Method, device and system for alerting against unknown malicious codes within a network environment

DC CAFC

US 10,027,693 B2
Filed: 03/25/2016
Issued: 07/17/2018
Est. Priority Date: 11/26/2009
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A method for alerting against unknown malicious codes, the method comprising:

receiving, by a network device, a request sent by a terminal for obtaining a file from a network entity and a data stream carrying the file;

recording, by the network device, a source path carried in the request, wherein the network entity provides the file on the source path;

judging, by the network device, whether the file is an executable file according to at least one of;

the request and the data stream carrying the file;

when the network device judges the file is an executable file, sending, by the network device, first alert information that carries the source path to a monitoring device;

receiving, by the network device, second alarm information sent by the monitoring device after further detecting the file downloaded according to the source path by the monitoring device; and

intercepting, by the network device,a) the executable file according to the second alarm information comprising a maliciousness of the executable file;

orb) the executable file and packets transmitted in a Botnet according to the second alarm information comprising the maliciousness of the executable file and Botnet topology information.

View all claims

3 Assignments

Timeline View

Assignment View

Litigations

2 Petitions

Accused Products

Abstract

A method, a device, and a system for alerting against unknown malicious codes includes judging whether any suspicious code exists in the packet, recording a source path of the suspicious code and sending alert information that carries the source path to a monitoring device. The embodiments of the present disclosure report the source paths of suspicious codes proactively at the earliest possible time, which lays a foundation for shortening the time required for overcoming virus threats, and avoids the trouble of installing software on the terminal.

16 Citations

9 Claims

1. A method for alerting against unknown malicious codes, the method comprising:
- receiving, by a network device, a request sent by a terminal for obtaining a file from a network entity and a data stream carrying the file;
  
  recording, by the network device, a source path carried in the request, wherein the network entity provides the file on the source path;
  
  judging, by the network device, whether the file is an executable file according to at least one of;
  
  the request and the data stream carrying the file;
  
  when the network device judges the file is an executable file, sending, by the network device, first alert information that carries the source path to a monitoring device;
  
  receiving, by the network device, second alarm information sent by the monitoring device after further detecting the file downloaded according to the source path by the monitoring device; and
  
  intercepting, by the network device,a) the executable file according to the second alarm information comprising a maliciousness of the executable file;
  
  orb) the executable file and packets transmitted in a Botnet according to the second alarm information comprising the maliciousness of the executable file and Botnet topology information.
- View Dependent Claims (2)
- - 2. The method according to claim 1, wherein the judging, by the network device, whether the file is the executable file according to at least one of:
    - the request and the data stream carrying the file comprises at least one of;
      
      detecting, by the network device, whether a string which indicates a name of the executable file exists in the request; and
      
      detecting, by the network device, whether a file header of the executable file exists in the data stream-returned by the network entity.

3. A network device comprising computing hardware and a non-transitory computer-readable storage medium including computer-executable instructions executed by the computing hardware to perform, on the network device, operations comprising:
- receiving a request sent by a terminal for obtaining a file from a network entity and receiving a data stream carrying the file;
  
  recording a source path carried in the request, wherein the network entity provides the file on the source path;
  
  judging the file is an executable file according to at least one of;
  
  the request and the data stream carrying the file;
  
  when the network device judges the file is the executable file, sending first alert information that carries the source path to a monitoring device;
  
  receiving second alarm information sent by the monitoring device sent by the monitoring device after further detecting the file downloaded according to the source path by the monitoring device, wherein the second alarm information includes (a) a maliciousness of the executable file or (b) the maliciousness of the executable file and Botnet topology information; and
  
  interceptingi. the executable file according to one of the maliciousness of the executable file;
  
  orii. the executable file and packets transmitted in a Botnet according to the second alarm information comprising the maliciousness of the executable file and Botnet topology information.
- View Dependent Claims (4)
- - 4. The network device according to claim 3, wherein the judging whether the file is an executable file according to at least one of:
    - the request and the data stream carrying the file comprises at least one of;
      
      detecting whether a string which indicates a name of the executable file exists in the request; and
      
      detecting whether a file header of the executable file exists in the data stream received from the network entity.

5. A system for alerting against unknown malicious codes comprising a network device and a monitoring device:
- the network device comprising a first computing hardware and a first non-transitory computer-readable storage medium including a first set of computer-executable instructions executed by the first computing hardware to perform, on the network device, operations comprising;
  
  a) receiving a request sent by a terminal for obtaining a file from a network entity and receiving a data stream carrying the file;
  
  b) recording a source path carried in the request, wherein the network entity provides the file on the source path;
  
  c) determining the file is an executable file according to at least one of (a) the received request and (b) the data stream carrying the file;
  
  d) sending first alert information that carries the source path to a monitoring device when the network device determines the file is an executable file;
  
  e) receiving second alarm information sent by the monitoring device after detecting the executable file downloaded according to the source path; and
  
  f) interceptingi. the executable file according to one of the maliciousness of the executable file;
  
  orii. the executable file and packets transmitted in a Botnet according to the second alarm information comprising the maliciousness of the executable file and Botnet topology information; and
  
  the monitoring device comprising a second computing hardware and a second non-transitory computer-readable storage medium including a second set of computer-executable instructions executed by the second computing hardware to perform, on the monitoring device, operations comprising;
  
  a) receiving the first alert information from the network device;
  
  b) downloading an executable file according to the source path;
  
  c) detecting the executable file to confirm maliciousness of the executable file; and
  
  d) sending the second alarm information to the network device, wherein the second alarm information comprises one of;
  
  maliciousness of the executable file, and both the maliciousness of the executable file and Botnet topology information.
- View Dependent Claims (6, 7)
- - 6. The system for alerting against unknown malicious codes according to claim 5,wherein the operations performed on the monitoring device further comprise at least one of:
    - detecting maliciousness of the executable file by characteristics detection; and
      
      detecting maliciousness of the executable file by sandbox test.
  - 7. The system for alerting against unknown malicious codes according to claim 5, wherein determining the file is an executable file according to at least one of:
    - the request sent by the terminal and the data stream carrying the file, and determining the file is an executable file includes at least one of;
      
      a) detecting whether a string which indicates a name of the executable file exists in the request; and
      
      b) detecting whether a file header of the executable file exists in the data stream received from the network entity.

8. A non-transitory computer readable medium storing instructions for execution by a processor, the instructions causing the processor to be configured to provide the following:
- receive a request sent by a terminal for obtaining a file from a network entity and receive a data stream carrying the file;
  
  record a source path carried in the request, wherein the network entity provides the file on the source path;
  
  determine whether the file is an executable file according to (a) the request or (b) the data stream carrying the file;
  
  send first alert information that carries the source path to a monitoring device, if the network device judges the file is the executable file;
  
  receive second alarm information that includes (a) a maliciousness of the executable file or (b) the maliciousness of the executable file and Botnet topology information; and
  
  interceptinga) the executable file according to one of the maliciousness of the executable file;
  
  orb) the executable file and packets transmitted in a Botnet according to the second alarm information comprising the maliciousness of the executable file and Botnet topology information.
- View Dependent Claims (9)
- - 9. The network device according to claim 8, wherein determining the file is an executable file according to the request or the data stream carrying the file comprises:
    - detecting whether a string which indicates the name of the executable file exists in the request; and
      
      /ordetecting whether a file header of the executable file exists in the data, which is transmitted by the data stream returned by the network entity.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Huawei Digital Technologies (Cheng Du) Co. Ltd (Huawei Investment & Holding Co., Ltd.)
Inventors
Jiang, Wu
Primary Examiner(s)
WRIGHT, BRYAN F

Application Number

US15/081,018
Publication Number

US 20160212160A1
Time in Patent Office

844 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 2463/146   Tracing the source of attacks

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Method, device and system for alerting against unknown malicious codes within a network environment

First Claim

3 Assignments

Litigations

2 Petitions

Accused Products

Abstract

16 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Method, device and system for alerting against unknown malicious codes within a network environment

First Claim

3 Assignments

Subscription Required

Subscription Required

Litigations

2 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links