SYSTEM AND METHOD FOR DETECTING MALICIOUS LINKS IN ELECTRONIC MESSAGES

US 20150007312A1
Filed: 07/18/2013
Published: 01/01/2015
Est. Priority Date: 06/28/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malicious links in electronic messages, comprising:

in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, removing any known URL links from the URL links based on a list of known link signatures;

for each of remaining URL links that are unknown, performing a link analysis on the URL link based on link heuristics to determine whether the URL link is suspicious;

for each of the suspicious URL links, performing a dynamic analysis on a resource of the suspicious URL link; and

classifying whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, any known URL links are removed from the URL links based on a list of known link signatures. For each of remaining URL links that are unknown, a link analysis is performed on the URL link based on link heuristics to determine whether the URL link is suspicious. For each of the suspicious URL links, a dynamic analysis is performed on a resource of the suspicious URL link. It is classified whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis.

Citations

28 Claims

1. A computer-implemented method for detecting malicious links in electronic messages, comprising:
- in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, removing any known URL links from the URL links based on a list of known link signatures;
  
  for each of remaining URL links that are unknown, performing a link analysis on the URL link based on link heuristics to determine whether the URL link is suspicious;
  
  for each of the suspicious URL links, performing a dynamic analysis on a resource of the suspicious URL link; and
  
  classifying whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the URL links are received from one or more malware detection appliances over the Internet, and wherein the one or more malware detection appliances are deployed in one or more local area networks (LANs).
  - 3. The method of claim 2, wherein each of the malware detection appliances is configured torecognize a URL link embedded within an email,extract the URL from the email, andtransmit the extracted URL to the malware analysis system over the Internet as part of the plurality of URL links, without transmitting remaining content of the email.
  - 4. The method of claim 2, wherein performing a link analysis comprises:
    - determining whether a first domain name of the URL link occurs frequently amongst the plurality of URL links; and
      
      designating each of the URL links that includes the first domain name as suspicious, if the first domain name occurs frequently amongst the URL links.
  - 5. The method of claim 2, wherein performing a link analysis comprises:
    - determining whether a first uniform resource identifier (URI) of the URL link occurs frequently amongst the plurality of URL links; and
      
      designating each of the URL links that includes the first URI as suspicious, if the first URI occurs frequently amongst the URL links.
  - 6. The method of claim 2, wherein performing a link analysis comprises:
    - accessing a remote resource of a remote resource location via the URL link; and
      
      classifying whether the URL link is suspicious based on a response received from the remote resource location.
  - 7. The method of claim 6, wherein the URL link is classified as suspicious based on a combination of a type and a size of the remote resource.
  - 8. The method of claim 1, further comprising:
    - generating a link signature for each of the links that have been classified as malicious; and
      
      transmitting link signatures of the classified malicious links to the one or more malware detection appliances, such that the malware detection appliances can detect subsequent malicious links locally based on the link signatures.

9. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform a method for detecting malicious links in electronic messages, the method comprising:
- in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, removing any known URL links from the URL links based on a list of known link signatures;
  
  for each of remaining URL links that are unknown, performing a link analysis on the URL link based on link heuristics to determine whether the URL link is suspicious;
  
  for each of the suspicious URL links, performing a dynamic analysis on a resource of the suspicious URL link; and
  
  classifying whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The medium of claim 9, wherein the URL links are received from one or more malware detection appliances over the Internet, and wherein the one or more malware detection appliances are deployed in one or more local area networks (LANs).
  - 11. The medium of claim 10, wherein each of the malware detection appliances is configured torecognize a URL link embedded within an email,extract the URL from the email, andtransmit the extracted URL to the malware analysis system over the Internet as part of the plurality of URL links, without transmitting remaining content of the email.
  - 12. The medium of claim 10, wherein performing a link analysis comprises:
    - determining whether a first domain name of the URL link occurs frequently amongst the plurality of URL links; and
      
      designating each of the URL links that includes the first domain name as suspicious, if the first domain name occurs frequently amongst the URL links.
  - 13. The medium of claim 10, wherein performing a link analysis comprises:
    - determining whether a first uniform resource identifier (URI) of the URL link occurs frequently amongst the plurality of URL links; and
      
      designating each of the URL links that includes the first URI as suspicious, if the first URI occurs frequently amongst the URL links.
  - 14. The medium of claim 10, wherein performing a link analysis comprises:
    - accessing a remote resource of a remote resource location via the URL link; and
      
      classifying whether the URL link is suspicious based on a response received from the remote resource location.
  - 15. The medium of claim 14, wherein the URL link is classified as suspicious based on a combination of a type and a size of the remote resource.
  - 16. The medium of claim 9, wherein the method further comprises:
    - generating a link signature for each of the links that have been classified as malicious; and
      
      transmitting link signatures of the classified malicious links to the one or more malware detection appliances, such that the malware detection appliances can detect subsequent malicious links locally based on the link signatures.

17. A computer-implemented method for detecting malicious links, comprising:
- in response to receiving an email having a uniform resource locator (URL) link for malicious determination, extracting the URL link from the email;
  
  comparing at least a portion of the extracted URL link with a list of heuristic link signatures that represents a list of patterns to determine whether the URL link is suspicious;
  
  performing a dynamic analysis on the extracted URL link in a virtual machine (VM) if at least a portion of the extracted URL link matches at least one of the heuristic link signatures, includingaccessing and downloading a resource from a remote site via the extracted URL link,executing the resource within the VM using a software program that is associated with the resource, andmonitoring a behavior of the resource within the VM; and
  
  classifying whether the extracted URL link is a malicious link based on the behavior of the resource during the execution of the resource within the VM.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The method of claim 17, wherein the heuristic link signatures are generated based on data previously collected from a plurality of malware detection systems using machine learning techniques.
  - 19. The method of claim 18, wherein the heuristic link signatures are updated periodically based on data periodically collected from the malware detection systems.
  - 20. The method of claim 18, wherein the heuristic link signatures represent patterns of likely malicious links based on previous malware detection operations.
  - 21. The method of claim 17, further comprising performing a static analysis on metadata of the email to determine whether the email is a suspicious email, wherein the dynamic analysis is performed on the extracted URL link if the email is determined to be suspicious.
  - 22. The method of claim 21, wherein the metadata of the email includes at least one of TO, FROM, and SUBJECT fields.

23. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform a method for detecting malicious links, the method comprising:
- in response to receiving an email having a uniform resource locator (URL) link for malicious determination, extracting the URL link from the email;
  
  comparing at least a portion of the extracted URL link with a list of heuristic link signatures that represents a list of patterns to determine whether the URL link is suspicious;
  
  performing a dynamic analysis on the extracted URL link in a virtual machine (VM) if at least a portion of the extracted URL link matches at least one of the heuristic link signatures, includingaccessing and downloading a resource from a remote site via the extracted URL link,executing the resource within the VM using a software program that is associated with the resource, andmonitoring a behavior of the resource within the VM; and
  
  classifying whether the extracted URL link is a malicious link based on the behavior of the resource during the execution of the resource within the VM.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The medium of claim 23, wherein the heuristic link signatures are generated based on data previously collected from a plurality of malware detection systems using machine learning techniques.
  - 25. The medium of claim 24, wherein the heuristic link signatures are updated periodically based on data periodically collected from the malware detection systems.
  - 26. The medium of claim 24, wherein the heuristic link signatures represent patterns of likely malicious links based on previous malware detection operations.
  - 27. The medium of claim 23, wherein the method further comprises performing a static analysis on metadata of the email to determine whether the email is a suspicious email, wherein the dynamic analysis is performed on the extracted URL link if the email is determined to be suspicious.

28. A data processing system for detecting malicious links, comprising:
- a processor; and
  
  a memory coupled to the processor for storing instructions, which when executed from the memory by the processor, cause the processor toin response to receiving an email having a uniform resource locator (URL) link for malicious determination, extract the URL link from the email,compare at least a portion of the extracted URL link with a list of heuristic link signatures that represents a list of patterns to determine whether the URL link is suspicious,perform a dynamic analysis on the extracted URL link in a virtual machine (VM) if at least a portion of the extracted URL link matches at least one of the heuristic link signatures, includingaccessing and downloading a resource from a remote site via the extracted URL link,executing the resource within the VM using a software program that is associated with the resource, andmonitoring a behavior of the resource within the VM, andclassify whether the extracted URL link is a malicious link based on the behavior of the resource during the execution of the resource within the VM.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Uyeno, Henry, Pidathala, Vinay

Granted Patent

US 9,300,686 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1475   Passive attacks, e.g. eaves...

SYSTEM AND METHOD FOR DETECTING MALICIOUS LINKS IN ELECTRONIC MESSAGES

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR DETECTING MALICIOUS LINKS IN ELECTRONIC MESSAGES

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links