Malware detection using internal and/or external malware detection operations

US 10,382,479 B2
Filed: 09/18/2017
Issued: 08/13/2019
Est. Priority Date: 03/31/2014
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a memory and;

one or more processors to;

perform an external malware detection operation that detects malware executing on a client device,the external malware detection operation including a communication with another device and a service validation operation to test a feature of a protocol associated with a connection attempt with the other device by exchanging messages with the other device;

monitor a result of performing the communication with the other device for a behavior indicative of the malware executing on the client device;

detect that the behavior has occurred based on monitoring the result,the behavior being detected based on detecting the other device failing the service validation operation that tests the feature of the protocol,the other device failing the service validation operation based on the other device not supporting the protocol;

determine that the client device is infected with malware based on detecting the other device failing the service validation operation that tests the feature of the protocol; and

provide a notification that the client device is infected with the malware based on determining that the client device is infected with malware.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system may determine to perform an internal and an external malware detection operation to detect a malware infection associated with a client device. The system may perform the internal operation by modifying an environment, executing on a particular device, to form a modified environment. The system may perform the external operation by performing a communication from the particular device. The system may monitor the modified environment for a first behavior indicative of the malware infection, and may monitor a result of performing the communication for a second behavior indicative of the malware infection. The system may detect that the first or second behavior has occurred. The system may provide a notification that the client device is infected with malware based on detecting that the first or second behavior has occurred. The notification may cause one or more network devices to block network traffic to or from the client device.

Citations

20 Claims

1. A system, comprising:
- a memory and;
  
  one or more processors to;
  
  perform an external malware detection operation that detects malware executing on a client device,the external malware detection operation including a communication with another device and a service validation operation to test a feature of a protocol associated with a connection attempt with the other device by exchanging messages with the other device;
  
  monitor a result of performing the communication with the other device for a behavior indicative of the malware executing on the client device;
  
  detect that the behavior has occurred based on monitoring the result,the behavior being detected based on detecting the other device failing the service validation operation that tests the feature of the protocol,the other device failing the service validation operation based on the other device not supporting the protocol;
  
  determine that the client device is infected with malware based on detecting the other device failing the service validation operation that tests the feature of the protocol; and
  
  provide a notification that the client device is infected with the malware based on determining that the client device is infected with malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, where the external malware detection operation further includes a behavior invocation operation that attempts to invoke a particular behavior from an artifact on the client device, andwhere the behavior is further detected based on the particular behavior not being invoked by the client device.
  - 3. The system of claim 2, where the particular behavior is establishing a session with a server via a handshake.
  - 4. The system of claim 2, where the particular behavior is establishing a connection with a server based on detecting an outbound connection with the server via a particular port.
  - 5. The system of claim 1, where the one or more processors are further to:
    - infer the protocol from a port via which a connection with the other device is established.
  - 6. The system of claim 1, where the one or more processors are further to:
    - identify the protocol based on processing messages against a list of protocol signatures.
  - 7. The system of claim 1, where the one or more processors are further to:
    - calculate a malware detection score associated with the client device,the malware detection score being based on detecting the other device failing the service validation operation that tests the feature of the protocol; and
      
      where the one or more processors, when determining that the client device is infected with malware, are further to;
      
      determine that the client device is infected with malware based on the malware detection score associated with the client device.

8. A method, comprising:
- performing, by a device, an external malware detection operation that detects malware executing on a client device,the external malware detection operation including a communication with another device and a service validation operation to test a feature of a protocol associated with a connection attempt with the other device by exchanging messages with the other device;
  
  monitoring, by the device, a result of performing the communication with the other device for a behavior indicative of the malware executing on the client device;
  
  detecting, by the device, that the behavior has occurred based on monitoring the result,the behavior being detected based on detecting the other device failing the service validation operation that tests the feature of the protocol,the other device failing the service validation operation based on the other device not supporting the protocol;
  
  determining, by the device, that the client device is infected with malware based on detecting the other device failing the service validation operation that tests the feature of the protocol; and
  
  providing, by the device, a notification that the client device is infected with the malware based on determining that the client device is infected with malware.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, where the external malware detection operation further includes a behavior invocation operation that attempts to invoke a particular behavior from an artifact on the client device, andwhere the behavior is further detected based on the particular behavior not being invoked by the client device.
  - 10. The method of claim 9, where the particular behavior is establishing a session with a server via a handshake.
  - 11. The method of claim 9, where the particular behavior is establishing a connection with server based on detecting an outbound connection with the server via a particular port.
  - 12. The method of claim 8, further comprising:
    - inferring the protocol from a port via which a connection with the other device is established.
  - 13. The method of claim 8, further comprising:
    - identifying the protocol based on processing messages against a list of protocol signatures.
  - 14. The method of claim 8, further comprising:
    - calculating a malware detection score associated with the client device,the malware detection score being based on detecting the other device failing the service validation operation that tests the feature of the protocol; and
      
      where determining that the client device is infected with malware further comprises;
      
      determining that the client device is infected with malware based on the malware detection score associated with the client device.

15. A computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors, cause the one or more processors to;
  
  perform an external malware detection operation that detects malware executing on a client device,the external malware detection operation including a communication with another device and a service validation operation to test a feature of a protocol associated with a connection attempt with the other device by exchanging messages with the other device;
  
  monitor a result of performing the communication with the other device for a behavior indicative of the malware executing on the client device;
  
  detect that the behavior has occurred based on monitoring the result,the behavior being detected based on detecting the other device failing the service validation operation that tests the feature of the protocol,the other device failing the service validation operation based on the other device not supporting the protocol;
  
  determine that the client device is infected with malware based on detecting the other device failing the service validation operation that tests the feature of the protocol; and
  
  provide a notification that the client device is infected with the malware based on determining that the client device is infected with malware.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable medium of claim 15, where the external malware detection operation further includes a behavior invocation operation that attempts to invoke a particular behavior from an artifact on the client device, andwhere the behavior is further detected based on the particular behavior not being invoked by the client device.
  - 17. The computer-readable medium of claim 16, where the particular behavior is establishing a session with a server via a handshake.
  - 18. The computer-readable medium of claim 16, where the particular behavior is establishing a connection with server based on detecting an outbound connection with the server via a particular port.
  - 19. The computer-readable medium of claim 15, where the one or more instructions, when executed by the one or more processors further cause the one or more processors to:
    - infer the protocol from a port via which a connection with the other device is established.
  - 20. The computer-readable medium of claim 15, where the one or more instructions, when executed by the one or more processors further cause the one or more processors to:
    - calculate a malware detection score associated with the client device,the malware detection score being based on detecting the other device failing the service validation operation that tests the feature of the protocol; and
      
      where the one or more instructions, that cause the one or more processors to determine that the client device is infected with malware, further cause the one or more processors to;
      
      determine that the client device is infected with malware based on the malware detection score associated with the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Adams, Kyle, Quinlan, Daniel J.
Primary Examiner(s)
Shaw, Peter C

Application Number

US15/707,325
Publication Number

US 20180007064A1
Time in Patent Office

694 Days
Field of Search

726 23
US Class Current
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/145 the attack involving the pr...

Malware detection using internal and/or external malware detection operations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Malware detection using internal and/or external malware detection operations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links