Detection and remediation of potentially malicious files

US 10,009,370 B1
Filed: 03/01/2016
Issued: 06/26/2018
Est. Priority Date: 03/01/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

obtaining a potentially malicious file;

decoding the file to identify one or more code streams;

processing each of the identified code streams to determine the presence of respective ones of a set of indicators of compromise;

determining whether the file is malicious based at least in part on the presence of one or more of the indicators of compromise in the code streams; and

modifying access by a given client device to the file responsive to determining that the file is malicious;

wherein the set of indicators of compromise are arranged in a hierarchy from one or more relatively benign indicators of compromise to one or more relatively malicious indicators of compromise;

wherein processing each of the identified code streams to determine the presence of respective ones of the set of indicators of compromise comprises checking for the presence of respective ones of the set of indicators in an order determined based at least in part on the hierarchy; and

wherein the method is performed by at least one processing device comprising a processor coupled to a memory.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method comprises obtaining a potentially malicious file, decoding the file to identify one or more code streams, processing each of the identified code streams to determine the presence of respective ones of a set of indicators of compromise, determining whether the file is malicious based on the presence of one or more of the indicators of compromise in the code streams, and modifying access by a given client device to the file responsive to determining that the file is malicious.

Citations

20 Claims

1. A method comprising:
- obtaining a potentially malicious file;
  
  decoding the file to identify one or more code streams;
  
  processing each of the identified code streams to determine the presence of respective ones of a set of indicators of compromise;
  
  determining whether the file is malicious based at least in part on the presence of one or more of the indicators of compromise in the code streams; and
  
  modifying access by a given client device to the file responsive to determining that the file is malicious;
  
  wherein the set of indicators of compromise are arranged in a hierarchy from one or more relatively benign indicators of compromise to one or more relatively malicious indicators of compromise;
  
  wherein processing each of the identified code streams to determine the presence of respective ones of the set of indicators of compromise comprises checking for the presence of respective ones of the set of indicators in an order determined based at least in part on the hierarchy; and
  
  wherein the method is performed by at least one processing device comprising a processor coupled to a memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 19, 20)
- - 2. The method of claim 1 wherein the processing device comprises a network security system configured to communicate with a plurality of client devices, including the given client device, over at least one network.
  - 3. The method of claim 1 wherein the file comprises one of an Object Linking and Embedding Structure Storage (OLESS) document and an Office Open Extensible Markup Language (OOXML) document and at least one of the code streams comprises a Visual Basic for Application (VBA) scripting stream.
  - 4. The method of claim 1 wherein decoding the file comprises identifying one or more module stream names for respective ones of the code streams.
  - 5. The method of claim 4 wherein at least one of the module stream names comprises a stream name encoded utilizing a character set other than an American Standard Code for Information Interchange (ASCII) character set.
  - 6. The method of claim 1 wherein processing each of the identified code streams comprises de-obfuscating a given one of the code streams without executing the given code stream by:
    - identifying logic used to mask an original intent for the given code stream; and
      
      reversing the logic to restore the original intent of the given code stream.
  - 7. The method of claim 6 wherein the logic masks the original intent for the given code stream by obfuscating portions of code into fragmented strings, and reversing the logic comprises reassembling the fragmented strings to create a clear text code string.
  - 8. The method of claim 1 wherein the indicators of compromise comprise two or more of:
    - a first indicator of compromise that checks for one or more designated types of code;
      
      a second indicator of compromise that checks for code with auto-launch capability;
      
      a third indicator of compromise that checks for code with network download capability;
      
      a fourth indicator of compromise that checks for code with the ability to read from or write to memory; and
      
      a fifth indicator of compromise that checks for code with the ability to execute one or more other files from memory.
  - 9. The method of claim 8 wherein:
    - the first indicator of compromise checks for the presence of Visual Basic for Application (VBA) code;
      
      the second indicator of compromise checks VBA scripts for commands to automatically launch code when the file is opened without user intervention or knowledge;
      
      the third indicator of compromise checks for a set of VBA functions and ActiveX controls indicating that the file is capable of downloading content from a network;
      
      the fourth indicator of compromise checks for a set of VBA functions and ActiveX controls used to read from or write content to the memory; and
      
      the fifth indicator of compromise checks for a set of VBA functions and ActiveX controls that allow programs to be started.
  - 10. The method of claim 8 wherein different ones of the indicators of compromise are assigned different weights, and determining whether the file is malicious comprises determining whether a weighted total of the indicators of compromise present in the one or more code streams exceeds a designated threshold.
  - 11. The method of claim 10 wherein the first indicator of compromise and the second indicator of compromise are assigned lower weights relative to the third indicator of compromise, the fourth indicator of compromise and the fifth indicator of compromise.
  - 12. The method of claim 8 wherein determining whether the file is malicious comprises determining that the first, second, third, fourth and fifth indicators of compromise are present in a given one of the one or more code streams.
  - 13. The method of claim 8 wherein the set of indicators of compromise further comprise one or more user-defined indicators of compromise.
  - 14. The method of claim 1 wherein modifying access by the client device to the file comprises at least one of:
    - removing the file from a memory of the client device;
      
      preventing the client device from obtaining the file; and
      
      causing the file to be opened in a sandboxed application environment on the client device.
  - 19. The method of claim 1 wherein checking for the presence of the respective ones of the set of indicators in the order determined based at least in part on the hierarchy comprises:
    - checking for the presence of the one or more relatively benign indicators of compromise;
      
      progressing with checking for the presence of the one or more relatively malicious indicators of compromise responsive to detecting the presence of the one or more relatively benign indicators of compromise; and
      
      refraining from checking for the presence of the one or more relatively malicious indicators of compromise responsive to failure to detect the presence of the one or more relatively benign indicators of compromise.
  - 20. The method of claim 1 wherein the indicators of compromise are arranged in two or more groups within the hierarchy, and wherein checking for the presence of respective ones of the set of indicators in the order determined based at least in part on the hierarchy comprises checking for the presence of at least one indicator of compromise in each of the two or more groups within the hierarchy.

15. A computer program product comprising a non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by a processing device cause the processing device:
- to obtain a potentially malicious file;
  
  to decode the file to identify one or more code streams;
  
  to process each of the identified code streams to determine the presence of respective ones of a set of indicators of compromise;
  
  to determine whether the file is malicious based at least in part on the presence of one or more of the indicators of compromise in the code streams; and
  
  to modify access by a given client device to the file responsive to determining that the file is malicious;
  
  wherein the set of indicators of compromise are arranged in a hierarchy from one or more relatively benign indicators of compromise to one or more relatively malicious indicators of compromise; and
  
  wherein processing each of the identified code streams to determine the presence of respective ones of the set of indicators of compromise comprises checking for the presence of respective ones of the set of indicators in an order determined based at least in part on the hierarchy.
- View Dependent Claims (16)
- - 16. The computer program product of claim 15 wherein the indicators of compromise comprise two or more of:
    - a first indicator of compromise that checks for one or more designated types of code;
      
      a second indicator of compromise that checks for code with auto-launch capability;
      
      a third indicator of compromise that checks for code with network download capability;
      
      a fourth indicator of compromise that checks for code with the ability to read from or write to memory; and
      
      a fifth indicator of compromise that checks for code with the ability to execute one or more other files from memory.

17. An apparatus comprising:
- a processing device comprising a processor coupled to a memory;
  
  the processing device being configured;
  
  to obtain a potentially malicious file;
  
  to decode the file to identify one or more code streams;
  
  to process each of the identified code streams to determine the presence of respective ones of a set of indicators of compromise;
  
  to determine whether the file is malicious based at least in part on the presence of one or more of the indicators of compromise in the code streams; and
  
  to modify access by a given client device to the file responsive to determining that the file is malicious;
  
  wherein the set of indicators of compromise are arranged in a hierarchy from one or more relatively benign indicators of compromise to one or more relatively malicious indicators of compromise; and
  
  wherein processing each of the identified code streams to determine the presence of respective ones of the set of indicators of compromise comprises checking for the presence of respective ones of the set of indicators in an order determined based at least in part on the hierarchy.
- View Dependent Claims (18)
- - 18. The apparatus of claim 17 wherein the indicators of compromise comprise two or more of:
    - a first indicator of compromise that checks for one or more designated types of code;
      
      a second indicator of compromise that checks for code with auto-launch capability;
      
      a third indicator of compromise that checks for code with network download capability;
      
      a fourth indicator of compromise that checks for code with the ability to read from or write to memory; and
      
      a fifth indicator of compromise that checks for code with the ability to execute one or more other files from memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Douglas, Kevin, Das, Diptanu
Primary Examiner(s)
Herzog, Madhuri

Application Number

US15/057,631
Time in Patent Office

847 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

Detection and remediation of potentially malicious files

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection and remediation of potentially malicious files

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links