Methods and apparatus for control and detection of malicious content using a sandbox environment

US 10,467,406 B2
Filed: 06/26/2018
Issued: 11/05/2019
Est. Priority Date: 12/02/2011
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a memory; and

a processor operatively coupled to the memory, the processor configured to receive a set of indications of allowed behavior specific to an application, the processor configured to initiate an instance of the application within a sandbox environment,the processor configured to receive, from a monitor associated with the sandbox environment, an indication that the instance of the application is attempting to initiate a Transmission Control Protocol (TCP) connection, the processor configured to classify the attempting to initiate the TCP connection as an anomalous behavior for the application based on an indication of initiating the TCP connection not being in the set of indications of allowed behavior specific to the application,the processor configured to define and store a signature for the application using a cryptographic hash value of a file associated with the application in response to classifying the attempting to initiate the TCP connection as an anomalous behavior for the application.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A non-transitory processor-readable medium storing code representing instructions to cause a processor to perform a process includes code to cause the processor to receive a set of indications of allowed behavior associated with an application. The processor is also caused to initiate an instance of the application within a sandbox environment. The processor is further caused to receive, from a monitor module associated with the sandbox environment, a set of indications of actual behavior of the instance of the application in response to initiating the instance of the application within the sandbox environment. The processor is also caused to send an indication associated with an anomalous behavior if at least one indication from the set of indications of actual behavior does not correspond to an indication from the set of indications of allowed behavior.

173 Citations

20 Claims

1. An apparatus, comprising:
- a memory; and
  
  a processor operatively coupled to the memory, the processor configured to receive a set of indications of allowed behavior specific to an application, the processor configured to initiate an instance of the application within a sandbox environment,the processor configured to receive, from a monitor associated with the sandbox environment, an indication that the instance of the application is attempting to initiate a Transmission Control Protocol (TCP) connection, the processor configured to classify the attempting to initiate the TCP connection as an anomalous behavior for the application based on an indication of initiating the TCP connection not being in the set of indications of allowed behavior specific to the application,the processor configured to define and store a signature for the application using a cryptographic hash value of a file associated with the application in response to classifying the attempting to initiate the TCP connection as an anomalous behavior for the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The apparatus of claim 1, wherein the processor is configured to terminate the application in response to classifying the attempting to initiate the TCP connection as an anomalous behavior for the application.
  - 3. The apparatus of claim 1, wherein the application is a first application, the processor is configured to initiate the instance of the first application within the sandbox environment based on an instruction from an instance of a second application to initiate the instance of the first application, the set of indications of allowed behavior specific to the first application being based on a set of indications of allowed behavior specific to the second application.
  - 4. The apparatus of claim 1, wherein the application is a first application, the processor configured to initiate an instance of a second application within the sandbox environment, the processor configured to receive, from the monitor associated with the sandbox environment, an indication that the instance of the second application is attempting to initiate the TCP connection, the processor configured to allow the instance of the second application to initiate the TCP connection based on an indication of initiating the TCP connection being within a set of indications of allowed behavior specific to the second application.
  - 5. The apparatus of claim 1, wherein the indication that the instance of the application is attempting to initiate the TCP connection includes a trace associated with a source of an instruction causing the instance of the application to attempt to initiate the TCP connection.
  - 6. The apparatus of claim 1, wherein the application is a first application, the processor is configured to initiate the instance of the first application within the sandbox environment based on the sandbox environment recognizing the first application,the processor is configured to exclude an instance of a second application from executing with the sandbox environment based on the sandbox environment not recognizing the second application.
  - 7. The apparatus of claim 1, wherein the set of indications of allowed behavior specific to the application is defined and associated with the application prior to initiating the instance of the application within the sandbox environment.
  - 8. The apparatus of claim 1, wherein the TCP connection is a first TCP connection, the processor configured to receive, from the monitor associated with the sandbox environment, an indication that the instance of the application is attempting to initiate a second TCP connection different from the first TCP connection, the processor configured to allow the instance of the application to initiate the second TCP connection based on an indication of initiating the second TCP connection being within the set of indications of allowed behavior specific to the application.

9. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the instructions comprising code to cause the processor to:
- receive a set of indications of allowed behavior specific to an application;
  
  initiate an instance of the application within a sandbox environment;
  
  receive, from a monitor associated with the sandbox environment, an indication that the instance of the application is attempting to initiate a network connection; and
  
  terminate the instance of the application based on an indication of initiating the network connection not being within the set of indications of allowed behavior specific to the application.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The non-transitory processor-readable medium of claim 9, wherein the network connection is a first network connection, the code further comprising code to cause the processor to:
    - receive, from the monitor associated with the sandbox environment, an indication that the instance of the application is attempting to initiate a second network connection different from the first network connection; and
      
      allow the instance of the application to initiate the second network connection based on an indication of initiating the second network connection being within the set of indications of allowed behavior specific to the application.
  - 11. The non-transitory processor-readable medium of claim 9, wherein the application is a first application, the code to cause the processor to initiate includes code to cause the processor to initiate the instance of the first application within the sandbox environment based on an instruction from an instance of a second application to initiate the instance of the first application, the set of indications of allowed behavior specific to the first application being based on a set of indications of allowed behavior specific to the second application.
  - 12. The non-transitory processor-readable medium of claim 9, wherein the network connection is a Transmission Control Protocol (TCP) connection.
  - 13. The non-transitory processor-readable medium of claim 9, further comprising code to cause the processor to:
    - define and store a signature for the application using a cryptographic hash value of a file associated with the application in response to classifying the attempting to initiate the network connection as an anomalous behavior for the application.
  - 14. The non-transitory processor-readable medium of claim 9, wherein the application is a first application, the code to cause the processor to initiate includes code to cause the processor to initiate the instance of the first application within the sandbox environment based on the sandbox environment recognizing the first application,the code further comprising code to cause the processor to exclude an instance of a second application from executing within the sandbox environment based on the sandbox environment not recognizing the second application.
  - 15. The non-transitory processor-readable medium of claim 9, wherein the indication that the instance of the application is attempting to initiate the network connection includes a trace associated with a source of an instruction causing the instance of the application to attempt to initiate the network connection.

16. A method, comprising:
- receiving, at a processor, a set of indications of allowed behavior specific to a first application;
  
  receiving, at the processor a set of indications of allowed behavior specific to a second application different from the first application;
  
  initiating, using the processor, an instance of the first application and an instance of the second application within a sandbox environment;
  
  receiving, from a monitor associated with the sandbox environment, an indication that the instance of the first application is attempting to initiate a network connection;
  
  terminating, using the processor, the instance of the first application based on an indication of initiating the network connection not being within the set of indications of allowed behavior specific to the first application;
  
  receiving, from the monitor associated with the sandbox environment, an indication that the instance of the second application is attempting to initiate the network connection; and
  
  allowing the instance of the second application to initiate the network connection based on an indication of initiating the network connection being within the set of indications of allowed behavior specific to the second application.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, wherein the network connection is a Transmission Control Protocol (TCP) connection.
  - 18. The method of claim 16, further comprising:
    - defining and storing a signature for the first application using a cryptographic hash value of a file associated with the first application in response to classifying the first application attempting to initiate the network connection as an anomalous behavior for the first application.
  - 19. The method of claim 16, wherein the network connection is a first network connection, the method further comprising:
    - receiving, from the monitor associated with the sandbox environment, an indication that the instance of the first application is attempting to initiate a second network connection different from the first network connection; and
      
      allowing the instance of the first application to initiate the second network connection based on an indication of initiating the second network connection being within the set of indications of allowed behavior specific to the first application.
  - 20. The method of claim 16, wherein the indication that the instance of the first application is attempting to initiate the network connection includes a trace associated with a source of an instruction causing the instance of the first application to attempt to initiate the network connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Invincea, Inc. (Sophos Group Ltd.)
Original Assignee
Invincea, Inc. (Sophos Group Ltd.)
Inventors
Ghosh, Anup, Cosby, Scott, Keister, Alan, Bryant, Benjamin, Taylor, Stephen
Primary Examiner(s)
Song, Hee K

Application Number

US16/018,720
Publication Number

US 20180314823A1
Time in Patent Office

497 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

Methods and apparatus for control and detection of malicious content using a sandbox environment

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

173 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for control and detection of malicious content using a sandbox environment

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

173 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links