Systems and methods for dynamic cloud-based malware behavior analysis

US 9,152,789 B2
Filed: 03/26/2014
Issued: 10/06/2015
Est. Priority Date: 05/28/2008
Status: Active Grant

First Claim

Patent Images

1. A cloud-based method, comprising:

receiving known malware signatures at one or more nodes in a cloud-based system;

monitoring one or more users inline through the one or more nodes in the cloud-based system for regular traffic processing comprising malware detection and preclusion;

determining unknown content from a user of the one or more users is suspicious of being malware;

sending the unknown content to a behavioral analysis system for an offline analysis; and

receiving updated known malware signatures based on the offline analysis determined based on a combined score computed from both a static analysis and a dynamic analysis, which is performed using a queue ordered based on the static analysis and based on content type that determines which operating system the unknown content must be executed on for the dynamic analysis, the dynamic analysis is performed as a sandbox analysis, running the unknown content in a virtual machine in a closed manner, performing packet capture, screenshot image capture, listing of files created, deleted, and/or downloaded while running the unknown content, and evaluating in the dynamic analysis, JavaScript Object Notation (JSON) data generated, temporary files generated, system and registry files modified, files added or deleted, external communications, security bypass, data leakage, persistence, and processor, network, memory and file system usages.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cloud-based method, a behavioral analysis system, and a cloud-based security system can include a plurality of nodes communicatively coupled to one or more users, wherein the plurality of nodes each perform inline monitoring for one of the one or more users for security comprising malware detection and preclusion; and a behavioral analysis system communicatively coupled to the plurality of nodes, wherein the behavioral analysis system performs offline analysis for any suspicious content from the one or more users which is flagged by the plurality of nodes; wherein the plurality of nodes each comprise a set of known malware signatures for the inline monitoring that is periodically updated by the behavioral analysis system based on the offline analysis for the suspicious content.

Citations

15 Claims

1. A cloud-based method, comprising:
- receiving known malware signatures at one or more nodes in a cloud-based system;
  
  monitoring one or more users inline through the one or more nodes in the cloud-based system for regular traffic processing comprising malware detection and preclusion;
  
  determining unknown content from a user of the one or more users is suspicious of being malware;
  
  sending the unknown content to a behavioral analysis system for an offline analysis; and
  
  receiving updated known malware signatures based on the offline analysis determined based on a combined score computed from both a static analysis and a dynamic analysis, which is performed using a queue ordered based on the static analysis and based on content type that determines which operating system the unknown content must be executed on for the dynamic analysis, the dynamic analysis is performed as a sandbox analysis, running the unknown content in a virtual machine in a closed manner, performing packet capture, screenshot image capture, listing of files created, deleted, and/or downloaded while running the unknown content, and evaluating in the dynamic analysis, JavaScript Object Notation (JSON) data generated, temporary files generated, system and registry files modified, files added or deleted, external communications, security bypass, data leakage, persistence, and processor, network, memory and file system usages.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The cloud-based method of claim 1, further comprising:
    - performing one of blocking or allowing the unknown content to or from the user based on policy.
  - 3. The cloud-based method of claim 1, wherein the one or more users comprise a plurality of users associated with a plurality of companies, and further comprising:
    - receiving a policy setting for each of the plurality of companies, wherein the policy setting comprises whether or not to perform the offline analysis for the unknown content; and
      
      performing the regular traffic processing for the unknown content for users associated with companies with the policy setting of not performing the offline analysis, wherein the regular traffic processing comprises monitoring for malware based on the offline analysis of other users.
  - 4. The cloud-based method of claim 1, further comprising:
    - determining unknown content is suspicious based on analysis in the one or more nodes based on smart filtering determining that the unknown content is an unknown, active software file that performs some functionality on a user'"'"'s device.
  - 5. The cloud-based method of claim 1, further comprising:
    - storing the unknown content in the behavioral analysis system and maintaining an event log associated with the unknown content in the behavioral analysis system.
  - 6. The cloud-based method of claim 5, wherein the unknown content is stored in an encrypted format, and further comprising:
    - storing results data from various stages of the offline analysis of the unknown content, wherein the results data comprises static analysis results, JavaScript Object Notation (JSON) data from the dynamic analysis, packet capture data, screenshot images, and files created/deleted/downloaded during the dynamic analysis.
  - 7. The cloud-based method of claim 5, wherein the static analysis evaluates various properties of the unknown content and the dynamic analysis runs the unknown content on a virtual machine operating an appropriate operating system for the unknown content.
  - 8. The cloud-based method of claim 1, wherein the static analysis evaluates various properties of the unknown content using a set of tools based on a type of file of the unknown content, wherein the set of tools comprise any of checking third party services to match the unknown content to known viruses detected by various anti-virus engines, using a Perl Compatible Regular Expressions (PCRE) engine to check the unknown content for known signatures, identifying code signing certificates to form a whitelist of known benign content using Portable Executable (PE)/Common Object File Format (COFF) specifications, and evaluating destinations of any communications from the dynamic analysis.
  - 9. The cloud-based method of claim 1, wherein the dynamic analysis runs the unknown content on a virtual machine operating the appropriate operating system for the unknown content.
  - 10. The cloud-based method of claim 1, wherein the behavioral analysis system provides zero day/zero hour detection related to the unknown content for the cloud-based system such that responsive to determining the unknown content is malware, all nodes in the cloud-based system are updated accordingly.
  - 11. The cloud-based method of claim 1, wherein the cloud-based system is configured to monitor the one or more users without having native applications installed on each individual user device or user equipment and independent of operating system on each individual user device or user equipment.
  - 12. The cloud-based method of claim 1, wherein the combined score is automatically determined by the behavioral analysis system and modifiable by an operator of the behavioral analysis system.

13. A cloud-based security system, comprising:
- a plurality of nodes, having a plurality of hardware processors, communicatively coupled to one or more users, wherein the plurality of nodes are each formed by one or more servers and each perform inline monitoring for one of the one or more users for security comprising malware detection and preclusion, each node comprises a set of known malware signatures for the inline monitoring that is periodically updated by the behavioral analysis system based on the offline analysis for the suspicious content; and
  
  a behavioral analysis system, having a hardware processor, communicatively coupled to the plurality of nodes, wherein the behavioral analysis system performs offline analysis for any suspicious content from the one or more users which is flagged by the plurality of nodes, behavioral analysis system is configured to;
  
  perform the offline analysis as a combination of a static analysis and a dynamic analysis;
  
  perform the dynamic analysis as a sandbox analysis, running the suspicious content in a virtual machine in a closed manner, performing packet capture, screenshot image capture, and listing of files created, deleted, and/or downloaded while running the suspicious content;
  
  evaluate, in the dynamic analysis, JavaScript Object Notation (JSON) data generated, temporary files generated, system and registry files modified, files added or deleted, external communications, security bypass, data leakage, persistence, and processor, network, memory and file system usages;
  
  perform the dynamic analysis using a queue ordered based on the static analysis and based on content type, wherein the content type determines which operating system the suspicious content must be executed on for the dynamic analysis; and
  
  determine that unknown content is malware based on a combined score from both the static analysis and the dynamic analysis.
- View Dependent Claims (14, 15)
- - 14. The cloud-based security system of claim 13, wherein the static analysis evaluates various properties of the suspicious content using a set of tools based on a type of file of the suspicious content, wherein the set of tools comprise any of checking third party services to match the suspicious content to known viruses detected by various anti-virus engines, using a Perl Compatible Regular Expressions (PCRE) engine to check the suspicious content for known signatures, identifying code signing certificates to form a whitelist of known benign content using Portable Executable (PE)/Common Object File Format (COFF) specifications, and evaluating destinations of any communications from the dynamic analysis.
  - 15. The cloud-based security system of claim 13, wherein the dynamic analysis runs the suspicious content on a virtual machine operating the appropriate operating system for the suspicious content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Zscaler Incorporated
Inventors
Natarajan, Sriram, Paul, Narinder, Sobrier, Julien, Sutton, Michael Andrew William, Thamilarasu, Karthikeyan, Bayar, Balakrishna
Primary Examiner(s)
TURCHEN, JAMES R

Application Number

US14/225,557
Publication Number

US 20140208426A1
Time in Patent Office

559 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Systems and methods for dynamic cloud-based malware behavior analysis

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for dynamic cloud-based malware behavior analysis

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links