Network-based binary file extraction and analysis for malware detection

US 8,832,829 B2
Filed: 09/30/2009
Issued: 09/09/2014
Est. Priority Date: 09/30/2009
Status: Active Grant

First Claim

Patent Images

1. A method for network-based file analysis for malware detection by a system, the method comprising:

receiving network content;

identifying a binary packet being assembled in accordance with one or more communication protocols from a plurality of communication protocols supported by the system and in accordance with one or more formats from a plurality of formats supported by the system, the binary packet being a portion of a binary file that is part of the network content;

extracting the binary file from the network content, the binary file comprises one or more binary packets, including the binary packet;

classifying the extracted binary file as suspicious network content or non-suspicious network content, wherein the suspicious network content has a suspicious characteristic related to malicious network content;

processing the suspicious network content using a virtual environment component configured within a virtual environment to mimic operations of a real application configured to process the suspicious network content; and

identifying the suspicious network content as malicious network content based on a behavior of the virtual environment component, the identifying of the suspicious network content as malicious network content based on the behavior of the virtual environment component comprises examining the behavior of the virtual environment component against an expected behavior.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are disclosed for network-based file analysis for malware detection. Network content is received from a network tap. A binary packet is identified in the network content. A binary file, including the binary packet, is extracted from the network content. It is determined whether the extracted binary file is detected to be malware.

564 Citations

97 Claims

1. A method for network-based file analysis for malware detection by a system, the method comprising:
- receiving network content;
  
  identifying a binary packet being assembled in accordance with one or more communication protocols from a plurality of communication protocols supported by the system and in accordance with one or more formats from a plurality of formats supported by the system, the binary packet being a portion of a binary file that is part of the network content;
  
  extracting the binary file from the network content, the binary file comprises one or more binary packets, including the binary packet;
  
  classifying the extracted binary file as suspicious network content or non-suspicious network content, wherein the suspicious network content has a suspicious characteristic related to malicious network content;
  
  processing the suspicious network content using a virtual environment component configured within a virtual environment to mimic operations of a real application configured to process the suspicious network content; and
  
  identifying the suspicious network content as malicious network content based on a behavior of the virtual environment component, the identifying of the suspicious network content as malicious network content based on the behavior of the virtual environment component comprises examining the behavior of the virtual environment component against an expected behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 2. The method of claim 1, wherein identifying the binary packet includes a binary identification module identifying the packet in one of multiple protocols, the binary identification module configured to recognize each of the multiple protocols.
  - 3. The method of claim 1, wherein identifying the binary packet includes a binary identification module identifying the packet in one of multiple formats, the binary identification module configured to recognize each of the multiple formats.
  - 4. The method of claim 1, wherein extracting the binary file includes utilizing Transmission Control Protocol (TCP) sequence numbers in order to put binary packets in a correct order.
  - 5. The method of claim 4, wherein the TCP sequence numbers are used for binary packet ordering to simulate correct transmission of binary packets of the extracted binary file to a virtual machine of the virtual environment.
  - 6. The method of claim 1, wherein classifying the extracted binary file as suspicious network content or non-suspicious network content comprises performing static analysis based on heuristics on the extracted binary file to classify the extracted binary file.
  - 7. The method of claim 6, wherein performing static analysis includes determining if obfuscation is present.
  - 8. The method of claim 6, wherein performing static analysis includes examining a size of the extracted binary file.
  - 9. The method of claim 1, further comprising performing pre-verification on the extracted binary file that, prior to processing the suspicious network content within the virtual environment, determines whether the extracted binary file matches a known malware.
  - 10. The method of claim 9, wherein the pre-verification on the extracted binary file is conducted after the extracted binary file is classified as suspicious network content.
  - 11. The method of claim 1, wherein the classifying of the extracted binary file comprises determining whether information within the extracted binary file matches information within a known malware, the information within the known malware comprises at least one of binary file header data, signature data or binary files previously classified as malicious.
  - 12. The method of claim 1, wherein the one or more communication protocols include Hypertext Transfer Protocol (HTTP).
  - 13. The method of claim 12, wherein the one or more formats include Multipurpose Internet Mail Extensions (MIME).
  - 14. The method of claim 1, wherein the one or more communication protocols include File Transfer Protocol (FTP).
  - 15. The method of claim 1, wherein the one or more formats include a particular data compression format.
  - 16. The method of claim 1, wherein the one or more formats include a particular encoding format.
  - 17. The method of claim 16, wherein the binary file is an executable binary file.
  - 18. The method of claim 1, wherein the binary file is an executable binary file.
  - 19. The method of claim 18, wherein the virtual environment component is further configured to execute the executable binary file.
  - 20. The method of claim 1, wherein identifying a binary packet further comprises identifying the binary packet based on packet header data.
  - 21. The method of claim 1, wherein the classifying the extracted binary file as suspicious network content or non-suspicious network content comprises classifying the extracted binary file as one of suspicious network content and non-suspicious network content, wherein the extracted binary file is classified as suspicious network content when the extracted binary file has a suspicious characteristic related to malicious network content and does not match a known malware.
  - 22. The method of claim 1, wherein the virtual environment component includes a virtual environment operating system that is configured to perform in a similar manner as a real operating system and detect attempted changes and actual changes to an operating system which are unexpected.
  - 23. The method of claim 1, wherein the classifying of the extracted binary file comprises determining whether the extracted binary file matches a known malware, which includes one or more malicious binary files, by calculation and comparison of one or more checksums.
  - 24. The method of claim 1, wherein prior to the processing of the suspicious network content, the method comprises the classifying of the extracted binary file by determining whether the extracted binary file has the suspicious characteristic related to malicious network content and performing a pre-verification operation on the extracted binary file to determine whether the extracted binary file matches a known malware.
  - 25. The method of claim 24, wherein the known malware is a known malicious binary file.
  - 26. The method of claim 24, wherein the classifying of the extracted binary file is conducted by a static analysis module executed by one or more processors implemented within the system.
  - 27. The method of claim 24 further comprising declaring the suspicious network content as malicious network content when the extracted binary file matches the known malware, wherein the classifying of the extracted binary file is conducted by a static analysis module executed by one or more processors implemented within the system.
  - 28. The method of claim 27 further comprising placing the extracted binary file under quarantine and providing only the suspicious network content for processing by the virtual environment component.
  - 29. The method of claim 1, wherein the examining the behavior of the virtual environment component against the expected behavior comprises comparing the behavior of the virtual environment component observed during processing of the suspicious network content to the expected behavior of the virtual environment component.
  - 30. The method of claim 29, wherein the expected behavior includes a particular process changing an operating system parameter and the behavior observed during processing of the suspicious network content is an attempt to change the operating system parameter without using the particular process.
  - 31. The method of claim 29, wherein the behavior observed during processing of the suspicious network content includes an attempt to change to an operating system setting and the expected behavior has no change in the operating system setting.
  - 32. The method of claim 1, wherein the expected behavior includes one or more stored behavior patterns associated with the virtual environment component and the behavior of the virtual environment component differs from the one or more stored behavior patterns.
  - 33. The method of claim 32, wherein the one or more stored behavior patterns for the virtual environment component being a virtual environment network browser indicates that at least one particular request to transmit over a network is directed toward a specified proxy address.
  - 34. The method of claim 32, wherein the one or more stored behavior patterns identifies parameters values that are to remain unchanged.
  - 35. The method of claim 32, wherein the one or more stored behavior patterns identifies code that is to be invoked when attempting to change a particular parameter.
  - 36. The method of claim 1, wherein the examining of the behavior of the virtual environment component against the expected behavior occurs during replay in which (i) at least the virtual environment component is (a) retrieved from a virtual environment component pool operating as a data store containing one or more applications or one or more operating systems, (b) configured to mimic the real application in which the network content was intended to be processed and (c) provided to the virtual environment, and (ii) the information associated with the extracted binary file is executed by the virtual environment component within the virtual environment.
  - 37. The method of claim 1, wherein the extracting the binary file, classifying the extracted binary file as suspicious network content, processing the suspicious network content, and identifying the suspicious network content as malicious network content is conducted automatically without user intervention.
  - 38. The method of claim 1, wherein the virtual environment component comprises a virtual environment application being configured to perform as the real application.
  - 39. The method of claim 38, wherein the virtual environment component comprises a browser application.
  - 40. The method of claim 1, wherein the virtual environment component comprises a virtual environment operating system that is an actual operating system that mimics operations of the real application being an actual operating system.

41. A system for network-based file analysis for malware detection, the system comprising:
- one or more processors; and
  
  a memory system communicatively coupled to the one or more processors, the memory system comprises executable instructions includinga binary identification module to receive and identify a binary packet assembled in accordance with one or more communication protocols from a plurality of communication protocols supported by the system in accordance with one or more formats from a plurality of formats supported by the system, the binary packet being a portion of a binary file that is part of network content;
  
  a binary extraction module communicatively coupled with the binary identification module and configured to extract the binary file including the identified binary packet from the network content;
  
  a static analysis module configured to classify the extracted binary file as suspicious network content or non-suspicious network content, wherein the suspicious network content has a suspicious characteristic related to malicious network content; and
  
  a virtual machine analysis module configured to process the suspicious network content using a virtual environment component configured within a virtual environment to mimic operations of a real application configured to process the suspicious network content, the virtual machine analysis module being further configured to identify the suspicious network content as malicious network content based on a behavior of the virtual environment component by examining the behavior of the virtual environment component against an expected behavior.
- View Dependent Claims (42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74)
- - 42. The system of claim 41, wherein the binary extraction module extracts a binary file utilizing Transmission Control Protocol (TCP) sequence numbers in order to put binary packets of the extracted binary file in a correct order.
  - 43. The system of claim 41, wherein the static analysis module is communicatively coupled with the binary extraction module.
  - 44. The system of claim 43, wherein the static analysis module is configured to determine based on heuristics if an extracted binary file is suspicious or non-suspicious.
  - 45. The system of claim 41, wherein the static analysis module is further configured to determine if obfuscation is present.
  - 46. The system of claim 41, further comprising a pre-verification module operating with the static analysis module to classify the extracted binary file as malicious network content upon determining that the extracted binary file matches a known malware.
  - 47. The system of claim 46, wherein the pre-verification module is configured to perform pre-verification on the extracted binary file classified as the suspicious network content in order to determine if the extracted binary file matches the known malware by information within the extracted binary file matching at least one of binary file header data, signature data or binary files already classified as malicious.
  - 48. The system of claim 46, wherein the pre-verification module re-classifies the extracted binary file as malicious network content upon determining that the extracted binary file matches the known malware or otherwise retain classification of the extracted binary file as suspicious network content.
  - 49. The system of claim 46, wherein the pre-verification module determining whether the extracted binary file matches the known malware that includes one or more malicious binary files by calculating and comparing one or more checksums of the extracted binary file to one or more stored checksums.
  - 50. The system of claim 46, wherein pre-verification module operating on the suspicious network content provided by the static analysis module.
  - 51. The system of claim 46, wherein the static analysis module is a separate module from the pre-verification module.
  - 52. The system of claim 46, wherein the pre-verification module further placing the extracted binary file under quarantine and providing only the suspicious network content for processing by the virtual environment component of the virtual machine analysis module.
  - 53. The system of claim 46, wherein the pre-verification module is operable separate from the static analysis module.
  - 54. The system of claim 41, wherein the virtual environment component is retrieved from a virtual environment component pool, the virtual environment component pool being a data store that contains different component types including one or more applications or one or more operating systems.
  - 55. The system of claim 54, wherein the virtual environment component pool is located within the system.
  - 56. The method of claim 41 wherein the static analysis module declaring the suspicious network content as malicious network content when the extracted binary file matches a known malware, wherein the classifying of the extracted binary file is conducted by the static analysis module executed by one or more processors implemented within the system.
  - 57. The system of claim 56, wherein the known malware is a known malicious binary file.
  - 58. The system of claim 41, wherein the static analysis module is configured to classify the extracted binary file as suspicious network content or non-suspicious network content by classifying the extracted binary file as one of suspicious network content and non-suspicious network content when the extracted binary file has a suspicious characteristic related to malicious network content and does not match a known malware.
  - 59. The system of claim 41, wherein the virtual environment component includes a virtual environment operating system that is configured to perform as an operating system and detect attempted changes and actual changes to the operating system which are unexpected.
  - 60. The system of claim 41, wherein the static analysis module declaring the suspicious network content as malicious network content when the extracted binary file matches a known malware, wherein the classifying of the extracted binary file is conducted by the static analysis module executed by one or more processors implemented within the system.
  - 61. The system of claim 41, wherein the virtual machine analysis module examining the behavior of the virtual environment component against the expected behavior comprises comparing the behavior of the virtual environment component observed during processing of the suspicious network content to the expected behavior of the virtual environment component.
  - 62. The system of claim 61, wherein the expected behavior includes a particular process changing an operating system parameter and the behavior observed during processing of the suspicious network content is an attempt to change the operating system parameter without using the particular process.
  - 63. The system of claim 61, wherein the behavior observed during processing of the suspicious network content includes an attempt to change to an operating system setting and the expected behavior has no change to the operating system setting.
  - 64. The system of claim 41, wherein the expected behavior includes one or more stored behavior patterns associated with the virtual environment component and the behavior of the virtual environment component differs from the one or more stored behavior patterns.
  - 65. The system of claim 64, wherein the one or more stored behavior patterns for the virtual environment component being a virtual environment network browser indicates that at least one particular request to transmit over a network is directed toward a specified proxy address.
  - 66. The system of claim 64, wherein the one or more stored behavior patterns identifies parameters values that are to remain unchanged.
  - 67. The system of claim 64, wherein the one or more stored behavior patterns identifies code that is to be invoked when attempting to change a particular parameter.
  - 68. The system of claim 41, wherein the virtual machine analysis module examining of the behavior of the virtual environment component against the expected behavior occurs during replay in which (i) at least the virtual environment component is retrieved from a virtual environment component pool operating as a data store containing one or more applications or one or more operating systems, configured to mimic the real application in which the network content was intended to be processed, and provided to the virtual environment, and (ii) the information associated with the extracted binary file is executed by the virtual environment component within the virtual environment.
  - 69. The system of claim 41, wherein the binary identification module, the binary extraction module, the static analysis module and the virtual machine analysis module operate automatically without user intervention.
  - 70. The system of claim 41, wherein the virtual environment component being implemented as a specific instance of the application.
  - 71. The system of claim 41, wherein the virtual environment component being implemented as a specific instance of the application.
  - 72. The system of claim 41, wherein the virtual environment component comprises a virtual environment application being configured to perform as the real application.
  - 73. The system of claim 72, wherein the virtual environment component comprises a browser application.
  - 74. The system of claim 41, wherein the virtual environment component comprises a virtual environment operating system that is an actual operating system that mimics operations of the real application being an actual operating system.

75. A non-transitory computer-readable storage medium having stored thereon instructions executable by a processor implemented within a system to perform a method for network-based file analysis for malware detection, the method comprising:
- receiving network content;
  
  identifying a binary packet being assembled in accordance with one or more communication protocols from a plurality of communication protocols supported by the system in accordance with one or more formats from a plurality of formats supported by the system, the binary packet being a portion of a binary file that is part of the network content;
  
  extracting the binary file from the network content, the binary file comprises one or more binary packets, including the binary packet;
  
  classifying the extracted binary file as suspicious network content or non-suspicious network content, wherein the suspicious network content has a suspicious characteristic related to malicious network content;
  
  processing the suspicious network content using a virtual environment component configured within a virtual environment, wherein the virtual environment component comprises a virtual environment application being configured to simulate a real application configured to process the suspicious network content; and
  
  identifying the suspicious network content as malicious network content based on a behavior of the virtual environment component, the identifying of the suspicious network content as malicious network content based on the behavior of the virtual environment component comprises examining the behavior of the virtual environment component against an expected behavior.
- View Dependent Claims (76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97)
- - 76. The non-transitory computer-readable storage medium of claim 75 wherein the processor, upon execution of the stored instructions, further performing operations comprising retrieving the virtual environment component from a virtual environment component pool, the virtual environment component pool being a data store that contains different component types including one or more applications or one or more operating systems.
  - 77. The non-transitory computer-readable storage medium of claim 76, wherein the virtual environment component pool is located within the system.
  - 78. The non-transitory computer-readable storage medium of claim 75, wherein the processor, upon execution of the stored instructions, classifying the extracted binary file as one of suspicious network content and non-suspicious network content, wherein the extracted binary file is classified as suspicious network content when the extracted binary file has a suspicious characteristic related to malicious network content and does not match a known malware.
  - 79. The non-transitory computer-readable storage medium of claim 78, wherein the processor, upon execution of the stored instructions, processing the suspicious network content using a virtual environment component configured within a virtual environment while the non-suspicious network content is not executed within the virtual environment.
  - 80. The non-transitory computer-readable storage medium of claim 75, wherein the virtual environment component includes a virtual environment operating system that is configured to perform as an operating system and detect attempted changes and actual changes to the operating system which are unexpected.
  - 81. The non-transitory computer-readable storage medium of claim 75 wherein the processor, upon execution of the stored instructions, classifying of the extracted binary file by determining whether the extracted binary file matches a known malware, which includes one or more malicious binary files, through calculation and comparison of one or more checksums.
  - 82. The non-transitory computer-readable storage medium of claim 75 wherein the processor, upon execution of the stored instructions, classifying of the extracted binary file by determining whether the suspicious network content has the suspicious characteristic related to malicious network content and performing a pre-verification operation on the extracted binary file to determine whether the extracted binary file matches a known malware.
  - 83. The non-transitory computer-readable storage medium of claim 82, wherein the known malware is a known malicious binary file.
  - 84. The non-transitory computer-readable storage medium of claim 75 wherein the processor, upon execution of a pre-verification module, further comprising declaring the suspicious network content as malicious network content when the extracted binary file matches a known malware, wherein the classifying of the extracted binary file is conducted by a static analysis module executed by the processor of the system.
  - 85. The non-transitory computer-readable storage medium of claim 75, wherein the classifying of the extracted binary file is conducted by a static analysis module executed by the processor implemented within the system.
  - 86. The non-transitory computer-readable storage medium of claim 84 wherein the processor, upon execution of a pre-verification module, further comprising placing the extracted binary file under quarantine and providing only the suspicious network content for processing by the virtual environment component.
  - 87. The non-transitory computer-readable storage medium of claim 75, wherein the processor, upon execution of the stored instructions to examine the behavior of the virtual environment component against the expected behavior, comprises comparing the behavior of the virtual environment component observed during processing of the suspicious network content to the expected behavior of the virtual environment component.
  - 88. The non-transitory computer-readable storage medium of claim 87, wherein the expected behavior includes a particular process changing an operating system parameter and the behavior observed during processing of the suspicious network content is an attempt to change the operating system parameter without using the particular process.
  - 89. The non-transitory computer-readable storage medium of claim 87, wherein the behavior observed during processing of the suspicious network content includes an attempt to change to an operating system setting and the expected behavior has no change in the operating system setting.
  - 90. The non-transitory computer-readable storage medium of claim 75, wherein the expected behavior includes one or more stored behavior patterns associated with the virtual environment component and the behavior of the virtual environment component differs from the one or more stored behavior patterns.
  - 91. The non-transitory computer-readable storage medium of claim 90, wherein the one or more stored behavior patterns for the virtual environment component being a virtual environment network browser indicates that at least one particular request to transmit over a network is directed toward a specified proxy address.
  - 92. The non-transitory computer-readable storage medium of claim 90, wherein the one or more stored behavior patterns identifies parameters values that are to remain unchanged.
  - 93. The non-transitory computer-readable storage medium of claim 90, wherein the one or more stored behavior patterns identifies code that is to be invoked when attempting to change a particular parameter.
  - 94. The non-transitory computer-readable storage medium of claim 75, wherein the processor examining the behavior of the virtual environment component against the expected behavior during replay in which (i) at least the virtual environment component is retrieved from a virtual environment component pool operating as a data store containing one or more applications or one or more operating systems, configured to mimic the real application in which the network content was intended to be processed, and provided to the virtual environment, and (ii) the information associated with the extracted binary file is executed by the virtual environment component within the virtual environment.
  - 95. The non-transitory computer-readable storage medium of claim 75, wherein the extracting of the binary file, classifying the extracted binary file as suspicious network content, processing the suspicious network content, and identifying the suspicious network content as malicious network content is conducted automatically without user intervention.
  - 96. The non-transitory computer-readable storage medium of claim 75, wherein the virtual environment application being implemented as a specific instance of the application.
  - 97. The non-transitory computer-readable storage medium of claim 96, wherein the virtual environment application comprises a browser application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Manni, Jayaraman, Aziz, Ashar, Gong, Fengmin, Loganathan, Upendran, Amin, Muhammad
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Tolentino, Roderick

Application Number

US12/571,294
Publication Number

US 20110078794A1
Time in Patent Office

1,805 Days
Field of Search

726 22- 25
US Class Current

726/22
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

Network-based binary file extraction and analysis for malware detection

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

564 Citations

97 Claims

Specification

Solutions

Use Cases

Quick Links

Network-based binary file extraction and analysis for malware detection

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

564 Citations

97 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links