Systems and methods for malware detection

US 8,850,584 B2
Filed: 02/04/2011
Issued: 09/30/2014
Est. Priority Date: 02/08/2010
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising:

a processor configured to execute an anti-malware engine, the anti-malware engine operable to receive an outbound request from at least one client computer, the at least one client computer communicatively coupled to the anti-malware engine via a first computer network, the outbound request comprising a transmission of an outbound data message from the first computer network and directed toward a second computer network, the transmission occurring after a received inbound data message addressed to the at least one client computer has been processed by the anti-malware engine, the anti-malware engine further operable to provide anti-malware protection for the at least one client computer,wherein the anti-malware engine is further operable to determine if the outbound request is classified as malware by determining whether the outbound request includes one or more valid tags embedded within links inside the outbound data message associated with the outbound request, the one or more valid tags previously embedded within each of one or more links by the anti-malware engine via processing and modifying the received inbound message addressed to the at least one client computer on the first computer network, the processing and modifying performed prior to the inbound message reaching the at least one client computer, each of the one or more links comprising a uniform resource identifier.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments include a computer system comprising a computer network including at least one client computer, the at least one client computer operable to generate a request, and an anti-malware engine coupled to the computer system and operable to provide anti-malware protection for the computer network, wherein the anti-malware engine is operable to receive the request generated by the at least one client, and to determine if the request is classified as malware by determining whether the request includes one or more valid tags.

35 Citations

View as Search Results

26 Claims

1. A computer system comprising:
- a processor configured to execute an anti-malware engine, the anti-malware engine operable to receive an outbound request from at least one client computer, the at least one client computer communicatively coupled to the anti-malware engine via a first computer network, the outbound request comprising a transmission of an outbound data message from the first computer network and directed toward a second computer network, the transmission occurring after a received inbound data message addressed to the at least one client computer has been processed by the anti-malware engine, the anti-malware engine further operable to provide anti-malware protection for the at least one client computer,wherein the anti-malware engine is further operable to determine if the outbound request is classified as malware by determining whether the outbound request includes one or more valid tags embedded within links inside the outbound data message associated with the outbound request, the one or more valid tags previously embedded within each of one or more links by the anti-malware engine via processing and modifying the received inbound message addressed to the at least one client computer on the first computer network, the processing and modifying performed prior to the inbound message reaching the at least one client computer, each of the one or more links comprising a uniform resource identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer system of claim 1, wherein the anti-malware engine is further operable to determine that the outbound request does not include the one or more valid tags, and to classify the request as malware if the request comprises an HTTP POST request.
  - 3. The computer system of claim 1, wherein the anti-malware engine is further operable to determine that the outbound request does not include the one or more valid tags, and to classify the request as malware if the request comprises an HTTP GET request that meets one or more predetermined criteria.
  - 4. The computer system of claim 1, further including:
    - a database including a whitelist coupled to the anti-malware engine, the anti-malware engine further operable to determine if a suspicious request is included in the whitelist, and if the suspicious request is included in the whitelist, to allow further processing of the suspicious request, wherein the outbound request is considered suspicious when the outbound request has not been determined to include one or more valid tags.
  - 5. The computer system of claim 4, wherein the whitelist includes a list of known and trustworthy download Universal Resource Locators.
  - 6. The computer system of claim 1, wherein the anti-malware engine, upon determination that the outbound request includes one or more valid tags, is further operable to:
    - remove the at least one or more tags from the links inside the outbound data message associated with the outbound request; and
      
      forward the outbound request having had the at least one or more valid tags removed, the forwarding to solicit a response to the outbound request.
  - 7. The computer system of claim 1, wherein the anti-malware engine is further operable to receive the inbound message directed to the first computer network, to scan the received inbound message for links, and if links are found in the received inbound message, to add one or more valid tags to the message before forwarding the received inbound message to the first computer network.
  - 8. The computer system of claim 1, wherein at least one of the one or more valid tags includes a hash value of an original Universal Resource Locator included in at least one of the one or more links, plus a nonce generated by the anti-malware engine.

9. A computer system comprising:
- a processor configured to execute an anti-malware engine, the anti-malware engine configured to provide anti-malware protection for at least one client computer and operable to;
  
  receive a request from at least one client computer communicatively coupled to the anti-malware engine via a first computer network;
  
  forward the request from the at least on client computer to a second computer on a second computer network;
  
  receive, in response to the forwarded request, received content at the anti-malware engine from the second computer network that is directed to the at least one client computer; and
  
  determine if the received content is to be classified as malware, and if the received content is not determined to be classified as malware, to scan the received content for one or more links, and if the one or more links are found, to add at least one valid tag to at least one of the one or more links by altering the at least one link inside the received content before forwarding the received content on to the at least one client computer, each of the one or more links comprising a uniform resource identifier.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The computer system of claim 9, wherein the one or more links found in the received content includes a plurality of links, and wherein the anti-malware engine is operable to apply heuristics to determine a reduced number of links to which valid tags are to be added, the reduced number less than a total number of the plurality of links included in the received content.
  - 11. The computer system of claim 10, wherein the reduced number of links includes links that are visible or that are made visible dynamically at runtime.
  - 12. The computer system of claim 10, wherein the reduced number of links includes links that are user clickable.
  - 13. The computer system of claim 10, wherein the reduced number of links includes links that include an .exe file extension.
  - 14. The computer system of claim 9, wherein the anti-malware engine is coupled to a cache memory, the anti-malware engine operable to pre-fetch and store in the cache memory a linked content, the linked content comprising content pointed to by one or more links included in the received content.
  - 15. The computer system of claim 9, wherein the anti-malware engine is operable to determine a media type for the received content, and to use the media type as a heuristic to reduce a total number of links of the one or more links included in the received content to which valid tags will be added.

16. A method comprising:
- receiving at an anti-malware engine an outbound request for outbound transmission of data from a protected computer network to a second computer network, the anti-malware engine executing on a processor communicatively coupled to the protected computer network and the second computer network, the request originating from a device connected to the anti-malware engine via the protected computer network;
  
  inspecting the received outbound request for the presence of one or more valid tags, the one or more valid tags comprising tags previously added to one or more links contained inside a prior inbound message addressed to a receiving computer on the protected computer network, the adding occurring prior to receipt of the inbound message at the receiving computer, the one or more links comprising a uniform resource identifier;
  
  classifying the received outbound request as malware or not malware based upon at least one valid tag being found in the received outbound request;
  
  removing the at least one valid tag from the outbound request classified as not malware; and
  
  forwarding the received outbound request, after removal of the at least one valid tag, toward the second computer network.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The method of claim 16, further comprising:
    - determining that the received outbound request includes at least one of the one or more valid tags; and
      
      storing the removed at least one of the one or more valid tags in data fields associated with a transaction associated with the received outbound request.
  - 18. The method of claim 17, further including:
    - receiving an inbound response to the forwarded received outbound request;
      
      applying anti-malware detection processing to the inbound response to determine if the inbound response is to be classified as malware; and
      
      if the inbound response is not to be classified as malware, scanning the inbound response for links, and if one or more links are found in the inbound response, adding at least one valid tag to at least one of the one or more links in the inbound response before forwarding the inbound response to the protected computer network.
  - 19. The method of claim 18, wherein the one or more links in the inbound response includes a plurality of links, and wherein adding the at least one valid tag to at least one of the one or more links found in the inbound response includes applying heuristics to reduce a total number of links of the plurality links found in the inbound response to which valid tags will be added.
  - 20. The method of claim 16, wherein classifying the received outbound request as malware further includes:
    - processing the received outbound request to determine a source of the received outbound request within the protected computer network.
  - 21. The method of claim 20, further including:
    - determining that the received outbound request does not include at least one valid tag;
      
      comparing an address associated with the received outbound request to a whitelist; and
      
      forwarding the received outbound request if the associated address is included in the whitelist.

22. A non-transitory computer memory storing instructions that when executed by a processor cause the processor to:
- receive content directed toward a protected computer network;
  
  determine if the content comprises original content, or if the content comprises a response to a request previously forwarded from the protected computer network to a second network; and
  
  if the content comprises original content, processing the content using an anti-malware engine executing on the processor to determine if the content is to be classified as malware, and if the content is not to be classified as malware, scanning the content for links comprising a uniform resource identifier, and if at least one link is found, adding a valid tag to the at least one link found in the content by altering the at least one link inside the content before forwarding the content to the protected computer network, wherein the valid tag adds information to the at least one link to indicate that the at least one link has been previously processed as part of original content processing for inbound original content.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The non-transitory computer memory of claim 22, wherein adding a valid tag to at least one link found in the content includes:
    - determining that the content includes a plurality of links, andusing heuristics to determine a reduced number of links of the plurality of links to which valid tags are to be applied, wherein each of the reduced number of links has a single valid tag added.
  - 24. The non-transitory computer memory of claim 22, further including instructions to cause the processor to:
    - determine that the content is to be classified as malware; and
      
      block the content from being forwarded to the protected computer network.
  - 25. The non-transitory computer memory of claim 24, further including instructions to cause the processor to:
    - report the classification of the content as malware to a user interface.
  - 26. The non-transitory computer memory of claim 24, further including instructions to cause the processor to:
    - determine that the content that is to be classified as malware is a reply to a particular request originating from the protected computer network;
      
      identify a source of the request located within the protected computer network; and
      
      isolate the source of the request from the protected computer network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Skyhigh Security LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Alme, Christoph, Pekrul, Micha
Primary Examiner(s)
Bates, Kevin
Assistant Examiner(s)
McCray, Clarence D

Application Number

US13/021,585
Publication Number

US 20110197281A1
Time in Patent Office

1,334 Days
Field of Search

726/24, 726/22
US Class Current

726/24
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/564   by virus signature recognition

H04L 63/145   the attack involving the pr...

Systems and methods for malware detection

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for malware detection

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links