Systems and methods for dynamic cloud-based malware behavior analysis
First Claim
1. A cloud-based method, comprising:
- receiving known malware signatures at one or more nodes in a cloud-based system;
- monitoring one or more users inline through the one or more nodes in the cloud-based system for regular traffic processing comprising malware detection and preclusion;
- determining that unknown content from a user of the one or more users is suspicious of being malware;
- sending the unknown content to a behavioral analysis system for an offline analysis; and
- receiving updated known malware signatures based on the offline analysis, the offline analysis being determined based on a combined score computed from both a static analysis and a dynamic analysis, wherein the dynamic analysis is performed using a queue ordered based on the static analysis and based on content type, the content type determining which operating system the unknown content must be executed on for the dynamic analysis; wherein the dynamic analysis is performed as a sandbox analysis, running the unknown content in a virtual machine in a closed manner, performing packet capture, screenshot image capture, and listing of files created, deleted, and/or downloaded while running the unknown content; and evaluating in the dynamic analysis JavaScript Object Notation (JSON) data generated, temporary files generated, system and registry files modified, files added or deleted, external communications, security bypass, data leakage, persistence, and processor, network, memory and file system usages.
Abstract
A cloud-based method, a behavioral analysis system, and a cloud-based security system can include a plurality of nodes communicatively coupled to one or more users, wherein the plurality of nodes each perform inline monitoring for one of the one or more users for security comprising malware detection and preclusion; and a behavioral analysis system communicatively coupled to the plurality of nodes, wherein the behavioral analysis system performs offline analysis for any suspicious content from the one or more users which is flagged by the plurality of nodes; wherein the plurality of nodes each comprise a set of known malware signatures for the inline monitoring that is periodically updated by the behavioral analysis system based on the offline analysis for the suspicious content.
15 Claims
1. A cloud-based method (independent claim; text as given under First Claim above).
Dependent claims: 2 through 12.
13. A cloud-based security system, comprising:
- a plurality of nodes, having a plurality of hardware processors, communicatively coupled to one or more users, wherein the plurality of nodes are each formed by one or more servers and each perform inline monitoring for one of the one or more users for security comprising malware detection and preclusion, each node comprising a set of known malware signatures for the inline monitoring that is periodically updated by the behavioral analysis system based on the offline analysis for the suspicious content; and
- a behavioral analysis system, having a hardware processor, communicatively coupled to the plurality of nodes, wherein the behavioral analysis system performs offline analysis for any suspicious content from the one or more users which is flagged by the plurality of nodes, the behavioral analysis system being configured to:
  - perform the offline analysis as a combination of a static analysis and a dynamic analysis;
  - perform the dynamic analysis as a sandbox analysis, running the suspicious content in a virtual machine in a closed manner, performing packet capture, screenshot image capture, and listing of files created, deleted, and/or downloaded while running the suspicious content;
  - evaluate, in the dynamic analysis, JavaScript Object Notation (JSON) data generated, temporary files generated, system and registry files modified, files added or deleted, external communications, security bypass, data leakage, persistence, and processor, network, memory and file system usages;
  - perform the dynamic analysis using a queue ordered based on the static analysis and based on content type, wherein the content type determines which operating system the suspicious content must be executed on for the dynamic analysis; and
  - determine that unknown content is malware based on a combined score from both the static analysis and the dynamic analysis.

Dependent claims: 14, 15.
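The pipeline that claims 1 and 13 describe, as an added example that is not the patent's or any vendor's code: signature matching at the inline node, a heap ordered by static score with the content type selecting the sandbox operating system, and a combined static/dynamic score that promotes a sample to a new signature pushed back to the nodes. The content-type-to-OS table, the static heuristics, the indicator weights, the 0.5 threshold, and the sample files and sandbox reports are all constructed assumptions.

```python
import hashlib
import heapq

# Assumed content-type -> sandbox OS mapping and indicator weights (illustrative, not from the patent).
SANDBOX_OS = {"exe": "windows", "dll": "windows", "pdf": "windows", "apk": "android", "elf": "linux"}
DYNAMIC_WEIGHTS = {"external_communications": 0.2, "security_bypass": 0.3,
                   "data_leakage": 0.3, "persistence": 0.2}

def signature_of(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()
def inline_check(signatures: set, content: bytes) -> str:
    """Node-side step: block a signature hit, forward unknown content for offline analysis."""
    return "block" if signature_of(content) in signatures else "forward"
def static_score(sample: dict) -> float:
    """Assumed static heuristics: entropy and packer flags contribute equally."""
    return 0.5 * sample.get("high_entropy", False) + 0.5 * sample.get("packed", False)
def enqueue(queue: list, sample: dict) -> None:
    """Heap ordered by static score (highest first); content type fixes the sandbox OS."""
    os_name = SANDBOX_OS[sample["content_type"]]
    heapq.heappush(queue, (-static_score(sample), os_name, sample["name"], sample))
def combined_score(sample: dict, report: dict) -> float:
    """Weighted blend of the static score and the sandbox indicators named in the claims."""
    dynamic = sum(w for key, w in DYNAMIC_WEIGHTS.items() if report.get(key))
    return 0.4 * static_score(sample) + 0.6 * dynamic
def process_queue(queue: list, sandbox, signatures: set, threshold: float = 0.5) -> list:
    """Drain the queue in priority order; samples at or above threshold become new signatures."""
    verdicts = []
    while queue:
        _, os_name, name, sample = heapq.heappop(queue)
        report = sandbox(sample, os_name)                    # closed VM run, modelled as a callback
        score = combined_score(sample, report)
        if score >= threshold:
            signatures.add(signature_of(sample["content"]))  # pushed back to the inline nodes
        verdicts.append((name, os_name, round(score, 2)))
    return verdicts

# Constructed samples and canned sandbox reports standing in for real VM runs.
SAMPLES = [
    {"name": "report.pdf", "content_type": "pdf", "content": b"%PDF-1.4 text", "high_entropy": False, "packed": False},
    {"name": "dropper.exe", "content_type": "exe", "content": b"MZ packed stub", "high_entropy": True, "packed": True},
    {"name": "tool.apk", "content_type": "apk", "content": b"PK apk", "high_entropy": False, "packed": True},
]
REPORTS = {"dropper.exe": {"external_communications": True, "persistence": True},
           "tool.apk": {"data_leakage": True}, "report.pdf": {}}
def demo():
    signatures = {signature_of(b"known bad")}   # the node's initial signature set
    queue = []
    for sample in SAMPLES:
        if inline_check(signatures, sample["content"]) == "forward":
            enqueue(queue, sample)
    verdicts = process_queue(queue, lambda sample, os_name: REPORTS[sample["name"]], signatures)
    return verdicts, signatures
```

Note that tool.apk carries a static indicator yet stays below the threshold because its dynamic evidence is weak, which is the point of combining the two scores rather than acting on either alone.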