Determining the maliciousness of executable files using a remote sandbox environment
First Claim
1. A method comprising:
- receiving, at a behavior analysis engine, an executable file from a network traffic hub in a local network as the executable file is being downloaded by a networked device in the local network;
executing the executable file in a sandbox environment operated by the behavior analysis engine and configured to replicate an operating system running by the networked device that is downloading the executable file and to execute the executable file as the networked device would execute the executable file;
extracting execution features from the execution of the executable file, the execution features corresponding to characteristics of the execution of the executable file;
applying an execution model to the extracted execution features, the execution model to determine whether an executable file is malicious based on execution features of the executable file; and
transmitting processing instructions to the network traffic hub based on the determination of whether the execution file is malicious.
2 Assignments
0 Petitions
Accused Products
Abstract
The behavior analysis engine detects malicious executable files that are being downloaded by networked devices in the local network by executing the executable files in a sandboxing environment operating on the behavior analysis engine. The network traffic hub identifies network communications that are transmitted through the local network that contain executable files. The network traffic hub sends the executable file to the behavior analysis engine and the behavior analysis engine executes the executable file in a sandboxing environment that replicates the networked device that was downloading the executable. The behavior analysis engine extracts execution features from the execution of the executable file and applies an execution model to the execution features to determine a confidence score for the executable file. The behavior analysis engine uses the confidence score to provide instructions to the network traffic hub as to whether to allow the networked device to download the executable.
25 Citations
18 Claims
-
1. A method comprising:
-
receiving, at a behavior analysis engine, an executable file from a network traffic hub in a local network as the executable file is being downloaded by a networked device in the local network; executing the executable file in a sandbox environment operated by the behavior analysis engine and configured to replicate an operating system running by the networked device that is downloading the executable file and to execute the executable file as the networked device would execute the executable file; extracting execution features from the execution of the executable file, the execution features corresponding to characteristics of the execution of the executable file; applying an execution model to the extracted execution features, the execution model to determine whether an executable file is malicious based on execution features of the executable file; and transmitting processing instructions to the network traffic hub based on the determination of whether the execution file is malicious. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A non-transitory computer-readable medium comprising instructions that, when executed by a processor, cause the processor to:
-
receive, at a behavior analysis engine, an executable file from a network traffic hub in a local network as the executable file is being downloaded by a networked device in the local network; execute the executable file in a sandbox environment operated by the behavior analysis engine and configured to replicate an operating system running by the networked device that is downloading the executable file and to execute the executable file as the networked device would execute the executable file; extract execution features from the execution of the executable file, the execution features corresponding to characteristics of the execution of the executable file; apply an execution model to the extracted execution features, the execution model to determine whether an executable file is malicious based on execution features of the executable file and transmit processing instructions to the network traffic hub based on the determination of whether the execution file is malicious. - View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
-
Specification