Network-Based Binary File Extraction and Analysis for Malware Detection

US 20110078794A1
Filed: 09/30/2009
Published: 03/31/2011
Est. Priority Date: 09/30/2009
Status: Active Grant

First Claim

Patent Images

1. A method for network-based file analysis for malware detection, the method comprising:

receiving network content from a network tap;

identifying a binary packet in the network content;

extracting a binary file including the binary packet from the network content; and

determining whether the extracted binary file is detected to be malware.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are disclosed for network-based file analysis for malware detection. Network content is received from a network tap. A binary packet is identified in the network content. A binary file, including the binary packet, is extracted from the network content. It is determined whether the extracted binary file is detected to be malware.

458 Citations

20 Claims

1. A method for network-based file analysis for malware detection, the method comprising:
- receiving network content from a network tap;
  
  identifying a binary packet in the network content;
  
  extracting a binary file including the binary packet from the network content; and
  
  determining whether the extracted binary file is detected to be malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein identifying the binary packet includes a binary identification module identifying the packet in one of multiple protocols, the binary identification module configured to recognize each of the multiple protocols.
  - 3. The method of claim 1, wherein identifying the binary packet includes a binary identification module identifying the packet in one of multiple formats, the binary identification module configured to recognize each of the multiple formats.
  - 4. The method of claim 1, wherein extracting the binary file includes utilizing TCP sequence numbers in order to put binary packets in a correct order.
  - 5. The method of claim 1, further comprising performing static analysis on the extracted binary file to determine if the extracted binary file is suspicious or not.
  - 6. The method of claim 5, wherein performing static analysis includes determining if obfuscation is present.
  - 7. The method of claim 5, wherein performing static analysis includes examining a size of the extracted binary file.
  - 8. The method of claim 5, further comprising performing pre-verification on the extracted binary file if the extracted binary file is suspicious, to determine if the extracted binary file matches known malware.
  - 9. The method of claim 5, further comprising performing virtual machine analysis on the extracted binary file if the extracted binary file does not match known malware.
  - 10. The method of claim 5, wherein performing virtual machine analysis further comprises examining behavior of a virtual environment component against an expected behavior.

11. A system for network-based file analysis for malware detection, the system comprising:
- a binary identification module configured to receive and identify a binary packet in network content;
  
  a binary extraction module communicatively coupled with the binary identification module and configured to extract a binary file including the identified binary packet from the network content; and
  
  a malware determination module configured to determine whether an extracted binary file is detected to be malware.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11, wherein the binary extraction module extracts a binary file utilizing TCP sequence numbers in order to put the binary packets in a correct order.
  - 13. The system of claim 11, further comprising a static analysis module communicatively coupled with the binary extraction module.
  - 14. The system of claim 13, wherein the static analysis module is configured to determine if an extracted binary file is suspicious or not.
  - 15. The system of claim 14, wherein the static analysis module is further configured to determine if obfuscation is present.
  - 16. The system of claim 11, further comprising a pre-verification module.
  - 17. The system of claim 16, wherein the pre-verification module is configured to perform pre-verification on the extracted binary file if the extracted binary file is suspicious, in order to determine if the extracted binary file matches known malware.
  - 18. The system of claim 11, further comprising a virtual machine analysis module.
  - 19. The system of claim 18, wherein the virtual machine analysis module is configured to process suspicious network content using a virtual environment component within a virtual environment.

20. A computer-readable storage medium having stored thereon instructions executable by a processor to perform a method for network-based file analysis for malware detection, the method comprising:
- receiving network content from a network tap;
  
  identifying a binary packet in the network content;
  
  extracting a binary file including the binary packet from the network content; and
  
  determining whether the extracted binary file is detected to be malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Sukhera, Amin, Aziz, Ashar, Loganathan, Upendran, Manni, Jayaraman, Gong, Fengmin

Granted Patent

US 8,832,829 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

Network-Based Binary File Extraction and Analysis for Malware Detection

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

458 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Network-Based Binary File Extraction and Analysis for Malware Detection

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

458 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others