Technique for malware detection capability comparison of network security devices
Abstract
A testing technique tests and compares malware detection capabilities of network security devices, such as those commercially available from a variety of cyber-security vendors. Testing is conducted on test samples in a “blind” fashion, where the security devices do not know beforehand whether the test samples are “live” malware or benign network traffic. The test samples are received from a remote server and potentially represent malicious attacks against a testing network. Notably, for truly blind testing, embodiments of the testing technique employ a mixture of malware and benign test samples, as well as addressing subterfuge, to prevent the security devices from being able to reliably determine maliciousness of the test samples based on a source of any of the samples.
Claims (33 in total; the three independent claims are shown)

1. A method comprising:
generating and sending, by a virtualized endpoint that is operating within a test console being part of a testing network, one or more requests to acquire a plurality of samples from a remote server, each request having a uniform resource locator (URL) indicating a domain;
modifying, at the test console including a hardware processor and a memory, each generated request to re-direct the request to the remote server and obscure address information associated with the request to render ineffective malware detection through address blacklisting by one or more units under test (UUTs) while maintaining the URL of the request as an alias destination domain;
receiving a response to each request by the virtualized endpoint, wherein a copy of the response is redirected to each of the one or more UUTs and the response includes one or more samples, each sample including an object;
processing the object for each of the one or more samples at the virtualized endpoint and at each of the one or more UUTs to detect whether the object is either malicious or benign; and
generating a report to compare and contrast detection efficacy of the UUTs in correctly identifying each of the objects.
Dependent claims: 2-19.

20. A system comprising:
a server storing a plurality of samples including objects identified as benign and objects identified as malicious; and
a test computer coupled to the server via a network, the test computer having a first processor, the test computer configured to:
send one or more requests over the network to acquire the plurality of samples, each request of the one or more requests including a uniform resource locator (URL),
modify each request of the one or more requests to re-direct the request to the server by at least obscuring address information associated with the request to render ineffective malware detection through address blacklisting by one or more security devices,
receive a response to each request from the server with a copy of the response being redirected to the one or more security devices, the response including one or more samples, each sample having an object for processing by the test computer,
process the object to detect whether the object is either malicious or benign, and
generate a report of detection of the object for each of the plurality of samples as either malicious or benign.
Dependent claims: 21-30.

31. A non-transitory computer readable media containing instructions for execution on a processor for a method comprising:
modifying a destination internet protocol (IP) address of each request of one or more requests to re-direct the request to the remote server and obscure address information associated with the request to render ineffective malware detection through address blacklisting by one or more units under test (UUTs), wherein each request of the one or more requests is initiated by a virtualized endpoint to acquire a plurality of samples stored at a remote server, each request having a uniform resource locator (URL); and
receiving a response to each request at the virtualized endpoint, the response including one or more samples, each sample having an object for processing by the virtualized endpoint, the object being either malicious or benign, wherein the object is processed at the virtualized endpoint to detect whether the object is either malicious or benign, wherein a copy of the response is provided to the one or more UUTs, wherein a mixture of objects identified as benign and objects identified as malicious provided as part of the response renders malware detection by address blacklisting ineffective for the one or more UUTs; and
a report of detection of the object for each of the plurality of samples identified as malicious or benign by each UUT is generated.
Dependent claims: 32-33.
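As an added illustration (not the patent's own implementation), the Python simulation below models the claimed flow end to end: the test console rewrites each sample request so the connection goes to the sample server while the URL keeps its alias domain, the fetched object is mirrored to each unit under test, and every verdict is scored against the ground truth the console holds. The sample corpus, both addresses and the two UUT models (one keyed on addresses, one on content) are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class Sample:
    url: str      # URL the virtualized endpoint requests; alias domain is kept
    label: str    # ground truth known only to the test console
    content: str  # stand-in for the fetched object

# Constructed corpus: the blind mixture of malicious and benign samples.
CORPUS: List[Sample] = [
    Sample("http://alias-a.example/x.bin", "malicious", "EICAR-STANDARD-TEST-STRING"),
    Sample("http://alias-b.example/y.bin", "malicious", "EICAR-STANDARD-TEST-STRING"),
    Sample("http://alias-c.example/z.bin", "benign", "plain document text"),
    Sample("http://alias-d.example/w.bin", "benign", "a note that mentions EICAR"),
]
SAMPLE_SERVER_IP = "10.99.0.10"     # constructed: remote sample server
ALIAS_RESOLVED_IP = "203.0.113.77"  # constructed: where the alias domain would resolve

def redirect_request(sample: Sample) -> Dict[str, str]:
    """Console rewrite: keep the alias URL, point the connection at the sample server."""
    return {"url": sample.url, "dst_ip": SAMPLE_SERVER_IP}

# Two constructed UUT models; each sees the rewritten request and the object.
def blacklist_uut(req: Dict[str, str], obj: str) -> str:
    blocked = {ALIAS_RESOLVED_IP}   # constructed address blacklist
    return "malicious" if req["dst_ip"] in blocked else "benign"

def content_uut(req: Dict[str, str], obj: str) -> str:
    return "malicious" if "EICAR" in obj else "benign"   # crude content match

def score(verdicts: List[str], samples: List[Sample]) -> Dict[str, float]:
    """Confusion counts plus detection rate and false-positive rate."""
    pairs = list(zip(verdicts, samples))
    tp = sum(v == "malicious" == s.label for v, s in pairs)
    fn = sum(v == "benign" and s.label == "malicious" for v, s in pairs)
    fp = sum(v == "malicious" and s.label == "benign" for v, s in pairs)
    tn = sum(v == "benign" == s.label for v, s in pairs)
    return {"tp": tp, "fn": fn, "fp": fp, "tn": tn,
            "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
            "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0}

def run_blind_test(samples: List[Sample], uuts: Dict[str, Callable]) -> Dict[str, Dict[str, float]]:
    """Mirror each rewritten fetch to every UUT and build the comparative report."""
    return {name: score([uut(redirect_request(s), s.content) for s in samples], samples)
            for name, uut in uuts.items()}

if __name__ == "__main__":
    for name, row in run_blind_test(CORPUS, {"blacklist": blacklist_uut, "content": content_uut}).items():
        print(f"{name:10s} {row}")
```

Because the rewritten destination never matches the blacklist, the address-based UUT misses every malicious sample, while the content-based UUT catches both but also flags the benign note that merely mentions the marker; the report exposes both failure modes side by side.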
Specification