Malware analysis system
First Claim
1. A system, comprising:
a first device comprising a first processor configured to execute a firewall, and a second device comprising a second processor configured to execute a virtual machine, wherein the executing the firewall using the first processor of the first device comprises:
using the firewall to identify an application type associated with a network traffic flow;
using the firewall to select a decoder to decode the network traffic flow based at least in part on the identified application type, wherein decoding the network traffic flow includes assembling one or more packets associated with the network traffic flow into a correct order;
using the firewall to decrypt the network traffic flow to generate a potential malware sample from at least a portion of the network traffic flow, wherein a preexisting signature does not match the potential malware sample, wherein the potential malware sample is related to a Portable Document Format (PDF) file; and
sending the potential malware sample from the firewall to the virtual machine; and
wherein the executing the virtual machine using the second processor of the second device comprises:
analyzing the potential malware sample using the virtual machine to determine if the potential malware sample is malware, wherein analyzing the potential malware using the virtual machine includes monitoring behavior of the potential malware sample during emulation using the virtual machine to identify malware, wherein the monitored behaviors that indicate potential malware include one or more of the following:
visiting a domain associated with a domain name length that exceeds a threshold, and communicating using an HTTP header associated with a shorter than threshold length;
determining a score associated with one or more network traffic behaviors associated with the potential malware sample monitored using the virtual machine;
automatically generating a signature using the virtual machine if the potential malware sample is determined to be malware, wherein the determination of whether the potential malware sample comprises malware is based at least in part on the score, wherein the signature in the event that the potential malware sample is determined to be malware is generated based at least in part on at least a cross reference table included in the PDF file; and
sending the signature from the virtual machine to the firewall, wherein the firewall is configured to enforce a security policy for network access based at least in part on the signature.
Abstract
In some embodiments, a malware analysis system includes receiving a potential malware sample from a firewall; analyzing the potential malware sample using a virtual machine to determine if the potential malware sample is malware; and automatically generating a signature if the potential malware sample is determined to be malware. In some embodiments, the potential malware sample does not match a preexisting signature, and the malware is a zero-day attack.
151 Citations
19 Claims
16. A method, comprising:
using a firewall to identify an application type associated with a network traffic flow;
using the firewall to select a decoder to decode the network traffic flow based at least in part on the identified application type, wherein decoding the network traffic flow includes assembling one or more packets associated with the network traffic flow into a correct order;
using the firewall, executed by a first device, to decrypt the network traffic flow to generate a potential malware sample from at least a portion of the network traffic flow, wherein a preexisting signature does not match the potential malware sample, wherein the potential malware sample is related to a Portable Document Format (PDF) file;
sending the potential malware sample from the firewall to a virtual machine, executed by a second device;
analyzing the potential malware sample using the virtual machine to determine if the potential malware sample is malware, wherein analyzing the potential malware using the virtual machine includes monitoring behavior of the potential malware sample during emulation using the virtual machine to identify malware, wherein the monitored behaviors that indicate potential malware include one or more of the following:
visiting a domain associated with a domain name length that exceeds a threshold, and communicating using an HTTP header associated with a shorter than threshold length;
determining a score associated with one or more network traffic behaviors associated with the potential malware sample monitored using the virtual machine;
automatically generating a signature using the virtual machine if the potential malware sample is determined to be malware, wherein the determination of whether the potential malware sample comprises malware is based at least in part on the score, wherein the signature if the potential malware sample is determined to be malware is generated based at least in part on a cross reference table included in the PDF file; and
sending the signature from the virtual machine to the firewall, wherein the firewall is configured to enforce a security policy for network access based at least in part on the signature.

18. A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
using a firewall to identify an application type associated with a network traffic flow;
using the firewall to select a decoder to decode the network traffic flow based at least in part on the identified application type, wherein decoding the network traffic flow includes assembling one or more packets associated with the network traffic flow into a correct order;
using the firewall, executed by a first device, to decrypt the network traffic flow to generate a potential malware sample from at least a portion of the network traffic flow, wherein a preexisting signature does not match the potential malware sample, wherein the potential malware sample is related to a Portable Document Format (PDF) file;
sending the potential malware sample from the firewall to a virtual machine, executed by a second device;
analyzing the potential malware sample using the virtual machine to determine if the potential malware sample is malware, wherein analyzing the potential malware using the virtual machine includes monitoring behavior of the potential malware sample during emulation using the virtual machine to identify malware, wherein the monitored behaviors that indicate potential malware include one or more of the following:
connecting to a non-standard HTTP port for HTTP traffic, visiting a domain associated with a domain name length that exceeds a threshold, and communicating using an HTTP header associated with a shorter than threshold length;
determining a score associated with one or more network traffic behaviors associated with the potential malware sample monitored using the virtual machine;
automatically generating a signature using the virtual machine if the potential malware sample is determined to be malware, wherein the determination of whether the potential malware sample comprises malware is based at least in part on the score, wherein the signature if the potential malware sample is determined to be malware is generated based at least in part on at least one of a script or a cross reference table included in the PDF file; and
sending the signature from the virtual machine to the firewall, wherein the firewall is configured to enforce a security policy for network access based at least in part on the signature.
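The virtual-machine side of claims 1, 16 and 18 (monitored network behaviors, a score, and a signature only for a sample judged malware) as an added example in Python; this is not the patent's or any vendor's implementation. The three indicators are the ones the claims name; the thresholds, the score cut-off, the event record layout, the sandbox observations and the minimal PDF are constructed assumptions.

```python
import hashlib, re
from collections import namedtuple

# Added example, not the patent's or any vendor's code. The claims name the
# indicators but not the values: thresholds and the event layout are assumptions.
MAX_DOMAIN_LEN = 40               # "domain name length that exceeds a threshold"
MIN_HEADER_LEN = 60               # "HTTP header ... shorter than threshold length"
STANDARD_HTTP_PORTS = {80, 8080}  # anything else is a "non-standard HTTP port"
MALWARE_SCORE = 2                 # score at or above which the sample is malware

# One HTTP request observed while the sample runs in the sandbox VM.
HttpEvent = namedtuple("HttpEvent", "host port raw_headers")

def score_events(events):
    """Score the monitored network behaviors: one point per distinct indicator."""
    hits = set()
    for ev in events:
        if len(ev.host) > MAX_DOMAIN_LEN:
            hits.add("long_domain")
        if len(ev.raw_headers) < MIN_HEADER_LEN:
            hits.add("short_http_header")
        if ev.port not in STANDARD_HTTP_PORTS:
            hits.add("nonstandard_http_port")
    return len(hits), sorted(hits)

def pdf_xref_signature(pdf_bytes):
    """Signature from the PDF cross-reference table ('xref' .. 'trailer'), or None."""
    m = re.search(rb"\bxref\b(.*?)\btrailer\b", pdf_bytes, re.DOTALL)
    if m is None:
        return None
    return "pdf-xref-sha256:" + hashlib.sha256(m.group(1).strip()).hexdigest()

def analyze(events, pdf_bytes):
    """Malware verdict from the score; a signature is emitted only for malware."""
    score, hits = score_events(events)
    is_malware = score >= MALWARE_SCORE
    return {"score": score, "hits": hits, "malware": is_malware,
            "signature": pdf_xref_signature(pdf_bytes) if is_malware else None}

# Constructed sandbox observations and a constructed minimal PDF body.
SAMPLE_EVENTS = [
    HttpEvent("update." + "a" * 45 + ".example", 8081, "GET /c HTTP/1.1\r\nHost: x\r\n\r\n"),
    HttpEvent("cdn.example", 80, "GET /img.png HTTP/1.1\r\nHost: cdn.example\r\n"
              "User-Agent: Reader/1.0\r\nAccept: */*\r\n\r\n"),
]
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\nxref\n0 2\n"
              b"0000000000 65535 f \n0000000009 00000 n \n"
              b"trailer<</Root 1 0 R/Size 2>>\nstartxref\n40\n%%EOF\n")
```

Calling analyze(SAMPLE_EVENTS, SAMPLE_PDF) scores 3 and returns a signature; the second event alone scores 0 and yields none, which is the claims' rule that the firewall only receives signatures for samples the score marks as malware.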
Specification