Systems and methods for detecting malicious PDF network content
Abstract
Systems and methods for detecting malicious PDF network content are provided herein. According to some embodiments, the methods may include at least the steps of examining received PDF network content to determine if one or more suspicious characteristics indicative of malicious network content are included in the PDF network content, providing PDF network content determined to include at least one suspicious characteristic to one or more virtual machines, and analyzing responses received from the one or more virtual machines to verify the inclusion of malicious network content in the PDF network content determined to include at least one suspicious characteristic.
53 Claims
1. A method comprising:
- adapting, by a digital device, a portable document format (PDF) parser, to evaluate a PDF document received over a network;
- using the PDF parser to examine, by the digital device, one or more portions of the PDF document to determine if one or more suspicious characteristics indicative of malicious network content are included in the one or more examined portions of the PDF document, wherein the one or more examined portions of the PDF document comprise less than an entirety of the PDF document; and
- when the one or more examined portions of the PDF document are determined to include one or more suspicious characteristics indicative of malicious network content, providing the PDF document to one or more virtual machines associated with the digital device to verify the inclusion of malicious network content in the one or more examined portions of the PDF document by processing at least the one or more examined portions of the PDF document by the one or more virtual machines so as to determine if the PDF document includes malicious network content.
Dependent claims: 2–13.

14. A non-transitory computer readable storage medium storing information that, when executed by a processor, cause a digital device to:
- adapt a portable document format (PDF) parser to evaluate a PDF document received over a network;
- parse the PDF document by the PDF parser, the parsed PDF document including a plurality of sections including a header section, a body section, a cross-reference table section and a trailer section;
- using the PDF parser, examine a subset of the plurality of sections of the PDF document to determine if one or more suspicious characteristics indicative of malicious network content are included in the subset of the plurality of sections of the PDF document, the subset of the plurality of sections is less than an entirety of the PDF document; and
- when any of the one or more examined sections included in the subset of the plurality of sections of the PDF document are determined to include one or more suspicious characteristics indicative of malicious network content, providing the PDF document to one or more virtual machines associated with the digital device to verify the inclusion of malicious network content in at least the subset of the plurality of sections of the PDF document.
Dependent claims: 15–27.

28. A non-transitory computer readable storage medium storing information that, when executed by a processor, cause a digital device to perform operations comprising:
- adapt a portable document format (PDF) parser to evaluate a PDF document received over a network;
- parse the PDF document by the PDF parser, the parsed PDF document including a plurality of sections including a header section, a body section, a cross-reference table section and a trailer section;
- using the PDF parser, examine content associated with one or more sections of the plurality of sections of the PDF document to determine if one or more suspicious characteristics indicative of malicious network content are included in the one or more sections of the plurality of sections of the PDF document, wherein the one or more sections of the plurality of sections of the PDF document are less than an entirety of the PDF document; and
- when any of the one or more sections of the plurality of sections of the PDF document are determined to include one or more suspicious characteristics indicative of malicious network content, providing the PDF document to one or more virtual machines associated with the digital device to verify the inclusion of malicious network content in the one or more sections of the plurality of sections of the PDF document, wherein verification of the inclusion of the malicious network content comprises execution of a PDF reader application by the one or more virtual machines to process the content of each of the one or more sections of the plurality of sections of the PDF document so as to determine if the content includes malicious network content.
Dependent claims: 29–36.

37. A non-transitory computer readable storage medium storing information that, when executed by a processor, cause a digital device to perform operations comprising:
- adapt a portable document format (PDF) parser to evaluate a PDF document received over a network;
- using the PDF parser, examine a subset of data forming the PDF document received over a network to determine if one or more suspicious characteristics indicative of malicious network content are included in the subset of the data of the PDF document, the subset of the data of the PDF document is less than an entirety of the PDF document; and
- responsive to the subset of the data of the PDF document being determined to include one or more suspicious characteristics indicative of malicious network content, (i) configuring one or more virtual machines associated with the digital device, and (ii) providing the subset of the data of the PDF document to the one or more virtual machines associated with the digital device to verify the inclusion of malicious network content in the subset of the data of the PDF document by processing the subset of the data of the PDF document by the one or more virtual machines so as to determine if the PDF document includes malicious network content.
Dependent claims: 38–45.

46. A method comprising:
- adapting, by a digital device, a portable document format (PDF) parser, to evaluate a PDF document received over a network;
- using the PDF parser, parsing the PDF document, the parsed PDF document including a plurality of sections including a header section, a body section, a cross-reference table section and a trailer section, wherein the plurality of sections is less than an entirety of the PDF document;
- using the PDF parser, examining one or more sections of the plurality of sections of the PDF document to determine if one or more suspicious characteristics indicative of malicious network content are included in any of the one or more examined sections of the PDF document; and
- when any of the one or more examined sections of the PDF document are determined to include one or more suspicious characteristics indicative of malicious network content, (i) configuring one or more virtual machines associated with the digital device, and (ii) providing one or more examined sections of the PDF document determined to include the suspicious characteristics to the one or more virtual machines associated with the digital device to verify inclusion of malicious network content in the one or more examined sections of the PDF document.
Dependent claims: 47–53.
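The claims above describe a two-stage pipeline: a PDF parser splits the document into header, body, cross-reference table and trailer sections, examines only a subset of them for suspicious characteristics, and only documents that trip a static check are sent on to a virtual machine for verification. The following Python sketch is an added illustration of that first stage and its escalation gate; it is not code from the patent, its assignee or any product. The patent does not enumerate the suspicious characteristics, so the indicator names used here (/JavaScript, /JS, /OpenAction, /AA, /Launch), the structural checks (missing %PDF- signature, missing xref table or trailer, no /Root), and the default choice of sections to examine are all assumptions. The two sample PDFs are constructed inline; the virtual-machine stage is represented only by the decision to escalate.

```python
import re
import zlib
from dataclasses import dataclass

# Assumed indicators. The patent text does not enumerate suspicious
# characteristics; these are names commonly tied to auto-executing content.
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")


@dataclass
class Sections:
    """The four sections the claims name: header, body, xref table, trailer."""
    header: bytes
    body: bytes
    xref: bytes
    trailer: bytes


def split_sections(data: bytes) -> Sections:
    """Split raw PDF bytes into sections. Keywords are matched at line start
    so that 'startxref' in the trailer is not mistaken for the 'xref' table."""
    nl = data.find(b"\n")
    header_end = len(data) if nl < 0 else nl + 1
    xrefs = list(re.finditer(rb"(?m)^xref\b", data))
    trailers = list(re.finditer(rb"(?m)^trailer\b", data))
    xref_start = xrefs[-1].start() if xrefs else len(data)
    trailer_start = trailers[-1].start() if trailers else len(data)
    body_end = min(xref_start, trailer_start)
    return Sections(
        header=data[:header_end],
        body=data[header_end:body_end],
        xref=data[xref_start:trailer_start] if xrefs else b"",
        trailer=data[trailer_start:] if trailers else b"",
    )


def _inflate_streams(body: bytes) -> bytes:
    """Decompress Flate streams so names packed into object streams are visible."""
    out = []
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", body, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-encoded or corrupt; the raw bytes are scanned anyway
    return b"".join(out)


def examine(data: bytes, sections=("header", "body", "trailer")) -> list:
    """Stage one: examine only the named sections (a subset of the document)
    and return the suspicious characteristics found, in a fixed order."""
    s = split_sections(data)
    findings = []
    if "header" in sections and not s.header.startswith(b"%PDF-"):
        findings.append("header: missing %PDF- signature")
    # PDF 1.5+ files may replace the xref table with a /XRef stream, so only
    # an absence of both is treated as suspicious.
    if "xref" in sections and not s.xref and not re.search(rb"/Type\s*/XRef", s.body):
        findings.append("xref: cross-reference table absent")
    if "trailer" in sections:
        if not s.trailer:
            findings.append("trailer: absent")
        elif b"/Root" not in s.trailer:
            findings.append("trailer: no /Root entry")
    if "body" in sections:
        scan = s.body + _inflate_streams(s.body)
        for name in SUSPICIOUS_NAMES:
            if re.search(re.escape(name) + rb"(?![A-Za-z])", scan):
                findings.append("body: %s present" % name.decode())
    return findings


def should_detonate(findings) -> bool:
    """Stage two gate: any finding sends the document on to a sandbox VM."""
    return bool(findings)


def build_sample(with_action: bool) -> bytes:
    """Constructed sample PDF (not from the patent). With with_action=True the
    catalog carries an /OpenAction whose JavaScript action dictionary is hidden
    inside a Flate-compressed object stream."""
    catalog = b"1 0 obj << /Type /Catalog /Pages 2 0 R"
    if with_action:
        catalog += b" /OpenAction 5 0 R"
    objs = [catalog + b" >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj"]
    if with_action:
        packed = zlib.compress(b"5 0 << /S /JavaScript /JS (app.alert(1)) >>")
        objs.append(b"4 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode "
                    b"/Length %d >>\nstream\n%s\nendstream endobj" % (len(packed), packed))
    return (b"%PDF-1.4\n" + b"\n".join(objs) +
            b"\nxref\n0 1\n0000000000 65535 f \ntrailer << /Size 6 /Root 1 0 R >>\n"
            b"startxref\n0\n%%EOF\n")


if __name__ == "__main__":
    for label, sample in (("benign", build_sample(False)), ("action", build_sample(True))):
        found = examine(sample)
        print(label, found, "-> detonate" if should_detonate(found) else "-> release")
```

The point of inflating streams before scanning is that an action dictionary placed inside an object stream is invisible to a naive byte search over the body, while a reader will still resolve and execute it; examining the decompressed content keeps the static stage honest about what the virtual-machine stage would actually see. The `sections` parameter is what makes the examination cover less than the whole document, as the claims require; passing a different tuple changes which checks run without touching the parser.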