Method for detecting malware within network content

US 10,282,548 B1
Filed: 12/12/2016
Issued: 05/07/2019
Est. Priority Date: 02/24/2012
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious content within a data storage device, the method comprising:

quarantining data associated with a first digital device by at least (i) redirecting at least a portion of the data that is transmitted from the first digital device to a controller remotely located from the second digital device for analysis;

receiving, by the controller, the redirected data from the first digital device;

analyzing the redirected data in accordance with a first analysis to determine whether the first digital device is associated with a malicious attack, the first analysis being selected from a plurality of analyses, including the first analysis and a second analysis having a different depth of analysis than the first analysis, based on an estimated amount of time needed for an analysis of the redirected data without exceeding a predetermined time allotted for the analysis; and

providing a warning signal based on a determination that the first digital device is associated with a malicious attack.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for detecting malicious content are provided. In an exemplary embodiment, a method for detecting malicious content is described that detects when a client device has access to a remote network server of a communication network. The client device includes one or more processors. Thereafter, a controller being a device separate from the client device, activates one or more security programs within the remote network server. The security programs enable the controller to analyze data stored within or transmitted from the remote network server. Lastly, the controller analyzing the data to determine whether the data includes malware.

Citations

20 Claims

1. A method for detecting malicious content within a data storage device, the method comprising:
- quarantining data associated with a first digital device by at least (i) redirecting at least a portion of the data that is transmitted from the first digital device to a controller remotely located from the second digital device for analysis;
  
  receiving, by the controller, the redirected data from the first digital device;
  
  analyzing the redirected data in accordance with a first analysis to determine whether the first digital device is associated with a malicious attack, the first analysis being selected from a plurality of analyses, including the first analysis and a second analysis having a different depth of analysis than the first analysis, based on an estimated amount of time needed for an analysis of the redirected data without exceeding a predetermined time allotted for the analysis; and
  
  providing a warning signal based on a determination that the first digital device is associated with a malicious attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the quarantining the data associated with the first device further comprises intercepting one or more requests from the first digital device.
  - 3. The method of claim 1, wherein prior to quarantining the data associated with the first digital device, the method further comprising:
    - detecting a communicative coupling of the first digital device to the second digital device.
  - 4. The method of claim 1, wherein the first digital device comprises one or more portable storage devices including a Universal Serial Bus (USB) flash drive and the second digital device includes a USB interface.
  - 5. The method of claim 1, wherein in response to determining the first digital device is associated with the malicious attack, providing the warning signal that causes emission of a pattern of audible sound.
  - 6. The method of claim 1, wherein the second digital device comprises a security appliance that is positioned at a selected security screening location.
  - 7. The method of claim 2, wherein the quarantining further comprises preventing processing of the data from the first digital device by the second digital device and at least one of the one or more requests includes a request for an internet protocol (IP) address.
  - 8. The method of claim 1, wherein the first analysis being selected based on the estimated amount of time needed for the analysis of the redirected data where the estimated amount of time is based, at least in part, on a determined latency of a communication network coupling the controller to the first digital device.
  - 9. The method of claim 1, wherein the analyzing of the redirected data comprises:
    - configuring a virtual machine to receive the redirected data, wherein the virtual machine is configured with one of a plurality of different virtual machine configurations to simulate one or more performance characteristics of a destination device intended to receive the redirected data; and
      
      analyzing a response of the virtual machine to the redirected data to identify whether the first digital device is associated with the malicious attack.
  - 10. The method of claim 1, wherein the analyzing of the redirected data comprises:
    - analyzing the redirected data with the first analysis to identify data containing one or more suspicious characteristics, the first analysis being a first heuristic analysis of a plurality of different heuristic analyses;
      
      configuring a virtual machine to receive the data containing one or more suspicious characteristics; and
      
      analyzing a response of the virtual machine to identify the malware within the data containing one or more suspicious characteristics from the first digital device.
  - 11. The method of claim 10, wherein the analyzing of the redirected data further comprisessaving a copy of the redirected data and analyzing the copy of the redirected data in accordance with the first analysis, wherein the analyzing of the response of the virtual machine further comprises selectively identifying the one or more data storage devices as storing the malware.

12. A method for detecting malicious content within a data storage device, the method comprising:
- quarantining data associated with a first digital device by (i) redirecting at least a portion of the data, being transmitted from the first digital device to a second digital device, to a controller remotely located from the second digital device for analysis and (ii) intercepting one or more requests from the first digital device;
  
  receiving, by the controller, the redirected data from the first device;
  
  determining an estimated amount of time needed for an analysis of the redirected data;
  
  selecting a first analysis from a plurality of analysis, including the first analysis and a second analysis being independent of the first analysis, based on the estimated amount of time;
  
  analyzing the redirected data in accordance with the first analysis to determine whether the first digital device is associated with a malicious attack without exceeding a predetermined time allotted for the first analysis; and
  
  providing a warning signal based on a determination that the first digital device is associated with a malicious attack.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The method of claim 12, wherein the first digital device comprises one or more portable storage devices including a Universal Serial Bus (USB) flash drive and the second digital device includes a USB interface.
  - 14. The method of claim 12, wherein in response to determining the first digital device stores malware, providing the warning signal that causes emission of a pattern of audible sound.
  - 15. The method of claim 12, wherein the second digital device comprises a security appliance that is positioned at a selected security screening location.
  - 16. The method of claim 12, wherein the quarantining further comprises preventing processing of the data from the first digital device by the second digital device and at least one of the one or more requests includes a request for an internet protocol (IP) address.
  - 17. The method of claim 12, wherein the first analysis being selected based on the estimated amount of time needed for the analysis of the redirected data where the estimated amount of time is based, at least in part, on a determined latency of a communication network coupling the controller to the first digital device.
  - 18. The method of claim 12, wherein the analyzing of the redirected data comprises:
    - configuring a virtual machine to receive the redirected data, wherein the virtual machine is configured with one of a plurality of different virtual machine configurations to simulate one or more performance characteristics of a destination device intended to receive the redirected data; and
      
      analyzing a response of the virtual machine to the redirected data to identify whether the first digital device is associated with the malware attack.
  - 19. The method of claim 12, wherein the analyzing of the redirected data comprises:
    - analyzing the redirected data with the first analysis to identify data containing one or more suspicious characteristics, the first analysis being a first heuristic analysis of a plurality of different heuristic analyses;
      
      configuring a virtual machine to receive the data containing one or more suspicious characteristics; and
      
      analyzing a response of the virtual machine to identify the malware within the data containing one or more suspicious characteristics from the first digital device.
  - 20. The method of claim 19, wherein the analyzing of the redirected data further comprisessaving a copy of the redirected data and analyzing the copy of the redirected data in accordance with the first analysis, wherein the analyzing of the response of the virtual machine further comprises selectively identifying the one or more data storage devices as storing the malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Aziz, Ashar, Staniford, Stuart, Amin, Muhammad, Uyeno, Henry, Yie, Samuel
Primary Examiner(s)
Poltorak, Piotr

Application Number

US15/376,531
Time in Patent Office

876 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/567 using dedicated hardware

H04L 63/145 the attack involving the pr...

Method for detecting malware within network content

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method for detecting malware within network content

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links