SYSTEMS AND METHODS FOR MALWARE ANALYSIS OF NETWORK TRAFFIC

US 20160269437A1
Filed: 03/08/2016
Published: 09/15/2016
Est. Priority Date: 03/12/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory machine-readable storage device including instructions stored thereon that, when executed by processing circuitry of a machine, configure the processing circuitry to perform operations comprising:

copying application layer data traffic to create copied application layer data traffic;

forwarding at least a portion of the application layer data traffic to a destination client prior to a malware analysis of corresponding copied application layer data traffic;

determining whether the copied application layer data traffic includes a specified property; and

in response to a determination that the copied application layer data traffic includes the specified property, storing the copied application layer data traffic determined to include the specified property for subsequent malware analysis, the stored copied application layer data traffic including context data of the copied application layer data traffic.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Generally discussed herein are systems, devices, and methods for malware analysis. In one or more embodiments, a method can include copying application layer data traffic to create copied application layer data traffic, forwarding at least a portion of the application layer data traffic to a destination client prior to a malware analysis of corresponding copied application layer data traffic, determining whether the copied application layer data traffic includes a specified property, and in response to a determination that the copied application layer data traffic includes the specified property, storing the copied application layer data traffic determined to include the specified property for subsequent malware analysis, the stored copied application layer data traffic including context data of the copied application layer data traffic.

Citations

20 Claims

1. A non-transitory machine-readable storage device including instructions stored thereon that, when executed by processing circuitry of a machine, configure the processing circuitry to perform operations comprising:
- copying application layer data traffic to create copied application layer data traffic;
  
  forwarding at least a portion of the application layer data traffic to a destination client prior to a malware analysis of corresponding copied application layer data traffic;
  
  determining whether the copied application layer data traffic includes a specified property; and
  
  in response to a determination that the copied application layer data traffic includes the specified property, storing the copied application layer data traffic determined to include the specified property for subsequent malware analysis, the stored copied application layer data traffic including context data of the copied application layer data traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The storage device of claim 1, wherein the specified property is data indicating that the application layer data traffic is one or more of electronic mail (email) traffic that includes an attachment, a file, and an executable.
  - 3. The storage device of claim 2, further comprising instructions stored thereon that, when executed by processing circuitry of the machine, configure the processing circuitry to perform operations comprising:
    - sessionizing the copied application layer data traffic prior to determining whether the copied application layer data traffic includes the specified property and wherein storing the copied application layer data traffic includes storing the sessionized copied application layer data traffic.
  - 4. The storage device of claim 3, wherein the sessionized copied application layer data traffic includes content of the email as well as context of the email including two or more of a sender address, a recipient address, a send port, a receive port, a sender identity, a recipient identity, a time of transmission, a copy contact, a blind copy contact, a subject line content, an author, and time of creation.
  - 5. The storage device of claim 4, further comprising instructions stored thereon that, when executed by processing circuitry of the machine, configure the processing circuitry to perform operations comprising:
    - decrypting the copied application layer data traffic prior to determining if the copied application layer data traffic includes the specified property.
  - 6. The storage device of claim 4, further comprising instructions stored thereon that, when executed by processing circuitry of the machine, configure the processing circuitry to perform operations comprising:
    - converting the sessionized copied application layer data traffic into a format compatible with a malware analysis module before storing the sessionized copied application layer data traffic.
  - 7. The storage device of claim 6, wherein the format compatible with the malware analysis module includes a Message Transfer Agent (MTA) format.
  - 8. The storage device of claim 4, wherein the instructions for determining whether the copied application layer data traffic includes a specified property include instructions for decoding a multipurpose internet mail extension (MIME) header to determine the specified property.

9. A method for malware analysis performed by one or more hardware processors, the method comprising:
- copying application layer data traffic to create copied application layer data traffic;
  
  forwarding at least a portion of the application layer data traffic to a destination client prior to a malware analysis of corresponding copied application layer data traffic;
  
  determining whether the copied application layer data traffic includes a specified property; and
  
  in response to a determination that the copied application layer data traffic includes the specified property, storing the copied application layer data traffic determined to include the specified property for subsequent malware analysis, the stored copied application layer data traffic including context data of the copied application layer data traffic.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method of claim 9, wherein the specified property is data indicating that the application layer data traffic is electronic mail (email) traffic that includes an attachment.
  - 11. The method of claim 10, further comprising:
    - sessionizing the copied application layer data traffic prior to determining whether the copied application layer data traffic includes the specified property and wherein storing the copied application layer data traffic includes storing the sessionized copied application layer data traffic.
  - 12. The method of claim 11, wherein the sessionized copied application layer data traffic includes content of the email as well as context of the email including two or more of a sender address, a recipient address, a send port, a receive port, a sender identity, a recipient identity, a time of transmission, a copy contact, a blind copy contact, a subject line content, an author, and time of creation.
  - 13. The method of claim 12, further comprising:
    - decrypting the copied application layer data traffic prior to determining if the copied application layer data traffic includes the specified property.
  - 14. The method of claim 12, further comprising:
    - converting the sessionized copied application layer data traffic into a format compatible with a malware analysis module before storing the sessionized copied application layer data traffic.
  - 15. The method of claim 14, wherein the format compatible with the malware analysis module includes a Message Transfer Agent (MTA) format.
  - 16. The method of claim 12, wherein determining whether the copied application layer data traffic includes a specified property includes decoding a multipurpose internet mail extension (MIME) header to determine the specified property.
  - 17. The method of claim 12, wherein the application layer data traffic is communicated between a client and a gateway such that the application layer data traffic of the client is copied prior to being received at the gateway.

18. A system comprising:
- a first hardware module communicatively situated between an originating client and a destination client, the first hardware module to;
  
  copy the application layer data traffic to create copied application layer data traffic;
  
  forward at least a portion of the application layer data traffic to the destination client prior to a malware analysis of corresponding copied application layer data traffic;
  
  determine whether the copied application layer data traffic includes a specified property; and
  
  in response to a determination that the copied application layer data traffic includes the specified property, store the copied application layer data traffic determined to include the specified property for subsequent malware analysis, the stored copied application layer data traffic including context data of the copied application layer data traffic; and
  
  a second hardware module to perform a malware analysis on the stored copied application layer data traffic.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, further comprising:
    - the destination client;
      
      a network gateway to route application layer data traffic from the originating client towards the destination client; and
      
      wherein the second hardware module is further to provide a communication to the destination client in response to a determination that the stored copied application layer data traffic includes malware.
  - 20. The system of claim 18, wherein the first hardware module is further to determine whether the copied application layer data traffic includes a specified property including decoding a multipurpose internet mail extension (MIME) header to determine the specified property.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Forcepoint Federal Holdings LLC (Francisco Partners Management LLC)
Original Assignee
Forcepoint Federal LLC (Everfox Holdings LLC)
Inventors
Zottl, Julian A., Lee, Jesse J., McDougal, Monty D., Lear, John S.

Granted Patent

US 9,882,924 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 51/08   Annexed information, e.g. a...

H04L 51/212   using filtering or selectiv...

H04L 63/0428   wherein the data content is...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

SYSTEMS AND METHODS FOR MALWARE ANALYSIS OF NETWORK TRAFFIC

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR MALWARE ANALYSIS OF NETWORK TRAFFIC

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links