Electronic message analysis for malware detection
First Claim
1. A computer implemented method for detecting malicious network content by a malware detection system including a hardware processor and a memory, comprising:
- receiving, by the malware detection system, an electronic email message;
- analyzing, by the malware detection system, the electronic email message to detect a uniform resource locator (URL) within message content of the electronic email message;
- determining whether the detected URL within the message content is suspicious;
- in response to a determination that the detected URL is suspicious, processing the suspicious URL detected within the message content of the electronic email message, wherein the processing of the suspicious URL comprises analyzing, within a virtual environment, one or more behaviors in response to a request for content associated with the suspicious URL; and
- identifying the suspicious URL detected within the message content of the electronic email message as malicious based on results of the analyzing of the suspicious URL in the virtual environment.
Abstract
An electronic message is analyzed for malware contained in the message. Text of an electronic message may be analyzed to detect and process malware content in the electronic message itself. The present technology may analyze an electronic message and attachments to electronic messages to detect a uniform resource locator (URL), identify whether the URL is suspicious, and analyze all suspicious URLs to determine if they are malware. The analysis may include re-playing the suspicious URL in a virtual environment which simulates the intended computing device to receive the electronic message. If the re-played URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system.
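The flow described in the abstract, sketched in Python as an added example; it is not code from the patent or its assignee. The triage rule (a URL is suspicious unless its host is on a known-good list), the `replay` callable standing in for the virtual-environment analysis, and all sample hosts and behaviors are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def extract_urls(raw_message):
    """Return URLs from every text part of the message, attachments included."""
    msg = message_from_string(raw_message, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and binary parts
        for url in URL_RE.findall(part.get_content()):
            url = url.rstrip(".,;)")  # drop trailing sentence punctuation
            if url not in urls:
                urls.append(url)
    return urls

def analyze_message(raw_message, replay, blacklist, known_good_hosts):
    """Triage each URL, replay the suspicious ones, update the blacklist."""
    verdicts = {}
    for url in extract_urls(raw_message):
        host = (urlsplit(url).hostname or "").lower()
        if url in blacklist:
            verdicts[url] = "malicious (blacklisted)"
        elif host in known_good_hosts:  # assumed triage rule, not the patent's
            verdicts[url] = "not suspicious"
        elif replay(url):  # non-empty list of undesirable behaviors
            blacklist.add(url)
            verdicts[url] = "malicious"
        else:
            verdicts[url] = "suspicious, no undesirable behavior observed"
    return verdicts

# Constructed sample: two URLs in the body, one in an HTML attachment.
def sample_message():
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("See https://intranet.example.com/wiki and http://203.0.113.7/inv.exe.")
    msg.add_attachment("<a href='http://login.example.net/reset'>reset</a>",
                       subtype="html", filename="note.html")
    return msg.as_string()

# Constructed stand-in for the virtual-environment replay.
OBSERVED = {"http://203.0.113.7/inv.exe": ["wrote executable to disk"]}
def fake_replay(url):
    return OBSERVED.get(url, [])
```

Passing the same `blacklist` set to later calls shows the effect of the update step: a URL judged malicious once is rejected on sight without another replay.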
43 Claims
18. A system for detecting malicious network content, comprising:
- an electronic message malware detection system to (i) receive an electronic email message, (ii) analyze the electronic email message to detect a uniform resource locator (URL) address within message content of the electronic email message, and (iii) determine whether the detected URL within the message content is suspicious;
- a web malware detection system coupled with the electronic message malware detection system, the web malware detection system, in response to receipt of the suspicious URL, (i) processes the suspicious URL detected within the message content of the electronic email message, wherein processing of the suspicious URL comprises analyzing, within a virtual environment, one or more behaviors in response to a request for web content, and (ii) identifies the suspicious URL detected within the electronic email message content as malicious based on results of the analyzing of the suspicious URL detected within the electronic email message content in the virtual environment.
29. A malware detection system comprising:
- a processor; and
- a memory communicatively coupled to the processor, the memory comprises software that, when executed by the processor, performs operations that comprise;
  - analyzing content within an electronic message to detect a uniform resource locator (URL) within the content of the electronic message,
  - determining whether the detected URL is suspicious,
  - in response to determining that the detected URL is suspicious, analyzing, within a virtual environment, content received in response to a request initiated during processing of the suspicious URL, and
  - identifying the suspicious URL detected within the message content of the electronic email message as malicious based on one or more undesirable behaviors being detected within the virtual environment upon the request being initiated during processing of the URL.
Specification