Malware detector
4 Assignments
0 Petitions
Abstract
A transparent proxy for malware detection includes a monitor module, a protocol determination module, a challenge generation module, a response determination module, and a data control module. The monitor module examines data originating from an application and destined for a remote server. The protocol determination module identifies the protocol type used for the data. The challenge generation module produces a challenge for the application based upon the protocol type, sends the challenge to the application, and maintains state relating the data to the challenge. The response determination module determines whether an automatic, non-interactive application response is received from the application in reply to the challenge. The data control module allows the data to continue to the remote server when the determination is valid. The data control module reports malware detection and blocks the data from continuing to the remote server when the determination is invalid.
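The abstract describes five cooperating modules but gives no code. The following is an added example written for this page, not code from the patent or its assignee, showing how the redirect-challenge flow can be driven as a small state machine: the proxy holds the intercepted HTTP request, answers it with a 302 carrying a per-client token, and releases or blocks the held request depending on whether the follow-up request returns the token within a time window. The timeout value, the `__chk` parameter name, the client identifiers and the sample request bytes are all assumptions made for the example; only plain HTTP gets a challenge here, and a TLS ClientHello is passed through unchallenged to show the protocol-determination branch.

```python
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

CHALLENGE_TIMEOUT = 5.0   # assumed value for the "predetermined time period" (seconds)
TOKEN_PARAM = "__chk"     # assumed query-parameter name that carries the challenge token
_REQ_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def protocol_of(raw: bytes) -> str:
    """Protocol determination: classify the first bytes sent by the client."""
    if _REQ_LINE.match(raw):
        return "http"
    if raw[:1] == b"\x16" and raw[1:2] == b"\x03":   # TLS record: handshake, version 3.x
        return "tls"
    return "other"


@dataclass
class PendingChallenge:
    token: str
    issued_at: float
    original: bytes          # the intercepted request, held until the client answers


class ChallengeProxy:
    """Monitor, challenge generation, response determination and data control in one class."""

    def __init__(self, timeout: float = CHALLENGE_TIMEOUT) -> None:
        self.timeout = timeout
        self.pending: Dict[str, PendingChallenge] = {}
        self.verdict: Dict[str, str] = {}    # client_id -> "browser" | "malware"
        self.forwarded: List[bytes] = []     # requests released to the real server

    def handle(self, client_id: str, raw: bytes, now: float) -> Tuple[str, bytes]:
        """Return (action, bytes_to_client); action is forward|challenge|block|pass."""
        if self.verdict.get(client_id) == "malware":
            return "block", b""                    # once flagged, nothing gets through
        if self.verdict.get(client_id) == "browser":
            self.forwarded.append(raw)             # already proven: pass straight on
            return "forward", b""
        if protocol_of(raw) != "http":
            return "pass", b""                     # only HTTP gets a redirect challenge here
        path = _REQ_LINE.match(raw).group(2).decode("ascii", "replace")
        pend = self.pending.get(client_id)
        if pend is None:
            # Challenge generation: answer with a 302 to the same URL plus a fresh token,
            # and remember the state so the follow-up request can be matched to it.
            token = secrets.token_urlsafe(16)
            self.pending[client_id] = PendingChallenge(token, now, raw)
            sep = "&" if "?" in path else "?"
            reply = (f"HTTP/1.1 302 Found\r\nLocation: {path}{sep}{TOKEN_PARAM}={token}\r\n"
                     f"Content-Length: 0\r\n\r\n").encode()
            return "challenge", reply
        # Response determination: the next request must carry the right token, in time.
        del self.pending[client_id]
        got = parse_qs(urlsplit(path).query).get(TOKEN_PARAM, [""])[0]
        on_time = (now - pend.issued_at) <= self.timeout
        if on_time and hmac.compare_digest(got, pend.token):
            self.verdict[client_id] = "browser"
            self.forwarded.append(pend.original)   # data control: release the held request
            return "forward", b""
        self.verdict[client_id] = "malware"        # wrong or missing token, or too late
        return "block", b""

    def sweep(self, now: float) -> List[str]:
        """Flag clients whose challenge expired without any follow-up request at all."""
        expired = [c for c, p in self.pending.items() if now - p.issued_at > self.timeout]
        for c in expired:
            del self.pending[c]
            self.verdict[c] = "malware"
        return expired


def follow_redirect(raw: bytes, reply: bytes) -> bytes:
    """What a browser does with a 302: re-issue the request against the Location URL."""
    loc = re.search(rb"\r\nLocation: (\S+)\r\n", reply).group(1)
    old = _REQ_LINE.match(raw).group(2)
    return raw.replace(old, loc, 1)


def demo() -> Dict[str, str]:
    """Constructed scenarios; returns the proxy's final action for each client."""
    proxy = ChallengeProxy()
    req = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"   # constructed sample
    out: Dict[str, str] = {}
    # A. browser-like client follows the redirect promptly -> original request forwarded
    _, reply = proxy.handle("client-A", req, now=100.0)
    out["A"] = proxy.handle("client-A", follow_redirect(req, reply), now=100.3)[0]
    # B. client ignores the 302 and simply re-sends the same request -> blocked
    proxy.handle("client-B", req, now=100.0)
    out["B"] = proxy.handle("client-B", req, now=100.5)[0]
    # C. client follows the redirect, but only after the time window -> blocked
    _, reply = proxy.handle("client-C", req, now=100.0)
    out["C"] = proxy.handle("client-C", follow_redirect(req, reply),
                            now=100.0 + CHALLENGE_TIMEOUT + 1.0)[0]
    # D. client never answers; a periodic sweep flags it before its next request
    proxy.handle("client-D", req, now=100.0)
    proxy.sweep(now=200.0)
    out["D"] = proxy.handle("client-D", req, now=200.1)[0]
    # E. a TLS record header is not HTTP -> passed through without a redirect challenge
    out["E"] = proxy.handle("client-E", b"\x16\x03\x01\x00\x10" + b"\x00" * 16, now=100.0)[0]
    return out
```

The held request is only released after the token round-trip, which is the "maintains state related to the data and the challenge" part of the abstract; the `sweep` method covers clients that go silent, since a client that never sends a second request would otherwise never be classified. A production proxy would key state on more than a client identifier and would need the challenge URL to be unguessable per request, which is why the token comes from `secrets` and is compared with `hmac.compare_digest`.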
35 Citations
18 Claims
1. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor to:
- intercept a communication from an application acting as a web browser executing at a compute device, the communication addressed to a server different from the compute device;
- identify a type of protocol of the communication;
- select, based on the type of protocol, a redirect request as an active content challenge for the application;
- send the redirect request to the application;
- identify the application as a valid web browser and send the communication to the server when a response to the redirect request is received from the application within a predetermined time period and is determined to be a correct response to the redirect request; and
- identify the application as malware and block the communication from being sent to the server when the response is not received from the application within the predetermined time period or is determined to be an incorrect response to the redirect request.

Dependent claims 2, 3, 4 and 5 are not reproduced on this page.

6. An apparatus, comprising:
a memory; and a hardware processor communicatively coupled to the memory, the hardware processor configured to intercept a communication from an application executing at a compute device, the communication addressed to a server different from the compute device, the hardware processor configured to identify a type of protocol of the communication, the hardware processor configured to select, based on the type of protocol and in response to the communication, a redirect request as an active content challenge for the application, the hardware processor configured to send the redirect request to the application, the hardware processor configured to identify the application as malware based at least in part on not receiving, in response to the redirect request, an expected response to the redirect request from the application within a predetermined time period, the processor configured to prevent the communication from being sent to the server in response to the application being identified as malware.

Dependent claims 7, 8, 9, 10, 11 and 12 are not reproduced on this page.

13. A method, comprising:
- intercepting a communication from an application executing at a compute device, the communication addressed to a server different from the compute device;
- identifying a type of protocol of the communication;
- selecting, based on the type of protocol and in response to the communication, a redirect request as an active content challenge for the application;
- sending the communication to the server;
- sending the redirect request to the application;
- classifying the application as malware when an expected response to the redirect request is not received from the application within a predetermined time period;
- receiving, from the server, a response to the communication; and
- preventing the response to the communication from being delivered to the application when the application is classified as malware.

Dependent claims 14, 15, 16, 17 and 18 are not reproduced on this page.
Specification