Systems and Methods for Scheduling Analysis of Network Content for Malware
Abstract
A method for detecting malicious network content comprises inspecting one or more packets of network content, identifying a suspicious characteristic of the network content, determining a score related to a probability that the network content includes malicious network content based on at least the suspicious characteristic, identifying the network content as suspicious if the score satisfies a threshold value, executing a virtual machine to process the suspicious network content, and analyzing a response of the virtual machine to detect malicious network content.
56 Claims
1-26. (canceled)
27. A computer implemented method of scheduling analysis of items of network content to determine whether the items of network content contain malicious network content, the method comprising the steps of:
A) determining whether a probability score corresponding to each of a plurality of items of network content satisfies an analysis threshold, the probability score related to a probability that the corresponding item of network content includes malicious network content;
B) storing each of the probability scores in a persistent memory;
C) generating an order of processing of each of the items of network content by an analyzer if the corresponding probability score satisfies the analysis threshold, the order of processing being based on the corresponding probability scores, the analyzer comprising a digital device providing a virtual machine; and
D) processing the items of network content in the virtual machine in accordance with the order of processing of the items of network content, the virtual machine being configured with a software profile corresponding to each of the processed items and adapted to detect malicious network content.
Dependent claims: 28, 29, 30, 31, 32, 33, 34, 35, 36
37. A computer implemented method of scheduling analysis of items of network content to determine whether the items of network content contain malicious network content, the method comprising the steps of:
A) generating an order of processing of a plurality of items of network content by an analyzer based on a probability score corresponding to each of the items of suspicious network content, each of the probability scores reflecting a probability that the corresponding item of suspicious network content comprises malicious network content, the analyzer comprising a digital device providing a virtual machine; and
B) processing the plurality of items of network content in the virtual machine in accordance with the order of processing, the virtual machine reflecting a software profile corresponding to each of the items of suspicious network content being processed and being configured to monitor behavior associated with the items of network content, thereby to detect malicious network content.
Dependent claims: 38, 39, 40, 41, 42, 43, 44, 45
46. A system operable to schedule processing of items of suspicious network content to determine whether the items of suspicious network content contain malicious network content, the system comprising:
A) a memory;
B) an analyzer comprising a digital device having a processor, the digital device configured to provide at least one virtual machine and a scheduler;
C) wherein the scheduler is operatively coupled with the memory and is configured to generate an order of processing of a plurality of items of network content by the processor based on a plurality of probability scores, each corresponding to an item of network content, each of the probability scores reflecting a probability that the corresponding item of network content comprises malicious network content; and
D) wherein the analyzer is configured to process the plurality of items of network content in the at least one virtual machine by replaying the items of network content in accordance with the order of processing, the virtual machine being configured with a software profile corresponding to each of the processed items and being adapted to monitor behavior of each of the items during processing, thereby to detect malicious network content.
Dependent claims: 47, 48, 49, 50, 51, 52, 53, 54, 55, 56
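The following is an added illustration of the scheduling flow in claims 27, 37 and 46 (threshold check, persisted scores, score-ordered queue, per-item software profile handed to a VM); it is not code from the patent or its assignee. The threshold, the behaviour list, the `vm_run` hook, the sample items and the fake VM log are all constructed assumptions, and an in-memory sqlite database stands in for the claimed persistent memory.

```python
from dataclasses import dataclass
import heapq
import sqlite3

ANALYSIS_THRESHOLD = 0.5  # constructed value; scores at or above it are queued
SUSPECT_BEHAVIOURS = {"writes_autorun_key", "spawns_shell", "disables_av"}  # constructed
DB = sqlite3.connect(":memory:")  # stand-in for the claimed persistent score store

@dataclass(frozen=True)
class ContentItem:
    item_id: str
    software_profile: str  # OS/application image the VM must be configured with
    score: float           # probability that the item carries malicious content

def persist_scores(items, db=DB):
    """Step B: store every probability score, whether or not the item is queued."""
    db.execute("CREATE TABLE IF NOT EXISTS scores (item_id TEXT PRIMARY KEY, score REAL)")
    db.executemany("INSERT OR REPLACE INTO scores VALUES (?, ?)",
                   [(i.item_id, i.score) for i in items])
    db.commit()

def stored_scores(db=DB):
    return dict(db.execute("SELECT item_id, score FROM scores"))

def build_order(items, threshold=ANALYSIS_THRESHOLD):
    """Steps A and C: keep items meeting the threshold, highest score first."""
    heap = [(-i.score, i.item_id, i) for i in items if i.score >= threshold]
    heapq.heapify(heap)
    return [heapq.heappop(heap)[2] for _ in range(len(heap))]

def analyze_in_vm(item, vm_run):
    """Step D: hand the item to a VM configured with its software profile.
    vm_run(profile, item_id) is an assumed hook returning observed behaviours."""
    behaviours = vm_run(item.software_profile, item.item_id)
    return {"item_id": item.item_id,
            "malicious": bool(SUSPECT_BEHAVIOURS.intersection(behaviours))}

def schedule_and_analyze(items, vm_run, db=DB):
    persist_scores(items, db)
    return [analyze_in_vm(i, vm_run) for i in build_order(items)]

# Constructed sample: three captured items and a fake VM hook reporting behaviours
SAMPLE_ITEMS = [ContentItem("pkt-001", "win7-ie8", 0.35),
                ContentItem("pkt-002", "win7-ie8", 0.92),
                ContentItem("pkt-003", "winxp-ie6", 0.61)]
FAKE_VM_LOG = {"pkt-002": ["opens_file", "spawns_shell"], "pkt-003": ["opens_file"]}

def fake_vm_run(profile, item_id):
    return FAKE_VM_LOG.get(item_id, [])
```

Calling `schedule_and_analyze(SAMPLE_ITEMS, fake_vm_run)` analyzes only pkt-002 and pkt-003, in that order, while all three scores remain retrievable via `stored_scores()`.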
Specification