Multi-tiered sandbox based network threat detection
First Claim
1. A method comprising:
- receiving, by a computer system, a file, wherein the file has been previously tagged, by a network security device, based on one or more of an application to which the file pertains and a threat-level associated with the file as determined by a pre-filtering process performed on the file by the network security device;
- causing the file to exhibit a first set of behaviors by processing the file within a virtualization application based environment of the computer system, wherein the virtualization application based environment is created based on the application to which the file pertains;
- causing the file to exhibit a second set of behaviors by processing the file within a container of a plurality of containers of a container based environment of the computer system, wherein the plurality of containers share a common kernel of a particular operating system;
- determining, by the computer system, differences, if any, between the first set of behaviors and the second set of behaviors; and
- classifying, by the computer system, the file as malicious when the differences are greater than a predefined or configurable threshold.
1 Assignment
0 Petitions
Abstract
Systems and methods for multi-tiered sandbox based network threat detection are provided. According to one embodiment, a file is received by a computer system. The file is caused to exhibit a first set of behaviors by processing the file within a virtualization application based environment of the computer system. The virtualization application based environment is created based on an application to which the file pertains. The file is further caused to exhibit a second set of behaviors by processing the file within a container based environment of the computer system. Differences, if any, between the first set of behaviors and the second set of behaviors are then determined. Finally, the file is classified as malicious when the differences are greater than a predefined or configurable threshold.
8 Citations
16 Claims
1. A method comprising:
- receiving, by a computer system, a file, wherein the file has been previously tagged, by a network security device, based on one or more of an application to which the file pertains and a threat-level associated with the file as determined by a pre-filtering process performed on the file by the network security device;
- causing the file to exhibit a first set of behaviors by processing the file within a virtualization application based environment of the computer system, wherein the virtualization application based environment is created based on the application to which the file pertains;
- causing the file to exhibit a second set of behaviors by processing the file within a container of a plurality of containers of a container based environment of the computer system, wherein the plurality of containers share a common kernel of a particular operating system;
- determining, by the computer system, differences, if any, between the first set of behaviors and the second set of behaviors; and
- classifying, by the computer system, the file as malicious when the differences are greater than a predefined or configurable threshold.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A system comprising:
- a non-transitory storage device having embodied therein one or more routines operable to determine if a file is malicious; and
- one or more processors coupled to the non-transitory storage device and operable to execute the one or more routines, wherein the one or more routines include:
  - a file receive module, which when executed by the one or more processors, receives a file, wherein the file has been previously tagged, by a network security device, based on one or more of an application to which the file pertains and a threat-level associated with the file as determined by a pre-filtering process performed on the file by the network security device;
  - a virtualization application based environment, which when executed by the one or more processors, processes the file to output a first set of behaviors, wherein the virtualization application based environment is created based on the application to which the file pertains;
  - a container of a plurality of containers of a container based environment, which when executed by the one or more processors, processes the file to output a second set of behaviors, wherein the plurality of containers share a common kernel of a particular operating system;
  - a delta computation based file classification module, which when executed by the one or more processors, identifies differences, if any, between the first set of behaviors and the second set of behaviors, wherein the file is classified as malicious when the differences are greater than a predefined or configurable threshold.
Dependent claims: 12, 13, 14, 15, 16.
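The following is an added example, not code from the patent or its assignee, showing one way the delta computation step of claims 1 and 11 can be modelled: each sandbox tier yields a set of normalised behaviour events, the weighted symmetric difference between the two sets is normalised to a score in [0, 1], and the file is flagged when that score exceeds a configurable threshold. The pre-filter tag selects the virtualization image, as the claims require. Event categories, their weights, the image names, and both sample traces are constructed assumptions; the evasive sample illustrates why the delta matters: it stays dormant where it detects a hypervisor and runs its full chain in the container tier, so the two traces diverge sharply.

```python
"""Toy model of the two-tier behaviour-delta classification described in the
claims.  Added example; not code from the patent or its assignee.  Event
categories, weights, sample traces and the VM profile table are constructed."""
from dataclasses import dataclass

# Weight applied to a divergence in each behaviour category (assumption: a
# real deployment would tune these from labelled samples).
CATEGORY_WEIGHTS = {
    "process": 3.0,   # process creation, injection
    "file": 2.0,      # writes outside the application's expected paths
    "registry": 2.0,  # persistence-style registry changes
    "network": 3.0,   # outbound connections, DNS lookups
    "api": 1.0,       # notable API calls such as environment probing
}


@dataclass(frozen=True)
class Event:
    """One normalised behaviour observation from a sandbox tier."""
    category: str
    detail: str


@dataclass(frozen=True)
class TaggedFile:
    """A file as handed over by the pre-filtering network security device."""
    name: str
    application: str   # application the file pertains to, e.g. "pdf-reader"
    threat_level: str  # pre-filter verdict: "low", "medium" or "high"


def vm_profile_for(application: str) -> str:
    """Choose the virtualization-environment image from the application tag
    (the claims require the environment to be created based on the application)."""
    profiles = {  # constructed image names
        "pdf-reader": "win10-acrobat",
        "office": "win10-office",
        "browser": "win10-browser",
    }
    return profiles.get(application, "win10-generic")


def behavior_delta(first: set, second: set) -> float:
    """Weighted size of the symmetric difference between two traces,
    normalised by the weighted size of their union, giving a score in [0, 1].
    Two empty traces (nothing observed in either tier) score 0."""
    union = first | second
    if not union:
        return 0.0

    def weight(events):
        return sum(CATEGORY_WEIGHTS.get(e.category, 1.0) for e in events)

    return weight(first ^ second) / weight(union)


def classify(tagged: TaggedFile, vm_trace: set, container_trace: set,
             threshold: float = 0.5) -> dict:
    """Flag the file as malicious when the behaviour delta is greater than
    the configurable threshold, as in the last element of claim 1."""
    score = behavior_delta(vm_trace, container_trace)
    return {
        "file": tagged.name,
        "vm_profile": vm_profile_for(tagged.application),
        "pre_filter_threat_level": tagged.threat_level,
        "delta": score,
        "malicious": score > threshold,
    }


# --- constructed sample traces -------------------------------------------
# A benign document behaves identically in both tiers.
BENIGN = TaggedFile("quarterly.pdf", "pdf-reader", "low")
BENIGN_VM = {Event("process", "AcroRd32.exe"), Event("file", "%TEMP%\\quarterly.tmp")}
BENIGN_CONTAINER = set(BENIGN_VM)

# An evasive sample probes for a hypervisor, stays dormant in the VM tier,
# but runs its full chain in the container tier where no hypervisor is seen.
EVASIVE = TaggedFile("invoice.pdf", "pdf-reader", "medium")
EVASIVE_VM = {
    Event("api", "cpuid hypervisor-bit check"),
    Event("api", "query HKLM\\...\\VBoxGuest"),
}
EVASIVE_CONTAINER = {
    Event("api", "cpuid hypervisor-bit check"),
    Event("process", "powershell.exe spawned by reader"),
    Event("file", "%APPDATA%\\svc.exe"),
    Event("registry", "HKCU\\...\\Run\\svc"),
    Event("network", "203.0.113.5:443"),
}

if __name__ == "__main__":
    for args in ((BENIGN, BENIGN_VM, BENIGN_CONTAINER),
                 (EVASIVE, EVASIVE_VM, EVASIVE_CONTAINER)):
        print(classify(*args))
```

With the constructed traces the benign document scores 0 and the evasive sample scores 11/12, so the default threshold of 0.5 separates them; the threshold is the tunable that trades false positives (application jitter between tiers) against missed evasive samples, and the pre-filter threat level is carried through so a deployment can pick a stricter threshold for files the network device already rated as suspicious.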
Specification