Detecting Malicious Network Content Using Virtual Environment Components
First Claim
1. A method for detecting malicious network content by a network content processing system, comprising:
- receiving network content detected to be suspicious;
- configuring a virtual environment component within a virtual environment to mimic a real application configured to process the suspicious network content, the virtual environment configured within the network content processing system;
- processing the suspicious network content using the virtual environment component within the virtual environment; and
- identifying the suspicious network content as malicious network content based on a behavior of the virtual environment component.
Abstract
Malicious network content is identified based on the behavior of one or more virtual environment components which process network content in a virtual environment. Network content can be monitored and analyzed using a set of heuristics. The heuristics identify suspicious network content communicated over a network. The suspicious network content can further be analyzed in a virtual environment that includes one or more virtual environment components. Each virtual environment component is configured to mimic live environment components, for example a browser application component or an operating system component. The suspicious network content is replayed in the virtual environment using one or more of the virtual environment components. The virtual environment component behavior is analyzed in view of an expected behavior to identify malicious network content. The malicious network content is then identified and processed.
30 Claims
1. A method for detecting malicious network content by a network content processing system, comprising:
- receiving network content detected to be suspicious;
- configuring a virtual environment component within a virtual environment to mimic a real application configured to process the suspicious network content, the virtual environment configured within the network content processing system;
- processing the suspicious network content using the virtual environment component within the virtual environment; and
- identifying the suspicious network content as malicious network content based on a behavior of the virtual environment component.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A computer implemented method for processing network content, comprising:
- receiving suspicious network content, the suspicious network content detected within a copy of network content communicated over a network;
- configuring an agent to monitor processing of the suspicious network content within a virtual environment;
- configuring at least one virtual environment component to process the suspicious network content within the virtual environment;
- detecting an anomaly associated with the virtual environment component using the agent; and
- generating a signature from the suspicious network content to apply to subsequent network content.
Dependent claims: 13, 14, 15, 16, 17, 18
19. A computer readable storage medium having stored thereon instructions executable by a processor for performing a method for detecting malicious network content, the method comprising:
- receiving suspicious network content;
- configuring a virtual environment component within a virtual environment to mimic a real application configured to process the suspicious network content, the virtual environment configured within the network content processing system;
- processing the suspicious network content by the virtual environment component within a virtual environment; and
- identifying the suspicious network content as malicious network content based on a behavior for the virtual environment component.
Dependent claims: 20, 21, 22, 23, 24
25. A system for detecting malicious network content comprising:
- a first module that accesses suspicious network content;
- a pool of virtual environment components;
- a scheduler that retrieves a virtual environment component from the virtual environment pool, the virtual environment component configured to mimic a real application;
- a replayer that processes the suspicious network content using the retrieved virtual environment component within a virtual environment.
Dependent claims: 26, 27, 28, 29, 30
Specification