Detecting malicious network content using virtual environment components

US 8,793,787 B2
Filed: 01/23/2009
Issued: 07/29/2014
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for detecting malicious network content by a network content processing system, comprising:

receiving network content detected to be suspicious;

identifying a real application that is affected by the suspicious network content;

providing a virtual environment component that is associated with the identified real application and selected from a virtual environment component pool to a virtual environment;

configuring the virtual environment component within a virtual environment to mimic the identified real application to process the suspicious network content within the network content processing system, the virtual environment being one of a plurality of concurrently existing virtual environments within the network content processing system, each virtual environment of the concurrently existing virtual environments including a respective virtual environment operating system to process respective suspicious network content to detect whether the respective suspicious network content contains malicious network content;

processing the suspicious network content using the virtual environment component within the virtual environment, the virtual environment component operating as a browser application which provides the suspicious network content for rendering as at least part of a content page; and

identifying the suspicious network content as malicious network content based on a behavior of the virtual environment component.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Malicious network content is identified based on the behavior of one or more virtual environment components which process network content in a virtual environment. Network content can be monitored and analyzed using a set of heuristics. The heuristics identify suspicious network content communicated over a network. The suspicious network content can further be analyzed in a virtual environment that includes one or more virtual environment components. Each virtual environment component is configured to mimic live environment components, for example a browser application component or an operating system component. The suspicious network content is replayed in the virtual environment using one or more of the virtual environment components. The virtual environment component behavior is analyzed in view of an expected behavior to identify malicious network content. The malicious network content is then identified and processed.

569 Citations

69 Claims

1. A computer implemented method for detecting malicious network content by a network content processing system, comprising:
- receiving network content detected to be suspicious;
  
  identifying a real application that is affected by the suspicious network content;
  
  providing a virtual environment component that is associated with the identified real application and selected from a virtual environment component pool to a virtual environment;
  
  configuring the virtual environment component within a virtual environment to mimic the identified real application to process the suspicious network content within the network content processing system, the virtual environment being one of a plurality of concurrently existing virtual environments within the network content processing system, each virtual environment of the concurrently existing virtual environments including a respective virtual environment operating system to process respective suspicious network content to detect whether the respective suspicious network content contains malicious network content;
  
  processing the suspicious network content using the virtual environment component within the virtual environment, the virtual environment component operating as a browser application which provides the suspicious network content for rendering as at least part of a content page; and
  
  identifying the suspicious network content as malicious network content based on a behavior of the virtual environment component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computer implemented method of claim 1, wherein the suspicious network content includes one or more data packets associated with a suspicious characteristic.
  - 3. The computer implemented method of claim 2, wherein the one or more data packets comprise a copy of an original group of one or more data packets configured to be processed at least in part by a real application executing within a real environment.
  - 4. The computer implemented method of claim 1, wherein the network content is a copy of network content.
  - 5. The computer implemented method of claim 1, wherein the virtual environment component comprises the virtual environment operating system.
  - 6. The computer implemented method of claim 5, further comprising monitoring changes to the virtual environment operating system by an agent, the suspicious network content identified as malicious network content based on detected improper changes to the virtual environment operating system.
  - 7. The computer implemented method of claim 1, wherein processing the suspicious network content includes determining an observed behavior of the virtual environment component differs from an expected behavior of the virtual environment component.
  - 8. The computer implemented method of claim 7, wherein the observed behavior includes one or more actions performed by executable code contained within the suspicious network content.
  - 9. The computer implemented method of claim 1, further comprising:
    - generating a signature to identify subsequent network content that matches the malicious network content; and
      
      applying the signature to subsequently received network content.
  - 10. The computer implemented method of claim 1, wherein the virtual environment component pool is located within the network content processing system.
  - 11. The computer implemented method of claim 1 wherein the virtual environment component pool comprises at least one of i), ii) and iii) below:
    - i) each of the virtual environment operating system instances;
      
      ii) a plurality of virtual environment network instances;
      
      iii) a plurality of virtual environment agents each configurable to monitor behavior of a respective one or more virtual environment components within the virtual environment including the virtual environment component processing the suspicious network content.
  - 12. The computer implemented method of claim 1 wherein the virtual environment component is provided with a scheduler coupled to the virtual environment component pool.
  - 13. The computer implemented method of claim 12 further comprising:
    - identifying the virtual environment component for providing to the virtual environment based on information obtained from one or more of a group of sources including information in network content, information from a reporting server on one or more computers exposed to the network content, and information stored within the network content processing system.
  - 14. The computer implemented method of claim 1 wherein the virtual environment component pool comprises a plurality of virtual environment agents each configurable to monitor state of a respective one or more virtual environment components within the virtual environment.
  - 15. The computer implemented method of claim 1 wherein the virtual environment operating system is implemented as code that emulates an operating system.

16. A computer implemented method for processing network content by a network content processing system, comprising:
- receiving suspicious network content from a network interface, the suspicious network content associated with the network content communicated over a network;
  
  identifying a real application that is affected by the suspicious network content;
  
  providing a virtual environment component that is associated with the identified real application and selected from a virtual environment component pool to a virtual environment, the virtual environment component including a virtual environment operating system for the virtual environment;
  
  configuring an agent to monitor processing of the suspicious network content within the virtual environment and monitor changes to the virtual environment operating system;
  
  configuring the virtual environment component to mimic the real application to process the suspicious network content within the virtual environment, the virtual environment being one of a plurality of concurrently existing virtual environments, each virtual environment of the concurrently existing virtual environments to operate on respective suspicious network content from the network interface, each concurrently existing virtual environment including a respective virtual environment operating system to process respective suspicious network content to detect whether the respective suspicious network content contains malicious network content;
  
  detecting at least one anomaly associated with the virtual environment component using the agent, the at least one anomaly including improper changes to the virtual environment operating system of the virtual environment that identifies that the suspicious network content contains malicious network content; and
  
  generating a signature from the suspicious network content to apply to subsequent network content.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 17. The computer implemented method of claim 16, wherein the agent is further configured to monitor changes to the virtual environment operating system of the virtual environment.
  - 18. The computer implemented method of claim 16, wherein the agent is further configured to initiate generation of the signature based on detecting the at least one anomaly.
  - 19. The computer implemented method of claim 16, wherein the agent is further configured to monitor behavior of a virtual environment application within the virtual environment.
  - 20. The computer implemented method of claim 19, wherein the virtual environment application is configured to mimic a browser application.
  - 21. The computer implemented method of claim 19, wherein the virtual environment application is configured with a proxy address, wherein the agent is further configured to detect whether code within the suspicious network content and executed by the virtual environment application attempts to transmit data over a network without the proxy address.
  - 22. The computer implemented method of claim 16, wherein the virtual environment component pool is located within the network content processing system.
  - 23. The computer implemented method of claim 16 wherein the virtual environment component pool comprises at least one of i), ii) and iii) below:
    - i) each of the virtual environment operating system instances;
      
      ii) a plurality of virtual environment network instances;
      
      iii) a plurality of virtual environment agents each configurable to monitor behavior of a respective one or more virtual environment components within the virtual environment including the virtual environment component during processing of the suspicious network content.
  - 24. The computer implemented method of claim 16 wherein the virtual environment component is provided with a scheduler coupled to the virtual environment component pool.
  - 25. The computer implemented method of claim 24 further comprising:
    - identifying the virtual environment component for providing to the virtual environment based on information obtained from one or more of a group of sources including information in network content, information from a reporting server on one or more computers exposed to the network content, and information stored within the network content processing system.
  - 26. The computer implemented method of claim 16 wherein the virtual environment operating system is implemented as code that emulates an operating system.
  - 27. The computer implemented method of claim 16 wherein the virtual environment component pool comprises a plurality of virtual environment agents each configurable to monitor state of a respective one or more virtual environment components within the virtual environment.

28. A system for detecting malicious network content, comprising:
- a network interface;
  
  a first module executable by a processor that accesses suspicious network content;
  
  a scheduler that identifies a real application that is affected by the suspicious network content, provides a virtual environment component that is associated with the real application and selected from a virtual environment component pool, configures the virtual environment component to mimic the real application and operate as a browser application which provides the suspicious network content for rendering as at least part of a content page, the virtual environment component part of a virtual environment, the virtual environment being one of a plurality of concurrently existing virtual environments, each virtual environment of the concurrently existing virtual environments including a respective virtual environment operating system and to process respective suspicious network content received from the network interface to process respective suspicious network content to detect whether the respective suspicious network content contains malicious network content; and
  
  a replayer that operates in combination with the virtual environment operating system of the virtual environment to process the suspicious network content.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49)
- - 29. The system of claim 28, further comprising an agent configured to detect changes to the virtual environment component within the virtual environment.
  - 30. The system of claim 29, wherein the agent detects changes to the virtual environment operating system.
  - 31. The system of claim 29, wherein the agent is configured to detect unexpected changes by a process to the virtual environment component.
  - 32. The system of claim 29, wherein the agent is configured to detect unexpected changes to settings of the virtual environment component.
  - 33. The system of claim 29, wherein the agent is configured to detect unexpected changes by monitoring behavior of the virtual environment component including one or more of requests for data, sending or receiving data over a network, processing and/or storing data.
  - 34. The system of claim 29, wherein the agent is configured to monitor state of the virtual environment component, the state includes a snapshot of values representing settings and parameters of the virtual environment.
  - 35. The system of claim 34, wherein the values represent state and parameters including one or more of error conditions, interrupts, and availability of a buffer.
  - 36. The system of claim 29, wherein the agent resides in the virtual environment.
  - 37. The system of claim 29, wherein the agent is further configured to detect, log, store, and report behavior of the virtual environment component.
  - 38. The system of claim 29, wherein the agent is configured to detect behavior in the browser application being the virtual environment component.
  - 39. The system of claim 29, wherein, the virtual environment component operating as the browser application is configured to receive and process suspicious content data, and execute any executable code within the data.
  - 40. The system of claim 39, wherein the executable code attempts to transmit a message over a virtual network, including a request to a server.
  - 41. The system of claim 28, wherein the scheduler retrieves the virtual environment component operating as the browser application.
  - 42. The system of claim 28, wherein the scheduler enables the virtual-environment operating system.
  - 43. The system of claim 28, further comprising heuristics logic that generates a signature based on the suspicious network content and applies the signature to subsequent network content.
  - 44. The system of claim 28, wherein the virtual environment component pool is located within the system.
  - 45. The system of claim 28, wherein the virtual environment operating system is implemented as code that emulates an operating system.
  - 46. The system of claim 28, wherein the agent is configured to monitor changes made to the virtual environment operating system, including one or more of a setting changed to an improper value or an improper procedure used to change a setting to the virtual environment operating system, and to detect code associated with suspicious network content that performed the change.
  - 47. The system of claim 28, wherein the virtual environment is configured to include virtual hardware to mimic one or more of a hardware protocol, ports, and other behavior of real hardware.
  - 48. The system of claim 28, wherein the replayer replays network content in a virtual environment network by receiving and transmitting communications with the virtual environment operating system of the virtual environment over the virtual environment network.
  - 49. The system of claim 28, wherein the virtual environment is configured to process and implement transmission of the suspicious network content in a manner that simulates the processing and transmission of data by a real network.

50. A non-transitory computer readable storage medium having stored thereon instructions executable by a processor for performing a method for detecting malicious network content, the method comprising:
- receiving suspicious network content from a network interface;
  
  identifying a real application that is affected by the suspicious network content;
  
  providing a virtual environment component that is associated with the real application and selected from a virtual environment component pool to a virtual environment, the virtual environment component operating as a browser application which provides the suspicious network content for rendering as at least part of a content page;
  
  configuring the virtual environment component within the virtual environment to mimic a real application to process the suspicious network content within the network content processing system, the virtual environment being one of a plurality of concurrently existing virtual environments, each virtual environment of the concurrently existing virtual environments including a respective virtual environment operating system and being communicatively coupled to the network interface to process respective suspicious content received from the network interface to process respective suspicious network content to detect whether the respective suspicious network content contains malicious network content;
  
  processing the suspicious network content by the virtual environment component within a virtual environment; and
  
  identifying the suspicious network content as malicious network content based on a behavior for the virtual environment component.
- View Dependent Claims (51, 52, 53, 54, 55)
- - 51. The non-transitory computer readable storage medium of claim 50, wherein the suspicious network content includes one or more data packets associated with a suspicious characteristic.
  - 52. The non-transitory computer readable storage medium of claim 50, wherein the method further comprises an agent that monitors changes to the virtual-environment operating system, the suspicious network content identified as malicious network content based on detected improper changes to the virtual environment operating system.
  - 53. The non-transitory computer readable storage medium of claim 50, wherein processing the suspicious network content includes determining that an observed behavior of the virtual environment component differs from an expected behavior of the virtual environment component.
  - 54. The non-transitory computer readable storage medium of claim 50, wherein the method further comprises:
    - generating a signature to identify subsequent network content that matches the suspicious network content; and
      
      applying the signature to subsequently received network content.
  - 55. The non-transitory computer readable storage medium of claim 50, wherein the virtual environment operating system is implemented as code that emulates an operating system.

56. A computer implemented method for processing network content by a network content processing system, comprising:
- receiving suspicious network content from a network interface, the suspicious network content associated with the network content communicated over a network;
  
  identifying a real application that is affected by the suspicious network content;
  
  providing a virtual environment component that is associated with the identified real application and selected from a virtual environment component pool to a virtual environment, the virtual environment component operating as a browser application that renders the suspicious network content as at least part of a content page;
  
  configuring an agent to monitor processing of the suspicious network content within the virtual environment;
  
  configuring the virtual environment component to mimic the real application to process the suspicious network content within the virtual environment, the virtual environment being one of a plurality of concurrently existing virtual environments, each virtual environment of the concurrently existing virtual environments to operate on respective suspicious network content from the network interface, each concurrently existing virtual environment including a respective virtual environment operating system to process respective suspicious network content to detect whether the respective suspicious network content contains malicious network content;
  
  detecting at least one anomaly associated with the virtual environment component using the agent; and
  
  generating a signature from the suspicious network content to apply to subsequent network content.
- View Dependent Claims (57)
- - 57. The computer implemented method of claim 56, wherein the virtual environment operating system is implemented as code that emulates an operating system.

58. A system for detecting malicious network content, comprising:
- a network interface;
  
  a processor; and
  
  a memory coupled to the processor, the memory comprises software that, when executed by the processor, performs operations including;
  
  identifying a real application that is affected by suspicious network content received from the network interface, the suspicious network content communicated over a network;
  
  providing a virtual environment component that is associated with the identified real application and selected from a virtual environment component pool to a virtual environment, the virtual environment component being a virtual environment operating system of the virtual environment;
  
  configuring an agent to monitor processing of the suspicious network content within the virtual environment and monitor changes to the virtual environment operating system;
  
  configuring the virtual environment component to mimic the real application to process the suspicious network content within the virtual environment, the virtual environment being one of a plurality of concurrently existing virtual environments, each virtual environment associated with a respective virtual environment operating system to process suspicious network content to detect whether the suspicious network content contains malicious network content;
  
  detecting at least one anomaly associated with the virtual environment component using the agent, the at least one anomaly including improper changes to the virtual environment operating system of the virtual environment that identifies that the suspicious network content contains malicious network content; and
  
  generating a signature from the suspicious network content to apply to subsequent network content.
- View Dependent Claims (59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69)
- - 59. The system of claim 58, further comprising an agent stored within the memory, the agent being configured to detect unexpected changes to settings of the virtual environment component.
  - 60. The system of claim 58, wherein the agent is further configured to initiate generation of the signature based on detecting the at least one anomaly.
  - 61. The system of claim 58, wherein the agent is further configured to monitor behavior of a virtual environment application within the virtual environment.
  - 62. The system of claim 61, wherein the agent is configured to detect unexpected changes in the monitored behavior of the virtual environment component including one or more of requests for data, sending or receiving data over a network, processing and/or storing data.
  - 63. The system of claim 58, wherein the agent is configured to monitor state of the virtual environment component, the state includes a snapshot of values representing settings and parameters of the virtual environment.
  - 64. The system of claim 63, wherein the values represent state and parameters including one or more of error conditions, interrupts, and availability of a buffer.
  - 65. The system of claim 58, wherein the agent resides in the virtual environment.
  - 66. The system of claim 58, wherein the virtual environment is configured to include virtual hardware to mimic one or more of a hardware protocol, ports, and other behavior of real hardware.
  - 67. The system of claim 58, wherein the virtual environment application is configured to mimic a browser application.
  - 68. The system claim 58, wherein the virtual environment operating system is implemented as code that emulates an operating system.
  - 69. The system of claim 58, wherein the agent is further configured to detect, log, store, and report behavior of the virtual environment component.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Ismael, Osman Abdoul, Yie, Samuel, Manni, Jayaraman, Amin, Muhammad, Mahbod, Bahman
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
TRUONG, THONG P

Application Number

US12/359,252
Publication Number

US 20100192223A1
Time in Patent Office

2,013 Days
Field of Search

726/1, 726/3, 726/22, 726/2
US Class Current

726/22
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2149   Restricted operating enviro...

G06F 9/455   Emulation; Interpretation; ...

H04L 2463/144   Detection or countermeasure...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Detecting malicious network content using virtual environment components

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

569 Citations

69 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting malicious network content using virtual environment components

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

569 Citations

69 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links