Determining the maliciousness of executable files using a remote sandbox environment

US 10,567,410 B2
Filed: 03/01/2018
Issued: 02/18/2020
Est. Priority Date: 03/01/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a behavior analysis engine, an executable file from a network traffic hub in a local network as the executable file is being downloaded by a networked device in the local network;

executing the executable file in a sandbox environment operated by the behavior analysis engine and configured to replicate an operating system running by the networked device that is downloading the executable file and to execute the executable file as the networked device would execute the executable file;

extracting execution features from the execution of the executable file, the execution features corresponding to characteristics of the execution of the executable file;

applying an execution model to the extracted execution features, the execution model to determine whether an executable file is malicious based on execution features of the executable file; and

transmitting processing instructions to the network traffic hub based on the determination of whether the execution file is malicious.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The behavior analysis engine detects malicious executable files that are being downloaded by networked devices in the local network by executing the executable files in a sandboxing environment operating on the behavior analysis engine. The network traffic hub identifies network communications that are transmitted through the local network that contain executable files. The network traffic hub sends the executable file to the behavior analysis engine and the behavior analysis engine executes the executable file in a sandboxing environment that replicates the networked device that was downloading the executable. The behavior analysis engine extracts execution features from the execution of the executable file and applies an execution model to the execution features to determine a confidence score for the executable file. The behavior analysis engine uses the confidence score to provide instructions to the network traffic hub as to whether to allow the networked device to download the executable.

25 Citations

View as Search Results

18 Claims

1. A method comprising:
- receiving, at a behavior analysis engine, an executable file from a network traffic hub in a local network as the executable file is being downloaded by a networked device in the local network;
  
  executing the executable file in a sandbox environment operated by the behavior analysis engine and configured to replicate an operating system running by the networked device that is downloading the executable file and to execute the executable file as the networked device would execute the executable file;
  
  extracting execution features from the execution of the executable file, the execution features corresponding to characteristics of the execution of the executable file;
  
  applying an execution model to the extracted execution features, the execution model to determine whether an executable file is malicious based on execution features of the executable file; and
  
  transmitting processing instructions to the network traffic hub based on the determination of whether the execution file is malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - receiving a network communication associated with the executable file; and
      
      extracting the executable file from the network communication.
  - 3. The method of claim 1, wherein the sandbox environment is configured based on device identification data received from the network traffic hub.
  - 4. The method of claim 1, wherein the execution model comprises a machine-learned model.
  - 5. The method of claim 4, wherein the execution model is trained based on execution features of a set of known-malicious executable files.
  - 6. The method of claim 4, wherein the execution model is trained based on execution features of a set of known-non-malicious executable files.
  - 7. The method of claim 1, wherein applying the execution model to the execution features comprises generating a confidence score based on the execution features, the confidence score representing a confidence of the execution model that the executable file is malicious.
  - 8. The method of claim 7, wherein further comprising comparing the confidence score to a threshold confidence score.
  - 9. The method of claim 1, further comprising, responsive to determining that the executable file is malicious, transmitting processing instructions to the network traffic hub to block the executable file from being downloaded by the networked device.
  - 10. The method of claim 1, further comprising, responsive to determining that the executable file is not malicious, transmitting processing instructions to the network traffic hub to allow the executable file to be downloaded by the networked device.

11. A non-transitory computer-readable medium comprising instructions that, when executed by a processor, cause the processor to:
- receive, at a behavior analysis engine, an executable file from a network traffic hub in a local network as the executable file is being downloaded by a networked device in the local network;
  
  execute the executable file in a sandbox environment operated by the behavior analysis engine and configured to replicate an operating system running by the networked device that is downloading the executable file and to execute the executable file as the networked device would execute the executable file;
  
  extract execution features from the execution of the executable file, the execution features corresponding to characteristics of the execution of the executable file;
  
  apply an execution model to the extracted execution features, the execution model to determine whether an executable file is malicious based on execution features of the executable file andtransmit processing instructions to the network traffic hub based on the determination of whether the execution file is malicious.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The non-transitory computer-readable medium of claim 11, further comprising instructions that cause the processor to:
    - receive a network communication associated with the executable file; and
      
      extract the executable file from the network communication.
  - 13. The non-transitory computer-readable medium of claim 11, wherein the execution model comprises a machine-learned model.
  - 14. The non-transitory computer-readable medium of claim 13, wherein the execution model is trained based on execution features of a set of known-non-malicious executable files.
  - 15. The non-transitory computer-readable medium of claim 11, wherein the instructions for applying the execution model to the execution features further cause the processor to generate a confidence score based on the execution features, the confidence score representing a confidence of the execution model that the executable file is malicious.
  - 16. The non-transitory computer-readable medium of claim 15, wherein the instructions further cause the processor to compare the confidence score to a threshold confidence score.
  - 17. The non-transitory computer-readable medium of claim 11, further comprising instructions that cause the processor to, responsive to determining that the executable file is malicious, transmit processing instructions to the network traffic hub to block the executable file from being downloaded by the networked device.
  - 18. The non-transitory computer-readable medium of claim 11, further comprising instructions that cause the processor to, responsive to determining that the executable file is not malicious, transmit processing instructions to the network traffic hub to allow the executable file to be downloaded by the networked device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cujo LLC
Original Assignee
Cujo LLC
Inventors
Kuperman, Leonid, Frayman, Yuri, von Gravrock, Einaras, Takacs, Gabor
Primary Examiner(s)
Jamshidi, Ghodrat

Application Number

US15/909,958
Publication Number

US 20180253550A1
Time in Patent Office

719 Days
Field of Search
US Class Current
CPC Class Codes

G06F 15/76   Architectures of general pu...

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06N 20/00   Machine learning

H04L 41/145   involving simulating, desig...

H04L 41/16   using machine learning or a...

H04L 43/026   using flow identification

H04L 43/062   related to network traffic

H04L 63/0236   Filtering by address, proto...

H04L 63/102   Entity profiles

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1466   Active attacks involving in...

Determining the maliciousness of executable files using a remote sandbox environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Determining the maliciousness of executable files using a remote sandbox environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links