METHODS AND APPARATUS FOR CONTROL AND DETECTION OF MALICIOUS CONTENT USING A SANDBOX ENVIRONMENT

US 20130145463A1
Filed: 11/30/2012
Published: 06/06/2013
Est. Priority Date: 12/02/2011
Status: Active Grant

First Claim

Patent Images

1. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor to:

receive a set of indications of allowed behavior associated with an application;

initiate an instance of the application within a sandbox environment;

receive, from a monitor module associated with the sandbox environment, a set of indications of actual behavior of the instance of the application in response to initiating the instance of the application within the sandbox environment; and

send an indication associated with an anomalous behavior if at least one indication from the set of indications of actual behavior does not correspond to an indication from the set of indications of allowed behavior.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A non-transitory processor-readable medium storing code representing instructions to cause a processor to perform a process includes code to cause the processor to receive a set of indications of allowed behavior associated with an application. The processor is also caused to initiate an instance of the application within a sandbox environment. The processor is further caused to receive, from a monitor module associated with the sandbox environment, a set of indications of actual behavior of the instance of the application in response to initiating the instance of the application within the sandbox environment. The processor is also caused to send an indication associated with an anomalous behavior if at least one indication from the set of indications of actual behavior does not correspond to an indication from the set of indications of allowed behavior.

143 Citations

22 Claims

1. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor to:
- receive a set of indications of allowed behavior associated with an application;
  
  initiate an instance of the application within a sandbox environment;
  
  receive, from a monitor module associated with the sandbox environment, a set of indications of actual behavior of the instance of the application in response to initiating the instance of the application within the sandbox environment; and
  
  send an indication associated with an anomalous behavior if at least one indication from the set of indications of actual behavior does not correspond to an indication from the set of indications of allowed behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The non-transitory processor-readable medium of claim 1, wherein the code to cause the processor to send includes code to cause the processor to send the indication associated with the anomalous behavior such that the sandbox environment is terminated.
  - 3. The non-transitory processor-readable medium of claim 1, wherein the code to cause the processor to send includes code to cause the processor to send the indication associated with the anomalous behavior to an evaluation module such that the indication associated with the anomalous behavior is stored such that it is associated with the application.
  - 4. The non-transitory processor-readable medium of claim 1, wherein the monitor module is configured to monitor at least one of process events of the instance of the application, file events of the instance of the application, registry events of the instance of the application, network events of the instance of the application or thread injection events of the instance of the application.
  - 5. The non-transitory processor-readable medium of claim 1, further comprising code to cause the processor to:
    - revise the set of indications of allowed behavior associated with the application in response to the anomalous behavior.
  - 6. The non-transitory processor-readable medium of claim 1, wherein the indication associated with the anomalous behavior includes a trace associated with a source of the anomalous behavior.
  - 7. The non-transitory processor-readable medium of claim 1, wherein the set of indications of allowed behavior associated with the application is based at least in part on a trust level associated with the application.
  - 8. The non-transitory processor-readable medium of claim 1, wherein the set of indications of allowed behavior associated with the application includes an identifier of a trusted process associated with the application.
  - 9. The non-transitory processor-readable medium of claim 1, wherein the monitor module is configured to collect at least one of a trace of network activity of the instance of the application or an executable file of the instance of the application.

10. An apparatus, comprising:
- a control module implemented in at least one of a memory or a processing device, the control module configured to initiate an instance of a first application and an instance of a second application within a sandbox environment,the control module configured to receive, from a monitor module associated with the sandbox environment, a set of indications of actual behavior of the instance of the first application and a set of indications of actual behavior of the instance of the second application, an indication of a behavior being within both the set of indications of actual behavior of the instance of the first application and the set of indications of actual behavior of the instance of the second application,the control module configured to classify the behavior as an anomalous behavior for the first application based on a baseline behavior set for the first application, the control module configured to not classify the behavior as an anomalous behavior for the second application based on a baseline behavior set for the second application,the control module configured to send a signal in response to classifying the behavior as an anomalous behavior for the first application.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The apparatus of claim 10, further comprising the sandbox environment.
  - 12. The apparatus of claim 10, wherein the control module is operatively coupled to the sandbox environment via a network.
  - 13. The apparatus of claim 10, wherein the baseline behavior set for the first application is based on a set of allowed behaviors of the first application.
  - 14. The apparatus of claim 10, wherein the control module is configured to send the signal such that the sandbox environment is terminated.
  - 15. The apparatus of claim 10, wherein the set of indications of actual behavior of the instance of the first application includes at least one of a process event identifier of the instance of the first application, a file event identifier of the instance of the first application, a registry event identifier of the instance of the first application or a network event identifier of the instance of the first application.

16. An apparatus, comprising:
- a control module implemented in at least one of a memory or a processing device, the control module configured to receive a set of indications of allowed behavior associated with a first application, the control module configured to initiate an instance of the first application within a sandbox environment such that the instance of the first application initiates an instance of a second application within the sandbox environment,the control module configured to receive, from a monitor module associated with the sandbox environment, a set of indications of actual behavior of the instance of the second application in response to the instance of the first application initiating the instance of the second application,the control module configured to send an indication associated with an anomalous behavior if at least one indication from the set of indications of actual behavior of the instance of the second application does not correspond to an indication from the set of indications of allowed behavior associated with the first application.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The apparatus of claim 16, further comprising the sandbox environment.
  - 18. The apparatus of claim 16, wherein the control module is operatively coupled to the sandbox environment via a network.
  - 19. The apparatus of claim 16, wherein the control module is configured to send the indication associated with the anomalous behavior such that the sandbox environment is terminated.
  - 20. The apparatus of claim 16, wherein the control module is configured to revise the set of indications of allowed behavior associated with the first application in response to the anomalous behavior.
  - 21. The apparatus of claim 16, wherein the second application is a web browser application, the indication associated with the anomalous behavior includes a uniform resource locator (URL) trace associated with the web browser application.
  - 22. The apparatus of claim 16, wherein the set of indications of allowed behavior associated with the first application is based at least in part on a trust level associated with the first application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Invincea, Inc. (Sophos Group Ltd.)
Original Assignee
Invincea, Inc. (Sophos Group Ltd.)
Inventors
Ghosh, Anup, Keister, Alan, Cosby, Scott, Bryant, Benjamin, Taylor, Stephen

Granted Patent

US 9,081,959 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

METHODS AND APPARATUS FOR CONTROL AND DETECTION OF MALICIOUS CONTENT USING A SANDBOX ENVIRONMENT

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

143 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND APPARATUS FOR CONTROL AND DETECTION OF MALICIOUS CONTENT USING A SANDBOX ENVIRONMENT

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

143 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links