Systems and methods for scheduling analysis of network content for malware

US 8,990,939 B2
Filed: 06/24/2013
Issued: 03/24/2015
Est. Priority Date: 11/03/2008
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method of analyzing items of network content to determine whether the items of network content contain malicious network content, the method comprising:

A) determining whether a probability score corresponding to each of a first plurality of items of network content satisfies an analysis threshold, the probability score is related to a probability that the corresponding item of network content includes malicious network content;

B) determining, in accordance with a first processing order, at least a second plurality of items of network content that are a subset of the first plurality of items of network content, each of the second plurality of items of network content is associated with a corresponding probability score that satisfies the analysis threshold;

C) generating, by a controller, a second order of processing of each of the second plurality of items of network content being associated with a corresponding probability score that satisfies the analysis threshold, the second order of processing differs from the first order of processing and is based, at least in part, on the corresponding probability scores, the controller comprising a digital device providing a virtual machine; and

D) processing the second plurality of items of network content in the virtual machine in accordance with the second order of processing for subsequent analysis of behavior of the virtual machine to detect whether one or more of the items of network content include malicious network content.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is described for scheduling the processing of items of suspicious network content to determine whether these items contain malicious network content. The system features a memory and an analyzer that may comprise a processor-based digital device in which at least one virtual machine (VM) and a scheduler operates. The scheduler is configured to generate an order of processing of a plurality of items of network content by the processor based on a plurality of probability scores, each corresponding to an item of network content. The analyzer is configured to process the items of network content in at least the virtual machine by replaying these items in accordance with the order of processing. The virtual machine is configured with a software profile corresponding to each of the processed items and being adapted to monitor behavior of each of the items during processing, thereby to detect malicious network content.

Citations

48 Claims

1. A computer implemented method of analyzing items of network content to determine whether the items of network content contain malicious network content, the method comprising:
- A) determining whether a probability score corresponding to each of a first plurality of items of network content satisfies an analysis threshold, the probability score is related to a probability that the corresponding item of network content includes malicious network content;
  
  B) determining, in accordance with a first processing order, at least a second plurality of items of network content that are a subset of the first plurality of items of network content, each of the second plurality of items of network content is associated with a corresponding probability score that satisfies the analysis threshold;
  
  C) generating, by a controller, a second order of processing of each of the second plurality of items of network content being associated with a corresponding probability score that satisfies the analysis threshold, the second order of processing differs from the first order of processing and is based, at least in part, on the corresponding probability scores, the controller comprising a digital device providing a virtual machine; and
  
  D) processing the second plurality of items of network content in the virtual machine in accordance with the second order of processing for subsequent analysis of behavior of the virtual machine to detect whether one or more of the items of network content include malicious network content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the second order of processing of the second plurality of items of network content is further based on a priority level generated from a plurality of the probability scores associated with the second plurality of items of network content.
  - 3. The method of claim 1, wherein the second order of processing of the second plurality of items of network content is further based on priority levels, and the priority level of each of the second plurality of items of network content is based on the corresponding probability score.
  - 4. The method of claim 3, wherein the priority level of each item of the second plurality of items of network content is based on one or more identified suspicious features associated with the corresponding item of the second plurality of items of network content.
  - 5. The method of claim 1, wherein the analysis threshold includes a dynamically adaptive threshold based on an availability of the virtual machine.
  - 6. The method of claim 5, wherein the dynamically adaptive threshold is dynamically revised according to a quantity of packets of network content to be processed.
  - 7. The method of claim 1, further comprising terminating the processing by the virtual machine when the probability score of the corresponding item of the second plurality of items of network content does not satisfy a revised dynamically adaptive threshold applicable during the processing.
  - 8. The method of claim 1, further comprising terminating the processing by the virtual machine when a minimum period of execution time has passed.
  - 9. The method of claim 1, further comprising storing the first plurality of items of network content awaiting processing in a memory;
    - anddeleting any of the stored items of the first plurality of network content when the probability score corresponding thereto does not satisfy the analysis threshold.
  - 10. The method of claim 1, wherein the determining whether the probability score for each of the first plurality of items of network content comprises inspecting the first plurality of items of network content;
    - identifying suspicious features of the first plurality of items of network content; and
      
      generating the probability scores for the first plurality of items of network content based on at least the suspicious features.
  - 11. The method of claim 1, wherein the plurality of items of network content correspond to a plurality of data packets.
  - 12. The method of claim 1, wherein the controller includes a malicious network content detection system that comprises at least a scheduler and an analysis environment including the virtual machine.

13. A computer implemented method of analyzing items of content to determine whether the items of content contain malicious content, the method comprising:
- A) determining whether a probability score corresponding to each of a received plurality of items of content satisfies a predetermined threshold the probability score is related to a probability that the corresponding item of content includes malicious content;
  
  B) determining, in accordance with a first processing order, at least a second plurality of items of content that are a subset of the received plurality of items of content, each of the second plurality of items of content is associated with a corresponding probability score that satisfies a predetermined threshold and is associated with a probability that at least one feature associated with the corresponding item of content includes malicious content;
  
  C) generating, by a controller, a second order of processing for the second plurality of items of content based on the probability scores for the second plurality of items of content, the controller comprising a digital device providing a virtual machine; and
  
  D) processing the second plurality of items of content in the virtual machine in accordance with the second order of processing that differs from the first order of processing of the second plurality of items of content; and
  
  E) monitoring behavior of the virtual machine in response to processing of the second plurality of items of content in accordance with the second order of processing to detect whether one or more items of the second plurality of items of content include malicious content.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 14. The method of claim 13, further comprising, prior to the generating of the second order of processing, inspecting the received plurality of items of content comprising packets where the received plurality of items of content is greater than or equal in number to the second plurality of items of content;
    - using heuristics in identifying suspicious features associated with the received plurality of items of content; and
      
      generating the probability score corresponding to each of the received plurality of items of content based on at least the associated suspicious features.
  - 15. The method of claim 14, wherein the associated suspicious features for a first item of content of the received plurality of items of content are directed to a sequence of characters.
  - 16. The method of claim 13, wherein the probability score is dynamically adaptive based on available virtual machines.
  - 17. The method of claim 13, wherein each of the probability scores is based on one or more heuristic scores, each of the heuristic scores is associated with the at least one feature of a corresponding one of the second plurality of items of content.
  - 18. The method of claim 13, wherein the generating of the second order of processing of the second plurality of items of content further comprises excluding one or more of the received plurality of items of content based on a determination by the controller that one or more of the received plurality of items of content is not malicious content.
  - 19. The method of claim 13, wherein the plurality of items of content correspond to a plurality of data packets.
  - 20. The method of claim 13, wherein the at least one feature associated with each of the received plurality of items of content includes a characteristic of data within each of the received plurality of items of content, the characteristic of the data includes a sequence of the data.
  - 21. The method of claim 13, wherein the at least one feature associated with each of the received plurality of items of content includes a characteristic of data within each of the received plurality of items of content, the characteristic of the data includes a sequence of characters associated with at least a portion of the content.
  - 22. The method of claim 13, wherein the at least one feature associated with each of the received plurality of items of content includes a characteristic of data within each of the received plurality of items of content, the characteristic of the data includes one or more keywords within the data.

23. A system operable for processing of items of content to determine whether the items of content contains malicious content, the system comprising:
- A) a memory that is configured to store a second plurality of items of content which are a subset of a first plurality of items of content and each of the second plurality of items of content having been previously determined, in accordance with a first order of processing, to be associated with a probability score that satisfies an analysis threshold, the probability score relates to a probability that the associated item of content includes malicious content;
  
  B) a controller comprising a processor that is configured to process at least one virtual machine and a scheduler;
  
  C) wherein the scheduler is operatively coupled with the memory and is configured to generate a second order of processing for each of the second plurality of items of content based, at least in part, on the associated probability scores of the second plurality of items of content, the second order of processing differs from the first order of processing; and
  
  D) wherein the controller is configured to process the second plurality of items of content in the at least one virtual machine in accordance with the second order of processing for subsequent analysis of one or more behaviors of the at least one virtual machine to detect whether one or more of the second plurality of items of content include malicious content.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 24. The system of claim 23, wherein the second order of processing of the second plurality of items of content is further based on a priority level generated from a second plurality of the probability scores corresponding to the second plurality of items of content.
  - 25. The system of claim 23, wherein the second order of processing of the plurality of items of content is further based on a priority level for each of the second plurality of items of content;
    - and the scheduler is configured to generate the priority level for each of the second plurality of items based on at least one suspicious feature associated with each of the second plurality of items of content.
  - 26. The system of claim 23, wherein the scheduler is configured to load and configure the at least one virtual machine from a virtual machine pool, and dispatch the at least one virtual machine to an analysis environment to process each of the plurality of items of content to be analyzed.
  - 27. The system of claim 23, wherein the second order of processing of the plurality of items of content is further based on a priority level for each of the second plurality of items of content;
    - each of the second plurality of items of content being associated with a number of suspicious features, each of the suspicious features having an associated probability score; and
      
      the second order of processing reflects the probability scores of the suspicious features of the second plurality of items of content.
  - 28. The system of claim 23, wherein at least one of the second plurality of probability scores is dynamically adaptive based on available virtual machines.
  - 29. The system of claim 23, wherein the memory comprises a queue of the second plurality of items of content arranged in accordance with the second order of processing by the at least one virtual machine.
  - 30. The system of claim 29, wherein the scheduler is configured to delete or reprioritize one or more of the items of content in the queue to set the second order of processing of the plurality of items of content.
  - 31. The system of claim 23, wherein each of the second plurality of items of content to be analyzed by the at least one virtual machine is analyzed for an amount of time, the amount of time being based at least in part on a number of items of the plurality of items of content awaiting processing by the at least one virtual machine.
  - 32. The system of claim 31, wherein the scheduler is configured to determine the amount of time.
  - 33. The system of claim 23, wherein the at least one virtual machine comprises a plurality of virtual machines;
    - and the scheduler causes the plurality of virtual machines to process the plurality of items of content simultaneously.
  - 34. The system of claim 23, wherein the second plurality of items of content correspond to a plurality of data packets.
  - 35. The system of claim 23, wherein the processor is further configured to process a heuristic module that determines the plurality of probability scores corresponding to the second plurality of items of content.
  - 36. The system of claim 23, wherein each of the second plurality of probability scores is based, at least in part, on one or more features associated with a corresponding item of the second plurality of items of content and reflects a probability that the corresponding item of content comprises malicious content.
  - 37. The system of claim 36, wherein the one or more features include a characteristic of data within at least the corresponding item of content, the characteristic of the data includes a sequence of the data.
  - 38. The system of claim 36, wherein the one or more features include a characteristic of data within at least the corresponding item of content, the characteristic of the data includes a sequence of characters associated with at least a portion of the content.
  - 39. The system of claim 36, wherein the one or more features include a characteristic of data within at least the corresponding item of content, the characteristic of the data includes one or more keywords within the data.

40. A computer implemented method of analyzing received data to determine whether the received data contains malicious data, the method comprising:
- A) determining, in accordance with a first order of processing, whether a probability score corresponding to each of a first plurality of received data satisfies an analysis threshold, the probability score is related to a probability that the corresponding received data includes malicious data content;
  
  B) identifying at least a second plurality of received data that are a subset of the first plurality of received data and are stored in a memory, each of the second plurality of received data is associated with a corresponding probability score that satisfies the analysis threshold;
  
  C) generating a second order of processing of each of the second plurality of received data by a controller that differs from the first order of processing of the second plurality of received data when determining whether the probability score for each of the first plurality of received data satisfies the analysis threshold, the second order of processing being based, at least in part, on the corresponding probability scores, the controller comprising a digital device providing a virtual machine; and
  
  D) processing the second plurality of received data in the virtual machine in accordance with the second order of processing for subsequent analysis of a behavior of the virtual machine to detect whether the second plurality of received data includes malicious data.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48)
- - 41. The method of claim 40, wherein at least a first data of the second plurality of received data includes a feature and the probability score associated with the first data that is based, at least in part, on the feature.
  - 42. The method of claim 41, wherein the feature includes a sequence of data, the sequence of data is assigned a probability score during heuristic analysis of the first data.
  - 43. The method of claim 42, wherein upon the probability score of the first data including the probability score assigned to the sequence of data satisfies the analysis threshold, the first data is subsequently processed as part of the second plurality of received data in the virtual machine.
  - 44. The method of claim 41, whereinthe feature includes a sequence of characters associated with at least a portion of the first data, the sequence of characters is assigned a probability score during heuristic analysis of the first data;
    - andthe first data is subsequently processed as part of the second plurality of received data in the virtual machine when the probability score of the first data, including the probability score assigned to the sequence of characters, is determined to satisfy the analysis threshold.
  - 45. The method of claim 41, whereinthe feature includes one or more keywords within the first data of the second plurality of received data, the one or more keywords is assigned a probability score during heuristic analysis of the first data;
    - andthe first data is subsequently processed as part of the second plurality of received data in the virtual machine when the probability score of the first data, including the probability score assigned to the one or more keywords, is determined to satisfy the analysis threshold.
  - 46. The method of claim 41, wherein the first data comprises a first data packet of a plurality of data packets corresponding to the second plurality of received data, the feature comprises a portion of data within the first data packet.
  - 47. The method of claim 41, wherein the first order of processing comprises an order of receipt of the second plurality of received data by the controller, and the controller to change a processing order of the second plurality of received data in the virtual machine from the first order of processing to the second order of processing.
  - 48. The method of claim 40, wherein the first plurality of received data comprises a first plurality of data packets and the second plurality of received data comprises a second plurality of data packets that are lesser in number than the first plurality of data packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Staniford, Stuart Gresley, Aziz, Ashar
Primary Examiner(s)
LESNIEWSKI, VICTOR D

Application Number

US13/925,733
Publication Number

US 20130291109A1
Time in Patent Office

638 Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/561   Virus type analysis

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 9/45533   Hypervisors; Virtual machin...

H04L 2463/144   Detection or countermeasure...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Systems and methods for scheduling analysis of network content for malware

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

48 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for scheduling analysis of network content for malware

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

48 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links