Multi-tiered sandbox based network threat detection

US 10,534,909 B2
Filed: 03/02/2017
Issued: 01/14/2020
Est. Priority Date: 03/02/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a computer system, a file, wherein the file has been previously tagged, by a network security device, based on one or more of an application to which the file pertains and a threat-level associated with the file as determined by a pre-filtering process performed on the file by the network security device;

causing the file to exhibit a first set of behaviors by processing the file within a virtualization application based environment of the computer system, wherein the virtualization application based environment is created based on the application to which the file pertains;

causing the file to exhibit a second set of behaviors by processing the file within a container of a plurality of containers of a container based environment of the computer system, wherein the plurality of containers share a common kernel of a particular operating system;

determining, by the computer system, differences, if any, between the first set of behaviors and the second set of behaviors; and

classifying, by the computer system, the file as malicious when the differences are greater than a predefined or configurable threshold.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for multi-tiered sandbox based network threat detection are provided. According to one embodiment, a file is received by a computer system. The file is caused to exhibit a first set of behaviors by processing the file within a virtualization application based environment of the computer system. The virtualization application based environment is created based on an application to which the file pertains. The file is further caused to exhibit a second set of behaviors by processing the file within a container based environment of the computer system. Differences, if any, between the first set of behaviors and the second set of behaviors. Finally, the file is classified as malicious when the differences are greater than a predefined or configurable threshold.

8 Citations

View as Search Results

16 Claims

1. A method comprising:
- receiving, by a computer system, a file, wherein the file has been previously tagged, by a network security device, based on one or more of an application to which the file pertains and a threat-level associated with the file as determined by a pre-filtering process performed on the file by the network security device;
  
  causing the file to exhibit a first set of behaviors by processing the file within a virtualization application based environment of the computer system, wherein the virtualization application based environment is created based on the application to which the file pertains;
  
  causing the file to exhibit a second set of behaviors by processing the file within a container of a plurality of containers of a container based environment of the computer system, wherein the plurality of containers share a common kernel of a particular operating system;
  
  determining, by the computer system, differences, if any, between the first set of behaviors and the second set of behaviors; and
  
  classifying, by the computer system, the file as malicious when the differences are greater than a predefined or configurable threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein when the differences are less than or equal to the predefined or configurable threshold, the method further comprisescausing the file to exhibit a third set of behaviors by processing the file within a full hypervisor based environment of the computer system;
    - andclassifying, by the computer system, the file as malicious when an evaluation of differences, if any, between any of the first set of behaviors, the second set of behaviors and the third set of behaviors have been confirmed to be greater than a predefined or configurable threshold.
  - 3. The method of claim 2, wherein said processing the file within a virtualized application based environment and said processing the file within a container based environment are performed in parallel.
  - 4. The method of claim 3, wherein the first set of behaviors and the second set of behaviors are provided as an input to the full hypervisor based environment prior to said processing the file within the full hypervisor based environment.
  - 5. The method of claim 2, wherein the full hypervisor based environment employs a first level of entropy generation for creation of the full hypervisor based environment that is greater than a second level of entropy generation employed in connection with creation of the container based environment, and wherein the second level of entropy generation is greater than a third level of entropy generation employed in connection with creation of the virtualization application based environment.
  - 6. The method of claim 2, wherein the full hypervisor based environment utilizes a first amount of resources of the computer system that is greater than a second amount of the resources utilized by the container based environment, and wherein the second amount of the resources is greater than a third amount of the resources utilized by the virtualization application based environment.
  - 7. The method of claim 1, wherein the network security device comprises a firewall, an intrusion detection system, an intrusion prevention system or a unified threat management (UTM) appliance.
  - 8. The method of claim 1, further comprising queuing the file prior to said processing the file within a virtualized application based environment and prior to said processing the file within a container based environment.
  - 9. The method of claim 8, wherein said queuing enables separation of the file from corresponding network security threat data.
  - 10. The method of claim 1, wherein the virtualization application based environment and the container based environment use a pointer system through a change root environment rather than using a full operating system.

11. A system comprising:
- a non-transitory storage device having embodied therein one or more routines operable to determine if a file is malicious; and
  
  one or more processors coupled to the non-transitory storage device and operable to execute the one or more routines, wherein the one or more routines include;
  
  a file receive module, which when executed by the one or more processors, receives a file, wherein the file has been previously tagged, by a network security device, based on one or more of an application to which the file pertains and a threat-level associated with the file as determined by a pre-filtering process performed on the file by the network security device;
  
  a virtualization application based environment, which when executed by the one or more processors, processes the file to output a first set of behaviors, wherein the virtualization application based environment is created based on the application to which the file pertains;
  
  a container of a plurality of containers of a container based environment, which when executed by the one or more processors, processes the file to output a second set of behaviors, wherein the plurality of containers share a common kernel of a particular operating system;
  
  a delta computation based file classification module, which when executed by the one or more processors, identifies differences, if any, between the first set of behaviors and the second set of behaviors, wherein the file is classified as malicious when the differences are greater than a predefined or configurable threshold.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The system of claim 11, wherein when the differences between the first set of behaviors and the second set of behaviors is not greater than the predefined or configurable threshold, the file is further processed by a full hypervisor based environment of the system to output a third set of behaviors, wherein the file is evaluated to confirm whether the file is malicious and classified as malicious when differences between any of the first set of behaviors, the second set of behaviors, and the third set of behaviors are greater than the predefined or configurable threshold.
  - 13. The system of claim 12, wherein processing of the file performed by the virtualization application based environment and processing of the file performed by the container based environment are performed in parallel and wherein the first set of behaviors and the second set of behaviors are provided as input to the full hypervisor based environment.
  - 14. The system of claim 12, wherein creation of the full hypervisor based environment employs a first level of entropy generation that is greater than a second level of entropy generation employed in connection with creation of the container based environment, and wherein the second level of entropy generation is greater than a third level of entropy generation employed in connection with creation of the virtualization application based environment.
  - 15. The system of claim 12, wherein the full hypervisor based environment utilizes a first amount of computational resources of the system that is greater than a second amount of the computational resources utilized by the container based environment, and wherein the second amount of the computational resources is greater than a third amount of the resources utilized by the virtualization application based environment.
  - 16. The system of claim 11, wherein the network security device comprises a firewall, an intrusion detection system, an intrusion prevention system or a unified threat management (UTM) appliance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Chalmandrier-Perna, Michael F.
Primary Examiner(s)
Patel, Ashokkumar B
Assistant Examiner(s)
Jones, William B

Application Number

US15/448,476
Publication Number

US 20180253551A1
Time in Patent Office

1,048 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 9/45558   Hypervisor-specific managem...

Multi-tiered sandbox based network threat detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

8 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-tiered sandbox based network threat detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links