Detecting a malicious file infection via sandboxing
First Claim
1. A device, comprising:
a memory; and
one or more processors to:
receive a malicious file;
provoke, based on receiving the malicious file, a network activity reaction when operating the malicious file in a testing environment;
determine, based on provoking the network activity reaction, a network activity profile associated with the malicious file, the network activity profile including information regarding at least one of:
one or more requested network addresses, quantities of packets sent or received, distributions of packets sent or received, one or more ports that are opened for communication, or one or more ports that are utilized for communication;
determine whether network activity for one or more client devices corresponds to the network activity profile;
determine that the one or more client devices are infected with the malicious file based on the network activity having a threshold similarity to the network activity profile; and
cause, based on determining that the one or more client devices are infected with the malicious file, a remediation action to be performed on the one or more client devices.
Abstract
A device may receive a trigger to determine whether a malicious file is operating on a client device. The device may determine a network activity profile associated with the malicious file based on receiving the trigger to determine whether the malicious file is operating on the client device. The network activity profile may include information regarding network activity associated with the malicious file when the malicious file is executed in a testing environment. The device may monitor network activity associated with the client device. The device may determine that the network activity associated with the client device matches the network activity profile associated with the malicious file based on monitoring the network activity associated with the client device. The device may provide information indicating that the network activity associated with the client device matches the network activity profile associated with the malicious file.
20 Claims
1. A device, comprising:
a memory; and one or more processors to: receive a malicious file; provoke, based on receiving the malicious file, a network activity reaction when operating the malicious file in a testing environment; determine, based on provoking the network activity reaction, a network activity profile associated with the malicious file, the network activity profile including information regarding at least one of: one or more requested network addresses, quantities of packets sent or received, distributions of packets sent or received, one or more ports that are opened for communication, or one or more ports that are utilized for communication; determine whether network activity for one or more client devices corresponds to the network activity profile; determine that the one or more client devices are infected with the malicious file based on the network activity having a threshold similarity to the network activity profile; and cause, based on determining that the one or more client devices are infected with the malicious file, a remediation action to be performed on the one or more client devices.
Dependent claims: 2, 3, 4, 5, 6, 19.
7. A method, comprising:
receiving, by a device, a malicious file; provoking, by the device and based on receiving the malicious file, a network activity reaction when operating the malicious file in a testing environment; determining, by the device and based on provoking the network activity reaction, a network activity profile associated with the malicious file, the network activity profile including information regarding at least one of: one or more requested network addresses, quantities of packets sent or received, distributions of packets sent or received, one or more ports that are opened for communication, or one or more ports that are utilized for communication; determining, by the device, whether network activity for one or more client devices corresponds to the network activity profile; determining, by the device, that the one or more client devices are infected with the malicious file based on the network activity having a threshold similarity to the network activity profile; and causing, by the device and based on determining that the one or more client devices are infected with the malicious file, a remediation action to be performed on the one or more client devices.
Dependent claims: 8, 9, 10, 11, 12, 13.
14. A non-transitory computer-readable medium storing instructions, the instructions comprising:
one or more instructions that, when executed by one or more processors, cause the one or more processors to: receive a malicious file; provoke, based on receiving the malicious file, a network activity reaction when operating the malicious file in a testing environment; determine, based on provoking the network activity reaction, a network activity profile associated with the malicious file, the network activity profile including information regarding at least one of: one or more requested network addresses, quantities of packets sent or received, distributions of packets sent or received, one or more ports that are opened for communication, or one or more ports that are utilized for communication; determine whether network activity for one or more client devices corresponds to the network activity profile; determine that the one or more client devices are infected with the malicious file based on the network activity having a threshold similarity to the network activity profile; and cause, based on determining that the one or more client devices are infected with the malicious file, a remediation action to be performed on the one or more client devices.
Dependent claims: 15, 16, 17, 18, 20.
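The abstract and claims 1, 7 and 14 all describe the same workflow: detonate the file in a sandbox, summarize its network behaviour into a profile (requested addresses, packet counts, packet distribution, ports), then score each client's observed traffic against that profile and remediate above a similarity threshold. The following is an added example written for this page, not code from the patent or its assignee; it assumes flow records are already aggregated per (source, destination, port), uses an illustrative weighted similarity (Jaccard on address and port sets, a volume ratio, and a histogram intersection on the per-destination packet distribution), and all addresses and packet counts are constructed from the documentation ranges.

```python
from collections import Counter
from dataclasses import dataclass


# Constructed flow summary: one record per (source, destination, port), the kind of
# aggregate a NetFlow/IPFIX collector or a sandbox pcap summary produces.
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    pkts_sent: int
    pkts_received: int


# The claim's "network activity profile": addresses, ports, packet quantities and
# a distribution of packets sent across (destination, port) pairs.
@dataclass
class NetworkActivityProfile:
    addresses: frozenset
    ports: frozenset
    pkts_sent: int
    pkts_received: int
    distribution: dict  # (dst, dport) -> share of all packets sent


def build_profile(flows):
    """Summarize a set of flows (sandbox or client) into a profile."""
    per_dest = Counter()
    for f in flows:
        per_dest[(f.dst, f.dport)] += f.pkts_sent
    total = sum(per_dest.values()) or 1
    return NetworkActivityProfile(
        addresses=frozenset(f.dst for f in flows),
        ports=frozenset(f.dport for f in flows),
        pkts_sent=sum(f.pkts_sent for f in flows),
        pkts_received=sum(f.pkts_received for f in flows),
        distribution={k: v / total for k, v in per_dest.items()},
    )


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets are treated as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def ratio_similarity(x, y):
    """1.0 when the two counts match, falling towards 0 as they diverge."""
    if x == y:
        return 1.0
    return min(x, y) / max(x, y)


def histogram_intersection(p, q):
    """Overlap of two probability distributions over the same keys, in [0, 1]."""
    return sum(min(p.get(k, 0.0), q.get(k, 0.0)) for k in set(p) | set(q))


# Illustrative weights (assumption): destinations carry the most signal, ports the least.
WEIGHTS = {"addresses": 0.4, "ports": 0.2, "volume": 0.15, "distribution": 0.25}


def similarity(profile, observed):
    """Weighted similarity in [0, 1] plus the per-feature components for triage."""
    components = {
        "addresses": jaccard(profile.addresses, observed.addresses),
        "ports": jaccard(profile.ports, observed.ports),
        "volume": 0.5 * (ratio_similarity(profile.pkts_sent, observed.pkts_sent)
                         + ratio_similarity(profile.pkts_received, observed.pkts_received)),
        "distribution": histogram_intersection(profile.distribution, observed.distribution),
    }
    return sum(WEIGHTS[k] * v for k, v in components.items()), components


def detect_infected(profile, client_flows, threshold=0.7):
    """Return {client: score} for every client whose traffic meets the threshold."""
    by_client = {}
    for f in client_flows:
        by_client.setdefault(f.src, []).append(f)
    infected = {}
    for client, flows in by_client.items():
        score, _ = similarity(profile, build_profile(flows))
        if score >= threshold:
            infected[client] = round(score, 3)
    return infected


def remediate(client):
    """Stand-in for the claimed remediation action (quarantine, block, alert)."""
    return f"quarantine {client}"


# Constructed sandbox observation of the sample (TEST-NET documentation addresses).
SANDBOX_FLOWS = [
    Flow("sandbox", "203.0.113.7", 443, 120, 80),
    Flow("sandbox", "198.51.100.22", 8080, 30, 10),
    Flow("sandbox", "192.0.2.53", 53, 6, 6),
]

# Constructed client telemetry: host-a mirrors the sandbox behaviour, host-b is benign
# but shares the resolver, which is why a single matching destination must not suffice.
CLIENT_FLOWS = [
    Flow("host-a", "203.0.113.7", 443, 110, 70),
    Flow("host-a", "198.51.100.22", 8080, 25, 8),
    Flow("host-a", "192.0.2.53", 53, 8, 8),
    Flow("host-b", "192.0.2.10", 443, 500, 900),
    Flow("host-b", "192.0.2.53", 53, 20, 20),
]

if __name__ == "__main__":
    profile = build_profile(SANDBOX_FLOWS)
    for client, score in detect_infected(profile, CLIENT_FLOWS).items():
        print(client, score, remediate(client))
```

Two practitioner caveats the claims do not spell out: a profile built from literal addresses and ports is brittle once the operator rotates infrastructure or the sample uses domain generation, so the address feature should be refreshed from repeated detonations; and shared destinations such as DNS resolvers or CDNs appear in benign traffic too, which is why the threshold is applied to the combined score rather than to any one feature.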
Specification