Method and system for isolating suspicious email

US 20050273856A1
Filed: 05/17/2005
Published: 12/08/2005
Est. Priority Date: 05/19/2004
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious programs, the method comprising:

determining whether an object is suspicious;

opening the suspicious object in a disposable, secure, single purpose VM (virtual machine) session; and

detecting indications of malicious behavior when the suspicious object is opened within the VM session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting malicious programs, the method includes determining whether an object is suspicious, opening the suspicious object in a disposable, secure, single purpose VM (virtual machine) session and detecting indications of malicious behavior when the suspicious object is opened within the VM session.

85 Citations

View as Search Results

84 Claims

1. A method for detecting malicious programs, the method comprising:
- determining whether an object is suspicious;
  
  opening the suspicious object in a disposable, secure, single purpose VM (virtual machine) session; and
  
  detecting indications of malicious behavior when the suspicious object is opened within the VM session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. The method of claim 1, wherein said object comprises an email.
  - 3. The method of claim 1, wherein said object comprises a web page.
  - 4. The method of claim 2, wherein said email comprises an HTML tag within the email.
  - 5. The method of claim 1, wherein said object comprises a file.
  - 6. The method of claim 5, wherein said file comprises an email attachment.
  - 7. The method of claim 1, wherein the object comprises an Instant Messaging communication.
  - 8. The method of claim 2, wherein determining whether the object is suspicious is based on a subject line of the email.
  - 9. The method of claim 1, wherein determining whether the object is suspicious is based on an originator of the object.
  - 10. The method of claim 1, wherein determining whether the object is suspicious comprises making an automatic determination.
  - 11. The method of claim 1, wherein determining whether the object is suspicious comprises having a user who has received the object make the determination.
  - 12. The method of claim 1, wherein the VM session is opened on a computer running a virtual machine monitor.
  - 13. The method of claim 1, wherein the opening the object in the VM session comprises:
    - opening a VM session;
      
      running an operating system within the VM session;
      
      running one or more applications useful for opening the object; and
      
      opening the object using the operating system and the one or more applications useful for opening the object.
  - 14. The method of claim 1, wherein the VM session is opened on a dedicated server.
  - 15. The method of claim 14, wherein the dedicated server comprises an isolation unit.
  - 16. The method of claim 14, wherein the dedicated server is connected to a computer network.
  - 17. The method of claim 16, wherein one or more objects are sent to the dedicated server from one or more workstations connected to the computer network.
  - 18. The method of claim 16, wherein the dedicated server is connected to the computer network via a 2-way firewall.
  - 19. The method of claim 14, wherein the dedicated server is optimized for detecting indications of malicious programs.
  - 20. The method of claim 14, wherein the dedicated server is optimized for containment of malicious programs.
  - 21. The method of claim 1, wherein the VM session is opened on a workstation of a user who has received the object.
  - 22. The method of claim 1, wherein the detecting of indications of the malicious behavior comprises:
    - taking a first snapshot of one or more system features of the VM session prior to opening the object in the VM session;
      
      taking a second snapshot of the one or more system features of the VM session after the opening of the object in the VM session; and
      
      comparing the first snapshot with the second snapshot to detect indications of the malicious programs within the VM session.
  - 23. The method of claim 1, wherein the detecting of indications of the malicious behavior comprises monitoring system activity of the VM session after opening the object.
  - 24. The method of claim 1, wherein the detecting of indications of the malicious behavior comprises:
    - observing at least one effect of opening the object;
      
      comparing the at least one observed effect against a security policy; and
      
      detecting that malicious behavior is present when at least one of the effects of opening the object violates the security policy.
  - 25. The method of claim 1, further comprising sending a report to a user when indications of the malicious behavior have been detected.
  - 26. The method of claim 1, wherein at least a portion of the suspicious object is encoded into a format that can be saved without fear of further infection.
  - 27. The method of claim 26, wherein the format comprises a binary file format.
  - 28. The method of claim 27, further comprising sending a report to a user including the binary file.

29. A system for detecting malicious programs comprising:
- a determining system for determining whether an object is suspicious;
  
  an opening system for opening the suspicious object in a disposable, secure, single purpose VM (virtual machine) session; and
  
  a detecting system for detecting indications of malicious behavior when the suspicious object is opened within the VM session.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56)
- - 30. The system of claim 29, wherein said object comprises an email.
  - 31. The system of claim 29, wherein said object comprises a web page.
  - 32. The system of claim 30, wherein said email comprises an HTML tag within an email.
  - 33. The system of claim 29, wherein said object comprises a file.
  - 34. The system of claim 33, wherein said file comprises an email attachment.
  - 35. The system of claim 29, wherein said object comprises an Instant Messaging communication.
  - 36. The system of claim 30, wherein the determination that the object is suspicious is based on a subject line of the email.
  - 37. The system of claim 29, wherein the determination that the object is suspicious is based on an originator of the object.
  - 38. The system of claim 29, wherein determining whether the object is suspicious comprises making an automatic determination.
  - 39. The system of claim 29, wherein determining whether the object is suspicious comprises having a user who has received the object make the determination.
  - 40. The system of claim 29, wherein the VM session is opened on a computer running a virtual machine monitor.
  - 41. The system of claim 29, wherein the opening system comprises:
    - a session-opening system for opening a VM session;
      
      an operating system-running system for running an operating system within the VM session;
      
      an application-running system for running one or more applications useful for opening the object; and
      
      an object-opening system for opening the object using the operating system and the one or more applications useful for opening the object.
  - 42. The system of claim 29, wherein the VM session is opened on a dedicated server.
  - 43. The system of claim 42, wherein the dedicated server comprises an isolation unit.
  - 44. The system of claim 42, wherein the dedicated server is connected to a computer network.
  - 45. The system of claim 44, wherein one or more objects are sent to the dedicated server from one or more workstations connected to the computer network.
  - 46. The system of claim 44, wherein the dedicated server is connected to the computer network via a 2-way firewall.
  - 47. The system of claim 42, wherein the dedicated server is optimized for detecting indications of malicious programs.
  - 48. The system of claim 42, wherein the dedicated server is optimized for containment of malicious programs.
  - 49. The system of claim 29, wherein the VM session is opened on a workstation of a user who has received the object.
  - 50. The system of claim 29, wherein the detecting system comprises:
    - a first-taking system for taking a first snapshot of one or more system features of the VM session prior to opening the object in the VM session;
      
      a second-taking system for taking a second snapshot of the one or more system features of the VM session after the opening of the object in the VM session; and
      
      a comparing system for comparing the first snapshot with the second snapshot to detect indications of the malicious programs within the VM session.
  - 51. The system of claim 29, wherein the detecting means comprises a monitoring means for monitoring system activity of the VM session after opening the object.
  - 52. The system of claim 29, wherein the detecting system comprises:
    - an observing system for observing one or more effects of opening the object;
      
      a comparing system for comparing the observed effects against a security policy; and
      
      a malicious program-detecting system for detecting that the malicious program is present when one or more of the one or more effects of opening the object violates the security policy.
  - 53. The system of claim 29, further comprising a sending system for sending a report to a user when indications of the malicious program have been detected.
  - 54. The system of claim 29, wherein at least a portion of the suspicious object is encoded into a format that can be saved without fear of further infection.
  - 55. The system of claim 54, wherein the format comprises a binary file format.
  - 56. The system of claim 55, further comprising a sending system for sending a report to a user including the binary file.

57. A computer storage medium including computer executable code for detecting malicious programs, comprising:
- code for determining whether an object is suspicious;
  
  code for opening the suspicious object in a disposable, secure, single purpose VM (virtual machine) session; and
  
  code for detecting indications of malicious behavior when the suspicious object is opened within the VM session.
- View Dependent Claims (58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84)
- - 58. The computer storage medium of claim 57, wherein said object comprises an email.
  - 59. The computer storage medium of claim 57, wherein said object comprises a web page.
  - 60. The computer storage medium of claim 58, wherein email comprises an HTML tag within an email.
  - 61. The computer storage medium of claim 57, wherein said object comprises a file.
  - 62. The computer storage medium of claim 61, wherein said file comprises an email attachment.
  - 63. The computer storage medium of claim 57, wherein said object comprises an Instant Messaging communication.
  - 64. The computer storage medium of claim 57, wherein the determination whether the object is suspicious is based on a subject line of the email.
  - 65. The computer storage medium of claim 57, wherein the determination whether the object is suspicious is based on an originator of the object.
  - 66. The computer storage medium of claim 57, wherein determining whether the object is suspicious comprises making an automatic determination.
  - 67. The computer storage medium of claim 57, wherein determining that the object is suspicious comprises having a user who has received the object make the determination.
  - 68. The computer storage medium of claim 57, wherein the VM session is opened on a computer running a virtual machine monitor.
  - 69. The computer storage medium of claim 57, wherein the code for opening the suspicious object in the VM session comprises:
    - code for opening a VM session;
      
      code for running an operating system within the VM session;
      
      code for running one or more applications useful for opening the object; and
      
      code for opening the object using the operating system and the one or more applications useful for opening the object.
  - 70. The computer storage medium of claim 57, wherein the VM session is opened on a dedicated server.
  - 71. The computer storage medium of claim 70, wherein the dedicated server comprises an isolation unit.
  - 72. The computer storage medium of claim 70, wherein the dedicated server is connected to a computer network.
  - 73. The computer storage medium of claim 70, wherein one or more objects are sent to the dedicated server from one or more workstations connected to the computer network.
  - 74. The computer storage medium of claim 70, wherein the dedicated server is connected to the computer network via a 2-way firewall.
  - 75. The computer storage medium of claim 70, wherein the dedicated server is optimized for detecting indications of malicious programs.
  - 76. The computer storage medium of claim 70, wherein the dedicated server is optimized for containment of malicious programs.
  - 77. The computer storage medium of claim 57, wherein the VM session is opened on a workstation of a user who has received the object.
  - 78. The computer storage medium of claim 57, wherein the code for detecting for the malicious behavior within the VM session comprises:
    - code for taking a first snapshot of one or more system features of the VM session prior to opening the object in the VM session;
      
      code for taking a second snapshot of the one or more system features of the VM session after the opening of the object in the VM session; and
      
      code for comparing the first snapshot with the second snapshot to detect indications of the malicious programs within the VM session.
  - 79. The computer storage medium of claim 57, wherein the detecting of indications of the malicious program within the VM session comprises monitoring system activity of the VM session after opening the object.
  - 80. The computer storage medium of claim 57, wherein the code for detecting indications of the malicious behavior within the VM session comprises:
    - code for observing one or more effects of opening the object;
      
      code for comparing the observed effects against a security policy; and
      
      code for detecting that the malicious program is present when one or more of the one or more effects of opening the object violates the security policy.
  - 81. The computer storage medium of claim 57, further comprising code for sending a report to a user when indications of the malicious program have been detected.
  - 82. The computer storage medium of claim 57, wherein at least a portion of the suspicious object is encoded into a format that can be saved without fear of further infection.
  - 83. The computer storage medium of claim 82, wherein the format comprises a binary file format.
  - 84. The computer storage medium of claim 83, further comprising code for sending a report to a user including the binary file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Original Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Inventors
Huddleston, David E.

Granted Patent

US 7,832,012 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 51/212   using filtering or selectiv...

H04L 63/145   the attack involving the pr...

Method and system for isolating suspicious email

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

85 Citations

84 Claims

Specification

Use Cases

Quick Links

Others

Method and system for isolating suspicious email

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

85 Citations

84 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others