Method and system for isolating suspicious email

US 7,832,012 B2
Filed: 05/17/2005
Issued: 11/09/2010
Est. Priority Date: 05/19/2004
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious programs, the method comprising:

determining whether an object is suspicious;

opening, in response to determining that the object is suspicious, the suspicious object in a disposable, secure, single purpose virtual machine (VM) session running on a computer system; and

detecting indications of malicious behavior when the suspicious object is opened within the VM session, the detecting of the indications of the malicious behavior comprising;

taking a first snapshot of one or more system features of the VM session prior to opening the object in the VM session;

taking a second snapshot of the one or more system features of the VM session after the opening of the object in the VM session; and

comparing the first snapshot with the second snapshot to detect indications of the malicious programs within the VM session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting malicious programs, the method includes determining whether an object is suspicious, opening the suspicious object in a disposable, secure, single purpose VM (virtual machine) session and detecting indications of malicious behavior when the suspicious object is opened within the VM session.

Citations

81 Claims

1. A method for detecting malicious programs, the method comprising:
- determining whether an object is suspicious;
  
  opening, in response to determining that the object is suspicious, the suspicious object in a disposable, secure, single purpose virtual machine (VM) session running on a computer system; and
  
  detecting indications of malicious behavior when the suspicious object is opened within the VM session, the detecting of the indications of the malicious behavior comprising;
  
  taking a first snapshot of one or more system features of the VM session prior to opening the object in the VM session;
  
  taking a second snapshot of the one or more system features of the VM session after the opening of the object in the VM session; and
  
  comparing the first snapshot with the second snapshot to detect indications of the malicious programs within the VM session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. The method of claim 1, wherein said object comprises an email.
  - 3. The method of claim 1, wherein said object comprises a web page.
  - 4. The method of claim 2, wherein said email comprises an HTML tag within the email.
  - 5. The method of claim 1, wherein said object comprises a file.
  - 6. The method of claim 5, wherein said file comprises an email attachment.
  - 7. The method of claim 1, wherein the object comprises an Instant Messaging communication.
  - 8. The method of claim 2, wherein determining whether the object is suspicious is based on a subject line of the email.
  - 9. The method of claim 1, wherein determining whether the object is suspicious is based on an originator of the object.
  - 10. The method of claim 1, wherein determining whether the object is suspicious comprises making an automatic determination.
  - 11. The method of claim 1, wherein determining whether the object is suspicious comprises having a user who has received the object make the determination.
  - 12. The method of claim 1, wherein the computer system on which the VM session is running is running a virtual machine monitor.
  - 13. The method of claim 1, wherein the opening the object in the VM session comprises:
    - opening a VM session;
      
      running an operating system within the VM session;
      
      running one or more applications useful for opening the object; and
      
      opening the object using the operating system and the one or more applications useful for opening the object.
  - 14. The method of claim 1, wherein the computer system on which the VM session is running comprises a dedicated server.
  - 15. The method of claim 14, wherein the dedicated server comprises an isolation unit.
  - 16. The method of claim 14, wherein the dedicated server is connected to a computer network.
  - 17. The method of claim 16, wherein one or more objects are sent to the dedicated server from one or more workstations connected to the computer network.
  - 18. The method of claim 16, wherein the dedicated server is connected to the computer network via a 2-way firewall.
  - 19. The method of claim 14, wherein the dedicated server is optimized for detecting indications of malicious programs.
  - 20. The method of claim 14, wherein the dedicated server is optimized for containment of malicious programs.
  - 21. The method of claim 1, wherein the computer system on which the VM session is running comprises a workstation of a user who has received the object.
  - 22. The method of claim 1, wherein the detecting of indications of the malicious behavior comprises monitoring system activity of the VM session after opening the object.
  - 23. The method of claim 1, wherein the detecting of indications of the malicious behavior comprises:
    - observing at least one effect of opening the object;
      
      comparing the at least one observed effect against a security policy; and
      
      detecting that malicious behavior is present when at least one of the effects of opening the object violates the security policy.
  - 24. The method of claim 1, further comprising sending a report to a user when indications of the malicious behavior have been detected.
  - 25. The method of claim 1, wherein at least a portion of the suspicious object is encoded into a format that can be saved without fear of further infection.
  - 26. The method of claim 25, wherein the format comprises a binary file format.
  - 27. The method of claim 26, further comprising sending a report to a user including the binary file.

28. A system for detecting malicious programs comprising:
- one or more memory units; and
  
  one or more processing units operable to perform operations comprising;
  
  determining whether an object is suspicious;
  
  opening, in response to determining that the object is suspicious, the suspicious object in a disposable, secure, single purpose virtual machine (VM) session; and
  
  detecting indications of malicious behavior when the suspicious object is opened within the VM session, the detecting comprising;
  
  taking a first snapshot of one or more system features of the VM session prior to opening the object in the VM session;
  
  taking a second snapshot of the one or more system features of the VM session after the opening of the object in the VM session; and
  
  comparing the first snapshot with the second snapshot to detect indications of the malicious programs within the VM session.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54)
- - 29. The system of claim 28, wherein said object comprises an email.
  - 30. The system of claim 28, wherein said object comprises a web page.
  - 31. The system of claim 29, wherein said email comprises an HTML tag within an email.
  - 32. The system of claim 28, wherein said object comprises a file.
  - 33. The system of claim 32, wherein said file comprises an email attachment.
  - 34. The system of claim 28, wherein said object comprises an Instant Messaging communication.
  - 35. The system of claim 29, wherein the determination that the object is suspicious is based on a subject line of the email.
  - 36. The system of claim 28, wherein the determination that the object is suspicious is based on an originator of the object.
  - 37. The system of claim 28;
    - wherein determining whether the object is suspicious comprises making an automatic determination.
  - 38. The system of claim 28, wherein determining whether the object is suspicious comprises having a user who has received the object make the determination.
  - 39. The system of claim 28, wherein the VM session is opened on a computer running a virtual machine monitor.
  - 40. The system of claim 28, wherein the one or more processing units are operable to open, in response to determining that the object is suspicious, the suspicious object by performing operations comprising:
    - opening a VM session;
      
      running an operating system within the VM session;
      
      running one or more applications useful for opening the object; and
      
      opening the object using the operating system and the one or more applications useful for opening the object.
  - 41. The system of claim 28, wherein the VM session is opened on a dedicated server.
  - 42. The system of claim 41, wherein the dedicated server comprises an isolation unit.
  - 43. The system of claim 41, wherein the dedicated server is connected to a computer network.
  - 44. The system of claim 43, wherein one or more objects are sent to the dedicated server from one or more workstations connected to the computer network.
  - 45. The system of claim 43, wherein the dedicated server is connected to the computer network via a 2-way firewall.
  - 46. The system of claim 41, wherein the dedicated server is optimized for detecting indications of malicious programs.
  - 47. The system of claim 41, wherein the dedicated server is optimized for containment of malicious programs.
  - 48. The system of claim 28, wherein the VM session is opened on a workstation of a user who has received the object.
  - 49. The system of claim 28, wherein the one or more processing units are operable to monitor system activity of the VM session after opening the object.
  - 50. The system of claim 28, wherein the detecting comprises:
    - observing one or more effects of opening the object;
      
      comparing the observed effects against a security policy; and
      
      detecting that the malicious program is present when one or more of the one or more effects of opening the object violates the security policy.
  - 51. The system of claim 28, wherein the one or more processing units are operable to send a report to a user when indications of the malicious program have been detected.
  - 52. The system of claim 28, wherein at least a portion of the suspicious object is encoded into a format that can be saved without fear of further infection.
  - 53. The system of claim 52, wherein the format comprises a binary file format.
  - 54. The system of claim 53, wherein the one or more processing units are operable to send a report to a user including the binary file.

55. A non-transitory, tangible computer-readable storage medium including computer executable code for detecting malicious programs, comprising:
- code for determining whether an object is suspicious;
  
  code for opening, in response to determining that the object is suspicious, the suspicious object in a disposable, secure, single purpose virtual machine (VM) session; and
  
  code for detecting indications of malicious behavior when the suspicious object is opened within the VM session, the code for detecting for the malicious behavior within the VM session comprising;
  
  code for taking a first snapshot of one or more system features of the VM session prior to opening the object in the VM session;
  
  code for taking a second snapshot of the one or more system features of the VM session after the opening of the object in the VM session; and
  
  code for comparing the first snapshot with the second snapshot to detect indications of the malicious programs within the VM session.
- View Dependent Claims (56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81)
- - 56. The non-transitory, tangible computer-readable storage medium of claim 55, wherein said object comprises an email.
  - 57. The non-transitory, tangible computer-readable storage medium of claim 55, wherein said object comprises a web page.
  - 58. The non-transitory, tangible computer-readable storage medium of claim 56, wherein email comprises an HTML tag within an email.
  - 59. The non-transitory, tangible computer-readable storage medium of claim 55, wherein said object comprises a file.
  - 60. The non-transitory, tangible computer-readable storage medium of claim 59, wherein said file comprises an email attachment.
  - 61. The non-transitory, tangible computer-readable storage medium of claim 55, wherein said object comprises an Instant Messaging communication.
  - 62. The non-transitory, tangible computer-readable storage medium of claim 55, wherein the determination whether the object is suspicious is based on a subject line of the email.
  - 63. The non-transitory, tangible computer-readable storage medium of claim 55, wherein the determination whether the object is suspicious is based on an originator of the object.
  - 64. The non-transitory, tangible computer-readable storage medium of claim 55, wherein determining whether the object is suspicious comprises making an automatic determination.
  - 65. The non-transitory, tangible computer-readable storage medium of claim 55, wherein determining that the object is suspicious comprises having a user who has received the object make the determination.
  - 66. The non-transitory, tangible computer-readable storage medium of claim 55, wherein the VM session is opened on a computer running a virtual machine monitor.
  - 67. The non-transitory, tangible computer-readable storage medium of claim 55, wherein the code for opening the suspicious object in the VM session comprises:
    - code for opening a VM session;
      
      code for running an operating system within the VM session;
      
      code for running one or more applications useful for opening the object; and
      
      code for opening the object using the operating system and the one or more applications useful for opening the object.
  - 68. The non-transitory, tangible computer-readable storage medium of claim 55, wherein the VM session is opened on a dedicated server.
  - 69. The non-transitory, tangible computer-readable storage medium of claim 68, wherein the dedicated server comprises an isolation unit.
  - 70. The non-transitory, tangible computer-readable storage medium of claim 68, wherein the dedicated server is connected to a computer network.
  - 71. The non-transitory, tangible computer-readable storage medium of claim 68, wherein one or more objects are sent to the dedicated server from one or more workstations connected to the computer network.
  - 72. The non-transitory, tangible computer-readable storage medium of claim 68, wherein the dedicated server is connected to the computer network via a 2-way firewall.
  - 73. The non-transitory, tangible computer-readable storage medium of claim 68, wherein the dedicated server is optimized for detecting indications of malicious programs.
  - 74. The non-transitory, tangible computer-readable storage medium of claim 68, wherein the dedicated server is optimized for containment of malicious programs.
  - 75. The non-transitory, tangible computer-readable storage medium of claim 55, wherein the VM session is opened on a workstation of a user who has received the object.
  - 76. The non-transitory, tangible computer-readable storage medium of claim 55, wherein the detecting of indications of the malicious program within the VM session comprises monitoring system activity of the VM session after opening the object.
  - 77. The non-transitory, tangible computer-readable storage medium of claim 55, wherein the code for detecting indications of the malicious behavior within the VM session comprises:
    - code for observing one or more effects of opening the object;
      
      code for comparing the observed effects against a security policy; and
      
      code for detecting that the malicious program is present when one or more of the one or more effects of opening the object violates the security policy.
  - 78. The non-transitory, tangible computer-readable storage medium of claim 55, further comprising code for sending a report to a user when indications of the malicious program have been detected.
  - 79. The non-transitory, tangible computer-readable storage medium of claim 55, wherein at least a portion of the suspicious object is encoded into a format that can be saved without fear of further infection.
  - 80. The non-transitory, tangible computer-readable storage medium of claim 79, wherein the format comprises a binary file format.
  - 81. The non-transitory, tangible computer-readable storage medium of claim 80, further comprising code for sending a report to a user including the binary file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Original Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Inventors
Huddleston, David E.
Primary Examiner(s)
Arani; Taghi T
Assistant Examiner(s)
Rahman; Mohammad L

Application Number

US11/130,896
Publication Number

US 20050273856A1
Time in Patent Office

2,002 Days
Field of Search

726/2, 726/3, 726/4, 726/15, 726/17, 726 22- 25, 726/27, 713/151, 713/152, 713/156, 713/161, 713187-188, 713193-194, 709/224, 709/228, 709/232, 709/206
US Class Current

726/24
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 51/212   using filtering or selectiv...

H04L 63/145   the attack involving the pr...

Method and system for isolating suspicious email

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

81 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for isolating suspicious email

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

81 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links