Systems and methods for behavioral sandboxing

US 8,479,286 B2
Filed: 12/15/2009
Issued: 07/02/2013
Est. Priority Date: 12/15/2009
Status: Active Grant

First Claim

Patent Images

1. A method for dynamically determining an execution environment in a system having a plurality of execution environments including a first execution environment and a sandbox execution environment, the method comprising:

receiving an executable application over a network connection;

performing behavioral analysis, prior to execution of the executable application, on the executable application;

determining an initial execution environment as a function of the behavioral analysis;

if the behavioral analysis indicates sandboxed execution for the initial execution environment, performing a first load for execution of the executable application within the sandbox execution environment;

if the behavioral analysis indicates other than sandboxed execution for the initial execution environment, performing a first load for execution of the executable application within the first execution environment;

collecting behavioral characteristics of the executable application as it is executed in response to the first load in the initial execution environment; and

performing behavioral analysis on the collected behavioral characteristics to determine whether the execution of the executable application should be moved from the initial execution environment to a secondary execution environment while the executable application is still executing in response to the first load, wherein only one of the initial execution environment and the secondary execution environment is the sandboxed execution environment.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and system for behavioral sandboxing are described. In one example embodiment, a system for behavioral sandboxing can include a network and a computer. The network communicatively coupled to a source of an executable application. The computer communicatively couple to the network and including a behavioral analysis module and a plurality of execution environments. The behavioral analysis module is configured to perform behavioral analysis on the executable application downloaded over the network. The plurality of execution environments including a standard execution environment and a protected execution environment. The behavioral analysis module is configured to evaluate a plurality of behavioral characteristics of the executable application to determine whether the executable application should be executed within the protected execution environment prior to execution of the executable application. The behavioral analysis module also monitors execution of the executable application to determine whether the execution environment can be changed.

105 Citations

View as Search Results

25 Claims

1. A method for dynamically determining an execution environment in a system having a plurality of execution environments including a first execution environment and a sandbox execution environment, the method comprising:
- receiving an executable application over a network connection;
  
  performing behavioral analysis, prior to execution of the executable application, on the executable application;
  
  determining an initial execution environment as a function of the behavioral analysis;
  
  if the behavioral analysis indicates sandboxed execution for the initial execution environment, performing a first load for execution of the executable application within the sandbox execution environment;
  
  if the behavioral analysis indicates other than sandboxed execution for the initial execution environment, performing a first load for execution of the executable application within the first execution environment;
  
  collecting behavioral characteristics of the executable application as it is executed in response to the first load in the initial execution environment; and
  
  performing behavioral analysis on the collected behavioral characteristics to determine whether the execution of the executable application should be moved from the initial execution environment to a secondary execution environment while the executable application is still executing in response to the first load, wherein only one of the initial execution environment and the secondary execution environment is the sandboxed execution environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the performing behavioral analysis prior to execution of the executable application includes evaluating one or more characteristics associated with the executable application that provide an indication as to the origin of the executable application.
  - 3. The method of claim 2, wherein the performing behavioral analysis prior to execution of the executable application further includes analysis of resources the executable application will operate on.
  - 4. The method of claim 2, wherein the one or more characteristics include one or more of the following:
    - network address the executable application was received from;
      
      trust level of the process that requested the executable application;
      
      signed certificate from a trusted source; and
      
      prior performance of suspicious or out of policy activities.
  - 5. The method of claim 1, wherein the performing a first load for execution of the executable application within the sandbox execution environment includes determining a scope of restrictions to apply to the sandbox execution environment prior to execution of the executable application.
  - 6. The method of claim 5, wherein the determining the scope of restrictions includes determining what types of activity should be contained within the sandbox execution environment.
  - 7. The method of claim 5, wherein the determining the scope of restrictions includes determining a disposition for operations performed within the sandbox execution environment by the executable application.
  - 8. The method of claim 1, wherein the performing behavioral analysis on the collected behavioral characteristics includes detecting potentially malicious activities including:
    - opening resource files;
      
      loading plug-ins;
      
      manipulation by other processes;
      
      manipulating other processes; and
      
      accessing the Internet.
  - 9. The method of claim 1, wherein the determining the initial execution environment includes applying a security policy.
  - 10. The method of claim 1, wherein the determining the initial execution environment includes determining a first portion of a single execution of the executable application to be executed within the sandboxed execution environment and a second portion of the single execution of the executable application to be executed in the first execution environment.
  - 11. The method of claim 10, wherein the first portion of the executable application can include:
    - a fiber;
      
      a thread;
      
      a process;
      
      a dynamic link library;
      
      a script;
      
      ora plug-in component.

12. A system comprising:
- a computer communicatively coupled to a network, the network comprising a source of an executable application, wherein the computer comprises;
  
  a behavioral analysis module configured to perform behavioral analysis on the executable application downloaded from the network; and
  
  a plurality of execution environments including,a standard execution environment; and
  
  a protected execution environment configured to provide a self-contained execution environment that protects the computer from malicious operations performed by the executable application;
  
  wherein the behavioral analysis module is to evaluate a plurality of behavioral characteristics of the executable application prior to performing a first load for execution of the executable application, the evaluation to determine whether the executable application should be executed within the protected execution environment; and
  
  wherein the behavioral analysis module is to monitor execution of the executable application to determine whether the execution of the executable application should be moved from the standard execution environment to the protected execution environment or from the protected execution environment to the standard execution environment, the move to occur while the executable application is still executing in response to the first load for execution.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 13. The system of claim 12, wherein the behavioral analysis module is configured to evaluate a characteristic associated with the executable application, wherein the characteristic provides an indication as to whether the source of the executable application can be trusted.
  - 14. The system of claim 13, wherein the behavioral analysis module is configured to evaluate a plurality of characteristics including two or more of the following:
    - network address the executable application was received from;
      
      trust level of the process that requested the executable application;
      
      signed certificate from a trusted source; and
      
      prior performance of suspicious or out of policy activities.
  - 15. The system of claim 12, wherein the behavioral analysis module is configured to analyze, prior to execution of the executable application, a resource the executable application will operate on.
  - 16. The system of claim 12, wherein the behavioral analysis module is configured to determine a scope of restrictions the protected execution environment will use to control the execution of the executable application.
  - 17. The system of claim 16, wherein the behavioral analysis module is configured to determine what types of activity should be contained within the protected execution environment.
  - 18. The system of claim 16, wherein the behavioral analysis module is configured to apply a security policy when determining the scope of restrictions for use by the protected execution environment.
  - 19. The system of claim 16, wherein the behavioral analysis module is configured to determine a disposition for operations performed within the protected execution environment by the executable application.
  - 20. The system of claim 12, wherein the behavioral analysis module is configured to detect potentially malicious activities, including:
    - opening resource files;
      
      loading plug-ins;
      
      manipulation by other processes;
      
      manipulating other processes; and
      
      accessing the Internet.
  - 21. The system of claim 12, wherein the behavioral analysis module is configured to apply a security policy when evaluating the plurality of behavioral characteristics of the executable application to determine whether the executable application should be executed within the protected execution environment.
  - 22. The system of claim 12, wherein the behavioral analysis module is configured to determine a first portion of a single execution of the executable application to be executed within the protected execution environment and a second portion of the single execution of the executable application to be executed in the standard execution environment.
  - 23. The system of claim 22, wherein the portion of the executable application can include:
    - a fiber;
      
      a thread;
      
      a process;
      
      a dynamic link library;
      
      a script;
      
      ora plug-in component.

24. A non-transitory computer-readable storage medium comprising instructions stored thereon to cause one or more processors to:
- receive a executable application over a network connection;
  
  perform behavioral analysis, prior to execution of the executable application, on the executable application;
  
  determine, based on the performing behavioral analysis, whether to perform a first load for execution of the executable application in a sandbox environment;
  
  perform the first load for execution of the executable application within the sandbox environment;
  
  dynamically monitor behavioral characteristics of the executable application during the execution within the sandbox environment, the execution initiated in response to the first load;
  
  perform behavioral analysis on the monitored behavioral characteristics to determine whether the executable application can be moved from the sandbox environment; and
  
  move, based on the behavioral analysis of the monitored behavioral characteristics, the executable application from the sandbox environment to a standard environment prior to termination of the execution initiated by the first load.
- View Dependent Claims (25)
- - 25. The non-transitory computer-readable storage medium of claim 24, further comprising instructions stored thereon to cause one or more processors to:
    - dynamically monitor second behavioral characteristics of the executable application during the execution within the standard environment after the executable application was moved from the sandbox environment;
      
      perform behavioral analysis on the monitored second behavioral characteristics to determine whether the executable application should be moved from the standard environment back to the sandbox environment; and
      
      move, based on the behavioral analysis of the monitored second behavioral characteristics, the executable application from the standard environment to the sandbox environment prior to termination of the execution initiated by the first load.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Dalcher, Gregory William, Teddy, John D.
Primary Examiner(s)
Gregory, Shaun

Application Number

US12/638,660
Publication Number

US 20110145926A1
Time in Patent Office

1,295 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 11/3466   Performance evaluation by t...

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2201/86   Event-based monitoring

G06F 2221/2149   Restricted operating enviro...

H04L 63/105   Multiple levels of security

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

Systems and methods for behavioral sandboxing

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

105 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for behavioral sandboxing

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

105 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links