Detecting malicious network content using virtual environment components
Abstract
Malicious network content is identified based on the behavior of one or more virtual environment components which process network content in a virtual environment. Network content can be monitored and analyzed using a set of heuristics. The heuristics identify suspicious network content communicated over a network. The suspicious network content can further be analyzed in a virtual environment that includes one or more virtual environment components. Each virtual environment component is configured to mimic live environment components, for example a browser application component or an operating system component. The suspicious network content is replayed in the virtual environment using one or more of the virtual environment components. The virtual environment component behavior is analyzed in view of an expected behavior to identify malicious network content. The malicious network content is then identified and processed.
569 Citations
69 Claims
1. A computer implemented method for detecting malicious network content by a network content processing system, comprising:
- receiving network content detected to be suspicious;
- identifying a real application that is affected by the suspicious network content;
- providing a virtual environment component that is associated with the identified real application and selected from a virtual environment component pool to a virtual environment;
- configuring the virtual environment component within a virtual environment to mimic the identified real application to process the suspicious network content within the network content processing system, the virtual environment being one of a plurality of concurrently existing virtual environments within the network content processing system, each virtual environment of the concurrently existing virtual environments including a respective virtual environment operating system to process respective suspicious network content to detect whether the respective suspicious network content contains malicious network content;
- processing the suspicious network content using the virtual environment component within the virtual environment, the virtual environment component operating as a browser application which provides the suspicious network content for rendering as at least part of a content page; and
- identifying the suspicious network content as malicious network content based on a behavior of the virtual environment component.

Dependent claims: 2 through 15.

16. A computer implemented method for processing network content by a network content processing system, comprising:
- receiving suspicious network content from a network interface, the suspicious network content associated with the network content communicated over a network;
- identifying a real application that is affected by the suspicious network content;
- providing a virtual environment component that is associated with the identified real application and selected from a virtual environment component pool to a virtual environment, the virtual environment component including a virtual environment operating system for the virtual environment;
- configuring an agent to monitor processing of the suspicious network content within the virtual environment and monitor changes to the virtual environment operating system;
- configuring the virtual environment component to mimic the real application to process the suspicious network content within the virtual environment, the virtual environment being one of a plurality of concurrently existing virtual environments, each virtual environment of the concurrently existing virtual environments to operate on respective suspicious network content from the network interface, each concurrently existing virtual environment including a respective virtual environment operating system to process respective suspicious network content to detect whether the respective suspicious network content contains malicious network content;
- detecting at least one anomaly associated with the virtual environment component using the agent, the at least one anomaly including improper changes to the virtual environment operating system of the virtual environment that identifies that the suspicious network content contains malicious network content; and
- generating a signature from the suspicious network content to apply to subsequent network content.

Dependent claims: 17 through 27.

28. A system for detecting malicious network content, comprising:
- a network interface;
- a first module executable by a processor that accesses suspicious network content;
- a scheduler that identifies a real application that is affected by the suspicious network content, provides a virtual environment component that is associated with the real application and selected from a virtual environment component pool, configures the virtual environment component to mimic the real application and operate as a browser application which provides the suspicious network content for rendering as at least part of a content page, the virtual environment component part of a virtual environment, the virtual environment being one of a plurality of concurrently existing virtual environments, each virtual environment of the concurrently existing virtual environments including a respective virtual environment operating system and to process respective suspicious network content received from the network interface to process respective suspicious network content to detect whether the respective suspicious network content contains malicious network content; and
- a replayer that operates in combination with the virtual environment operating system of the virtual environment to process the suspicious network content.

Dependent claims: 29 through 49.

50. A non-transitory computer readable storage medium having stored thereon instructions executable by a processor for performing a method for detecting malicious network content, the method comprising:
- receiving suspicious network content from a network interface;
- identifying a real application that is affected by the suspicious network content;
- providing a virtual environment component that is associated with the real application and selected from a virtual environment component pool to a virtual environment, the virtual environment component operating as a browser application which provides the suspicious network content for rendering as at least part of a content page;
- configuring the virtual environment component within the virtual environment to mimic a real application to process the suspicious network content within the network content processing system, the virtual environment being one of a plurality of concurrently existing virtual environments, each virtual environment of the concurrently existing virtual environments including a respective virtual environment operating system and being communicatively coupled to the network interface to process respective suspicious content received from the network interface to process respective suspicious network content to detect whether the respective suspicious network content contains malicious network content;
- processing the suspicious network content by the virtual environment component within a virtual environment; and
- identifying the suspicious network content as malicious network content based on a behavior for the virtual environment component.

Dependent claims: 51 through 55.

56. A computer implemented method for processing network content by a network content processing system, comprising:
- receiving suspicious network content from a network interface, the suspicious network content associated with the network content communicated over a network;
- identifying a real application that is affected by the suspicious network content;
- providing a virtual environment component that is associated with the identified real application and selected from a virtual environment component pool to a virtual environment, the virtual environment component operating as a browser application that renders the suspicious network content as at least part of a content page;
- configuring an agent to monitor processing of the suspicious network content within the virtual environment;
- configuring the virtual environment component to mimic the real application to process the suspicious network content within the virtual environment, the virtual environment being one of a plurality of concurrently existing virtual environments, each virtual environment of the concurrently existing virtual environments to operate on respective suspicious network content from the network interface, each concurrently existing virtual environment including a respective virtual environment operating system to process respective suspicious network content to detect whether the respective suspicious network content contains malicious network content;
- detecting at least one anomaly associated with the virtual environment component using the agent; and
- generating a signature from the suspicious network content to apply to subsequent network content.

Dependent claim: 57.

58. A system for detecting malicious network content, comprising:
- a network interface;
- a processor; and
- a memory coupled to the processor, the memory comprises software that, when executed by the processor, performs operations including:
  - identifying a real application that is affected by suspicious network content received from the network interface, the suspicious network content communicated over a network;
  - providing a virtual environment component that is associated with the identified real application and selected from a virtual environment component pool to a virtual environment, the virtual environment component being a virtual environment operating system of the virtual environment;
  - configuring an agent to monitor processing of the suspicious network content within the virtual environment and monitor changes to the virtual environment operating system;
  - configuring the virtual environment component to mimic the real application to process the suspicious network content within the virtual environment, the virtual environment being one of a plurality of concurrently existing virtual environments, each virtual environment associated with a respective virtual environment operating system to process suspicious network content to detect whether the suspicious network content contains malicious network content;
  - detecting at least one anomaly associated with the virtual environment component using the agent, the at least one anomaly including improper changes to the virtual environment operating system of the virtual environment that identifies that the suspicious network content contains malicious network content; and
  - generating a signature from the suspicious network content to apply to subsequent network content.

Dependent claims: 59 through 69.
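As an added illustration (not code from the patent or its assignee), the following Python models the flow the abstract and the independent claims describe: a component is selected from a pool according to the real application the content affects, an agent monitors the component's actions and operating-system changes in its own virtual environment, deviations from the component's expected behavior are flagged as anomalies, and a signature generated from malicious content is applied to subsequent content. The component pool, the MIME-type mapping and the "observed" event lists are constructed assumptions standing in for real instrumentation.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field

# Virtual environment component pool, keyed by the real application each component mimics.
# "expected" is the benign behaviour of that component (constructed values for this example).
COMPONENT_POOL = {
    "browser": {"expected": {"render_page", "fetch_resource", "run_script"}},
    "pdf_reader": {"expected": {"parse_document", "render_page"}},
}

@dataclass
class Agent:
    """Monitors one virtual environment: component actions and OS-level changes."""
    actions: list = field(default_factory=list)
    os_changes: list = field(default_factory=list)

def identify_application(content: dict) -> str:
    """Identify the real application the suspicious content targets (by MIME type)."""
    return {"text/html": "browser", "application/pdf": "pdf_reader"}.get(content["type"], "browser")

def replay(content: dict, agent: Agent) -> None:
    """Simulated replay: the constructed 'observed' list stands in for VE instrumentation."""
    for event in content["observed"]:
        (agent.os_changes if event.startswith("os:") else agent.actions).append(event)

def signature_of(content: dict) -> str:
    """Signature generated from the content, applied to subsequent content."""
    return hashlib.sha256(content["body"].encode()).hexdigest()

def analyze(content: dict, signatures: set) -> dict:
    """Process one item of suspicious content in its own virtual environment."""
    if signature_of(content) in signatures:          # known from an earlier run
        return {"application": None, "anomalies": [], "malicious": True, "by_signature": True}
    app = identify_application(content)
    component = COMPONENT_POOL[app]                  # selected from the pool for that app
    agent = Agent()                                  # one agent per virtual environment
    replay(content, agent)
    # Anomaly: any action outside the component's expected behaviour, or any change
    # to the virtual environment operating system reported by the agent.
    anomalies = (set(agent.actions) - component["expected"]) | set(agent.os_changes)
    if anomalies:
        signatures.add(signature_of(content))
    return {"application": app, "anomalies": sorted(anomalies),
            "malicious": bool(anomalies), "by_signature": False}

def analyze_all(items: list, signatures: set) -> list:
    """Concurrently existing virtual environments: each item gets its own Agent."""
    with ThreadPoolExecutor(max_workers=max(1, len(items))) as pool:
        return list(pool.map(lambda c: analyze(c, signatures), items))
```

In a deployment the expected-behavior sets would be learned from clean runs of each component, and the signature would be applied before a sample is scheduled so that known-bad content never consumes a virtual environment.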
Specification