Systems and methods for scheduling analysis of network content for malware
Abstract
A system is described for scheduling the processing of items of suspicious network content to determine whether these items contain malicious network content. The system features a memory and an analyzer that may comprise a processor-based digital device in which at least one virtual machine (VM) and a scheduler operate. The scheduler is configured to generate an order of processing of a plurality of items of network content by the processor based on a plurality of probability scores, each corresponding to an item of network content. The analyzer is configured to process the items of network content in at least the virtual machine by replaying these items in accordance with the order of processing. The virtual machine is configured with a software profile corresponding to each of the processed items and is adapted to monitor the behavior of each item during processing, thereby detecting malicious network content.
48 Claims
1. A computer implemented method of analyzing items of network content to determine whether the items of network content contain malicious network content, the method comprising:
A) determining whether a probability score corresponding to each of a first plurality of items of network content satisfies an analysis threshold, the probability score is related to a probability that the corresponding item of network content includes malicious network content;
B) determining, in accordance with a first processing order, at least a second plurality of items of network content that are a subset of the first plurality of items of network content, each of the second plurality of items of network content is associated with a corresponding probability score that satisfies the analysis threshold;
C) generating, by a controller, a second order of processing of each of the second plurality of items of network content being associated with a corresponding probability score that satisfies the analysis threshold, the second order of processing differs from the first order of processing and is based, at least in part, on the corresponding probability scores, the controller comprising a digital device providing a virtual machine; and
D) processing the second plurality of items of network content in the virtual machine in accordance with the second order of processing for subsequent analysis of behavior of the virtual machine to detect whether one or more of the items of network content include malicious network content.
(Dependent claims: 2 to 12.)
13. A computer implemented method of analyzing items of content to determine whether the items of content contain malicious content, the method comprising:
A) determining whether a probability score corresponding to each of a received plurality of items of content satisfies a predetermined threshold, the probability score is related to a probability that the corresponding item of content includes malicious content;
B) determining, in accordance with a first processing order, at least a second plurality of items of content that are a subset of the received plurality of items of content, each of the second plurality of items of content is associated with a corresponding probability score that satisfies a predetermined threshold and is associated with a probability that at least one feature associated with the corresponding item of content includes malicious content;
C) generating, by a controller, a second order of processing for the second plurality of items of content based on the probability scores for the second plurality of items of content, the controller comprising a digital device providing a virtual machine;
D) processing the second plurality of items of content in the virtual machine in accordance with the second order of processing that differs from the first order of processing of the second plurality of items of content; and
E) monitoring behavior of the virtual machine in response to processing of the second plurality of items of content in accordance with the second order of processing to detect whether one or more items of the second plurality of items of content include malicious content.
(Dependent claims: 14 to 22.)
23. A system operable for processing of items of content to determine whether the items of content contain malicious content, the system comprising:
A) a memory that is configured to store a second plurality of items of content which are a subset of a first plurality of items of content and each of the second plurality of items of content having been previously determined, in accordance with a first order of processing, to be associated with a probability score that satisfies an analysis threshold, the probability score relates to a probability that the associated item of content includes malicious content;
B) a controller comprising a processor that is configured to process at least one virtual machine and a scheduler;
C) wherein the scheduler is operatively coupled with the memory and is configured to generate a second order of processing for each of the second plurality of items of content based, at least in part, on the associated probability scores of the second plurality of items of content, the second order of processing differs from the first order of processing; and
D) wherein the controller is configured to process the second plurality of items of content in the at least one virtual machine in accordance with the second order of processing for subsequent analysis of one or more behaviors of the at least one virtual machine to detect whether one or more of the second plurality of items of content include malicious content.
(Dependent claims: 24 to 39.)
40. A computer implemented method of analyzing received data to determine whether the received data contains malicious data, the method comprising:
A) determining, in accordance with a first order of processing, whether a probability score corresponding to each of a first plurality of received data satisfies an analysis threshold, the probability score is related to a probability that the corresponding received data includes malicious data content;
B) identifying at least a second plurality of received data that are a subset of the first plurality of received data and are stored in a memory, each of the second plurality of received data is associated with a corresponding probability score that satisfies the analysis threshold;
C) generating a second order of processing of each of the second plurality of received data by a controller that differs from the first order of processing of the second plurality of received data when determining whether the probability score for each of the first plurality of received data satisfies the analysis threshold, the second order of processing being based, at least in part, on the corresponding probability scores, the controller comprising a digital device providing a virtual machine; and
D) processing the second plurality of received data in the virtual machine in accordance with the second order of processing for subsequent analysis of a behavior of the virtual machine to detect whether the second plurality of received data includes malicious data.
(Dependent claims: 41 to 48.)
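The scheduling flow shared by the independent claims (threshold filter applied in the first, arrival order; a score-based second order generated by the scheduler; replay in a VM whose behavior is then judged), as an added Python sketch that is not the patent's or any product's code. The per-item software profile field, the SUSPICIOUS behaviour set, the sample items and the observed behaviours are constructed assumptions.

```python
import heapq
from dataclasses import dataclass
from typing import Callable, Iterable

@dataclass(frozen=True)
class ContentItem:
    item_id: str
    score: float    # probability (0..1) that the item carries malicious content
    profile: str    # VM software profile the item is replayed under (assumed field)

def select_candidates(items: Iterable[ContentItem], threshold: float) -> list:
    """Steps A/B: walk items in the first processing order (arrival order) and
    keep only those whose probability score satisfies the analysis threshold."""
    return [it for it in items if it.score >= threshold]

def second_order(candidates: list) -> list:
    """Step C: the scheduler's second order of processing. Highest score is
    replayed first; arrival position breaks ties, so equal scores keep the first order."""
    heap = [(-it.score, pos, it) for pos, it in enumerate(candidates)]
    heapq.heapify(heap)
    return [heapq.heappop(heap)[2] for _ in range(len(heap))]

# Constructed set of behaviours treated as evidence of malicious content.
SUSPICIOUS = {"spawned_process", "wrote_autorun_key", "outbound_c2_beacon"}

def replay_in_vm(ordered: list, observe: Callable[[ContentItem], set]) -> dict:
    """Step D: replay each item (in the second order) and flag it when the
    behaviours observed in the VM intersect the suspicious set."""
    return {it.item_id: bool(observe(it) & SUSPICIOUS) for it in ordered}

# Constructed sample: five items in arrival order with pre-filter scores.
ARRIVALS = [
    ContentItem("a", 0.20, "win7-ie8"),
    ContentItem("b", 0.90, "win7-ie8"),
    ContentItem("c", 0.60, "win7-office2010"),
    ContentItem("d", 0.90, "win7-ie8"),
    ContentItem("e", 0.40, "win7-office2010"),
]
# Constructed behaviour observations standing in for real VM monitoring.
OBSERVED = {"b": {"spawned_process", "wrote_autorun_key"},
            "c": {"opened_file"},
            "d": {"outbound_c2_beacon"}}

def run_pipeline(items=ARRIVALS, threshold=0.5):
    """Return (second order of item ids, verdict per replayed item)."""
    ordered = second_order(select_candidates(items, threshold))
    verdicts = replay_in_vm(ordered, lambda it: OBSERVED.get(it.item_id, set()))
    return [it.item_id for it in ordered], verdicts

if __name__ == "__main__":
    print(run_pipeline())
```

With the sample above, the first order yields b, c, d; the scheduler's second order is b, d, c, because d outranks c on score and b precedes d on arrival.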