Detecting a malicious file infection via sandboxing

US 10,389,740 B2
Filed: 06/12/2017
Issued: 08/20/2019
Est. Priority Date: 03/31/2015
Status: Active Grant

First Claim

Patent Images

1. A device, comprising:

a memory; and

one or more processors to;

receive a malicious file;

provoke, based on receiving the malicious file, a network activity reaction when operating the malicious file in a testing environment;

determine, based on provoking the network activity reaction, a network activity profile associated with the malicious file,the network activity profile including information regarding at least one of;

one or more requested network addresses,quantities of packets sent or received,distributions of packets sent or received,one or more ports that are opened for communication, orone or more ports that are utilized for communication;

determine whether network activity for one or more client devices corresponds to the network activity profile;

determine that the one or more client devices are infected with the malicious file based on the network activity having a threshold similarity to the network activity profile; and

cause, based on determining that the one or more client devices are infected with the malicious file, a remediation action to be performed on the one or more client devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device may receive a trigger to determine whether a malicious file is operating on a client device. The device may determine a network activity profile associated with the malicious file based on receiving the trigger to determine whether the malicious file is operating on the client device. The network activity profile may include information regarding network activity associated with the malicious file when the malicious file is executed in a testing environment. The device may monitor network activity associated with the client device. The device may determine that the network activity associated with the client device matches the network activity profile associated with the malicious file based on monitoring the network activity associated with the client device. The device may provide information indicating that the network activity associated with the client device matches the network activity profile associated with the malicious file.

Citations

20 Claims

1. A device, comprising:
- a memory; and
  
  one or more processors to;
  
  receive a malicious file;
  
  provoke, based on receiving the malicious file, a network activity reaction when operating the malicious file in a testing environment;
  
  determine, based on provoking the network activity reaction, a network activity profile associated with the malicious file,the network activity profile including information regarding at least one of;
  
  one or more requested network addresses,quantities of packets sent or received,distributions of packets sent or received,one or more ports that are opened for communication, orone or more ports that are utilized for communication;
  
  determine whether network activity for one or more client devices corresponds to the network activity profile;
  
  determine that the one or more client devices are infected with the malicious file based on the network activity having a threshold similarity to the network activity profile; and
  
  cause, based on determining that the one or more client devices are infected with the malicious file, a remediation action to be performed on the one or more client devices.
- View Dependent Claims (2, 3, 4, 5, 6, 19)
- - 2. The device of claim 1, where the one or more processors are further to:
    - monitor the network activity; and
      
      receive a trigger to determine whether the malicious file is operating on the one or more client devices based on monitoring the network activity.
  - 3. The device of claim 1, where the one or more processors are further to:
    - monitor the network activity;
      
      determine, based monitoring the network activity, that a file, downloaded by the one or more client devices, is the malicious file; and
      
      receive a trigger to determine whether the malicious file is operating on the one or more client devices based on determining that the file is the malicious file.
  - 4. The device of claim 1, where the one or more client devices are one or more first client devices;
    - where the one or more processors are further to;
      
      determine whether the malicious file is operating on one or more second client devices based on determining that the one or more first client devices are infected with the malicious file.
  - 5. The device of claim 1, where the one or more processors, when receiving the malicious file, are to:
    - obtain the malicious file based on receiving a trigger to determine whether the malicious file is operating on the one or more client devices.
  - 6. The device of claim 1, where the one or more processors are further to:
    - receive a trigger to determine whether the malicious file is operating on the one or more client devices; and
      
      obtain information regarding the malicious file based on receiving the trigger,the information regarding the malicious file including at least one of;
      
      metadata associated with the malicious file, orcontents of the malicious file.
  - 19. The device of claim 1, where the one or more processors, when causing the remediation action to be performed, are to:
    - cause the one or more client devices to be quarantined, orcause a remediation software to be executed on the one or more client devices.

7. A method, comprising:
- receiving, by a device, a malicious file;
  
  provoking, by the device and based on receiving the malicious file, a network activity reaction when operating the malicious file in a testing environment;
  
  determining, by the device and based on provoking the network activity reaction, a network activity profile associated with the malicious file,the network activity profile including information regarding at least one of;
  
  one or more requested network addresses,quantities of packets sent or received,distributions of packets sent or received,one or more ports that are opened for communication, orone or more ports that are utilized for communication;
  
  determining, by the device, whether network activity for one or more client devices corresponds to the network activity profile;
  
  determining, by the device, that the one or more client devices are infected with the malicious file based on the network activity having a threshold similarity to the network activity profile; and
  
  causing, by the device and based on determining that the one or more client devices are infected with the malicious file, a remediation action to be performed on the one or more client devices.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The method of claim 7, where determining the network activity profile comprises:
    - determining the network activity profile based on analyzing the malicious file.
  - 9. The method of claim 7, where the information is first information;
    - andwhere determining the network activity profile comprises;
      
      determining second information associated with the malicious file,the second information including at least one of;
      
      one or more device identifiers, orone or more network addresses.
  - 10. The method of claim 7, further comprising:
    - filtering a set of network resources based on a whitelist.
  - 11. The method of claim 7, where determining the network activity profile comprises:
    - determining the network activity profile based on information associated with other malicious files.
  - 12. The method of claim 7, further comprising:
    - receiving a trigger to determine whether one or more malicious files are operating on the one or more client devices; and
      
      analyzing a set of malicious files similar to the malicious file based on receiving the trigger.
  - 13. The method of claim 7, where determining the network activity profile comprises:
    - determining the network activity profile based on metadata associated with the malicious file.

14. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors, cause the one or more processors to;
  
  receive a malicious file;
  
  provoke, based on receiving the malicious file, a network activity reaction when operating the malicious file in a testing environment;
  
  determine, based on provoking the network activity reaction, a network activity profile associated with the malicious file,the network activity profile including information regarding at least one of;
  
  one or more requested network addresses,quantities of packets sent or received,distributions of packets sent or received,one or more ports that are opened for communication, orone or more ports that are utilized for communication;
  
  determine whether network activity for one or more client devices corresponds to the network activity profile;
  
  determine that the one or more client devices are infected with the malicious file based on the network activity having a threshold similarity to the network activity profile; and
  
  cause, based on determining that that the one or more client devices are infected with the malicious file, a remediation action to be performed on the one or more client devices.
- View Dependent Claims (15, 16, 17, 18, 20)
- - 15. The non-transitory computer-readable medium of claim 14, where the one or more instructions that, when executed by the one or more processors, further cause the one or more processors to:
    - utilize metadata associated with the malicious file to search for information associated with the malicious file.
  - 16. The non-transitory computer-readable medium of claim 14, where the one or more instructions that, when executed by the one or more processors, further cause the one or more processors to:
    - provide access to one or more files or system resources; and
      
      generate the network activity profile based on providing access to the one or more files or the system resources.
  - 17. The non-transitory computer-readable medium of claim 14, where the one or more instructions that, when executed by the one or more processors, further cause the one or more processors to:
    - establish a data structure storing dummy user information; and
      
      determine whether the malicious file exfiltrates the dummy user information to a particular server.
  - 18. The non-transitory computer-readable medium of claim 14, where the one or more instructions that, when executed by the one or more processors, further cause the one or more processors to:
    - cause at least one of;
      
      a network adaptor to be disabled, ora reset of an IP lease; and
      
      determine whether a network activity reaction is provoked based on causing the at least one of;
      
      the network adaptor to be disabled, orthe reset of the IP lease.
  - 20. The non-transitory computer-readable medium of claim 14, where the one or more instructions that, when executed by the one or more processors, further cause the one or more processors to:
    - receive a trigger;
      
      obtain, based on receiving the trigger, location information associated with the malicious file; and
      
      where the one or more instructions, that cause the one or more processors to receive the malicious file, cause the one or more processors to;
      
      receive the malicious file from a location identified by the location information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Langton, Jacob Asher, Quinlan, Daniel J., Adams, Kyle, Conlon, Declan
Primary Examiner(s)
To, Baotran N

Application Number

US15/620,388
Publication Number

US 20170346838A1
Time in Patent Office

799 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

H04L 43/0876   Network utilisation, e.g. v...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 67/303   Terminal profiles

Detecting a malicious file infection via sandboxing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting a malicious file infection via sandboxing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links