Methods and apparatus for control and detection of malicious content using a sandbox environment
Abstract
A non-transitory processor-readable medium storing code representing instructions to cause a processor to perform a process includes code to cause the processor to receive a set of indications of allowed behavior associated with an application. The processor is also caused to initiate an instance of the application within a sandbox environment. The processor is further caused to receive, from a monitor module associated with the sandbox environment, a set of indications of actual behavior of the instance of the application in response to initiating the instance of the application within the sandbox environment. The processor is also caused to send an indication associated with an anomalous behavior if at least one indication from the set of indications of actual behavior does not correspond to an indication from the set of indications of allowed behavior.
20 Claims
1. An apparatus, comprising: a memory; and a processor operatively coupled to the memory, the processor configured to receive a set of indications of allowed behavior specific to an application, the processor configured to initiate an instance of the application within a sandbox environment, the processor configured to receive, from a monitor associated with the sandbox environment, an indication that the instance of the application is attempting to initiate a Transmission Control Protocol (TCP) connection, the processor configured to classify the attempting to initiate the TCP connection as an anomalous behavior for the application based on an indication of initiating the TCP connection not being in the set of indications of allowed behavior specific to the application, the processor configured to define and store a signature for the application using a cryptographic hash value of a file associated with the application in response to classifying the attempting to initiate the TCP connection as an anomalous behavior for the application.
Dependent claims: 2, 3, 4, 5, 6, 7, 8 (not listed here).

9. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the instructions comprising code to cause the processor to: receive a set of indications of allowed behavior specific to an application; initiate an instance of the application within a sandbox environment; receive, from a monitor associated with the sandbox environment, an indication that the instance of the application is attempting to initiate a network connection; and terminate the instance of the application based on an indication of initiating the network connection not being within the set of indications of allowed behavior specific to the application.
Dependent claims: 10, 11, 12, 13, 14, 15 (not listed here).

16. A method, comprising: receiving, at a processor, a set of indications of allowed behavior specific to a first application; receiving, at the processor, a set of indications of allowed behavior specific to a second application different from the first application; initiating, using the processor, an instance of the first application and an instance of the second application within a sandbox environment; receiving, from a monitor associated with the sandbox environment, an indication that the instance of the first application is attempting to initiate a network connection; terminating, using the processor, the instance of the first application based on an indication of initiating the network connection not being within the set of indications of allowed behavior specific to the first application; receiving, from the monitor associated with the sandbox environment, an indication that the instance of the second application is attempting to initiate the network connection; and allowing the instance of the second application to initiate the network connection based on an indication of initiating the network connection being within the set of indications of allowed behavior specific to the second application.
Dependent claims: 17, 18, 19, 20 (not listed here).
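As an added illustration, not code from the patent, the following Python model shows the per-application allow-list logic of claims 1, 9 and 16 in one place: a monitor reports a behavior indication, the classifier checks it against the set registered for that application, an anomalous instance is terminated and a signature is stored as the cryptographic hash of its associated file. The application names, behavior strings and file contents are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class SandboxInstance:
    """A running application instance inside the (simulated) sandbox."""
    app: str
    file_bytes: bytes  # contents of the file associated with the application (constructed)
    running: bool = True
    anomalies: list = field(default_factory=list)  # indications reported as anomalous

class BehaviorMonitor:
    """Holds per-application sets of allowed behavior and classifies reported events."""
    def __init__(self) -> None:
        self.allowed: dict[str, frozenset[str]] = {}
        self.signatures: dict[str, str] = {}

    def register(self, app: str, allowed_behaviors) -> None:
        """Store the set of indications of allowed behavior specific to one application."""
        self.allowed[app] = frozenset(allowed_behaviors)

    def classify(self, inst: SandboxInstance, behavior: str) -> str:
        """One indication of actual behavior is allowed only if it is in the app's set."""
        allowed = self.allowed.get(inst.app, frozenset())  # unknown app: nothing allowed
        return "allowed" if behavior in allowed else "anomalous"

    def handle(self, inst: SandboxInstance, behavior: str) -> str:
        """Apply the claimed response: allow, or terminate and define a signature."""
        verdict = self.classify(inst, behavior)
        if verdict == "anomalous":
            inst.anomalies.append(behavior)
            inst.running = False  # claim 9: terminate the instance
            # claim 1: signature = cryptographic hash of the file associated with the app
            self.signatures[inst.app] = hashlib.sha256(inst.file_bytes).hexdigest()
        return verdict

def demo() -> dict:
    """Claim 16 scenario: two applications, same TCP event, different allow-lists."""
    mon = BehaviorMonitor()
    mon.register("pdf-viewer", {"read:file", "write:file"})        # no network behavior allowed
    mon.register("mail-client", {"read:file", "net:tcp-connect"})  # TCP connections allowed
    pdf = SandboxInstance("pdf-viewer", b"constructed pdf-viewer binary")
    mail = SandboxInstance("mail-client", b"constructed mail-client binary")
    return {  # constructed monitor events: both instances attempt a TCP connection
        "pdf": mon.handle(pdf, "net:tcp-connect"), "pdf_running": pdf.running,
        "mail": mon.handle(mail, "net:tcp-connect"), "mail_running": mail.running,
        "pdf_signature": mon.signatures.get("pdf-viewer"),
        "mail_signature": mon.signatures.get("mail-client"),
    }
```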
Specification