Detecting Malicious Network Content

US 20130227691A1
Filed: 02/24/2012
Published: 08/29/2013
Est. Priority Date: 02/24/2012
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious content within portable data storage devices, the method comprising:

detecting insertion of one or more portable data storage devices into a security appliance, the security appliance being configured to receive the one or more portable data storage devices;

receiving from the security appliance, via a communication network, data associated with the one or more portable data storage devices;

analyzing the data to determine whether the one or more portable data storage devices store malware; and

based on the determination, selectively identifying the one or more portable data storage devices storing the malware.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for detecting malicious content on portable data storage devices or remote network servers are provided. In an exemplary embodiment, a system comprises a quarantine module configured to detect one or more portable data storage devices upon insertion of the devices into a security appliance, wherein the security appliance is configured to receive the portable data storage devices, a controller configured to receive from the security appliance, via a communication network, data associated with the portable data storage devices, an analysis module configured to analyze the data to determine whether the data includes malware, and a security module to selectively identify, based on the determination, the one or more portable data storage devices storing the malware.

342 Citations

20 Claims

1. A method for detecting malicious content within portable data storage devices, the method comprising:
- detecting insertion of one or more portable data storage devices into a security appliance, the security appliance being configured to receive the one or more portable data storage devices;
  
  receiving from the security appliance, via a communication network, data associated with the one or more portable data storage devices;
  
  analyzing the data to determine whether the one or more portable data storage devices store malware; and
  
  based on the determination, selectively identifying the one or more portable data storage devices storing the malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein at least one of the one or more portable storage devices is a Universal Serial Bus (USB) flash drive.
  - 3. The method of claim 1, wherein the security appliance is configured to receive the one or more portable storage devices simultaneously.
  - 4. The method of claim 1, wherein in response to the selectively identifying of the one or more portable data storage devices as storing the malware, the security appliance provides a warning signal.
  - 5. The method of claim 1, wherein the security appliance provides an estimated time to complete the analyzing of the data.
  - 6. The method of claim 1, further comprising transmitting a command to the security appliance to configure security settings associated with the one or more portable data storage devices.
  - 7. The method of claim 1, wherein analyzing the data comprises:
    - configuring a virtual machine to receive the data; and
      
      analyzing a response of the virtual machine to the data to identify a malware attack.
  - 8. The method of claim 1, wherein analyzing the data comprises:
    - analyzing the data with a heuristic to identify data containing suspicious activity;
      
      configuring a virtual machine to receive the data containing suspicious activity; and
      
      analyzing a response of the virtual machine to identify the malware within the data containing suspicious activity from the one or more portable data storage devices.
  - 9. The method of claim 8, further comprising:
    - determining a latency associated with both the communication network and an estimated time to complete the analyzing of the data; and
      
      based on the latency, analyzing the data with a latency-based heuristic to satisfy a predetermined permissible time allotted for the analysis.
  - 10. The method of claim 8, wherein analyzing the data with the heuristic to identify data containing suspicious activity further comprises saving a copy of the data and analyzing the copy of the data with the heuristic;
    - andwherein analyzing the response of the virtual machine further comprises selectively identifying the one or more portable data storage devices as storing the malware.

11. A method for detecting malicious content within portable data storage devices, the method comprising:
- detecting connection of a portable storage device to a host device;
  
  accessing device data stored on the portable storage device;
  
  analyzing the device data to determine whether the device data includes malware; and
  
  based on the determination, selectively identifying the portable storage device as storing the malware.
- View Dependent Claims (12, 13)
- - 12. The method of claim 11, further comprising quarantining the device data.
  - 13. The method of claim 11, wherein analyzing the device data comprises:
    - analyzing the data with a heuristic to identify device data containing suspicious activity;
      
      configuring a virtual machine to receive the device data containing suspicious activity; and
      
      analyzing the response of the virtual machine to the device data containing suspicious activity to identify a malware attack.

14. A method for detecting malicious network content within a remote network server, the method comprising:
- detecting connection of a client device to the remote network server;
  
  receiving data stored on the remote network server;
  
  analyzing the data to determine whether the data includes malware; and
  
  based on the determination, selectively identifying the remote network server as storing the malware.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14, wherein the data including malware is located within one or more files, the method further comprising moving the one or more files including malware to a pre-configured quarantine folder.
  - 16. The method of claim 14, wherein analyzing the device data comprises:
    - analyzing the data with a heuristic to identify device data containing suspicious activity;
      
      configuring a virtual machine to receive the device data containing suspicious activity; and
      
      analyzing the response of the virtual machine to the device data containing suspicious activity to identify a malware attack.
  - 17. The method of claim 14, further comprising, based on the determination that the data includes malware:
    - detecting presence of a callback channel between the client device and the remote network server; and
      
      providing information regarding the detected callback channel to a malware detection system.
  - 18. The method of claim 17, wherein detecting presence of the callback channel occurs via a virtual machine level analysis.

19. A system for detecting malicious content within portable data storage devices, the system comprising:
- a quarantine module configured to detect one or more portable data storage devices upon insertion of the devices into a security appliance, the security appliance being configured to receive the one or more portable data storage devices;
  
  a controller configured to receive from the security appliance, via a communication network, data associated with the one or more portable data storage devices;
  
  an analysis module configured to analyze the data to determine whether the network data includes malware; and
  
  a security module to selectively identify, based on the determination, the one or more portable data storage devices storing the malware.

20. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executed by a processor for performing a method for detecting malicious content within portable data storage devices, the method comprising:
- detecting insertion of one or more portable data storage devices into a security appliance, the security appliance being configured to receive the one or more portable data storage devices;
  
  receiving from the security appliance, via a communication network, data associated with the one or more portable data storage devices;
  
  analyzing the data to determine whether the data includes malware; and
  
  based on the determination, selectively identifying the one or more portable data storage devices storing the malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar, Staniford, Stuart Gresley, Amin, Muhammad, Uyeno, Henry, Yie, Samuel

Granted Patent

US 9,519,782 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/567 using dedicated hardware

H04L 63/145 the attack involving the pr...

Detecting Malicious Network Content

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

342 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting Malicious Network Content

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

342 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links