Malware analysis system

US 9,047,441 B2
Filed: 05/24/2011
Issued: 06/02/2015
Est. Priority Date: 05/24/2011
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a first device comprising a first processor configured to execute a firewall, and a second device comprising a second processor configured to execute a virtual machine, wherein the executing the firewall using the first processor of the first device comprises;

using the firewall to identify an application type associated with a network traffic flow;

using the firewall to select a decoder to decode the network traffic flow based at least in part on the identified application type, wherein decoding the network traffic flow includes assembling one or more packets associated with the network traffic flow into a correct order;

using the firewall to decrypt the network traffic flow to generate a potential malware sample from at least a portion of the network traffic flow, wherein a preexisting signature does not match the potential malware sample, wherein the potential malware sample is related to a Portable Document Format (PDF) file; and

sending the potential malware sample from the firewall to the virtual machine; and

wherein the executing the virtual machine using the second processor of the second device comprises;

analyzing the potential malware sample using the virtual machine to determine if the potential malware sample is malware, wherein analyzing the potential malware using the virtual machine includes monitoring behavior of the potential malware sample during emulation using the virtual machine to identify malware, wherein the monitored behaviors that indicate potential malware include one or more of the following;

visiting a domain associated with a domain name length that exceeds a threshold, and communicating using an HTTP header associated with a shorter than threshold length;

determining a score associated with one or more network traffic behaviors associated with the potential malware sample monitored using the virtual machine;

automatically generating a signature using the virtual machine if the potential malware sample is determined to be malware, wherein the determination of whether the potential malware sample comprises malware is based at least in part on the score, wherein the signature in the event that the potential malware sample is determined to be malware is generated based at least in part on at least a cross reference table included in the PDF file; and

sending the signature from the virtual machine to the firewall, wherein the firewall is configured to enforce a security policy for network access based at least in part on the signature.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, a malware analysis system includes receiving a potential malware sample from a firewall; analyzing the potential malware sample using a virtual machine to determine if the potential malware sample is malware; and automatically generating a signature if the potential malware sample is determined to be malware. In some embodiments, the potential malware sample does not match a preexisting signature, and the malware is a zero-day attack.

151 Citations

View as Search Results

19 Claims

1. A system, comprising:
- a first device comprising a first processor configured to execute a firewall, and a second device comprising a second processor configured to execute a virtual machine, wherein the executing the firewall using the first processor of the first device comprises;
  
  using the firewall to identify an application type associated with a network traffic flow;
  
  using the firewall to select a decoder to decode the network traffic flow based at least in part on the identified application type, wherein decoding the network traffic flow includes assembling one or more packets associated with the network traffic flow into a correct order;
  
  using the firewall to decrypt the network traffic flow to generate a potential malware sample from at least a portion of the network traffic flow, wherein a preexisting signature does not match the potential malware sample, wherein the potential malware sample is related to a Portable Document Format (PDF) file; and
  
  sending the potential malware sample from the firewall to the virtual machine; and
  
  wherein the executing the virtual machine using the second processor of the second device comprises;
  
  analyzing the potential malware sample using the virtual machine to determine if the potential malware sample is malware, wherein analyzing the potential malware using the virtual machine includes monitoring behavior of the potential malware sample during emulation using the virtual machine to identify malware, wherein the monitored behaviors that indicate potential malware include one or more of the following;
  
  visiting a domain associated with a domain name length that exceeds a threshold, and communicating using an HTTP header associated with a shorter than threshold length;
  
  determining a score associated with one or more network traffic behaviors associated with the potential malware sample monitored using the virtual machine;
  
  automatically generating a signature using the virtual machine if the potential malware sample is determined to be malware, wherein the determination of whether the potential malware sample comprises malware is based at least in part on the score, wherein the signature in the event that the potential malware sample is determined to be malware is generated based at least in part on at least a cross reference table included in the PDF file; and
  
  sending the signature from the virtual machine to the firewall, wherein the firewall is configured to enforce a security policy for network access based at least in part on the signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system recited in claim 1, wherein the potential malware sample does not match the preexisting signature, and the malware is a zero-day attack.
  - 3. The system recited in claim 1, wherein the first device associated with the firewall comprises a security appliance, and the second device associated with the virtual machine comprises a virtual machine appliance.
  - 4. The system recited in claim 1, wherein the firewall is a host-based firewall executed on the first device, and the second device associated with the virtual machine comprises a virtual machine appliance.
  - 5. The system recited in claim 1, wherein the second device associated with the virtual machine comprises a security cloud service.
  - 6. The system recited in claim 1, wherein the firewall is configured to enforce the signature includes the firewall being configured to add the signature to one or more firewall policies.
  - 7. The system recited in claim 1, wherein the first device associated with the firewall comprises a gateway security device, a security appliance, a network routing device, or a general purpose computer executing a host-based firewall.
  - 8. The system recited in claim 1, wherein the executing the virtual machine using the second processor of the second device further comprises:
    - sending the signature to a cloud security service.
  - 9. The system recited in claim 1, wherein the executing the virtual machine using the second processor of the second device further comprises:
    - monitoring behavior of the potential malware sample during emulation using the virtual machine to identify malware based on heuristics.
  - 10. The system recited in claim 1, wherein the executing the virtual machine using the second processor of the second device further comprises:
    - monitoring behavior of the potential malware sample during emulation using the virtual machine to identify malware, wherein the monitored behaviors that indicate potential malware include one or more of the following;
      
      visiting a non-existent domain, downloading executable files with non-standard executable file extensions, performing a DNS query for an email server, communicating using a post method in HTTP traffic, connecting to a non-standard IRC port for IRC traffic, communicating using intrusion prevention system evasion techniques, and communicating unclassified traffic over an HTTP port.
  - 11. The system recited in claim 1, wherein the executing the virtual machine using the second processor of the second device further comprises:
    - monitoring behavior of the potential malware sample during emulation using the virtual machine to identify malware, wherein the monitored behaviors that indicate potential malware include one or more of the following;
      
      visiting a dynamic DNS domain, visiting a fast-flux domain, and visiting a recently created domain.
  - 12. The system recited in claim 1, wherein the executing the virtual machine using the second processor of the second device further comprises:
    - monitoring behavior of the potential malware sample during emulation using the virtual machine to identify a malicious domain, wherein the monitored visited domain related behavior indicates a potentially malicious domain based on one or more of the following;
      
      whether a visited domain is a dynamic DNS domain, whether a visited domain is a fast-flux domain, and whether a visited domain is a recently created domain.
  - 13. The system recited in claim 1,wherein automatically generating the signature comprises generating a file-based signature using a hash function or a digest of file header information.
  - 14. The system recited in claim 1, wherein the executing the firewall using the first processor of the first device further comprises:
    - sending log information related to the potential malware to the virtual machine, wherein the log information includes one or more of the following;
      
      session information, the identified application type, URL category information, and vulnerability alert information.
  - 15. The system of claim 1, wherein the executing the firewall using the first processor of the first device further comprises:
    - sending log information related to the potential malware to the virtual machine, wherein the virtual machine performs post analysis using the log information to determine if the potential malware sample is malware, wherein the log information includes the identified application type associated with the network traffic flow.

16. A method, comprising:
- using a firewall to identify an application type associated with a network traffic flow;
  
  using the firewall to select a decoder to decode the network traffic flow based at least in part on the identified application type, wherein decoding the network traffic flow includes assembling one or more packets associated with the network traffic flow into a correct order;
  
  using the firewall, executed by a first device, to decrypt the network traffic flow to generate a potential malware sample from at least a portion of the network traffic flow, wherein a preexisting signature does not match the potential malware sample, wherein the potential malware sample is related to a Portable Document Format (PDF) file;
  
  sending the potential malware sample from the firewall to a virtual machine, executed by a second device;
  
  analyzing the potential malware sample using the virtual machine to determine if the potential malware sample is malware, wherein analyzing the potential malware using the virtual machine includes monitoring behavior of the potential malware sample during emulation using the virtual machine to identify malware, wherein the monitored behaviors that indicate potential malware include one or more of the following;
  
  visiting a domain associated with a domain name length that exceeds a threshold, and communicating using an HTTP header associated with a shorter than threshold length;
  
  determining a score associated with one or more network traffic behaviors associated with the potential malware sample monitored using the virtual machine;
  
  automatically generating a signature using the virtual machine if the potential malware sample is determined to be malware, wherein the determination of whether the potential malware sample comprises malware is based at least in part on the score, wherein the signature if the potential malware sample is determined to be malware is generated based at least in part on a cross reference table included in the PDF file; and
  
  sending the signature from the virtual machine to the firewall, wherein the firewall is configured to enforce a security policy for network access based at least in part on the signature.
- View Dependent Claims (17)
- - 17. The method recited in claim 16, further comprising:
    - monitoring behavior of the potential malware sample during emulation using the virtual machine to identify malware based on heuristics.

18. A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
- using a firewall to identify an application type associated with a network traffic flow;
  
  using the firewall to select a decoder to decode the network traffic flow based at least in part on the identified application type, wherein decoding the network traffic flow includes assembling one or more packets associated with the network traffic flow into a correct order;
  
  using the firewall, executed by a first device, to decrypt the network traffic flow to generate a potential malware sample from at least a portion of the network traffic flow, wherein a preexisting signature does not match the potential malware sample, wherein the potential malware sample is related to a Portable Document Format (PDF) file;
  
  sending the potential malware sample from the firewall to a virtual machine, executed by a second device;
  
  analyzing the potential malware sample using the virtual machine to determine if the potential malware sample is malware, wherein analyzing the potential malware using the virtual machine includes monitoring behavior of the potential malware sample during emulation using the virtual machine to identify malware, wherein the monitored behaviors that indicate potential malware include one or more of the following;
  
  connecting to a non-standard HTTP port for HTTP traffic, visiting a domain associated with a domain name length that exceeds a threshold, and communicating using an HTTP header associated with a shorter than threshold length;
  
  determining a score associated with one or more network traffic behaviors associated with the potential malware sample monitored using the virtual machine;
  
  automatically generating a signature using the virtual machine if the potential malware sample is determined to be malware, wherein the determination of whether the potential malware sample comprises malware is based at least in part on the score, wherein the signature if the potential malware sample is determined to be malware is generated based at least in part on at least one of a script or a cross reference table included in the PDF file; and
  
  sending the signature from the virtual machine to the firewall, wherein the firewall is configured to enforce a security policy for network access based at least in part on the signature.
- View Dependent Claims (19)
- - 19. The computer program product recited in claim 18, further comprising computer instructions for:
    - monitoring behavior of the potential malware sample during emulation using the virtual machine to identify malware based on heuristics.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Xie, Huagang, Wang, Xinran, Liu, Jiangxia
Primary Examiner(s)
Patel, Ashok
Assistant Examiner(s)
GRACIA, GARY S

Application Number

US13/115,032
Publication Number

US 20120304244A1
Time in Patent Office

1,470 Days
Field of Search

726/1, 726/3, 726/11, 726/12, 726/22, 726/24, 726/25
US Class Current

1/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/53   by executing in a restricte...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/0428   wherein the data content is...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Malware analysis system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

151 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Malware analysis system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

151 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others