SYSTEMS AND METHODS FOR DYNAMIC CLOUD-BASED MALWARE BEHAVIOR ANALYSIS

US 20140208426A1
Filed: 03/26/2014
Published: 07/24/2014
Est. Priority Date: 05/28/2008
Status: Active Grant

First Claim

Patent Images

1. A cloud-based method, comprising:

receiving known malware signatures at one or more nodes in a cloud-based system;

monitoring one or more users inline through the one or more nodes in the cloud-based system for regular traffic processing comprising malware detection and preclusion;

determining unknown content from a user of the one or more users is suspicious of being malware;

sending the unknown content to a behavioral analysis system for an offline analysis; and

receiving updated known malware signatures based on the offline analysis.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cloud-based method, a behavioral analysis system, and a cloud-based security system can include a plurality of nodes communicatively coupled to one or more users, wherein the plurality of nodes each perform inline monitoring for one of the one or more users for security comprising malware detection and preclusion; and a behavioral analysis system communicatively coupled to the plurality of nodes, wherein the behavioral analysis system performs offline analysis for any suspicious content from the one or more users which is flagged by the plurality of nodes; wherein the plurality of nodes each comprise a set of known malware signatures for the inline monitoring that is periodically updated by the behavioral analysis system based on the offline analysis for the suspicious content.

Citations

19 Claims

1. A cloud-based method, comprising:
- receiving known malware signatures at one or more nodes in a cloud-based system;
  
  monitoring one or more users inline through the one or more nodes in the cloud-based system for regular traffic processing comprising malware detection and preclusion;
  
  determining unknown content from a user of the one or more users is suspicious of being malware;
  
  sending the unknown content to a behavioral analysis system for an offline analysis; and
  
  receiving updated known malware signatures based on the offline analysis.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The cloud-based method of claim 1, further comprising:
    - performing one of blocking or allowing the unknown content to or from the user based on policy.
  - 3. The cloud-based method of claim 1, wherein the one or more users comprise a plurality of users associated with a plurality of companies, and further comprising:
    - receiving a policy setting for each of the plurality of companies, wherein the policy setting comprises whether or not to perform the offline analysis for the unknown content; and
      
      performing the regular traffic processing for the unknown content for users associated with companies with the policy setting of not performing the offline analysis, wherein the regular traffic processing comprises monitoring for malware based on the offline analysis of other users.
  - 4. The cloud-based method of claim 1, further comprising:
    - determining unknown content is suspicious based on analysis in the one or more nodes based on smart filtering determining that the unknown content is an unknown, active software file that performs some functionality on the user'"'"'s device.
  - 5. The cloud-based method of claim 1, further comprising:
    - storing the unknown content in the behavioral analysis system and maintaining an event log associated with the unknown content in the behavioral analysis system; and
      
      performing the offline analysis on the unknown content comprising a static analysis and a dynamic analysis.
  - 6. The cloud-based method of claim 5, wherein the unknown content is stored in an encrypted format, and further comprising:
    - storing results data from various stages of the offline analysis of the unknown content, wherein the results data comprises static analysis results, JavaScript Object Notation (JSON) data from the dynamic analysis, packet capture data, screenshot images, and files created/deleted/downloaded during the dynamic analysis.
  - 7. The cloud-based method of claim 5, wherein the static analysis evaluates various properties of the unknown content and the dynamic analysis runs the unknown content on a virtual machine operating an appropriate operating system for the unknown content.
  - 8. The cloud-based method of claim 1, further comprising:
    - performing the offline analysis as a combination of a static analysis and a dynamic analysis by the behavioral analysis system.
  - 9. The cloud-based method of claim 8, wherein the static analysis evaluates various properties of the unknown content using a set of tools based on a type of file of the unknown content, wherein the set of tools comprise any of checking third party services to match the unknown content to known viruses detected by various anti-virus engines, using a Perl Compatible Regular Expressions (PCRE) engine to check the unknown content for known signatures, identifying code signing certificates to form a whitelist of known benign content using Portable Executable (PE)/Common Object File Format (COFF) specifications, and evaluating destinations of any communications from the dynamic analysis.
  - 10. The cloud-based method of claim 8, wherein the dynamic analysis runs the unknown content on a virtual machine operating an appropriate operating system for the unknown content and evaluates any of JavaScript Object Notation (JSON) data generated;
    - temporary files generated, system and registry files modified;
      
      files added or deleted;
      
      processor, network, memory and file system usages;
      
      external communications;
      
      security bypass;
      
      data leakage; and
      
      persistence.

11. A behavioral analysis system for detecting malware from a cloud-based system, comprising:
- a network interface;
  
  a data store;
  
  a processor communicatively coupled to the network interface and the data store;
  
  memory storing instructions that, when executed, cause the processor to;
  
  receive new content from the cloud-based system via the network interface for an offline analysis thereof;
  
  store the new content and track activity on the new content in the data store;
  
  perform the offline analysis comprising a static analysis and a dynamic analysis;
  
  determine whether the new content is malware based on the offline analysis; and
  
  update the cloud-based system regarding the offline analysis and whether the new content is malware.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The behavioral analysis system of claim 11, wherein the memory storing instructions that, when executed, further cause the processor to:
    - store results data from various stages of the offline analysis of the new content, wherein the results data comprises static analysis results, JavaScript Object Notation (JSON) data from the dynamic analysis, packet capture data, screenshot images, and files created/deleted/downloaded during the dynamic analysis.
  - 13. The behavioral analysis system of claim 11, wherein the static analysis evaluates various properties of the new content and the dynamic analysis runs the new content on a virtual machine operating an appropriate operating system for the new content.
  - 14. The behavioral analysis system of claim 11, wherein the static analysis evaluates various properties of the new content using a set of tools based on a type of file of the new content, wherein the set of tools comprise any of checking third party services to match the new content to known viruses detected by various anti-virus engines, using a Perl Compatible Regular Expressions (PCRE) engine to check the new content for known signatures, identifying code signing certificates to form a whitelist of known benign content using Portable Executable (PE)/Common Object File Format (COFF) specifications, and evaluating destinations of any communications from the dynamic analysis.
  - 15. The behavioral analysis system of claim 11, wherein the dynamic analysis runs the new content on a virtual machine operating an appropriate operating system for the new content and evaluates any of JavaScript Object Notation (JSON) data generated;
    - temporary files generated, system and registry files modified;
      
      files added or deleted;
      
      processor, network, memory and file system usages;
      
      external communications;
      
      security bypass;
      
      data leakage; and
      
      persistence.

16. A cloud-based security system, comprising:
- a plurality of nodes communicatively coupled to one or more users, wherein the plurality of nodes each perform inline monitoring for one of the one or more users for security comprising malware detection and preclusion; and
  
  a behavioral analysis system communicatively coupled to the plurality of nodes, wherein the behavioral analysis system performs offline analysis for any suspicious content from the one or more users which is flagged by the plurality of nodes; and
  
  wherein the plurality of nodes each comprise a set of known malware signatures for the inline monitoring that is periodically updated by the behavioral analysis system based on the offline analysis for the suspicious content.
- View Dependent Claims (17, 18, 19)
- - 17. The cloud-based security system of claim 16, wherein the offline analysis comprises a combination of a static analysis and a dynamic analysis.
  - 18. The cloud-based security system of claim 17, wherein the static analysis evaluates various properties of the suspicious content using a set of tools based on a type of file of the suspicious content, wherein the set of tools comprise any of checking third party services to match the suspicious content to known viruses detected by various anti-virus engines, using a Perl Compatible Regular Expressions (PCRE) engine to check the suspicious content for known signatures, identifying code signing certificates to form a whitelist of known benign content using Portable Executable (PE)/Common Object File Format (COFF) specifications, and evaluating destinations of any communications from the dynamic analysis.
  - 19. The cloud-based security system of claim 17, wherein the dynamic analysis runs the suspicious content on a virtual machine operating an appropriate operating system for the suspicious content and evaluates any of JavaScript Object Notation (JSON) data generated;
    - temporary files generated, system and registry files modified;
      
      files added or deleted;
      
      processor, network, memory and file system usages;
      
      external communications;
      
      security bypass;
      
      data leakage; and
      
      persistence.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Zscaler Incorporated
Inventors
SUTTON, Michael Andrew William, NATARAJAN, Sriram, PAUL, Narinder, SOBRIER, Julien, THAMILARASU, Karthikeyan, BAYAR, Balakrishna

Granted Patent

US 9,152,789 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

SYSTEMS AND METHODS FOR DYNAMIC CLOUD-BASED MALWARE BEHAVIOR ANALYSIS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR DYNAMIC CLOUD-BASED MALWARE BEHAVIOR ANALYSIS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links