Systems and methods for detecting malicious PDF network content

US 9,118,715 B2
Filed: 05/10/2012
Issued: 08/25/2015
Est. Priority Date: 11/03/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

adapting, by a digital device, a portable document format (PDF) parser, to evaluate a PDF document received over a network;

using the PDF parser to examine, by the digital device, one or more portions of the PDF document to determine if one or more suspicious characteristics indicative of malicious network content are included in the one or more examined portions of the PDF document, wherein the one or more examined portions of the PDF document comprise less than an entirety of the PDF document; and

when the one or more examined portions of the PDF document are determined to include one or more suspicious characteristics indicative of malicious network content,providing the PDF document to one or more virtual machines associated with the digital device to verify the inclusion of malicious network content in the one or more examined portions of the PDF document by processing at least the one or more examined portions of the PDF document by the one or more virtual machines so as to determine if the PDF document includes malicious network content.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for detecting malicious PDF network content are provided herein. According to some embodiments, the methods may include at least the steps of examining received PDF network content to determine if one or more suspicious characteristics indicative of malicious network content are included in the PDF network content, providing PDF network content determined to include at least one suspicious characteristic to one or more virtual machines, and analyzing responses received from the one or more virtual machines to verify the inclusion of malicious network content in the PDF network content determined to include at least one suspicious characteristic.

660 Citations

53 Claims

1. A method comprising:
- adapting, by a digital device, a portable document format (PDF) parser, to evaluate a PDF document received over a network;
  
  using the PDF parser to examine, by the digital device, one or more portions of the PDF document to determine if one or more suspicious characteristics indicative of malicious network content are included in the one or more examined portions of the PDF document, wherein the one or more examined portions of the PDF document comprise less than an entirety of the PDF document; and
  
  when the one or more examined portions of the PDF document are determined to include one or more suspicious characteristics indicative of malicious network content,providing the PDF document to one or more virtual machines associated with the digital device to verify the inclusion of malicious network content in the one or more examined portions of the PDF document by processing at least the one or more examined portions of the PDF document by the one or more virtual machines so as to determine if the PDF document includes malicious network content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the examining further comprises:
    - determining a score associated with the one or more suspicious characteristics for the PDF document, the score indicative of a probability that the PDF document includes malicious network content; and
      
      identifying the PDF document as suspicious if the score satisfies a threshold value.
  - 3. The method of claim 2, wherein the score is determined by an approximate Bayesian probability analysis using a corpus of malicious network content and a corpus of non-malicious network content.
  - 4. The method of claim 1, wherein a body portion of the PDF document is examined and the entirety of the PDF document is not examined prior to providing the PDF document to the one or more virtual machines.
  - 5. The method of claim 4, wherein the examining the PDF document includes applying heuristics to determine if at least one suspicious characteristic indicative of malicious network content is included in the PDF document.
  - 6. The method of claim 1, further comprising preventing the delivery of the PDF document verified to include malicious network content to a web browser application from which the delivery was requested.
  - 7. The method of claim 1, wherein the examining of the one or more portions of the PDF document further comprises:
    - examining at least one of a header section or a body section of the PDF document; and
      
      when the body section or the header section of the PDF document is determined to include one or more suspicious characteristics indicative of malicious network content, providing the PDF document to the one or more virtual machines associated with the digital device to verify the inclusion of malicious network content in the PDF document.
  - 8. The method of claim 7, wherein the examining of the one or more portions of the PDF document further comprises examining Javascript code within the body section of the PDF document.
  - 9. The method of claim 1, wherein the one or more virtual machines includes two or more augmented finite state machines, the two or more augmented finite state machines each including a configuration that includes at least one set of operating system instructions, at least one set of web browser instructions, and at least one set of PDF reader instructions, the configuration of each of the two or more augmented finite state machines being different from one another.
  - 10. The method of claim 1, wherein the examining of the one or more portions of the PDF document further comprises:
    - examining one or more of a header section, a body section, a trailer section, or a cross-reference table section of the PDF document; and
      
      providing the PDF document to the one or more virtual machines associated with the digital device to verify the inclusion of malicious network content in the PDF document when one or more of the body section, the header section, the trailer section or the cross-reference table section of the PDF document is determined to include one or more suspicious characteristics indicative of malicious network content.
  - 11. The method of claim 1, wherein responsive to the one or more examined portions of the PDF document being determined to include one or more suspicious characteristics indicative of malicious network content, the method further comprising configuring the one or more virtual machines associated with the digital device based at least on data associated with the PDF document.
  - 12. The method of claim 11, wherein the one or more virtual machines are configured based on one or more PDF specification version numbers of the PDF document.
  - 13. The method of claim 12, wherein the one or more PDF specification version numbers of the PDF document identify a plurality of PDF reader applications.

14. A non-transitory computer readable storage medium storing information that, when executed by a processor cause a digital device to:
- adapt a portable document format (PDF) parser to evaluate a PDF document received over a network;
  
  parse the PDF document by the PDF parser, the parsed PDF document including a plurality of sections including a header section, a body section, a cross-reference table section and a trailer section;
  
  using the PDF parser, examine a subset of the plurality of sections of the PDF document to determine if one or more suspicious characteristics indicative of malicious network content are included in the subset of the plurality of sections of the PDF document, the subset of the plurality of sections is less than an entirety of the PDF document; and
  
  when any of the one or more examined sections included in the subset of the plurality of sections of the PDF document are determined to include one or more suspicious characteristics indicative of malicious network content,providing the PDF document to one or more virtual machines associated with the digital device to verify the inclusion of malicious network content in at least the subset of the plurality of sections of the PDF document.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 15. The non-transitory computer readable storage medium of claim 14, wherein the examining further comprises:
    - determining a score associated with the one or more suspicious characteristics for the PDF document, the score indicative of a probability that the PDF document includes malicious network content; and
      
      identifying the PDF document as suspicious if the score satisfies a threshold value.
  - 16. The non-transitory computer readable storage medium of claim 15, wherein the score is determined by an approximate Bayesian probability analysis using a corpus of malicious network content and a corpus of non-malicious network content.
  - 17. The non-transitory computer readable storage medium of claim 15, wherein the body section of the PDF document is examined while at least one section of the plurality of sections of the PDF document is not examined prior to providing the PDF document to the one or more virtual machines.
  - 18. The non-transitory computer readable storage medium of claim 17, wherein the examining the subset of the plurality of sections of the PDF document includes applying heuristics to determine if at least one suspicious characteristic indicative of malicious network content is included in the subset of the plurality of sections of the PDF document.
  - 19. The non-transitory computer readable storage medium of claim 14, wherein the one or more virtual machines includes two or more augmented finite state machines, the two or more augmented finite state machines each including a configuration that includes at least one set of operating system instructions, at least one set of web browser instructions, and at least one set of PDF reader instructions, the configuration of each of the two or more augmented finite state machines being different from one another.
  - 20. The non-transitory computer readable storage medium of claim 14, further comprising associating the subset of the plurality of sections of the PDF document verified to include malicious network content with one or more domains from which the subset of the plurality of sections of the PDF document verified to include malicious network content was obtained, such that the one or more domains are a suspicious characteristic indicative of malicious network content.
  - 21. The non-transitory computer readable storage medium of claim 14, further comprising preventing the delivery of the PDF document verified to include malicious network content to a web browser application from which the delivery was requested.
  - 22. The non-transitory computer readable storage medium of claim 14, further comprising intercepting the PDF document before the examining of the PDF document.
  - 23. The non-transitory computer readable storage medium of claim 14, wherein the subset of the plurality of sections of the PDF document comprises at least one and no more than three of the header section, the body section, the cross-reference table section and the trailer section of the PDF document.
  - 24. The non-transitory computer readable storage medium of claim 14 further comprising configuring the one or more virtual machines associated with the digital device based on at least one or more PDF specification version numbers of the PDF document when any of the one or more examined sections included in the subset of the plurality of sections of the PDF document are determined to include one or more suspicious characteristics indicative of malicious network content.
  - 25. The non-transitory computer readable storage medium of claim 24, wherein the one or more PDF specification version numbers of the PDF document include a first version number and a second version number, the first version number being different than the second version number.
  - 26. The non-transitory computer readable storage medium of claim 24, wherein the one or more PDF specification version numbers of the PDF document identify a plurality of PDF reader applications.
  - 27. The non-transitory computer readable storage medium of claim 24, wherein the one or more PDF specification version numbers of the PDF document are included in the header of the PDF document.

28. A non-transitory computer readable storage medium storing information that, when executed by a processor, cause a digital device to perform operations comprising:
- adapt a portable document format (PDF) parser to evaluate a PDF document received over a network;
  
  parse the PDF document by the PDF parser, the parsed PDF document including a plurality of sections including a header section, a body section, a cross-reference table section and a trailer section;
  
  using the PDF parser, examine content associated with one or more sections of the plurality of sections of the PDF document to determine if one or more suspicious characteristics indicative of malicious network content are included in the one or more sections of the plurality of sections of the PDF document, wherein the one or more sections of the plurality of sections of the PDF document are less than an entirety of the PDF document; and
  
  when any of the one or more sections of the plurality of sections of the PDF document are determined to include one or more suspicious characteristics indicative of malicious network content,providing the PDF document to one or more virtual machines associated with the digital device to verify the inclusion of malicious network content in the one or more sections of the plurality of sections of the PDF document, wherein verification of the inclusion of the malicious network content comprises execution of a PDF reader application by the one or more virtual machines to process the content of each of the one or more sections of the plurality of sections of the PDF document so as to determine if the content includes malicious network content.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36)
- - 29. The non-transitory computer readable storage medium of claim 28, wherein the examining further comprises:
    - determining a score associated with the one or more suspicious characteristics for the PDF document, the score indicative of a probability that the PDF document includes malicious network content; and
      
      identifying the PDF document as suspicious if the score satisfies a threshold value.
  - 30. The non-transitory computer readable storage medium of claim 29, wherein the score is determined by an approximate Bayesian probability analysis using a corpus of malicious network content and a corpus of non-malicious network content.
  - 31. The non-transitory computer-readable storage medium of claim 29, wherein execution of the information by the processor causes the digital device to further perform operations comprising increasing at least one of a priority level and the score associated with the one or more suspicious characteristics associated with the content for the one or more sections of the plurality of sections of the PDF document when the PDF document includes more than one suspicious characteristic.
  - 32. The non-transitory computer readable storage medium of claim 28, wherein the examining the content for the one or more sections of the plurality of sections of the PDF document includes applying heuristics to determine if at least one suspicious characteristic indicative of malicious network content is included in the content of the one or more sections of the plurality of sections of the PDF document.
  - 33. The non-transitory computer readable storage medium of claim 28, wherein the one or more virtual machines includes two or more augmented finite state machines, the two or more augmented finite state machines each including a configuration that includes at least one set of operating system instructions, at least one set of web browser instructions, and at least one set of PDF reader instructions, the configuration of each of the two or more augmented finite state machines being different from one another.
  - 34. The non-transitory computer readable storage medium of claim 28, wherein execution of the information by the processor causes the digital device to further perform operations comprising preventing the delivery of the PDF document verified to include malicious network content to a web browser application from which the delivery was requested.
  - 35. The non-transitory computer readable storage medium of claim 28, wherein execution of the information by the processor causes the digital device to further perform operations comprising intercepting the PDF document propagating over the network before the examining of the content associated with the one or more sections of the plurality of sections of the PDF document.
  - 36. The non-transitory computer readable storage medium of claim 28, wherein the one or more examined sections of the PDF document includes a body section of the PDF document.

37. A non-transitory computer readable storage medium storing information that, when executed by a processor cause a digital device to perform operations comprising:
- adapt a portable document format (PDF) parser to evaluate a PDF document received over a network;
  
  using the PDF parser, examine a subset of data forming the PDF document received over a network to determine if one or more suspicious characteristics indicative of malicious network content are included in the subset of the data of the PDF document, the subset of the data of the PDF document is less than an entirety of the PDF document; and
  
  responsive to the subset of the data of the PDF document being determined to include one or more suspicious characteristics indicative of malicious network content, (i) configuring one or more virtual machines associated with the digital device, and (ii) providing the subset of the data of the PDF document to the one or more virtual machines associated with the digital device to verify the inclusion of malicious network content in the subset of the data of the PDF document by processing the subset of the data of the PDF document by the one or more virtual machines so as to determine if the PDF document includes malicious network content.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45)
- - 38. The non-transitory computer readable storage medium of claim 37, wherein the examining of the subset of the data further comprises:
    - determining a score associated with the one or more suspicious characteristics for the PDF document, the score indicative of a probability that the PDF document includes malicious network content; and
      
      identifying the PDF document as suspicious if the score satisfies a threshold value.
  - 39. The non-transitory computer readable storage medium of claim 38, wherein a body section of the subset of the data of the PDF document is examined while the entirety of the PDF document is not examined prior to providing the PDF document to the one or more virtual machines.
  - 40. The non-transitory computer readable storage medium of claim 37, wherein the examining the subset of the data of the PDF document includes applying heuristics to determine if at least one suspicious characteristic indicative of malicious network content is included in the subset of the data of the PDF document.
  - 41. The non-transitory computer readable storage medium of claim 37, wherein execution of the information by the processor causes the digital device to further perform operations comprising preventing the delivery of the subset of the data of the PDF document verified to include malicious network content to a web browser application from which the delivery was requested.
  - 42. The non-transitory computer readable storage medium of claim 37, wherein the configuring the one or more virtual machines associated with the digital device is based on at least one or more PDF specification version numbers of the PDF document when the subset of the data of the PDF document is determined to include one or more suspicious characteristics.
  - 43. The non-transitory computer readable storage medium of claim 42, wherein the one or more PDF specification version numbers of the PDF document include a first version number and a second version number, the first version number being different than the second version number.
  - 44. The non-transitory computer readable storage medium of claim 42, wherein the one or more PDF specification version numbers of the PDF document identify a plurality of PDF reader applications.
  - 45. The non-transitory computer readable storage medium of claim 37, wherein the examining of the subset of the data of the PDF document comprises examining contents of a body section of the PDF document.

46. A method comprising:
- adapting, by a digital device, a portable document format (PDF) parser, to evaluate a PDF document received over a network;
  
  using the PDF parser, parsing the PDF document, the parsed PDF document including a plurality of sections including a header section, a body section, a cross-reference table section and a trailer section, wherein the plurality of sections is less than an entirety of the PDF document;
  
  using the PDF parser, examining one or more sections of the plurality of sections of the PDF document to determine if one or more suspicious characteristics indicative of malicious network content are included in any of the one or more examined sections of the PDF document; and
  
  when any of the one or more examined sections of the PDF document are determined to include one or more suspicious characteristics indicative of malicious network content,(i) configuring one or more virtual machines associated with the digital device, and(ii) providing one or more examined sections of the PDF document determined to include the suspicious characteristics to the one or more virtual machines associated with the digital device to verify inclusion of malicious network content in the one or more examined sections of the PDF document.
- View Dependent Claims (47, 48, 49, 50, 51, 52, 53)
- - 47. The method of claim 46, wherein the examining of the one or more sections of the PDF document further comprises:
    - determining a score associated with the one or more suspicious characteristics for the PDF document, the score indicative of a probability that the PDF document includes malicious network content; and
      
      identifying the PDF document as suspicious if the score satisfies a threshold value.
  - 48. The method of claim 47, wherein the score is determined by an approximate Bayesian probability analysis using a corpus of malicious network content and a corpus of non-malicious network content.
  - 49. The method of claim 47, further comprising increasing at least one of a priority level and the score associated with the one or more suspicious characteristics of the PDF document upon determining more than one suspicious characteristic are included within the PDF document.
  - 50. The method of claim 46, wherein the examining the one or more sections of the PDF document includes examining at least a body section of the PDF document for suspicious characteristics without examining the entirety of the PDF document.
  - 51. The method of claim 46, wherein the one or more virtual machines include two or more augmented finite state machines, the two or more augmented finite state machines each including a configuration that includes at least one set of operating system instructions, at least one set of web browser instructions, and at least one set of PDF reader instructions, the configuration of each of the two or more augmented finite state machines being different from one another.
  - 52. The method of claim 46, further comprising associating the one or more examined sections of the PDF document verified to include malicious network content with one or more domains from which the one or more examined sections of the PDF document verified to include malicious network content was obtained, such that the one or more domains are a suspicious characteristic indicative of malicious network content.
  - 53. The method of claim 46, further comprising preventing the delivery of the PDF document verified to include malicious network content to a web browser application from which the delivery was requested.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Staniford, Stuart Gresley, Aziz, Ashar
Primary Examiner(s)
LESNIEWSKI, VICTOR D

Application Number

US13/469,046
Publication Number

US 20120222121A1
Time in Patent Office

1,202 Days
Field of Search

713/187, 713/188, 726/22, 726/23, 726/24, 726/25
US Class Current

1/1
CPC Class Codes

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

H04L 2463/144   Detection or countermeasure...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

Systems and methods for detecting malicious PDF network content

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

660 Citations

53 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detecting malicious PDF network content

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

660 Citations

53 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links