Systems and methods for malware detection and scanning
First Claim
1. A computer-implemented method operating in a computing system for malware scanning and detection, the method comprising:
launching, in a computing device of the computing system, a controller virtual machine;
launching, in the computing device, a plurality of honeypot virtual machines (HPVMs), each HPVM including an internet browser;
selecting, by the controller virtual machine, a subset of the plurality of HPVMs to access one or more web pages based on rate-limiting criteria associated with the one or more web pages;
transmitting, by the controller virtual machine, instructions to the subset of the plurality of HPVMs to access one or more web pages;
requesting, by the subset of the plurality of HPVMs, data from one or more web pages; and
performing analysis on the one or more web pages using one or more analysis tools, wherein performing analysis on the one or more web pages includes:
performing monitoring and recording of system application programming interface (API) calls, creating software objects associated with the one or more web pages, performing antivirus scanning of the software objects, de-obfuscating JavaScript associated with the software objects, and correlating data associated with the performed analysis to determine if the one or more web pages includes a malicious web page.
Abstract
Systems and methods are provided for malware scanning and detection in a computing system. In one exemplary embodiment, the method includes launching, in a computing device of the computing system, a virtual machine, and launching, in the virtual machine of the computing device, an internet browser. The method also includes requesting, by the internet browser, data from a web page, and performing, using one or more analysis tools, analysis on the web page. In the method, performing analysis on the web page includes performing monitoring and recording of system application programming interface (API) calls, and creating software objects associated with the web page. The method also includes performing antivirus scanning of the software objects, de-obfuscating JavaScript associated with the software objects, and correlating data associated with the performed analysis to determine if the web page is a malicious web page.
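The first claim and the abstract describe an architecture rather than an algorithm: a controller VM decides, under per-page rate-limiting criteria, which honeypot VMs fetch which pages, and a correlation step turns three classes of per-page signals (recorded system API calls, antivirus hits on the objects a page produced, indicators found in de-obfuscated JavaScript) into a verdict. The Python below is an added toy model of those two pieces; it is not code from the patent or its assignee. The class and function names, the indicator lists, the "at least two independent signal classes" threshold, the String.fromCharCode folding as the de-obfuscation step, and the sample observations are all constructed assumptions made for this example.

```python
"""Toy model of the controller/honeypot-VM pipeline in the claim (added example).
All names, thresholds and sample data below are constructed for illustration."""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class HoneypotVM:
    name: str
    busy: bool = False


@dataclass
class RateLimit:
    max_concurrent: int = 1  # HPVMs allowed to fetch from one host at the same time


class Controller:
    """Controller VM: picks the subset of idle HPVMs that may fetch each URL now."""

    def __init__(self, hpvms: list[HoneypotVM], limits: dict[str, RateLimit] | None = None):
        self.hpvms = hpvms
        self.limits = limits or {}          # per-host rate-limiting criteria
        self.active: dict[str, int] = {}    # host -> HPVMs currently fetching it

    def select(self, urls: list[str]) -> dict[str, str]:
        plan: dict[str, str] = {}
        for url in urls:
            host = urlparse(url).hostname or ""
            limit = self.limits.get(host, RateLimit()).max_concurrent
            if self.active.get(host, 0) >= limit:
                continue  # host already at its limit: defer this URL to a later round
            vm = next((v for v in self.hpvms if not v.busy), None)
            if vm is None:
                break     # no idle HPVM left for this round
            vm.busy = True
            self.active[host] = self.active.get(host, 0) + 1
            plan[url] = vm.name
        return plan

    def release(self, url: str, vm_name: str) -> None:
        """Return an HPVM to the pool once its page analysis has finished."""
        host = urlparse(url).hostname or ""
        self.active[host] = max(0, self.active.get(host, 0) - 1)
        for vm in self.hpvms:
            if vm.name == vm_name:
                vm.busy = False


@dataclass
class PageObservation:
    """What the analysis tools recorded while one HPVM rendered one page."""
    url: str
    api_calls: list[str]              # system API calls seen during rendering
    dropped_objects: dict[str, bool]  # software object -> antivirus hit?
    scripts: list[str]                # JavaScript extracted from the page


# Constructed indicator lists; a real deployment would use far larger ones.
SUSPICIOUS_APIS = {"CreateProcessW", "WriteProcessMemory", "URLDownloadToFileW"}
JS_INDICATORS = ("eval(", "unescape(", "ActiveXObject", ".exe")


def deobfuscate(js: str) -> str:
    """Fold String.fromCharCode(...) literals back into plain strings so that
    indicators hidden behind them become visible to the string matcher."""
    def fold(m: re.Match) -> str:
        return '"' + "".join(chr(int(c)) for c in re.findall(r"\d+", m.group(1))) + '"'
    return re.sub(r"String\.fromCharCode\(([\d,\s]+)\)", fold, js)


def correlate(obs: PageObservation) -> tuple[bool, list[str]]:
    """Correlate the three signal classes; flag the page only when at least two
    independent classes agree, so that one noisy detector cannot convict alone."""
    reasons: list[str] = []
    api_hits = SUSPICIOUS_APIS & set(obs.api_calls)
    if api_hits:
        reasons.append("api:" + ",".join(sorted(api_hits)))
    av_hits = sorted(name for name, hit in obs.dropped_objects.items() if hit)
    if av_hits:
        reasons.append("av:" + ",".join(av_hits))
    for js in obs.scripts:
        clear = deobfuscate(js)
        reasons.extend(f"js:{ind}" for ind in JS_INDICATORS if ind in clear)
    classes = {r.split(":", 1)[0] for r in reasons}
    return len(classes) >= 2, reasons


if __name__ == "__main__":
    ctl = Controller([HoneypotVM(f"hpvm-{i}") for i in range(3)])
    urls = ["http://a.example/1", "http://a.example/2", "http://b.example/"]
    print(ctl.select(urls))  # a.example/2 is deferred: host a.example is at its limit
    sample = PageObservation(  # constructed observation, not real telemetry
        url="http://a.example/1",
        api_calls=["NtCreateFile", "URLDownloadToFileW", "CreateProcessW"],
        dropped_objects={"update.exe": True, "style.css": False},
        scripts=["window[String.fromCharCode(101,118,97,108)]"
                 "(String.fromCharCode(117,110,101,115,99,97,112,101,40,112,41));"],
    )
    print(correlate(sample))
```

The two-class rule is the point of the correlation step: a page that only drops a file the antivirus dislikes, or only contains eval(), is recorded but not flagged, while API-call evidence plus an antivirus hit plus a de-obfuscated indicator together produce a verdict with every contributing reason attached for the analyst.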
23 Claims
1. A computer-implemented method operating in a computing system for malware scanning and detection, the method comprising:
launching, in a computing device of the computing system, a controller virtual machine; launching, in the computing device, a plurality of honeypot virtual machines (HPVMs), each HPVM including an internet browser; selecting, by the controller virtual machine, a subset of the plurality of HPVMs to access one or more web pages based on rate-limiting criteria associated with the one or more web pages; transmitting, by the controller virtual machine, instructions to the subset of the plurality of HPVMs to access one or more web pages; requesting, by the subset of the plurality of HPVMs, data from one or more web pages; and performing analysis on the one or more web pages using one or more analysis tools, wherein performing analysis on the one or more web pages includes: performing monitoring and recording of system application programming interface (API) calls, creating software objects associated with the one or more web pages, performing antivirus scanning of the software objects, de-obfuscating JavaScript associated with the software objects, and correlating data associated with the performed analysis to determine if the one or more web pages includes a malicious web page.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. A computing system for malware scanning and detection, the system comprising:
a memory that includes a software component; and a processor that is coupled to the memory and, when executing the software component, is configured to: launch, in a computing device of the computing system, a controller virtual machine; launch, in the computing device, a plurality of honeypot virtual machines (HPVMs), each HPVM including an internet browser; select, by the controller virtual machine, a subset of the plurality of HPVMs to access one or more web pages based on rate-limiting criteria associated with the one or more web pages; transmit, by the controller virtual machine, instructions to the subset of the plurality of HPVMs to access one or more web pages; request, by the subset of the plurality of HPVMs, data from one or more web pages; and perform analysis on the one or more web pages using one or more analysis tools, wherein performing analysis on the one or more web pages includes: performing monitoring and recording of system application programming interface (API) calls, creating software objects associated with the one or more web pages, performing antivirus scanning of the software objects, de-obfuscating JavaScript associated with the software objects, and correlating data associated with the performed analysis to determine if the one or more web pages includes a malicious web page.
Dependent claims: 13, 14, 15, 16, 17, 18

19. A non-transitory computer-readable storage medium including instructions that, when executed by a processor, cause the processor to scan and detect malware, by performing the steps of:
launching, in a computing device of the computing system, a controller virtual machine; launching, in the computing device, a plurality of honeypot virtual machines (HPVMs), each HPVM including an internet browser; selecting, by the controller virtual machine, a subset of the plurality of HPVMs to access one or more web pages based on rate-limiting criteria associated with the one or more web pages; transmitting, by the controller virtual machine, instructions to the subset of the plurality of HPVMs to access one or more web pages; requesting, by the subset of the plurality of HPVMs, data from one or more web pages; and performing analysis on the one or more web pages using one or more analysis tools, wherein performing analysis on the one or more web pages includes: performing monitoring and recording of system application programming interface (API) calls, creating software objects associated with the web page, performing antivirus scanning of the software objects, de-obfuscating JavaScript associated with the software objects, and correlating data associated with the performed analysis to determine if the web page is a malicious web page.
Dependent claims: 20, 21, 22, 23
Specification