Systems and methods for behavioral sandboxing
First Claim
1. A method for dynamically determining an execution environment in a system having a plurality of execution environments including a first execution environment and a sandbox execution environment, the method comprising:
- receiving an executable application over a network connection;
- performing behavioral analysis, prior to execution of the executable application, on the executable application;
- determining an initial execution environment as a function of the behavioral analysis;
- if the behavioral analysis indicates sandboxed execution for the initial execution environment, performing a first load for execution of the executable application within the sandbox execution environment;
- if the behavioral analysis indicates other than sandboxed execution for the initial execution environment, performing a first load for execution of the executable application within the first execution environment;
- collecting behavioral characteristics of the executable application as it is executed in response to the first load in the initial execution environment; and
- performing behavioral analysis on the collected behavioral characteristics to determine whether the execution of the executable application should be moved from the initial execution environment to a secondary execution environment while the executable application is still executing in response to the first load, wherein only one of the initial execution environment and the secondary execution environment is the sandboxed execution environment.
Abstract
Methods and systems for behavioral sandboxing are described. In one example embodiment, a system for behavioral sandboxing can include a network and a computer. The network is communicatively coupled to a source of an executable application. The computer is communicatively coupled to the network and includes a behavioral analysis module and a plurality of execution environments. The behavioral analysis module is configured to perform behavioral analysis on the executable application downloaded over the network. The plurality of execution environments includes a standard execution environment and a protected execution environment. The behavioral analysis module is configured to evaluate a plurality of behavioral characteristics of the executable application to determine whether the executable application should be executed within the protected execution environment prior to execution of the executable application. The behavioral analysis module also monitors execution of the executable application to determine whether the execution environment can be changed.
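The decision flow that the abstract and claim 1 describe, sketched as an added Python example (not code from the patent): pre-execution analysis picks the environment for the first load, and runtime analysis can move the still-running application in either direction. The characteristic names, weights and thresholds are hypothetical, since the page lists none.

```python
from dataclasses import dataclass, field

SANDBOX, STANDARD = "sandbox", "standard"
# Hypothetical characteristics and weights; the page does not enumerate any.
STATIC_WEIGHTS = {"unsigned": 3, "untrusted_source": 3, "packed": 2}
RUNTIME_WEIGHTS = {"writes_system_dir": 4, "injects_into_process": 5,
                   "opens_listening_socket": 2}
ESCALATE_AT = 4    # assumed risk score that forces sandboxed execution
RELEASE_AFTER = 3  # assumed benign observations needed to leave the sandbox

def initial_environment(static_traits):
    """Pre-execution analysis: choose where the first load happens."""
    score = sum(STATIC_WEIGHTS.get(t, 0) for t in static_traits)
    return SANDBOX if score >= ESCALATE_AT else STANDARD

@dataclass
class RunningApp:
    environment: str
    risk: int = 0
    benign_streak: int = 0
    moves: list = field(default_factory=list)

    def observe(self, event):
        """Collect one runtime characteristic, then re-run the analysis."""
        weight = RUNTIME_WEIGHTS.get(event, 0)
        self.risk += weight
        self.benign_streak = 0 if weight else self.benign_streak + 1
        if self.environment == STANDARD and self.risk >= ESCALATE_AT:
            self._move(SANDBOX, event)
        elif (self.environment == SANDBOX and self.risk == 0
              and self.benign_streak >= RELEASE_AFTER):
            self._move(STANDARD, event)
        return self.environment

    def _move(self, target, trigger):
        # Same running instance, new environment: no second load occurs.
        self.moves.append((self.environment, target, trigger))
        self.environment = target

def run(static_traits, runtime_events):
    app = RunningApp(initial_environment(static_traits))
    for event in runtime_events:
        app.observe(event)
    return app

if __name__ == "__main__":
    # Constructed sample: risky-looking download that behaves benignly.
    app = run(["unsigned", "untrusted_source"], ["read", "draw", "read"])
    print(app.environment, app.moves)
```

Because runtime risk only accumulates in this sketch, an application that was escalated into the sandbox is never released again, which avoids flapping between environments.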
25 Claims
12. A system comprising:
- a computer communicatively coupled to a network, the network comprising a source of an executable application, wherein the computer comprises:
  - a behavioral analysis module configured to perform behavioral analysis on the executable application downloaded from the network; and
  - a plurality of execution environments including:
    - a standard execution environment; and
    - a protected execution environment configured to provide a self-contained execution environment that protects the computer from malicious operations performed by the executable application;
- wherein the behavioral analysis module is to evaluate a plurality of behavioral characteristics of the executable application prior to performing a first load for execution of the executable application, the evaluation to determine whether the executable application should be executed within the protected execution environment; and
- wherein the behavioral analysis module is to monitor execution of the executable application to determine whether the execution of the executable application should be moved from the standard execution environment to the protected execution environment or from the protected execution environment to the standard execution environment, the move to occur while the executable application is still executing in response to the first load for execution.
24. A non-transitory computer-readable storage medium comprising instructions stored thereon to cause one or more processors to:
- receive an executable application over a network connection;
- perform behavioral analysis, prior to execution of the executable application, on the executable application;
- determine, based on the performing behavioral analysis, whether to perform a first load for execution of the executable application in a sandbox environment;
- perform the first load for execution of the executable application within the sandbox environment;
- dynamically monitor behavioral characteristics of the executable application during the execution within the sandbox environment, the execution initiated in response to the first load;
- perform behavioral analysis on the monitored behavioral characteristics to determine whether the executable application can be moved from the sandbox environment; and
- move, based on the behavioral analysis of the monitored behavioral characteristics, the executable application from the sandbox environment to a standard environment prior to termination of the execution initiated by the first load.
Specification