SYSTEM AND METHOD FOR DETECTING MALICIOUS LINKS IN ELECTRONIC MESSAGES
First Claim
1. A computer-implemented method for detecting malicious links in electronic messages, comprising:
in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, removing any known URL links from the URL links based on a list of known link signatures;
for each of remaining URL links that are unknown, performing a link analysis on the URL link based on link heuristics to determine whether the URL link is suspicious;
for each of the suspicious URL links, performing a dynamic analysis on a resource of the suspicious URL link; and
classifying whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis.
Abstract
According to one embodiment, in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, any known URL links are removed from the URL links based on a list of known link signatures. For each of the remaining URL links that are unknown, a link analysis is performed on the URL link based on link heuristics to determine whether the URL link is suspicious. For each of the suspicious URL links, a dynamic analysis is performed on a resource of the suspicious URL link. The suspicious URL link is then classified as a malicious link or not based on the behavior of the resource observed during the dynamic analysis.
28 Claims
1. A computer-implemented method for detecting malicious links in electronic messages, comprising:
in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, removing any known URL links from the URL links based on a list of known link signatures;
for each of remaining URL links that are unknown, performing a link analysis on the URL link based on link heuristics to determine whether the URL link is suspicious;
for each of the suspicious URL links, performing a dynamic analysis on a resource of the suspicious URL link; and
classifying whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis.
Dependent claims: 2-8.
9. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform a method for detecting malicious links in electronic messages, the method comprising:
in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, removing any known URL links from the URL links based on a list of known link signatures;
for each of remaining URL links that are unknown, performing a link analysis on the URL link based on link heuristics to determine whether the URL link is suspicious;
for each of the suspicious URL links, performing a dynamic analysis on a resource of the suspicious URL link; and
classifying whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis.
Dependent claims: 10-16.
17. A computer-implemented method for detecting malicious links, comprising:
in response to receiving an email having a uniform resource locator (URL) link for malicious determination, extracting the URL link from the email;
comparing at least a portion of the extracted URL link with a list of heuristic link signatures that represents a list of patterns to determine whether the URL link is suspicious;
performing a dynamic analysis on the extracted URL link in a virtual machine (VM) if at least a portion of the extracted URL link matches at least one of the heuristic link signatures, including accessing and downloading a resource from a remote site via the extracted URL link, executing the resource within the VM using a software program that is associated with the resource, and monitoring a behavior of the resource within the VM; and
classifying whether the extracted URL link is a malicious link based on the behavior of the resource during the execution of the resource within the VM.
Dependent claims: 18-22.
23. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform a method for detecting malicious links, the method comprising:
in response to receiving an email having a uniform resource locator (URL) link for malicious determination, extracting the URL link from the email;
comparing at least a portion of the extracted URL link with a list of heuristic link signatures that represents a list of patterns to determine whether the URL link is suspicious;
performing a dynamic analysis on the extracted URL link in a virtual machine (VM) if at least a portion of the extracted URL link matches at least one of the heuristic link signatures, including accessing and downloading a resource from a remote site via the extracted URL link, executing the resource within the VM using a software program that is associated with the resource, and monitoring a behavior of the resource within the VM; and
classifying whether the extracted URL link is a malicious link based on the behavior of the resource during the execution of the resource within the VM.
Dependent claims: 24-27.
28. A data processing system for detecting malicious links, comprising:
a processor; and
a memory coupled to the processor for storing instructions, which when executed from the memory by the processor, cause the processor to:
in response to receiving an email having a uniform resource locator (URL) link for malicious determination, extract the URL link from the email;
compare at least a portion of the extracted URL link with a list of heuristic link signatures that represents a list of patterns to determine whether the URL link is suspicious;
perform a dynamic analysis on the extracted URL link in a virtual machine (VM) if at least a portion of the extracted URL link matches at least one of the heuristic link signatures, including accessing and downloading a resource from a remote site via the extracted URL link, executing the resource within the VM using a software program that is associated with the resource, and monitoring a behavior of the resource within the VM; and
classify whether the extracted URL link is a malicious link based on the behavior of the resource during the execution of the resource within the VM.
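The staged scheme of claim 1 (known-signature filter, link heuristics, dynamic analysis, behavior-based verdict) and the email-extraction and VM-monitoring steps of claims 17 and 28 describe one triage loop. The Python below is an added example written for this page; it is not code from the patent, its assignee or any product. Everything in it is a constructed assumption: the sample email, the known-signature list and its hashing scheme, the heuristic patterns, the behavior indicators and their weights, and the sandbox reports, which stand in for a real VM run so that the example executes offline. The point it makes that the claims leave implicit is the cost model: only links that survive the signature filter and trip a heuristic pay for a sandbox run, and a link whose sandbox run produced no report stays flagged rather than being quietly downgraded to benign.

```python
"""Added example, not the patent's code: a staged URL triage pipeline in the
shape of claims 1 and 17. Every list, pattern, weight and sample below is a
constructed assumption for illustration, not data taken from the patent."""
import re
from email import message_from_string
from hashlib import sha256
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)

def extract_urls(raw_email):
    """Claim 17, first step: collect http(s) links from every text/* MIME part."""
    found = []
    for part in message_from_string(raw_email).walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_subtype() == "html":
            found.extend(HREF_RE.findall(body))  # links hidden behind anchor text
        found.extend(URL_RE.findall(body))       # bare links in the visible text
    cleaned = (u.rstrip(".,)") for u in found if u.lower().startswith("http"))
    return list(dict.fromkeys(cleaned))          # de-duplicate, keep order

def link_signature(url):
    """Known-link signature (assumed scheme): SHA-256 of scheme://host/path, host lower-cased, query dropped."""
    p = urlparse(url)
    return sha256(f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}".encode()).hexdigest()

# Step 1: links already classified skip both the heuristics and the sandbox.
KNOWN_SIGNATURES = {link_signature("https://www.example.com/newsletter"): "benign"}

# Step 2: heuristic link signatures, the "list of patterns" of claim 17 (assumed set).
HEURISTIC_SIGNATURES = [
    ("ip_literal_host", re.compile(r"^https?://(\d{1,3}\.){3}\d{1,3}(?=[/:?#]|$)", re.I)),
    ("userinfo_in_authority", re.compile(r"^https?://[^/@]+@", re.I)),
    ("deep_subdomains", re.compile(r"^https?://([^./]+\.){4,}[^./]+(?=[/:?#]|$)", re.I)),
    ("executable_download", re.compile(r"\.(exe|scr|js|jar|vbs|hta|zip|iso)(?=[?#]|$)", re.I)),
]

def link_analysis(url):
    """Step 2: names of the heuristic signatures the URL matches ([] = not suspicious)."""
    return [name for name, pat in HEURISTIC_SIGNATURES if pat.search(url)]

# Step 3 stand-in: constructed VM behaviour reports keyed by URL. A real run would
# fetch the resource, open it with its associated program in the VM and record events.
SANDBOX_REPORTS = {
    "http://203.0.113.7/invoice.js": [
        "process:wscript.exe", "process:powershell.exe",
        "file:write:C:\\Users\\Public\\svc.exe",
        "registry:write:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
        "net:connect:203.0.113.7:8080"],
    "https://a.b.c.d.example.org/report.zip": ["process:explorer.exe", "file:read:report.zip"],
}

# Step 4: weighted behaviour indicators (assumed policy); malicious at score >= 3.
BEHAVIOR_WEIGHTS = [
    (re.compile(r"^registry:write:HKCU\\.*\\Run\\", re.I), 3),                 # autorun persistence
    (re.compile(r"^file:write:.*\.(exe|dll|scr)$", re.I), 2),                # dropped executable
    (re.compile(r"^process:(powershell|cmd|mshta|certutil)\.exe$", re.I), 1),  # LOLBin spawned
    (re.compile(r"^net:connect:(\d{1,3}\.){3}\d{1,3}:\d+$"), 1),             # beacon to a raw IP
]

def classify_behavior(behaviors):
    """Step 4: (verdict, score) from the behaviours the monitor recorded."""
    score = sum(w for b in behaviors for pat, w in BEHAVIOR_WEIGHTS if pat.search(b))
    return ("malicious" if score >= 3 else "benign", score)

def triage_email(raw_email, sandbox=SANDBOX_REPORTS.get):
    """All four stages over one email; returns {url: (verdict, reason)}."""
    verdicts = {}
    for url in extract_urls(raw_email):
        sig = link_signature(url)
        if sig in KNOWN_SIGNATURES:                  # step 1: already known
            verdicts[url] = (KNOWN_SIGNATURES[sig], "known-signature")
            continue
        matched = link_analysis(url)                 # step 2: link heuristics
        if not matched:
            verdicts[url] = ("benign", "no-heuristic-match")
            continue
        behaviors = sandbox(url)                     # step 3: only suspicious links cost a VM run
        if behaviors is None:                        # no report: keep it flagged, never downgrade
            verdicts[url] = ("suspicious", "sandbox-unavailable")
            continue
        verdict, score = classify_behavior(behaviors)  # step 4
        verdicts[url] = (verdict, f"heuristics={matched} score={score}")
    return verdicts

# Constructed sample: a known benign link, an unknown benign link, a script served
# from a raw IP behind anchor text, and an archive on a deep subdomain.
SAMPLE_EMAIL = """\
From: billing@example.com
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Newsletter: https://www.example.com/newsletter  FAQ: https://docs.example.com/faq
--b1
Content-Type: text/html; charset="utf-8"

<a href="http://203.0.113.7/invoice.js">Open invoice</a>
<p>Archive: https://a.b.c.d.example.org/report.zip</p>
--b1--
"""

if __name__ == "__main__":
    for url, (verdict, reason) in triage_email(SAMPLE_EMAIL).items():
        print(f"{verdict:10} {url}  ({reason})")
```

Run as a script, the sample yields one known benign link, one unknown link that trips no heuristic, the raw-IP script classified malicious from its persistence and dropped-executable behaviour, and the deep-subdomain archive cleared by its harmless sandbox report. Passing a different `sandbox` callable (for example a client for a real detonation service) swaps out the constructed reports without touching the other three stages.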
Specification