Network-based binary file extraction and analysis for malware detection
First Claim
1. A method for network-based file analysis for malware detection conducted by a system including one or more processors, the method comprising:
identifying at least one binary packet in network content received over a network;
extracting a binary file from the network content, the extracting of the binary file includes placing binary packets in the network content including the at least one binary packet into an order specified by data contained within the binary packets and constructing the binary file;
determining whether the extracted binary file comprises suspicious network content by identifying one or more suspicious characteristics associated with the extracted binary file, wherein the one or more suspicious characteristics are insufficient to classify the extracted binary file as malicious network content;
processing the suspicious network content using at least one virtual environment component operating within a virtual environment provided by the system, the virtual environment component comprises a virtual environment application and the virtual environment to mimic a real environment in which the network content was intended to be processed; and
classifying the suspicious network content as malicious network content based on at least one behavior of the virtual environment component detected during processing of the suspicious network content in the virtual environment by determining whether the at least one behavior of the virtual environment component comprises an anomalous behavior by examining each behavior of the at least one behavior against an expected behavior.
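As an added illustration (not the patent's own code), the pipeline claim 1 describes in Python: packets carrying their own stream offset are placed into the order that data specifies and the file is rebuilt, the rebuilt file is screened for suspicious characteristics that on their own do not justify a malicious verdict, and behaviors observed from the virtual environment application are compared against an expected set. The packet layout, the two indicators and the behavior names are constructed for this example.

```python
from collections import Counter
from math import log2

# Constructed sample stream (not from the patent): each packet is (seq, payload),
# seq being the byte offset of the payload within the file, as a TCP sequence
# number is once the initial sequence number is subtracted. Packet 2 arrives first.
PACKETS = [
    (8, b"\x00" * 8 + b"PE\x00\x00"),             # out of order
    (0, b"MZ\x90\x00\x03\x00\x00\x00"),            # DOS header start
    (20, b"\x4c\x01" + bytes(range(256)) * 2),     # high-entropy tail
]

def identify_binary(first_payload):
    """Binary identification: a payload opening with the MZ magic is a PE candidate."""
    return first_payload[:2] == b"MZ"

def reassemble(packets):
    """Place packets in the order their own offset field specifies and rebuild the file.
    A gap means the capture is incomplete; overlapping (retransmitted) bytes are dropped."""
    out = bytearray()
    for seq, payload in sorted(packets):
        if seq > len(out):
            raise ValueError(f"gap in stream at offset {len(out)}")
        out += payload[len(out) - seq:]
    return bytes(out)

def entropy(data):
    """Shannon entropy in bits per byte; 8.0 is the maximum."""
    if not data:
        return 0.0
    return -sum(c / len(data) * log2(c / len(data)) for c in Counter(data).values())

def suspicious_characteristics(blob):
    """Static pass: indicators that justify sandboxing but are insufficient for a verdict."""
    hits = []
    if blob[:2] == b"MZ" and b"PE\x00\x00" in blob:
        hits.append("executable_image")
    if entropy(blob) > 7.0:
        hits.append("high_entropy")          # packed or encrypted content, common in malware
    return hits

# Expected behavior of the virtual environment application for this content (constructed).
EXPECTED_BEHAVIOR = {"open_document", "render_page"}

def anomalous_behaviors(observed, expected=EXPECTED_BEHAVIOR):
    """Dynamic pass: any observed behavior outside the expected set is anomalous."""
    return sorted(set(observed) - expected)
```

A file is routed to the virtual environment only when `identify_binary` and `suspicious_characteristics` both fire; a non-empty result from `anomalous_behaviors` is what turns "suspicious" into "malicious".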
Abstract
A system and method are disclosed for network-based file analysis for malware detection. Network content is received from a network tap. A binary packet is identified in the network content. A binary file, including the binary packet, is extracted from the network content. It is determined whether the extracted binary file is detected to be malware.
76 Claims
35. A system for network-based file analysis for malware detection, the system comprising:
one or more processors; and
a memory system communicatively coupled to the one or more processors, the memory system comprises
a binary identification module to identify a binary packet in network content received over a network;
a binary extraction module configured to be communicatively coupled with the binary identification module, the binary extraction module to extract a binary file including a plurality of binary packets that comprises the identified binary packet from the network content, the extracting of the binary file includes placing the plurality of binary packets into an order specified by data contained within the plurality of binary packets and constructing the binary file;
a static analysis module communicatively coupled with the binary extraction module, the static analysis module configured to determine whether the extracted binary file comprises suspicious network content by identifying one or more suspicious characteristics associated with the extracted binary file, wherein the one or more suspicious characteristics are insufficient to classify the extracted binary file as malicious network content; and
a virtual machine analysis module communicatively coupled with the static analysis module, the virtual machine analysis module being further configured to process the suspicious network content using a virtual environment component operating within a virtual environment, the virtual environment component comprises a virtual environment application and the virtual environment to mimic a real environment in which the network content was intended to be processed, the virtual machine analysis module being further configured to classify the suspicious network content as malicious network content based on at least one behavior of the virtual environment component that is determined to be anomalous by examining each behavior of the at least one behavior against an expected behavior.
59. A non-transitory computer-readable storage medium having stored thereon instructions executable by a processor to perform a method for network-based file analysis for malware detection, the method comprising:
identifying at least one binary packet in network content received over a network;
extracting a binary file from the network content, the extracting of the binary file includes placing binary packets in the network content including the at least one binary packet into an order specified by data contained within the binary packets and constructing the binary file;
determining whether the extracted binary file comprises suspicious network content by identifying one or more suspicious characteristics associated with the extracted binary file, wherein the one or more suspicious characteristics are insufficient to classify the extracted binary file as malicious network content;
processing the suspicious network content using at least one virtual environment component operating within a virtual environment provided by the system, the virtual environment component comprises a virtual environment application and the virtual environment to mimic a real environment in which the network content was intended to be processed; and
classifying the suspicious network content as malicious network content based on at least one behavior of the virtual environment component detected during processing of the suspicious network content in the virtual environment by determining whether the at least one behavior of the virtual environment component comprises an anomalous behavior by examining each behavior of the at least one behavior against an expected behavior.