Network-Based Binary File Extraction and Analysis for Malware Detection

US 20120117652A1
Filed: 01/13/2012
Published: 05/10/2012
Est. Priority Date: 09/30/2009
Status: Active Grant

First Claim

Patent Images

1. A method for network-based file analysis for malware detection by a system, the method comprising:

receiving network content from a network tap;

identifying a binary packet in the network content;

extracting a binary file including the binary packet from the network content;

determining whether the extracted binary file is suspicious network content, wherein the suspicious network content potentially includes malicious network content;

processing the suspicious network content using a virtual environment component configured within a virtual environment to mimic a real application configured to process the suspicious network content; and

identifying the suspicious network content as malicious network content based on a behavior of the virtual environment component, wherein the malicious network content is harmful to a computer device.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are disclosed for network-based file analysis for malware detection. Network content is received from a network tap. A binary packet is identified in the network content. A binary file, including the binary packet, is extracted from the network content. It is determined whether the extracted binary file is detected to be malware.

Citations

22 Claims

1. A method for network-based file analysis for malware detection by a system, the method comprising:
- receiving network content from a network tap;
  
  identifying a binary packet in the network content;
  
  extracting a binary file including the binary packet from the network content;
  
  determining whether the extracted binary file is suspicious network content, wherein the suspicious network content potentially includes malicious network content;
  
  processing the suspicious network content using a virtual environment component configured within a virtual environment to mimic a real application configured to process the suspicious network content; and
  
  identifying the suspicious network content as malicious network content based on a behavior of the virtual environment component, wherein the malicious network content is harmful to a computer device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein identifying the binary packet includes a binary identification module identifying the packet in one of multiple protocols, the binary identification module configured to recognize each of the multiple protocols.
  - 3. The method of claim 1, wherein identifying the binary packet includes a binary identification module identifying the packet in one of multiple formats, the binary identification module configured to recognize each of the multiple formats.
  - 4. The method of claim 1, wherein extracting the binary file includes utilizing TCP sequence numbers in order to put binary packets in a correct order.
  - 5. The method of claim 1, wherein determining whether the extracted binary file is suspicious network content comprises performing static analysis based on heuristics on the extracted binary file to determine if the extracted binary file is suspicious or not.
  - 6. The method of claim 5, wherein performing static analysis includes determining if obfuscation is present.
  - 7. The method of claim 5, wherein performing static analysis includes examining a size of the extracted binary file.
  - 8. The method of claim 1, further comprising performing pre-verification on the extracted binary file if the extracted binary file is suspicious, to determine if the extracted binary file matches known malware.
  - 9. The method of claim 5, further comprising performing further processing on the extracted binary file using the virtual environment component if the extracted binary file does not match known malware.
  - 10. The method of claim 1, wherein identifying the suspicious network content as malicious network content based on a behavior of the virtual environment component comprises examining the behavior of the virtual environment component against an expected behavior.
  - 11. The method of claim 1, further comprising retrieving the virtual environment component from a virtual environment component pool.
  - 12. The method of claim 11, wherein the virtual environment component pool is located within the system.

13. A system for network-based file analysis for malware detection, the system comprising:
- a binary identification module configured to receive and identify a binary packet in network content;
  
  a binary extraction module communicatively coupled with the binary identification module and configured to extract a binary file including the identified binary packet from the network content;
  
  a static analysis module configured to determine whether the extracted binary file is suspicious network content, wherein the suspicious network content potentially includes malicious network content; and
  
  a virtual machine analysis module configured to process the suspicious network content using a virtual environment component configured within a virtual environment to mimic a real application configured to process the suspicious network content, the virtual machine analysis module being further configured to identify the suspicious network content as malicious network content based on a behavior of the virtual environment component, wherein the malicious network content is harmful to a computer device.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The system of claim 13, wherein the binary extraction module extracts a binary file utilizing TCP sequence numbers in order to put the binary packets in a correct order.
  - 15. The system of claim 13, wherein the static analysis module is communicatively coupled with the binary extraction module.
  - 16. The system of claim 15, wherein the static analysis module is configured to determine based on heuristics if an extracted binary file is suspicious or not.
  - 17. The system of claim 13, wherein the static analysis module is further configured to determine if obfuscation is present.
  - 18. The system of claim 13, further comprising a pre-verification module.
  - 19. The system of claim 18, wherein the pre-verification module is configured to perform pre-verification on the extracted binary file if the extracted binary file is suspicious, in order to determine if the extracted binary file matches known malware.
  - 20. The system of claim 13, wherein the virtual environment component is retrieved from a virtual environment component pool.
  - 21. The system of claim 20, wherein the virtual environment component pool is located within the system.

22. A non-transitory computer-readable storage medium having stored thereon instructions executable by a processor to perform a method for network-based file analysis for malware detection, the method comprising:
- receiving network content from a network tap;
  
  identifying a binary packet in the network content;
  
  extracting a binary file including the binary packet from the network content;
  
  determining whether the extracted binary file is suspicious network content;
  
  wherein the suspicious network content potentially includes malicious network content;
  
  processing the suspicious network content using a virtual environment component configured within a virtual environment to mimic a real application configured to process the suspicious network content; and
  
  identifying the suspicious network content as malicious network content based on a behavior of the virtual environment component;
  
  wherein the malicious network content is harmful to a computer device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Manni, Jayaraman, Aziz, Ashar, Gong, Fengmin, Loganathan, Upendran, Sukhera, Amin

Granted Patent

US 8,935,779 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

Network-Based Binary File Extraction and Analysis for Malware Detection

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Network-Based Binary File Extraction and Analysis for Malware Detection

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links