System and method for malicious software detection in multiple protocols
First Claim
1. An apparatus for identifying malicious content associated with an electronic message specifying a destination computing device, the apparatus comprising:
a processor;
a filtering module stored on a memory and executable by the processor, the filtering module for receiving the electronic message and content associated with the electronic message, determining whether the electronic message and the content associated with the electronic message include content known to be malicious by comparing the electronic message and the content associated with the electronic message with a database of content determined to be malicious and parsing the electronic message and the content associated with the electronic message into a plurality of components, the plurality of components including uniform resource locators that are formatted as plain text;
a network access module stored on the memory and executable by the processor, the network access module adapted to communicate with the filtering module, the network access module identifying a destination associated with the electronic message and the plurality of components;
a virtual machine stored on the memory and executable by the processor, the virtual machine adapted to communicate with the network access module, the virtual machine executing the plurality of components in an environment simulating a destination computing device environment, monitoring execution of the plurality of components for one or more malicious actions, generating a classification result associated with the electronic message and content associated with the electronic message responsive to monitoring execution of the plurality of components, storing a description of the electronic message and content associated with the electronic message in the database responsive to the classification result indicating the electronic message or content associated with the electronic message is malicious and modifying filtering rules for identifying the content known to be malicious based at least in part on the classification result;
an administration module stored on the memory and executable by the processor, the administration module adapted to communicate with the network access module for performing an action on the electronic message and content associated with the electronic message responsive to the classification result; and
a reporting module adapted to communicate with the administration module, the reporting module for appending a flag to the electronic message responsive to the electronic message or content associated with the electronic message including malicious content.
Abstract
A system and a method for detecting malicious content associated with an electronic message are described. An electronic message, such as an e-mail, a chat request, a torrent file or a text message, is initially received. The electronic message is first compared to known viruses using pattern or signature matching techniques. The electronic message is then transmitted to a virtual machine which executes the electronic message in an environment simulating the destination computing system of the electronic message. The virtual machine monitors execution of the electronic message to identify one or more malicious actions and classifies the electronic message accordingly. For example, execution of the message components is monitored for attempts to access system files, attempts to access user information, attempts to transmit system configuration data or attempts to transmit user information.
19 Claims
11. A computer-implemented method for identifying malicious content associated with an electronic message specifying a destination computing device, comprising:
filtering the electronic message and content associated with the electronic message for content previously known to be malicious by comparing the electronic message and content associated with the electronic message with a database of content determined to be malicious;
parsing the electronic message and content associated with the electronic message into a plurality of components, the plurality of components including uniform resource locators that are formatted as plain text;
associating the plurality of components with a virtual machine;
executing the plurality of components in the virtual machine using an environment similar to an environment of the destination computing device;
monitoring execution of the plurality of components for one or more actions associated with malicious content;
generating a classification result associated with the plurality of components responsive to a result of monitoring execution;
storing a description of the electronic message and content associated with the electronic message in the database responsive to the classification result indicating the electronic message or content associated with the electronic message is malicious;
modifying filtering rules for identifying the content previously known to be malicious based at least in part on the classification result; and
appending a flag to the electronic message responsive to the electronic message or content associated with the electronic message including malicious content.
19. A system for identifying malicious content associated with an electronic message specifying a destination computing device, the system comprising:
an agent including:
a processor;
a filtering module stored on a memory and executable by the processor, the filtering module for receiving the electronic message and content associated with the electronic message and for determining whether the electronic message and the content associated with the electronic message include content known to be malicious by comparing the electronic message and the content associated with the electronic message with a database of content determined to be malicious and parsing the electronic message and the content associated with the electronic message into a plurality of components, the plurality of components including uniform resource locators that are formatted as plain text; and
a communication module stored on the memory and executable by the processor, the communication module adapted to communicate with the filtering module; and
a simulation system remote from the agent, the simulation system including:
a network access module adapted to communicate with the communication module, the network access module identifying a virtual machine associated with the electronic message and content associated with the electronic message;
a plurality of virtual machines adapted to communicate with the network access module, an identified virtual machine executing the plurality of components in an environment simulating a destination computing device environment, monitoring execution of the plurality of components for one or more malicious actions, generating a classification result associated with the electronic message and content associated with the electronic message, the classification result transmitted to the communication module using the network access module, storing a description of the electronic message and content associated with the electronic message in the database responsive to the classification result indicating the electronic message or content associated with the electronic message is malicious and modifying filtering rules for identifying the content known to be malicious based at least in part on the classification result; and
a reporting module adapted to communicate with the administration module, the reporting module for appending a flag to the electronic message responsive to the electronic message or content associated with the electronic message including malicious content.
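The pipeline the abstract and claim 11 describe (signature filter, parse into components including plain-text URLs, detonate in a sandbox, feed the verdict back into the database, flag the message) as an added example. This is not the patent's own code. The sandbox is a constructed stand-in that returns the action trace a real virtual machine monitor would record, nothing is actually executed; the event names, the `X-Malware-Flag` header name, the sample message and the "steal" marker in the sample attachment are all assumptions of this example. It uses only the Python standard library.

```python
"""Filter -> sandbox -> feedback -> flag pipeline over RFC 5322 messages (added example)."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# The claims single out URLs written as plain text in the body as components to execute.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Malicious-action categories from the abstract. Event names are this example's assumption;
# a real VM monitor would map its file and network hooks onto them.
MALICIOUS_ACTIONS = {
    "read_system_file",    # attempts to access system files
    "read_user_data",      # attempts to access user information
    "send_system_config",  # attempts to transmit system configuration data
    "send_user_data",      # attempts to transmit user information
}
FLAG_HEADER = "X-Malware-Flag"  # assumed name for the reporting module's flag


class SignatureDB:
    """Content determined to be malicious, keyed by SHA-256 of the component bytes."""

    def __init__(self):
        self.known_bad = {}

    def lookup(self, digest):
        return self.known_bad.get(digest)

    def store(self, digest, description):
        self.known_bad[digest] = description


def parse_components(raw):
    """Parse a raw message into components: file attachments and plain-text URLs in the body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    components = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename():
            components.append(("attachment", part.get_filename(), part.get_payload(decode=True)))
        elif part.get_content_type() == "text/plain":
            for url in URL_RE.findall(part.get_content()):
                components.append(("url", url, url.encode()))
    return msg, components


def classify_trace(trace):
    """Classify a recorded execution trace: malicious if any listed action appears."""
    observed = sorted(set(trace) & MALICIOUS_ACTIONS)
    return bool(observed), observed


def simulated_sandbox(kind, name, data):
    """Constructed stand-in for executing a component in the simulated destination environment.
    Returns the action trace a real monitor would record; nothing is executed here."""
    if kind == "attachment" and b"steal" in data:
        return ["create_window", "read_user_data", "send_user_data"]
    if kind == "url" and "evil.example" in name:
        return ["dns_lookup", "send_system_config"]
    return ["create_window"]


def analyze(raw, db, sandbox):
    """Filter known-bad components, detonate the rest, store verdicts, append the flag header."""
    msg, components = parse_components(raw)
    verdicts = []  # (component name, how it was caught, description)
    for kind, name, data in components:
        digest = hashlib.sha256(data).hexdigest()
        known = db.lookup(digest)
        if known:  # caught by the filtering module, no sandbox run needed
            verdicts.append((name, "filter", known))
            continue
        malicious, actions = classify_trace(sandbox(kind, name, data))
        if malicious:
            description = f"{kind} {name}: {', '.join(actions)}"
            db.store(digest, description)  # modifies the filtering rules for later messages
            verdicts.append((name, "sandbox", description))
    if verdicts:
        msg[FLAG_HEADER] = "; ".join(f"{name} ({how})" for name, how, _ in verdicts)
    return msg, verdicts


def build_message(body, filename=None, payload=None):
    """Build a constructed sample message as bytes, with an optional binary attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = "Invoice"
    m.set_content(body)
    if filename:
        m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


def demo():
    """Same constructed message twice: first caught by the sandbox, then by the filter."""
    db = SignatureDB()
    raw = build_message("Invoice attached, or fetch it from http://evil.example/inv.exe",
                        "invoice.exe", b"MZ\x90\x00 steal")  # constructed sample attachment
    first_msg, first = analyze(raw, db, simulated_sandbox)
    second_msg, second = analyze(raw, db, simulated_sandbox)
    return {
        "first": [how for _, how, _ in first],
        "second": [how for _, how, _ in second],
        "flag_first": str(first_msg[FLAG_HEADER]),
        "flag_second": str(second_msg[FLAG_HEADER]),
        "signatures": len(db.known_bad),
    }


if __name__ == "__main__":
    print(demo())
```

The second run of `demo()` is the point of the feedback step in the claims: once the sandbox has stored the digest of a component, an identical attachment or URL in a later message is caught by the filtering module alone and never reaches the virtual machine. A production deployment would key the database on something more robust than an exact hash (fuzzy hashes for attachments, normalized hostnames for URLs), since a one-byte change defeats an exact match.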