by the application under study. Also, the systems for dynamic analysis described above may have one or more different functions. For example, one function may use an analysis component that executes in user mode and is hosted on the same computing device that executes the sample application. Another function may use emulation and perform the analysis by means of callback functions. A third function may use the capabilities provided by hardware virtualization extensions. To illustrate, one example of a dynamic analysis system may be a tool such as the Kaspersky Research Sandbox, designed to detect and analyze targeted or customized threats. Another example may be the Kaspersky Anti Targeted Attack Platform (KATA), a tool designed to resist targeted attacks.
There are some known dynamic analysis systems. However, these known dynamic analysis systems have common drawbacks that occur when using tools. Dynamic analysis systems for applications typically generate data streams describing events that occur while the application is running. Also, in many cases, such data occupies a lot of memory and disk space, processing time is long, and the data generation process can negatively impact the overall performance of the application itself being dynamically analyzed. Thus, when the analysis is performed in real-time on the user's computing device, one or more of the computational cost of the dynamic analysis and the negative impact on the user experience may increase.
Accordingly, there is a need for a method and system for detecting cyclical (repetitive) activity in an event stream for dynamic application analysis. In particular, there is a need for a method and system for reducing the operating load of an SDA during a determination of the malicious nature of an application.
Disclosure of Invention
Aspects of the present invention relate to detecting cyclical activity in an event stream for dynamic application analysis.
In one exemplary aspect, a method for detecting cyclical activity in an event stream of dynamic application analysis is provided, the method comprising: creating a buffer of a predetermined size for an event stream occurring during execution of the application program and determining a threshold value for indicating the start of a loop; processing each event in the event stream, wherein the processing includes populating the buffer with the events, populating a dictionary, determining a number of unique events in the buffer when the event is added to the buffer; when the number of events in the buffer reaches a predetermined size of the buffer, replacing one of the events in the buffer with a new event by excluding the earliest event and including the newly processed event, recalculating the number of unique events in the buffer, and comparing the recalculated number of unique events with a threshold for a maximum number of unique events in the buffer for loop detection; and detecting the start of a loop when the number of unique events in the buffer is less than or equal to the maximum number of unique events in the buffer for loop detection, excluding further events from the event stream, and continuing to recalculate the number of unique events in the buffer after each new event is added.
In one aspect, the threshold for indicating the start of a loop is determined using the ratio Xc = L/K, wherein Xc represents the maximum number of unique events in the buffer for loop detection, L represents a parameter indicating the maximum number of events in the buffer (the size of the buffer), and K represents a configurable parameter.
In one aspect, when the number of unique events in the buffer is greater than the maximum number of unique events in the buffer for loop detection, continuing to fill the buffer, replacing one event in the buffer with the new event, and recalculating the number of unique events in the buffer until the number of unique events in the buffer is less than or equal to the maximum number of unique events in the buffer for loop detection.
In one aspect, the method further comprises: after detecting the start of the loop, completing the loop and starting to include events generated in the event stream during dynamic analysis of the application when the number of unique events in the buffer increases and exceeds the maximum number of unique events in the buffer for loop detection.
In one aspect, the method further comprises: creating another buffer zone to which an event occurring in the event stream is added; and counting the number of unique events in the generated other buffer to detect another cycle.
In one aspect, the event occurs during execution of a system Application Programming Interface (API) call.
In one aspect, the buffer comprises a circular buffer.
In one aspect, the maximum number of unique events in the buffer for loop detection is less than a size of the buffer indicating the maximum number of events in the buffer, and the maximum number of unique events in the buffer for loop detection is less than the total number of events.
In one aspect, the buffers are generated in real-time during dynamic analysis of the application.
According to one aspect of the present invention, there is provided a system for detecting cyclical activity in an event stream of dynamic application analysis, the system comprising a hardware processor configured to: creating a buffer of a predetermined size for an event stream occurring during execution of the application program and determining a threshold value for indicating the start of a loop; processing each event in the event stream, wherein the processing includes populating the buffer with the events, populating a dictionary, determining a number of unique events in the buffer when the event is added to the buffer; when the number of events in the buffer reaches a predetermined size of the buffer, replacing one of the events in the buffer with a new event by excluding the earliest event and including the newly processed event, recalculating the number of unique events in the buffer, and comparing the recalculated number of unique events with a threshold for a maximum number of unique events in the buffer for loop detection; and detecting the start of a loop when the number of unique events in the buffer is less than or equal to the maximum number of unique events in the buffer for loop detection, excluding further events from the event stream, and continuing to recalculate the number of unique events in the buffer after each new event is added.
In one exemplary aspect, a non-transitory computer-readable medium is provided having stored thereon a set of instructions for detecting loop activity in an event stream of a dynamic application analysis, wherein the set of instructions includes instructions for: creating a buffer of a predetermined size for an event stream occurring during execution of the application program and determining a threshold value for indicating the start of a loop; processing each event in the event stream, wherein the processing includes populating the buffer with the events, populating a dictionary, determining a number of unique events in the buffer when the event is added to the buffer; when the number of events in the buffer reaches a predetermined size of the buffer, replacing one of the events in the buffer with a new event by excluding the earliest event and including the newly processed event, recalculating the number of unique events in the buffer, and comparing the recalculated number of unique events with a threshold for a maximum number of unique events in the buffer for loop detection; and detecting the start of a loop when the number of unique events in the buffer is less than or equal to the maximum number of unique events in the buffer for loop detection, excluding further events from the event stream, and continuing to recalculate the number of unique events in the buffer after each new event is added.
The method and system for detecting cyclical activity in an event stream for dynamic application analysis of the present invention addresses the limitations of existing SDAs in analyzing applications to determine application maliciousness. One technical result of the present method is that, for example, during real-time analysis of an application, the load of the computing resources of the computer system by the actions of the SDA is reduced. Another technical result of the present method and system is that no information about skip cycle events is written in the data log or file for analysis by the SDA, for example, in a subsequent step in the analysis of the application. In one aspect, the method reduces the load on the computing resources by detecting cyclical activity (repeated cycles) in the event stream and excluding events related to the cyclical activity from the data stream formed for subsequent analysis of the SDA. At the same time, the cyclical activity in the event stream appears to have a set of events that repeatedly occur a number of times. Thus, the present method reduces the load on the dynamic analysis system for analyzing applications, thereby reducing the amount of memory and disk space used by the computer device during such analysis. For example, the method of the present invention detects events related to cyclical activity (looping) in a data stream during operation of the system with an application and excludes those events from subsequent analysis. Excluding events related to cyclical activity significantly reduces the load on the computing resources.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate one or more exemplary aspects of the invention and, together with the detailed description, serve to explain the principles and implementations of these exemplary aspects.
FIG. 1 illustrates a block diagram of an exemplary system for detecting cyclical activity in an event stream in accordance with aspects of the invention.
FIG. 2 illustrates a methodology for detecting cyclical activity in an event stream of a dynamic analysis system, in accordance with aspects of the invention.
FIG. 3 illustrates an example of the operation of a method of detecting loop activity in an event stream, e.g., an example of the operation of the method of FIG. 2, in accordance with aspects of the invention.
FIG. 4 presents an example of a general-purpose computer system upon which aspects of the present invention may be implemented.
Detailed Description
Exemplary aspects are described herein in the context of systems, methods, and computer programs for detecting cyclical activity in an event stream for dynamic application analysis in accordance with aspects of the present invention. Those of ordinary skill in the art will realize that the following description is illustrative only and is not intended to be in any way limiting. Other aspects will readily occur to those skilled in the art having the benefit of this disclosure. Reference will now be made in detail to implementations of exemplary aspects as illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings and the following description to refer to the same or like items.
Dynamic Analysis Systems (SDAs) are designed to search for threats and malicious actions in computer systems (e.g., as shown in fig. 4). SDA provides for the full launching of an application or file and then research into all actions taken, artifacts created, and network activities. Applications may be launched either directly on a computer, i.e., in a physical environment, or in a virtual environment, however, typically such physical or virtual environments contain many limitations and are SDA controlled execution environments. In one aspect, a so-called "sandbox" may be used as the controlled medium. In other aspects, a sandbox or any other similar isolation environment may be used. A physical medium is a data transmission medium that uses signals to transmit information (data) from a source device (transmitter) to a sink device (receiver). In the present invention, the term "signal" refers to an electrical signal.
In accordance with aspects of the present invention and implementations, the SDA may include a single dynamic analysis mechanism or multiple dynamic analysis mechanisms. Furthermore, in one aspect, the SDA may be implemented on a separate server (e.g., the Kaspersky Research Sandbox) dedicated to dynamic analysis of the application. In another aspect, the SDA may be implemented directly on a user's computing device (e.g., personal computer, tablet, mobile device, or the like). The SDA implemented on a separate server or on the user's computing device may include any number of dynamic analysis mechanisms. During dynamic analysis, analysis is performed to determine the behavior of the application during its execution, including the network activity of the application. In one aspect, the analysis is performed on a plurality of computer device emulators running on physical or virtual devices.
In one aspect, the SDA is configured upon first activation. Configuring the SDA includes at least forming a particular controlled environment in which the censored application will execute, and activating one or more analysis mechanisms as part of the SDA.
As discussed above, dynamic analysis analyzes the behavior performed by an application to examine the actions of the application in relation to its suspicious or malicious behavior during its execution. SDA uses various evaluation mechanisms (e.g., heuristic rules or probabilistic methods) to help determine whether a particular behavior (e.g., running a particular file or connection library) should be considered malicious.
In one aspect, the environment in which the SDA is used is designed such that events occurring in actions occurring during execution of an application are recorded when they occur. In one aspect, data related to an event that occurs is recorded and stored in a particular database. The database may be a temporary file or other suitable storage location, such as a MSSQL or PostgreSQL database. In one aspect, events occur during execution of an application when a system Application Programming Interface (API) call is made.
In other words, during analysis of the application, a data stream is generated in the SDA describing events that occur during operation of the application. The data stream includes information about all events that occur during execution of the application. In many cases, the data associated with the event that occurs will consume a significant amount of memory and disk space, requiring a long time to process (e.g., because of their number). Furthermore, the process of creating data can negatively impact the performance of the application being dynamically analyzed. All this results in an increase in computational cost of dynamic analysis. In the case of real-time analysis of a user's computing device, there is an associated negative impact on the user's experience.
Thus, the method of the present invention solves the above-mentioned drawbacks. The method includes detecting cyclical activity (a cycle) in the event stream and excluding the detected cyclical activity from the data stream. The term "cyclical activity" refers to repetitive activity. Thus, "cyclical activity in an event stream" is defined as "a repeated set of events". Consequently, excluding such cyclical activity results in the data formed for subsequent analysis by the SDA not including the detected cyclical activity.
In one aspect, the method of the present invention includes identifying a loop by estimating events from event streams that occur in real time during operation of an application. All events fall into a buffer of specified size at the time of evaluation. The method then determines a number of unique events and uses the determined number of unique events to determine the presence of circular activity in the buffer. The term "unique event" refers to an event that first occurs in a buffer. The unique event is unique only prior to the loop reset. In a particular implementation, the buffer is a memory region for temporarily storing I/O data.
Further, when determining the number of unique events in the buffer, X, the SDA determines that the application is performing a loop activity when the following condition is satisfied:
|X| << |S| and |X| << L, wherein
S is the total set of events that may occur during execution of the application,
L is the number of events in the buffer (the buffer size), and
X is the set of unique events in the buffer, so that |X| is the number of unique events.
In one aspect, when the SDA determines that the application is performing a loop activity, the SDA stops outputting or recording new events for later analysis, and only continues to observe what is happening. Upon occurrence of an event that is not part of the set of X unique events, the state of the loop is reset and the SDA (or a similar threat analysis tool) can begin outputting or recording events for analysis again.
The following are some aspects of the method of the present invention for processing events to detect cyclical activity in the event stream generated while an SDA analyzes an application. In one aspect, the method of the present invention is used for detecting malicious activity in an application analyzed by the SDA.
FIG. 1 illustrates a block diagram of an exemplary system 100 for detecting cyclical activity in an event stream, in accordance with aspects of the invention. In one aspect, the system 100 includes a system 110 (or subsystem) for dynamic analysis of an application, a processor 120, a memory 130, and an I/O device 140. In one aspect, system 110 can include a component for receiving an application to analyze, a component for generating a buffer, a component for counting events, a component for performing analysis and determining when a loop activity is detected. The system 110 may then exclude events from the data stream that are related to the detected recurring activity.
In one aspect, the system 100 is implemented by a general-purpose computer including a hardware processor and memory as shown in FIG. 4. The system 110 may include a functionality and/or hardware module 111 for receiving an application to be analyzed, a buffer generator 112, an event counter 113, an analyzer 114, a loop activity identifier 115, a data flow filter 116 for excluding events related to a loop activity, which in turn includes instructions for execution on a hardware processor.
FIG. 2 illustrates a method 200 for detecting cyclical activity in an event stream of a dynamic analysis system, in accordance with aspects of the invention. In one aspect, the method 200 may be used to conduct an automatic search for such recurring events and then exclude them from the data stream in the SDA.
In step 210, the method 200 generates a buffer for each data stream created during evaluation of the application by the SDA. In particular, the method creates a ring buffer (also referred to as a circular buffer) of a particular size, and a dictionary (a type of list) with counters for the events in the buffer. For the purposes of the present invention, the term "dictionary" refers to a database containing information about the unique events and the number of occurrences of each such event in the buffer. In one aspect, the buffers are generated in real-time while the SDA analyzes the application. When a buffer is formed, the size of the buffer (i.e., the maximum number of events that can be in the buffer at the same time) is determined. The current number of elements in the dictionary is denoted by "X". The value of X is a non-zero positive integer.
In step 215, the method 200 determines, via the SDA, the number of unique events in the buffer that indicate cyclical activity. Notably, the threshold value for indicating the start of a loop in the buffer is determined by the ratio:
Xc = L/K, wherein
K is a configurable parameter,
L is a parameter representing the buffer size, which determines the maximum number of events in the buffer, or in other words the minimum length of a detected loop, and
Xc represents the number of unique events in the buffer indicating the start of loop activity in the buffer, or in other words the maximum number of unique events for detecting loop activity.
In one aspect, parameters K and L are configured based on the type of event. For example, K and L may be configured by considering the type of operating system (e.g., Android, Windows, Unix or Linux) on which the application is running. In another aspect, parameters K and L may also be configured by considering the event settings. For example, a unique event may be a "file creation" event. In another example, the unique event may be "create a file in the user's folder" and/or "create a file in the system folder". Thus, the parameters may be selected differently for different sets of possible events and for different frequencies of occurrence of the various events.
In step 220, with the SDA, the method 200 processes each event in the event stream, where processing the event includes filling the buffer with events from the event stream, filling the dictionary, determining the number of unique events in the buffer (i.e., X) each time an event is added to the buffer, and proceeding to step 230 to determine if the buffer is full.
In step 230, the method 200 determines whether the buffer is filled with the maximum number of events through the SDA. When the buffer is filled with the maximum number of events, the method 200 proceeds to step 240. Otherwise, the method returns to step 220 and continues to fill the buffer with the next event in the event stream.
In step 240, with the SDA, the method 200 replaces one event in the buffer with a new event by excluding the earliest event and including the event that just occurred, and recalculates the number of unique events.
In step 250, the method 200 compares, via the SDA, the calculated number of unique events X with the threshold value Xc representing the maximum number of unique events for detecting cyclical activity. When the condition |X| <= Xc is satisfied, the method 200 determines that the start of loop activity is detected and proceeds to step 260. Otherwise, if the calculated number of unique events does not meet the specified condition, i.e., |X| > Xc, then the method 200 returns to step 240.
In step 260, the method 200 determines the cycling activity through the SDA and excludes further events from the event stream for subsequent analysis of the application by the SDA. In other words, the method stops recording events that occur in the analysis of the application.
In step 270, the method 200 also continues to monitor the buffer fill with new events and recalculate the number of unique events in the buffer, via the SDA.
In optional step 280, the method 200 determines, via the SDA, whether the threshold for the number of unique events is exceeded. In other words, the method checks whether the condition |X| <= Xc still holds. If the threshold for the maximum number of unique events is not exceeded, the method 200 returns to step 270. Otherwise, if the threshold for the maximum number of unique events is exceeded, the method proceeds to step 290.
In one aspect, the implementation of step 280 includes checking for satisfaction of the following conditions: when any new event occurs in the loop, i.e., an event not included in the unique event set (X), a threshold value indicating the number of unique events is exceeded, and proceeds to step 290.
In step 290, the method 200 determines that the cycling activity has completed through the SDA and resumes the formation of the event stream by recording (enabling) further events for subsequent analysis of the SDA application. Thus, in step 290, the method 200 exits the loop activity.
Notably, after exiting the loop, the method continues to detect new loop activity in the event stream until execution of the application ends.
In one aspect, the buffer size may be dynamically variable. For example, if the analysis of the application requires a long time and no loops have been detected, the buffer size may be increased or decreased. In this case, the time to decide to increase or decrease the buffer size and the amount of change in the buffer may be empirically determined.
FIG. 3 illustrates an example 300 of the operation of a method of detecting loop activity in an event stream, e.g., an example of the operation of the method of FIG. 2, in accordance with aspects of the invention.
Assume that the application is running and that its event set S consists of six (6) events: aaa, bbb, ccc, ddd, eee and fff. The size W of the buffer is |W| = L = 8. The ratio of the buffer length L to the number of unique events Xc in the buffer for loop detection is L/|Xc| = K = 4. Therefore, in this case, to detect a loop, the method checks whether |Xc|·K <= L, i.e., |Xc| <= 2.
The selected buffer parameters ensure that:
  • L < |S|,
  • |Xc| < L,
  • |Xc| < |S|.
As described above, |Xc| is responsible for the maximum number of unique events in the detected loop, and L is the minimum length of the detected loop. Thus, with the selected parameters, the claimed invention is able to find a loop of at least 8 events in length containing no more than 2 unique events.
Thus, fig. 3 shows the event flow during execution of an application using SDA. The second column of fig. 3 (titled loop detection) shows an example of filling the buffer with events that occur and determining the beginning and end of a loop, where the events are to be excluded from the event stream provided for analysis of the SDA.
The first step is an "aaa" event, which is added to the buffer and dictionary as the first unique event.
Thus, all events that occur during execution of the application fill the buffer until the buffer is full, i.e., for as long as the number of events in the buffer has not yet reached the maximum number of events in the buffer. Since the buffer can only contain 8 events at a time, at the eighth step the number of unique events contained in the buffer is counted and compared with the condition for detecting cyclical activity. In this example, at the eighth step |X| = 6, which is greater than 2. Thus, there is no loop, and data collection continues. At the ninth step, the first event is excluded from the buffer and a new event is entered, and then the number of unique events is recalculated. According to steps 9 to 11 of fig. 3, the number of unique events in the buffer starts to decrease, and at step 12 only two unique events remain in the buffer. Entry into a loop is detected at step 12 (call). From this event on, subsequent events are excluded from the event stream. Thus, during steps 13-18 (event occurrence), the number of unique events does not change, and therefore all of these events are excluded. Step 19 introduces a new unique event into the event stream, which changes the number of unique events to |X| = 3, so the loop is exited and data collection from the event stream resumes.
Notably, a loop will be a state where there are a number of unique events in the buffer, but their order in the buffer is not important. For example, for two events a and b, the following event set would be a loop: "ababababababab" and "aabbbabbabbbaabab".
At the same time, a new similar buffer is created that adds new events from the event stream and counts the number of unique events until analysis of the application in the SDA is completed.
In another aspect, the buffer is emptied, new events that have occurred are re-added to the event stream, and the number of unique events is counted until analysis (execution) of the application in the SDA is completed.
In another aspect, the following relationship between the values is preferably used:
|Xc| < L
|Xc| << |S|.
Thus, for example, when |S|=5000 types of events and the buffer size is L=500 events, the method can set the threshold for the number of unique events to 50. In this case, the "much smaller" ratio is defined as 10/100/N.
Notably, if an erroneous buffer value and threshold are selected, e.g., |S|=50 event types with the same buffer length of 500 events, using the threshold condition |Xc|=50 will not allow loop activity (looping) to be determined, because more than 50 unique events can never occur in the buffer.
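The sliding-buffer procedure of fig. 3 and the parameter check of the two preceding paragraphs, written out as an added Python example (not code from the patent). It assumes that the event which triggers loop detection is itself still forwarded, and that on loop exit the buffer is emptied and refilled starting with the new event; the event stream is constructed for the example.

```python
from collections import Counter, deque
from typing import Hashable, Iterable, List


def threshold_is_valid(buffer_size: int, k: int, alphabet_size: int) -> bool:
    """Check the preferred relationship |Xc| < L and |Xc| << |S|.

    If the threshold |Xc| is not smaller than the number of distinct event
    types |S|, the unique count can never exceed it, so once a loop is
    reported it would never end (the |S|=50, L=500, |Xc|=50 case above).
    """
    xc = buffer_size // k
    return 0 < xc < buffer_size and xc < alphabet_size


class LoopDetector:
    """Buffer of the last L events plus a dictionary of per-event counts.

    The number of unique events is len(self.counts); every add or evict
    updates it in O(1) instead of rescanning the whole buffer.
    """

    def __init__(self, buffer_size: int, k: int) -> None:
        self.size = buffer_size
        self.threshold = buffer_size // k      # |Xc| = L / K (claim 2)
        self.buffer: deque = deque()
        self.counts: Counter = Counter()       # the "dictionary" of the text
        self.in_loop = False

    def _push(self, event: Hashable) -> None:
        if len(self.buffer) == self.size:      # full: exclude the earliest event
            oldest = self.buffer.popleft()
            self.counts[oldest] -= 1
            if self.counts[oldest] == 0:
                del self.counts[oldest]
        self.buffer.append(event)
        self.counts[event] += 1

    def process(self, event: Hashable) -> bool:
        """True if the event is forwarded to the analyser, False if excluded."""
        self._push(event)
        if len(self.buffer) < self.size:
            return True                        # still filling: no decision yet
        unique = len(self.counts)
        if not self.in_loop:
            if unique <= self.threshold:       # start of a loop detected
                self.in_loop = True
            return True                        # assumption: triggering event is kept
        if unique > self.threshold:            # a new event type ends the loop
            self.in_loop = False
            self.buffer.clear()                # assumption: empty and re-add
            self.counts.clear()
            self._push(event)
            return True
        return False                           # inside the loop: excluded


def filter_stream(events: Iterable[Hashable], buffer_size: int, k: int) -> List[Hashable]:
    """Return the events that reach the analyser after loop filtering."""
    det = LoopDetector(buffer_size, k)
    return [e for e in events if det.process(e)]


# Constructed stream modelled on fig. 3: eight distinct calls, then a tight
# two-event loop, then a new event type that ends the loop.
SAMPLE_STREAM = [f"call{i}" for i in range(1, 9)] + ["a", "b"] * 8 + ["z", "c"]

if __name__ == "__main__":
    kept = filter_stream(SAMPLE_STREAM, buffer_size=8, k=4)   # |Xc| = 2
    print(f"{len(SAMPLE_STREAM)} events in, {len(kept)} forwarded")
```

With L=8 and K=4 the loop is detected on the eighth "a"/"b" event; the following eight repetitions are dropped and forwarding resumes at "z".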
FIG. 4 is a block diagram illustrating aspects of a computer system 20 upon which systems and methods for detecting cyclical activity in an event stream of a dynamic analysis system may be implemented. The computer system 20 may be in the form of a plurality of computing devices or may be in the form of a single computing device, such as a desktop computer, a notebook computer, a laptop computer, a mobile computing device, a smart phone, a tablet computer, a server, a mainframe, an embedded device, and other forms of computing devices.
As shown, the computer system 20 includes a central processing unit (Central Processing Unit, CPU) 21, a system memory 22, and a system bus 23 that connects the various system components, including memory associated with the central processing unit 21. The system bus 23 may include a bus memory or bus memory controller, a peripheral bus, and a local bus that may be capable of interacting with any other bus architecture. Examples of buses may include PCI, ISA, PCI-Express, HyperTransport™, InfiniBand™, Serial ATA, I2C, and other suitable interconnections. The central processing unit 21 (also referred to as a processor) may include a single set or multiple sets of processors having a single core or multiple cores. The processor 21 may execute one or more computer-executable codes that implement the techniques of the present invention. The system memory 22 may be any memory for storing data used herein and/or computer programs executable by the processor 21. The system memory 22 may include volatile memory, such as random access memory (Random Access Memory, RAM) 25, and non-volatile memory, such as read-only memory (Read-Only Memory, ROM) 24, flash memory, etc., or any combination thereof. A basic input/output system (Basic Input/Output System, BIOS) 26 may store the basic procedures that transfer information between elements within the computer system 20, such as those used during loading of the operating system, using ROM 24.
The computer system 20 may include one or more storage devices, such as one or more removable storage devices 27, one or more non-removable storage devices 28, or a combination thereof. The one or more removable storage devices 27 and the one or more non-removable storage devices 28 are connected to the system bus 23 by a memory interface 32. In one aspect, the storage devices and corresponding computer-readable storage media are power-independent modules for storing computer instructions, data structures, program modules, and other data for computer system 20. The system memory 22, the removable storage device 27, and the non-removable storage device 28 may use a variety of computer-readable storage media. Examples of the computer readable storage medium include: machine memory such as cache, SRAM, DRAM, zero capacitance RAM, dual transistor RAM, eDRAM, EDO RAM, DDR RAM, EEPROM, NRAM, RRAM, SONOS, PRAM; flash memory or other storage technology, such as in a solid state drive (Solid State Drive, SSD) or flash memory drive; magnetic tape cartridges, magnetic tape, and magnetic disk storage, such as in a hard disk drive or floppy disk; optical storage, such as in compact discs (CD-ROM) or digital versatile discs (Digital Versatile Disk, DVD); and any other medium that can be used to store the desired data and that can be accessed by computer system 20.
The system memory 22, the removable storage device 27, and the non-removable storage device 28 of the computer system 20 may be used to store an operating system 35, additional application programs 37, other program modules 38, and program data 39. The computer system 20 may include a peripheral interface 46 for communicating data from an input device 40, such as a keyboard, mouse, stylus, game controller, voice input device, touch input device, or other peripheral device, such as a printer or scanner via one or more I/O ports, such as a serial port, parallel port, universal serial bus (Universal Serial Bus, USB), or other peripheral interface. A display device 47, such as one or more monitors, projectors or integrated displays, can also be connected to system bus 23 via an output interface 48, such as a video adapter. In addition to the display device 47, the computer system 20 may be equipped with other peripheral output devices (not shown), such as speakers and other audiovisual devices.
The computer system 20 may operate in a networked environment using network connections to one or more remote computers 49. The one or more remote computers 49 may be local computer workstations or servers that include most or all of the elements previously described above in describing the nature of the computer system 20. Other devices may also be present in a computer network such as, but not limited to, routers, network sites, peer devices, or other network nodes. The computer system 20 may include one or more Network interfaces 51 or Network adapters for communicating with remote computer 49 through one or more networks, such as a Local-Area Network (LAN) 50, a Wide-Area Network (WAN), an intranet, and the internet. Examples of network interfaces 51 may include ethernet interfaces, frame relay interfaces, SONET (synchronous optical network) interfaces, and wireless interfaces.
Aspects of the present invention may be a system, method, and/or computer program product. The computer program product may include one or more computer-readable storage media having computer-readable program instructions thereon for causing a processor to perform aspects of the present invention.
The computer readable storage medium may be a tangible device that can hold and store program code in the form of instructions or data structures that can be accessed by a processor of a computing device, such as computer system 20. The computer readable storage medium may be an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination thereof. By way of example, such computer-readable storage media may include Random Access Memory (RAM), Read-Only Memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), portable Compact Disc Read-Only Memory (CD-ROM), Digital Versatile Discs (DVD), flash memory, hard disks, portable computer diskette, memory stick, floppy disk, or even a mechanical coding device such as a punch card or a protrusion structure in a groove having instructions recorded thereon. As used herein, a computer-readable storage medium should not be considered a transitory signal per se, such as a radio wave or other freely propagating electromagnetic wave, an electromagnetic wave propagating through a waveguide or transmission medium, or an electrical signal transmitted through an electrical wire.
The computer readable program instructions described herein may be downloaded from a computer readable storage medium to a corresponding computing device, or downloaded over a network (e.g., the internet, a local area network, a wide area network, and/or a wireless network) to an external computer or external storage device. The network may include copper transmission cables, optical transmission fibers, wireless transmissions, routers, firewalls, switches, gateway computers and/or edge servers. The network interface in each computing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage in a computer-readable storage medium within the respective computing device.
Computer readable program instructions for performing the operations of the present invention can be assembly instructions, Instruction Set Architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source or object code written in any combination of one or more programming languages, including an object-oriented programming language and a conventional programming language. The computer-readable program instructions (as a stand-alone software package) may execute entirely on the user's computer, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network (including a LAN or a WAN), or the connection may be made to an external computer (for example, through the Internet). In some aspects, electronic circuitry, including, for example, programmable logic circuitry, Field Programmable Gate Arrays (FPGAs), or Programmable Logic Arrays (PLAs), may execute computer-readable program instructions by utilizing state information of the computer-readable program instructions to personalize the electronic circuitry to perform aspects of the present invention.
In various aspects, the systems and methods described in this disclosure may be handled as modules. The term "module" as used herein refers to, for example, a real world device, a component, or an arrangement of components implemented using hardware, such as through an Application Specific Integrated Circuit (ASIC) or FPGA, or a combination of hardware and software, such as implemented by a microprocessor system and a set of instructions that, when executed, transform the microprocessor system into a special-purpose device that implements the functions of the module. A module may also be implemented as a combination of two modules, where some functions are facilitated by hardware alone, and other functions are facilitated by a combination of hardware and software. In some implementations, at least a portion of the modules (and in some cases all of the modules) may run on a processor of a computer system (e.g., a computer system as described in more detail in FIG. 4 above). Thus, each module may be implemented in a variety of suitable configurations and should not be limited to any particular implementation illustrated herein.
In the interest of clarity, not all routine features of the various aspects are disclosed herein. It will be appreciated that in the development of any actual implementation of the invention, numerous implementation-specific decisions must be made in order to achieve the developer's specific goals, and that these specific goals will vary from one implementation to another and from one developer to another. It will be appreciated that such a development effort might be complex and time-consuming, but would nevertheless be a routine undertaking of engineering for those of ordinary skill in the art having the benefit of this disclosure.
Further, it is to be understood that the phraseology or terminology used herein is for the purpose of description and not of limitation, such that the terminology or phraseology of the present specification is to be interpreted by the skilled artisan in light of the teachings and guidance presented herein, in combination with the knowledge of one(s) of ordinary skill in the relevant art. Furthermore, no terms in the specification or claims are intended to be ascribed an uncommon or special meaning unless explicitly set forth as such.
Various aspects disclosed herein include present and future known equivalents to the known modules referred to herein by way of illustration. Furthermore, while various aspects and applications have been shown and described, it would be apparent to those skilled in the art having the benefit of this disclosure that many more modifications than mentioned above are possible without departing from the inventive concepts disclosed herein.

Claims (20)

1. A method for detecting cyclical activity in an event stream of a dynamic analysis system, the method comprising:
creating a buffer of a predetermined size for the event stream occurring during execution of the application and determining a threshold value for indicating the start of a loop;
processing each event in the event stream, wherein the processing includes populating the buffer with the events, populating a dictionary, and determining a number of unique events in the buffer when the event is added to the buffer;
when the number of events in the buffer reaches a predetermined size of the buffer, replacing one of the events in the buffer with a new event by excluding the earliest event and including the newly processed event, recalculating the number of unique events in the buffer, and comparing the recalculated number of unique events with a threshold for a maximum number of unique events in the buffer for loop detection; and
the start of a loop is detected when the number of unique events in the buffer is less than or equal to the maximum number of unique events in the buffer for loop detection, further events from the event stream are excluded, and the number of unique events in the buffer continues to be recalculated after each new event is added.
2. The method of claim 1, wherein determining the threshold value for indicating the start of a loop is performed using a ratio Xc = L/K, where Xc represents a maximum number of unique events in the buffer for loop detection, L represents a parameter of the size of the buffer indicating the maximum number of events in the buffer, and K represents a configurable parameter.
3. The method of claim 1, wherein when the number of unique events in the buffer is greater than the maximum number of unique events in the buffer for loop detection, continuing to fill the buffer, replacing one of the events in the buffer with the new event, and recalculating the number of unique events in the buffer until the number of unique events in the buffer is less than or equal to the maximum number of unique events in the buffer for loop detection.
4. The method of claim 1, further comprising:
after detecting the start of the loop, completing the loop and starting to include events generated in the event stream during dynamic analysis of the application when the number of unique events in the buffer increases and exceeds the maximum number of unique events in the buffer for loop detection.
5. The method of claim 4, further comprising:
creating another buffer to which events occurring in the event stream are added; and
counting the number of unique events in the other buffer so created to detect another loop.
6. The method of claim 1, wherein the event occurs during execution of the application when a system application programming interface call is made.
7. The method of claim 1, wherein the buffer comprises a circular buffer.
8. The method of claim 1, wherein a maximum number of unique events in the buffer for loop detection is less than a size of the buffer indicating a maximum number of events in the buffer, and a maximum number of unique events in the buffer for loop detection is less than a total number of events.
9. The method of claim 1, wherein the buffer is generated in real-time during dynamic analysis of the application.
10. A system for detecting cyclical activity in an event stream of a dynamic analysis system, comprising:
at least one processor configured to:
creating a buffer of a predetermined size for the event stream occurring during execution of the application and determining a threshold value for indicating the start of a loop;
processing each event in the event stream, wherein the processing includes populating the buffer with the events, populating a dictionary, determining a number of unique events in the buffer when the event is added to the buffer;
when the number of events in the buffer reaches a predetermined size of the buffer, replacing one of the events in the buffer with a new event by excluding the earliest event and including the newly processed event, recalculating the number of unique events in the buffer, and comparing the recalculated number of unique events with a threshold for a maximum number of unique events in the buffer for loop detection; and
the start of a loop is detected when the number of unique events in the buffer is less than or equal to the maximum number of unique events in the buffer for loop detection, further events from the event stream are excluded, and the number of unique events in the buffer continues to be recalculated after each new event is added.
11. The system of claim 10, wherein determining the threshold value for indicating the start of a loop is performed using a ratio Xc = L/K, where Xc represents a maximum number of unique events in the buffer for loop detection, L represents a parameter of the size of the buffer indicating the maximum number of events in the buffer, and K represents a configurable parameter.
12. The system of claim 10, wherein when the number of unique events in the buffer is greater than the maximum number of unique events in the buffer for loop detection, continuing to fill the buffer, replacing one of the events in the buffer with the new event, and recalculating the number of unique events in the buffer until the number of unique events in the buffer is less than or equal to the maximum number of unique events in the buffer for loop detection.
13. The system of claim 10, the processor further configured to:
after detecting the start of the loop, completing the loop and starting to include events generated in the event stream during dynamic analysis of the application when the number of unique events in the buffer increases and exceeds the maximum number of unique events in the buffer for loop detection.
14. The system of claim 13, the processor further configured to:
creating another buffer to which events occurring in the event stream are added; and
counting the number of unique events in the other buffer so created to detect another loop.
15. The system of claim 10, wherein the event occurs during execution of the application when a system application programming interface call is made.
16. The system of claim 10, wherein the buffer comprises a circular buffer.
17. The system of claim 10, wherein a maximum number of unique events in the buffer for loop detection is less than a size of the buffer indicating a maximum number of events in the buffer, and a maximum number of unique events in the buffer for loop detection is less than a total number of events.
18. A non-transitory computer-readable medium having stored thereon computer-executable instructions for detecting cyclical activity in an event stream of a dynamic analysis system, the computer-executable instructions comprising instructions for:
creating a buffer of a predetermined size for the event stream occurring during execution of the application and determining a threshold value for indicating the start of a loop;
processing each event in the event stream, wherein the processing includes populating the buffer with the events, populating a dictionary, determining a number of unique events in the buffer when the event is added to the buffer;
when the number of events in the buffer reaches a predetermined size of the buffer, replacing one of the events in the buffer with a new event by excluding the earliest event and including the newly processed event, recalculating the number of unique events in the buffer, and comparing the recalculated number of unique events with a threshold for a maximum number of unique events in the buffer for loop detection; and
the start of a loop is detected when the number of unique events in the buffer is less than or equal to the maximum number of unique events in the buffer for loop detection, further events from the event stream are excluded, and the number of unique events in the buffer continues to be recalculated after each new event is added.
19. The non-transitory computer-readable medium of claim 18, wherein determining the threshold for indicating the start of a loop is performed using a ratio Xc = L/K, where Xc represents a maximum number of unique events in the buffer for loop detection, L represents a parameter of the size of the buffer indicating the maximum number of events in the buffer, and K represents a configurable parameter.
20. The non-transitory computer-readable medium of claim 18, wherein when the number of unique events in the buffer is greater than the maximum number of unique events in the buffer for loop detection, continuing to fill the buffer, replacing one of the events in the buffer with the new event, and recalculating the number of unique events in the buffer until the number of unique events in the buffer is less than or equal to the maximum number of unique events in the buffer for loop detection.

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
RU2022124419 2022-09-15
US18/338,137 US20240095353A1 (en) 2022-09-15 2023-06-20 System and method for detecting cyclic activity in an event flow for dynamic application analysis
US18/338,137 2023-06-20

Publications (1)

Publication Number Publication Date
CN117708810A true CN117708810A (en) 2024-03-15

Family

ID=90163030

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311010083.8A Pending CN117708810A (en) 2022-09-15 2023-08-11 System and method for detecting cyclical activity in event streams for dynamic application analysis

Country Status (1)

Country Link
CN (1) CN117708810A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination