Network-based binary file extraction and analysis for malware detection
First Claim
1. A method for network-based file analysis for malware detection by a system, the method comprising:
- receiving network content;
- identifying a binary packet being assembled in accordance with one or more communication protocols from a plurality of communication protocols supported by the system and in accordance with one or more formats from a plurality of formats supported by the system, the binary packet being a portion of a binary file that is part of the network content;
- extracting the binary file from the network content, the binary file comprises one or more binary packets, including the binary packet;
- classifying the extracted binary file as suspicious network content or non-suspicious network content, wherein the suspicious network content has a suspicious characteristic related to malicious network content;
- processing the suspicious network content using a virtual environment component configured within a virtual environment to mimic operations of a real application configured to process the suspicious network content; and
- identifying the suspicious network content as malicious network content based on a behavior of the virtual environment component, the identifying of the suspicious network content as malicious network content based on the behavior of the virtual environment component comprises examining the behavior of the virtual environment component against an expected behavior.
5 Assignments
0 Petitions
Abstract
A system and method are disclosed for network-based file analysis for malware detection. Network content is received from a network tap. A binary packet is identified in the network content. A binary file, including the binary packet, is extracted from the network content. It is determined whether the extracted binary file is detected to be malware.
564 Citations
97 Claims
1. Independent method claim, set out in full under First Claim above. Dependent claims: 2 to 40.
41. A system for network-based file analysis for malware detection, the system comprising:
- one or more processors; and
- a memory system communicatively coupled to the one or more processors, the memory system comprises executable instructions including:
  - a binary identification module to receive and identify a binary packet assembled in accordance with one or more communication protocols from a plurality of communication protocols supported by the system in accordance with one or more formats from a plurality of formats supported by the system, the binary packet being a portion of a binary file that is part of network content;
  - a binary extraction module communicatively coupled with the binary identification module and configured to extract the binary file including the identified binary packet from the network content;
  - a static analysis module configured to classify the extracted binary file as suspicious network content or non-suspicious network content, wherein the suspicious network content has a suspicious characteristic related to malicious network content; and
  - a virtual machine analysis module configured to process the suspicious network content using a virtual environment component configured within a virtual environment to mimic operations of a real application configured to process the suspicious network content, the virtual machine analysis module being further configured to identify the suspicious network content as malicious network content based on a behavior of the virtual environment component by examining the behavior of the virtual environment component against an expected behavior.

Dependent claims: 42 to 74.
75. A non-transitory computer-readable storage medium having stored thereon instructions executable by a processor implemented within a system to perform a method for network-based file analysis for malware detection, the method comprising:
- receiving network content;
- identifying a binary packet being assembled in accordance with one or more communication protocols from a plurality of communication protocols supported by the system in accordance with one or more formats from a plurality of formats supported by the system, the binary packet being a portion of a binary file that is part of the network content;
- extracting the binary file from the network content, the binary file comprises one or more binary packets, including the binary packet;
- classifying the extracted binary file as suspicious network content or non-suspicious network content, wherein the suspicious network content has a suspicious characteristic related to malicious network content;
- processing the suspicious network content using a virtual environment component configured within a virtual environment, wherein the virtual environment component comprises a virtual environment application being configured to simulate a real application configured to process the suspicious network content; and
- identifying the suspicious network content as malicious network content based on a behavior of the virtual environment component, the identifying of the suspicious network content as malicious network content based on the behavior of the virtual environment component comprises examining the behavior of the virtual environment component against an expected behavior.

Dependent claims: 76 to 97.
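The pipeline the three independent claims describe (reassembling a binary file from its packets, identifying it by format, classifying it statically, then judging sandbox behaviour against the real application's expected behaviour), as an added Python illustration that is not the patent's or any assignee's code. The magic-byte table, the Content-Type expectations, the operation-category trace and the image-viewer profile are constructed assumptions.

```python
import re
# Assumed magic-byte table and declared-type expectations (not from the patent).
MAGIC = {b"MZ": "pe", b"%PDF": "pdf", b"\x89PNG": "png", b"PK\x03\x04": "zip"}
EXPECTED_TYPE = {"pe": "application/octet-stream", "pdf": "application/pdf",
                 "png": "image/png", "zip": "application/zip"}

def reassemble(segments):
    """Rebuild one stream from (seq_offset, payload) segments captured out of order."""
    buf = bytearray()
    for off, data in sorted(segments):
        if off > len(buf):
            raise ValueError(f"gap in stream at offset {len(buf)}")
        buf[off:off + len(data)] = data  # retransmitted overlaps overwrite
    return bytes(buf)

def extract_http_body(stream):
    """Return (declared content type, body), honouring Content-Length as a client would."""
    head, _, body = stream.partition(b"\r\n\r\n")
    headers = dict(re.findall(rb"\r\n([\w-]+):[ \t]*([^\r\n]*)", head))
    ctype = headers.get(b"Content-Type", b"").split(b";")[0].decode().lower()
    if b"Content-Length" in headers:
        body = body[:int(headers[b"Content-Length"])]
    return ctype, body

def static_classify(ctype, body):
    """Static step: identify the format by magic bytes; flag executables outright
    and any format whose magic contradicts the declared Content-Type."""
    fmt = next((f for m, f in MAGIC.items() if body.startswith(m)), None)
    if fmt is None:
        return None, False
    return fmt, fmt == "pe" or ctype != EXPECTED_TYPE[fmt]

def dynamic_classify(observed_ops, expected_ops):
    """Dynamic step: operations of the sandboxed stand-in that fall outside the real application's profile."""
    unexpected = sorted(set(observed_ops) - set(expected_ops))
    return bool(unexpected), unexpected

def analyze(segments, sandbox_trace, expected_profile):
    ctype, body = extract_http_body(reassemble(segments))
    fmt, suspicious = static_classify(ctype, body)
    if not suspicious:
        return {"format": fmt, "verdict": "benign", "unexpected": []}
    malicious, extra = dynamic_classify(sandbox_trace, expected_profile)
    return {"format": fmt, "verdict": "malicious" if malicious else "suspicious", "unexpected": extra}

# Constructed capture (PE served as image/png, segments out of order) and trace.
SAMPLE = [(42, b"Content-Length: 6\r\n\r\nMZ\x90\x00\x03\x00"),
          (0, b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n")]
SAMPLE_TRACE = ["file-read", "file-write", "network-connect", "registry-write"]
IMAGE_VIEWER_PROFILE = {"file-read", "render"}  # assumed profile for a real viewer
```

Calling `analyze(SAMPLE, SAMPLE_TRACE, IMAGE_VIEWER_PROFILE)` reports the sample as a PE file and returns a malicious verdict listing the three operations outside the viewer's profile.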