Systems and Methods for Detecting Malicious Network Content

US 20100115621A1
Filed: 11/03/2008
Published: 05/06/2010
Est. Priority Date: 11/03/2008
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious network content, comprising:

inspecting one or more packets of network content;

identifying a suspicious characteristic of the network content;

determining a score related to a probability that the network content includes malicious network content based on at least the suspicious characteristic;

identifying the network content as suspicious if the score satisfies a threshold value;

executing a virtual machine to process the suspicious network content; and

analyzing a response of the virtual machine to detect malicious network content.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting malicious network content comprises inspecting one or more packets of network content, identifying a suspicious characteristic of the network content, determining a score related to a probability that the network content includes malicious network content based on at least the suspicious characteristic, identifying the network content as suspicious if the score satisfies a threshold value, executing a virtual machine to process the suspicious network content, and analyzing a response of the virtual machine to detect malicious network content.

Citations

26 Claims

1. A method for detecting malicious network content, comprising:
- inspecting one or more packets of network content;
  
  identifying a suspicious characteristic of the network content;
  
  determining a score related to a probability that the network content includes malicious network content based on at least the suspicious characteristic;
  
  identifying the network content as suspicious if the score satisfies a threshold value;
  
  executing a virtual machine to process the suspicious network content; and
  
  analyzing a response of the virtual machine to detect malicious network content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, further comprising intercepting the one or more packets of network content in transit to an intended destination.
  - 3. The method of claim 1, wherein the score is determined by an approximate Bayesian probability analysis using a corpus of malicious network content and a corpus of non-malicious network content.
  - 4. The method of claim 3, further comprising updating at least one of the corpus of malicious network content and the corpus of non-malicious network content in response to the one or more packets of network content.
  - 5. The method of claim 1, further comprising increasing the priority level or the score if more than one suspicious characteristic has a score that satisfies the threshold value.
  - 6. The method of claim 1, wherein the threshold value is dynamically revised according to a quantity of packets of network content to be inspected.
  - 7. The method of claim 1, wherein the threshold value is dynamically revised according to an availability of one or more virtual machines.
  - 8. The method of claim 1, further comprising determining if the suspicious characteristic has previously been associated with a source domain of the network content by using a catalog of domain profiles including one or more previously associated suspicious characteristics.
  - 9. The method of claim 1, further comprising identifying a JavaScript keyword sequence including an “
    - unescape”
      
      command nested within an “
      
      eval”
      
      command argument.
  - 10. The method of claim 1, further comprising measuring a length of time or number of characters between a start and an end of a JavaScript function call.
  - 11. The method of claim 1, further comprising identifying a string of unusual character transitions within a JavaScript program.
  - 12. The method of claim 1, wherein inspecting one or more packets of network content includes identifying a keyword in the network content.
  - 13. The method of claim 1, further comprising executing a single pass parser to process the one or more data packets.
  - 14. The method of claim 1, further comprising executing an augmented finite state machine to process the one or more data packets.
  - 15. The method of claim 1, wherein the network content includes web content.
  - 16. The method of claim 1, wherein the network content includes email.
  - 17. The method of claim 1, wherein the network content includes data transferred via FTP.
  - 18. The method of claim 1, wherein the network content includes an Instant Message.

19. A system for detecting malicious network content, comprising:
- a computing processor;
  
  a data access component configured to intercept one or more packets of network content from a network; and
  
  logic configured to control the computing processor to perform a method comprisinginspecting the one or more packets of network content,identifying a suspicious characteristic of the network content,determining a score related to a probability that the network content includes malicious network content based on at least the suspicious characteristic,identifying the network content as suspicious if the probability score satisfies a threshold value,executing a virtual machine to process the suspicious network content, andanalyzing a response of the virtual machine to detect malicious network content.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The system of claim 19, wherein the method further comprises intercepting the one or more packets of network content in transit to an intended destination.
  - 21. The system of claim 19, wherein the score is determined by an approximate Bayesian probability analysis using a corpus of malicious network content and a corpus of non-malicious network content.
  - 22. The system of claim 21, further comprising updating at least one of the corpus of malicious network content and the corpus of non-malicious network content in response to the one or more packets of network content.
  - 23. The system of claim 19, wherein the method further comprises increasing the priority level or the score if more than one suspicious characteristic has a score that satisfies the threshold value.
  - 24. The system of claim 19, wherein the threshold value is dynamically revised according to a quantity of packets of network content to be inspected.
  - 25. The system of claim 19, wherein the threshold value is dynamically revised according to an availability of one or more virtual machines.

26. A computer readable storage medium having stored thereon instructions executable by a processor for performing a method, the method comprising:
- inspecting one or more packets of network content;
  
  identifying a suspicious characteristic of the network content;
  
  determining a score related to a probability that the network content includes malicious network content based on at least the suspicious characteristic;
  
  identifying the network content as suspicious if the score satisfies a threshold value;
  
  executing a virtual machine to process the suspicious network content; and
  
  analyzing a response of the virtual machine to detect malicious network content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Staniford, Stuart Gresley, Aziz, Ashar

Granted Patent

US 8,850,571 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/561   Virus type analysis

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 9/45533   Hypervisors; Virtual machin...

H04L 2463/144   Detection or countermeasure...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Systems and Methods for Detecting Malicious Network Content

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and Methods for Detecting Malicious Network Content

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links