Mandiant, Inc.
System and method for classifying an object based on an aggregated behavior results

Abstract:

Techniques for detecting malicious behavior of content (object) are described herein. An object is processed within a virtual machine. Responsive to receiving the result of the processing (response object), a parser parses the response object into a plurality of sub-objects. The plurality of sub-objects include a first sub-object and a second sub-object. A first behavior match result is determined based, at least in part, on whether information within the first sub-object corresponds to a identifiers associated with malicious activity. Also, a second behavior match result is determined based, at least in part, on whether information within the second sub-object corresponds to identifiers associated with malicious activity. Thereafter, the first and second behavior match results are aggregated to produce an aggregated result, wherein a malicious behavior score is calculated based, at least in part, on the aggregated result. The object is classified according to the malicious behavior score.