METHOD, DEVICE AND SYSTEM FOR ALERTING AGAINST UNKNOWN MALICIOUS CODES

US 20160212160A1
Filed: 03/25/2016
Published: 07/21/2016
Est. Priority Date: 11/26/2009
Status: Active Grant

First Claim

Patent Images

1. A method for alerting against unknown malicious codes, comprising:

receiving, by a network device, a request sent by a terminal for obtaining a file from a network entity and a data stream carrying the file;

recording, by the network device, a source path carried in the request, wherein the network entity providing the file on the source path;

judging, by the network device, whether the file is an executable file according to the request or the data stream carried the file; and

sending, by the network device, first alert information that carries the source path to a monitoring device, if the network device judges the file is the executable file.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, a device, and a system for alerting against unknown malicious codes are disclosed. The method includes: detecting characteristics of a packet; judging whether any suspicious code exists in the packet according to a result of the detection; recording a source path of the suspicious code if the suspicious code exists in the packet; and sending alert information that carries the source path to a monitoring device. The embodiments of the present disclosure can report source path of numerous suspicious codes proactively at the earliest possible time, lay a foundation for shortening the time required for overcoming virus threats, and avoid the trouble of installing software on the terminal.

13 Citations

View as Search Results

12 Claims

1. A method for alerting against unknown malicious codes, comprising:
- receiving, by a network device, a request sent by a terminal for obtaining a file from a network entity and a data stream carrying the file;
  
  recording, by the network device, a source path carried in the request, wherein the network entity providing the file on the source path;
  
  judging, by the network device, whether the file is an executable file according to the request or the data stream carried the file; and
  
  sending, by the network device, first alert information that carries the source path to a monitoring device, if the network device judges the file is the executable file.
- View Dependent Claims (2, 3, 4)
- - 2. The method according to claim 1, wherein the judging, by the network device, whether the file is the executable file according to the request or a data stream carried the file, comprises:
    - detecting, by the network device, whether a string which indicating the name of the executable file exists in the request; and
      
      /ordetecting, by the network device, whether a file header of the executable file exists in the data which transmitted by the data stream returned by the network entity.
  - 3. The method according to claim 1, further comprising:
    - receiving, by the network device, second alarm information sent by the monitoring device after further detecting the file downloaded according to the source path by the monitoring device, wherein the second alarm information comprises maliciousness of the executable file, or comprises both the maliciousness of the executable file and Botnet topology information.
  - 4. The method according to claim 3, the method further comprising:
    - intercepting, by the network device, the executable file that are malicious according to the maliciousness of the executable file if the second alarm information comprises the maliciousness of the executable file; and
      
      intercepting, by the network device, the executable file that are malicious and packets transmitted in a Botnet according to the maliciousness of the executable file and the Botnet topology information if the second alarm information comprises the maliciousness of the executable file and the Botnet topology information.

5. A network device, comprising:
- a receiving module, configured to receive a request sent by a terminal for obtaining a file from a network entity and receive a data stream carrying the file;
  
  a recording module, configured to record a source path carried in the request, wherein the network entity providing the file on the source path;
  
  a detecting module, configured to judge whether the file is an executable file according to the request or the data stream carried the file; and
  
  a sending module, configured to send first alert information that carries the source path to a monitoring device, if the network device judges the file is the executable file.
- View Dependent Claims (6, 7, 8, 9, 10)
- - 6. The network device according to claim 5, wherein the detecting module comprises:
    - a first detecting submodule, configured to detect whether a string which indicating the name of the executable file exists in the request; and
      
      /ora second detecting submodule, configured to detect whether a file header of the executable file exists in the data which transmitted by the data stream returned by the network entity.
  - 7. The network device according to claim 5,the receiving module is further configured to receive second alarm information sent by the monitoring device, wherein the second alarm information includes maliciousness of the suspicious code, or includes both the maliciousness of the suspicious code and the Botnet topology information;
    - the network device further comprises;
      
      a first intercepting module, configured to intercept suspicious codes that are malicious according to maliciousness of the suspicious codes;
      
      ora second intercepting module, configured to intercept the suspicious codes that are malicious and the packets in the Botnet corresponding to the Botnet topology information according to maliciousness of the suspicious codes and the Botnet topology information.
  - 8. A system for alerting against unknown malicious codes, comprising:
    - a network device according to claim 5, and a monitoring device;
      
      wherein the monitoring device is configured to receive first alert information that carries a source path sent from the network device;
      
      download an executable file according to the source path;
      
      detect the executable file to confirm maliciousness of the executable file;
      
      send second alarm information to the network device, wherein the second alarm information comprises maliciousness of the executable file, or comprises both the maliciousness of the executable and Botnet topology information.
  - 9. The system for alerting against unknown malicious codes according to claim 8,wherein the monitoring device is further configured to detect maliciousness of the executable file by characteristics detection;
    - and/ordetect maliciousness of the executable file by sandbox test.
  - 10. A system for alerting against unknown malicious codes, comprising:
    - a network device according to claim 6, and a monitoring device;
      
      wherein the monitoring device is configured to receive first alert information that carries a source path sent from the network device;
      
      download an executable file according to the source path;
      
      detect the executable file to confirm maliciousness of the executable file;
      
      send second alarm information to the network device, wherein the second alarm information comprises maliciousness of the executable file, or comprises both the maliciousness of the executable and Botnet topology information.

11. A network device, comprising:
- a memory storing instructions thereon; and
  
  a processor coupled to the memory and implements the instructions to;
  
  receive a request sent by a terminal for obtaining a file from a network entity and receive a data stream carrying the file;
  
  record a source path carried in the request, wherein the network entity providing the file on the source path;
  
  judge whether the file is an executable file according to the request or the data stream carried the file; and
  
  send first alert information that carries the source path to a monitoring device, if the network device judges the file is the executable file.
- View Dependent Claims (12)
- - 12. The network device according to claim 11, wherein the judge whether the file is an executable file according to the request or the data stream carried the file comprises:
    - detecting whether a string which indicating the name of the executable file exists in the request; and
      
      /ordetecting whether a file header of the executable file exists in the data which transmitted by the data stream returned by the network entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Huawei Digital Technologies (Cheng Du) Co. Ltd (Huawei Investment & Holding Co., Ltd.)
Inventors
JIANG, Wu

Granted Patent

US 10,027,693 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 2463/146   Tracing the source of attacks

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

METHOD, DEVICE AND SYSTEM FOR ALERTING AGAINST UNKNOWN MALICIOUS CODES

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD, DEVICE AND SYSTEM FOR ALERTING AGAINST UNKNOWN MALICIOUS CODES

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links