Network-Based Binary File Extraction and Analysis for Malware Detection
Abstract
A system and method are disclosed for network-based file analysis for malware detection. Network content is received from a network tap. A binary packet is identified in the network content. A binary file, including the binary packet, is extracted from the network content. It is determined whether the extracted binary file is detected to be malware.
22 Claims
1. A method for network-based file analysis for malware detection by a system, the method comprising:
- receiving network content from a network tap;
- identifying a binary packet in the network content;
- extracting a binary file including the binary packet from the network content;
- determining whether the extracted binary file is suspicious network content, wherein the suspicious network content potentially includes malicious network content;
- processing the suspicious network content using a virtual environment component configured within a virtual environment to mimic a real application configured to process the suspicious network content; and
- identifying the suspicious network content as malicious network content based on a behavior of the virtual environment component, wherein the malicious network content is harmful to a computer device.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. A system for network-based file analysis for malware detection, the system comprising:
- a binary identification module configured to receive and identify a binary packet in network content;
- a binary extraction module communicatively coupled with the binary identification module and configured to extract a binary file including the identified binary packet from the network content;
- a static analysis module configured to determine whether the extracted binary file is suspicious network content, wherein the suspicious network content potentially includes malicious network content; and
- a virtual machine analysis module configured to process the suspicious network content using a virtual environment component configured within a virtual environment to mimic a real application configured to process the suspicious network content, the virtual machine analysis module being further configured to identify the suspicious network content as malicious network content based on a behavior of the virtual environment component, wherein the malicious network content is harmful to a computer device.

Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21
22. A non-transitory computer-readable storage medium having stored thereon instructions executable by a processor to perform a method for network-based file analysis for malware detection, the method comprising:
- receiving network content from a network tap;
- identifying a binary packet in the network content;
- extracting a binary file including the binary packet from the network content;
- determining whether the extracted binary file is suspicious network content; wherein the suspicious network content potentially includes malicious network content;
- processing the suspicious network content using a virtual environment component configured within a virtual environment to mimic a real application configured to process the suspicious network content; and
- identifying the suspicious network content as malicious network content based on a behavior of the virtual environment component; wherein the malicious network content is harmful to a computer device.