Malicious content analysis using simulated user interaction without user involvement
Abstract
Techniques for detecting malicious content using simulated user interactions are described herein. In one embodiment, a monitoring module monitors activities of a malicious content suspect executed within a sandboxed operating environment. In response to detection of a predetermined event triggered by the malicious content suspect requesting a user action on a graphical user interface (GUI) presented by the malicious content suspect, a user interaction module simulates a user interaction with the GUI without user intervention. An analysis module analyzes activities of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious.
44 Claims
1. A computer-implemented method for detecting malicious content, the method comprising:
monitoring, by a monitoring module executed by a processor, behaviors of a malicious content suspect executed within a sandboxed operating environment;
detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction;
in response to detecting the event to display the GUI triggered by the malicious content suspect, simulating, by a user interaction module executed by the processor, the user interaction with the GUI without user intervention; and
analyzing, by an analysis module executed by the processor, behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,
wherein simulating the user interaction comprises automatically, without user intervention, sending a response representing an activation of a predetermined button of the dialog box for receipt by the malicious content suspect.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A computer-implemented method for detecting malicious content, the method comprising:
monitoring, by a monitoring module executed by a processor, behaviors of a malicious content suspect executed within a sandboxed operating environment;
detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction;
in response to detecting the event to display the dialog box triggered by the malicious content suspect, simulating, by a user interaction module executed by the processor, the user interaction with the GUI without user intervention; and
analyzing, by an analysis module executed by the processor, behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,
wherein simulating the user interaction comprises automatically, without user intervention, sending a command representing an activation of a predetermined button presented by the dialog box for receipt by the malicious content suspect, the command representing execution or storage of an attached file.
Dependent claims: 11.

12. A computer-implemented method for detecting malicious content, the method comprising:
monitoring, by a monitoring module executed by a processor, behaviors of a malicious content suspect executed within a sandboxed operating environment;
detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction;
in response to detecting the event to display the dialog box triggered by the malicious content suspect, simulating, by a user interaction module executed by the processor, the user interaction with the GUI without user intervention; and
analyzing, by an analysis module executed by the processor, behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,
wherein simulating the user interaction comprises intercepting a system call received from the malicious content suspect to an operating system for displaying the GUI, and returning a return code to the malicious content suspect without sending the system call to the operating system, the return code indicating a user action representing a CLOSE command to prevent the GUI from being displayed.

13. A computer-implemented method for detecting malicious content, the method comprising:
monitoring, by a monitoring module executed by a processor, behaviors of a malicious content suspect executed within a sandboxed operating environment;
detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction;
in response to detecting the event to display the dialog box triggered by the malicious content suspect, simulating, by a user interaction module executed by the processor, the user interaction with the GUI without user intervention; and
analyzing, by an analysis module executed by the processor, behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,
wherein simulating the user interaction comprises intercepting a system call received from the malicious content suspect to an operating system for displaying the GUI, forwarding the system call to the operating system to display the GUI, transmitting, without user intervention, a command to the operating system simulating a user activation of a CLOSE button of the GUI to terminate the GUI, and returning a return code received from the operating system to the malicious content suspect, the return code representing a status of executing the simulated CLOSE command by the operating system.

14. A computer-implemented method for detecting malicious content, the method comprising:
monitoring, by a monitoring module executed by a processor, behaviors of a malicious content suspect executed within a sandboxed operating environment;
detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction;
in response to detecting the event to display the dialog box triggered by the malicious content suspect, simulating, by a user interaction module executed by the processor, the user interaction with the GUI without user intervention; and
analyzing, by an analysis module executed by the processor, behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,
wherein simulating the user interaction comprises (i) intercepting a system call received from the malicious content suspect to an operating system for displaying the GUI, the GUI prompting a user to select a file for access, (ii) automatically, without user intervention, selecting a file based on the type of file requested by the system call, and (iii) populating and returning a return structure for the selected file without sending the system call to the operating system.

15. A computer-implemented method for detecting malicious content, the method comprising:
monitoring, by a monitoring module executed by a processor, behaviors of a malicious content suspect executed within a sandboxed operating environment;
detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction;
in response to detecting the event to display the dialog box triggered by the malicious content suspect, simulating, by a user interaction module executed by the processor, the user interaction with the GUI without user intervention; and
analyzing, by an analysis module executed by the processor, behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,
wherein simulating the user interaction comprises invoking an automated scripting environment to simulate user interaction on the GUI.
Dependent claims: 16, 17, 18, 19.

20. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations comprising:
monitoring behaviors of a malicious content suspect executed within a sandboxed operating environment;
detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction;
in response to detecting the event to display the GUI triggered by the malicious content suspect, simulating the user interaction with the GUI without user intervention; and
analyzing behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,
wherein simulating the user interaction comprises automatically, without user intervention, sending a response representing an activation of a predetermined button of the dialog box for receipt by the malicious content suspect.
Dependent claims: 21, 22, 23, 24, 25, 26, 27, 28.

29. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations comprising:
monitoring behaviors of a malicious content suspect executed within a sandboxed operating environment;
detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction;
in response to detecting the event to display the GUI triggered by the malicious content suspect, simulating the user interaction with the GUI without user intervention; and
analyzing behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,
wherein simulating the user interaction comprises automatically, without user intervention, sending a command representing an activation of a predetermined button presented by the GUI for receipt by the malicious content suspect, the command representing execution or storage of an attached file.
Dependent claims: 30.

31. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations comprising:
monitoring behaviors of a malicious content suspect executed within a sandboxed operating environment;
detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction;
in response to detecting the event to display the GUI triggered by the malicious content suspect, simulating the user interaction with the GUI without user intervention; and
analyzing behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,
wherein simulating the user interaction comprises intercepting a system call received from the malicious content suspect to an operating system for displaying the GUI, and returning a return code to the malicious content suspect without sending the system call to the operating system, the return code indicating a user action representing a CLOSE command to prevent the GUI from being displayed.

32. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations comprising:
monitoring behaviors of a malicious content suspect executed within a sandboxed operating environment;
detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction;
in response to detecting the event to display the GUI triggered by the malicious content suspect, simulating the user interaction with the GUI without user intervention; and
analyzing behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,
wherein simulating the user interaction comprises intercepting a system call received from the malicious content suspect to an operating system for displaying the GUI, forwarding the system call to the operating system to display the GUI, transmitting, without user intervention, a command to the operating system simulating a user activation of a CLOSE button of the GUI to terminate the GUI, and returning a return code received from the operating system to the malicious content suspect, the return code representing a status of executing the simulated CLOSE command by the operating system.

33. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations comprising:
monitoring behaviors of a malicious content suspect executed within a sandboxed operating environment;
detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction;
in response to detecting the event to display the GUI triggered by the malicious content suspect, simulating the user interaction with the GUI without user intervention; and
analyzing behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,
wherein simulating the user interaction comprises intercepting a system call received from the malicious content suspect to an operating system for displaying the GUI, the GUI prompting a user to select a file for access, automatically, without user intervention, selecting a file based on the type of file requested by the system call, and populating and returning a return structure for the selected file without sending the system call to the operating system.

34. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations comprising:
monitoring behaviors of a malicious content suspect executed within a sandboxed operating environment;
detecting, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction;
in response to detecting the event to display the GUI triggered by the malicious content suspect, simulating the user interaction with the GUI without user intervention; and
analyzing behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,
wherein simulating the user interaction comprises invoking an automated scripting environment to simulate user interactions on the GUI.

35. A malicious content detection system, comprising:
a processor; and
a memory coupled to the processor, the memory to store
a monitoring module that, when executed by the processor, (i) monitors behaviors of a malicious content suspect executed within a sandboxed operating environment and (ii) detects, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction,
a user interaction module in communication with the monitoring module that, when executed by the processor and in response to detecting the event to display the GUI triggered by the malicious content suspect, simulates the user interaction with the GUI without user intervention by automatically sending a response representing an activation of a predetermined button of the dialog box for receipt by the malicious content suspect, and
an analysis module to analyze behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious.
Dependent claims: 36, 37, 38, 39, 40, 41, 42.

43. A malicious content detection system comprising:
a processor; and
a memory coupled to the processor, the memory to store
a monitoring module that, when executed by the processor, (i) monitors behaviors of a malicious content suspect executed within a sandboxed operating environment and (ii) detects, while monitoring, an event triggered by the malicious content suspect to display a graphical user interface (GUI) operating as a dialog box that prompts for user interaction,
a user interaction module in communication with the monitoring module that, when executed by the processor and in response to detecting the event to display the GUI triggered by the malicious content suspect, simulates the user interaction with the GUI without user intervention by automatically sending a response representing an activation of a predetermined button of the dialog box for receipt by the malicious content suspect, and
an analysis module to analyze behaviors of the malicious content suspect in response to the simulated user interaction to determine whether the malicious content suspect should be declared as malicious,
wherein the user interaction module is configured to automatically, without user intervention, send a command representing an activation of a predetermined button presented by the GUI for receipt by the malicious content suspect, the command representing execution or storage of an attached file.
Dependent claims: 44.
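The mechanism the abstract and the independent claims describe (hook the call that would display a dialog, answer it with a predetermined button or with a CLOSE result, hand a decoy to a file-selection dialog, then judge the behaviors that follow) can be modelled end to end in a short script. The Python below is an added illustration and is not code from the patent or from any product built on it. The MB_* and ID* values are the genuine Win32 constants; everything else (the hooked API table, the decoy paths, the sample named `suspect`, the two detection rules and the `Sandbox` class) is a constructed stand-in for an in-guest hook so that it runs offline. It models the predetermined-button mode of claims 1, 10, 20 and 29, the suppress-without-forwarding mode of claims 12 and 31, and the file-selection mode of claims 14 and 33; the forward-then-close variant (claims 13, 32) and the scripting-environment variant (claims 15, 34) need a live window system and are not modelled.

```python
"""Model of a sandbox that answers a suspect's dialog boxes without a user.

Added illustration, not the patent's or any vendor's code. MB_*/ID* are the
genuine Win32 constants; the API table, decoy files, sample and rules are
constructed stand-ins so the script runs offline.
"""
from dataclasses import dataclass, field

# Genuine Win32 MessageBox button styles and return codes (winuser.h).
MB_OK, MB_OKCANCEL, MB_YESNO = 0x0, 0x1, 0x4
MB_TYPEMASK = 0xF
IDOK, IDCANCEL, IDYES = 1, 2, 6

# "Predetermined button" per dialog style (claim 1): choose the answer that
# lets the sample continue, because the post-click behavior is what we score.
PREFERRED_BUTTON = {MB_OK: IDOK, MB_OKCANCEL: IDOK, MB_YESNO: IDYES}

# Decoys handed to a file-selection dialog by requested type (claim 14).
# Constructed paths; a real sandbox plants such files in the guest image.
DECOY_FILES = {
    "*.docx": r"C:\Users\victim\Documents\Q3-invoice.docx",
    "*.exe": r"C:\Users\victim\Downloads\setup.exe",
}


@dataclass
class Sandbox:
    """Hooked API surface the suspect sees. mode is 'click' or 'suppress'."""
    mode: str = "click"
    trace: list = field(default_factory=list)

    # -- monitoring module: every hooked call is recorded before it is answered --
    def _record(self, api, **args):
        self.trace.append((api, args))

    # -- user interaction module --
    def MessageBoxA(self, text, caption, flags):
        self._record("MessageBoxA", caption=caption, text=text, flags=flags)
        if self.mode == "suppress":
            # Claim 12: never forward to the OS; answer as a dismissed dialog would.
            return IDCANCEL
        # Claims 1/10: synthesize activation of the predetermined button.
        return PREFERRED_BUTTON.get(flags & MB_TYPEMASK, IDOK)

    def GetOpenFileNameA(self, ofn):
        """ofn is a dict standing in for OPENFILENAME; lpstrFilter is NUL-delimited."""
        self._record("GetOpenFileNameA", filter=ofn["lpstrFilter"])
        patterns = ofn["lpstrFilter"].split("\0")[1::2]  # every second entry is a pattern
        for pat in patterns:
            if pat in DECOY_FILES:
                ofn["lpstrFile"] = DECOY_FILES[pat]  # populate the structure ourselves
                return True
        return False  # no decoy of that type: behave like a Cancel

    # -- hooked calls the suspect makes after the dialog; only logged here --
    def CreateFileA(self, path):
        self._record("CreateFileA", path=path)

    def InternetConnectA(self, host, port):
        self._record("InternetConnectA", host=host, port=port)


def suspect(api):
    """Constructed sample: dormant until the 'user' confirms, then drops and beacons."""
    if api.MessageBoxA("Enable editing to view this document?", "Office", MB_YESNO) != IDYES:
        return
    ofn = {"lpstrFilter": "Word Documents\0*.docx\0All Files\0*.*\0", "lpstrFile": ""}
    if not api.GetOpenFileNameA(ofn):
        return
    api.CreateFileA(r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                    r"\Start Menu\Programs\Startup\update.exe")
    api.InternetConnectA("198.51.100.7", 443)


# -- analysis module: rules over behaviors observed after the simulated interaction --
RULES = {
    "startup_persistence": lambda api, a: api == "CreateFileA" and "\\Startup\\" in a["path"],
    "outbound_connection": lambda api, a: api == "InternetConnectA",
}


def analyze(trace):
    """Return (sorted matched rule names, declared malicious?) for a trace."""
    hits = sorted({n for n, r in RULES.items() for api, a in trace if r(api, a)})
    return hits, bool(hits)


def run(mode="click"):
    """Detonate the constructed sample under one interaction policy."""
    api = Sandbox(mode=mode)
    suspect(api)
    return analyze(api.trace)


if __name__ == "__main__":
    print("click    :", run("click"))     # rules fire: sample got past the prompt
    print("suppress :", run("suppress"))  # nothing fires: sample stayed dormant
```

Running both policies side by side is the point: a sample gated on the user's answer looks clean when its dialog is merely closed, which is why the predetermined button should be the one that lets execution proceed, and why the CLOSE-style answer of claims 12 and 13 is better reserved for dialogs that would otherwise block the run. Two caveats for anyone building this for real: the hook has to sit in the guest on the actual display path (for Win32, the user32 and comdlg32 entry points the sample imports, or the window messages they generate), and an instantly answered dialog is itself a signal, so samples that time the interval between display and response can use it to detect the sandbox.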