System and method for network behavior detection

US 9,241,010 B1
Filed: 03/20/2014
Issued: 01/19/2016
Est. Priority Date: 03/20/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malicious behavior, comprising:

processing a malicious content suspect within a virtual machine that simulates a target operating environment associated with the malicious content suspect;

receiving a communication response object as a result of processing the malicious content suspect;

parsing the communication response object into at least a first sub-object and a second sub-object;

sending the first sub-object to a first communication behavior detector in response to determining the first sub-object is a compatible input for the first communication behavior detector;

sending the second sub-object to a second communication behavior detector in response to determining the second sub-object is a compatible input for the second communication behavior detector;

determining, by the first communication behavior detector, a first behavior match result for the first sub-object of the communication response object;

determining, by the second communication behavior detector, a second behavior match result for the second sub-object of the communication response object;

aggregating the first behavior match result with the second behavior match result, wherein a malicious behavior score is calculated according to an aggregated result from all matches; and

classifying the malicious content suspect according to the malicious behavior score.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for detecting malicious behavior of content or objects are described herein. According to one embodiment, a malicious content suspect is executed within a virtual machine that simulates a target operating environment associated with the malicious content suspect. A communication response object is received as a result of processing the malicious content suspect. A first behavior match result for a first sub-object of the communication response object is determined. A second behavior match result for a second sub-object of the communication response object is also determined. The first and second behavior match results are aggregated and a malicious behavior score is calculated according to the aggregated result from all matches. The malicious content suspect is classified according to the malicious behavior score.

548 Citations

35 Claims

1. A computer-implemented method for detecting malicious behavior, comprising:
- processing a malicious content suspect within a virtual machine that simulates a target operating environment associated with the malicious content suspect;
  
  receiving a communication response object as a result of processing the malicious content suspect;
  
  parsing the communication response object into at least a first sub-object and a second sub-object;
  
  sending the first sub-object to a first communication behavior detector in response to determining the first sub-object is a compatible input for the first communication behavior detector;
  
  sending the second sub-object to a second communication behavior detector in response to determining the second sub-object is a compatible input for the second communication behavior detector;
  
  determining, by the first communication behavior detector, a first behavior match result for the first sub-object of the communication response object;
  
  determining, by the second communication behavior detector, a second behavior match result for the second sub-object of the communication response object;
  
  aggregating the first behavior match result with the second behavior match result, wherein a malicious behavior score is calculated according to an aggregated result from all matches; and
  
  classifying the malicious content suspect according to the malicious behavior score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the first communication behavior detector determines whether information within the first sub-object matches one or more identifiers associated with malicious activity.
  - 3. The method of claim 1, wherein the first behavior match result is determined by comparing a behavior characteristic of the first sub-object to an identifier.
  - 4. The method of claim 3, wherein the identifier is one or more of:
    - a suspicious Dynamic Domain Name System (DDNS) identifier,an email communication identifier, ora network traffic pattern related to data theft.
  - 5. The method of claim 1, wherein the malicious behavior score is related to a probability that the communication response object indicates the malicious content suspect should be classified as malware.
  - 6. The method of claim 1, further comprising:
    - classifying the malicious content suspect as malware in response to determining the malicious behavior score reaches a predetermined threshold; and
      
      creating, in response classifying the malicious content suspect as malware, one or more of;
      
      a malware alert notification, or a malicious fingerprint.
  - 7. The method of claim 3, wherein the identifier comprises one or more suspicious Dynamic Domain Name System (DDNS) identifiers.
  - 8. The method of claim 3, wherein the identifier comprises one or more identifiers that correspond to free Dynamic Domain Name System (DDNS) servers.
  - 9. The method of claim 3, wherein the identifier comprises one or more content exfiltration identifiers.
  - 10. The method of claim 3, wherein the one or more content exfiltration identifiers comprises at least an identifier that identifies a software product operating within the virtual machine.
  - 11. The method of claim 3, wherein the one or more content exfiltration identifiers comprises at least an identifier that identifies a serial number of a hardware component.

12. A computer-implemented method for detecting malicious behavior, comprising:
- processing a malicious content suspect within a virtual machine that simulates a target operating environment associated with the malicious content suspect;
  
  receiving a communication response object as a result of processing the malicious content suspect;
  
  determining, by a communication behavior analyzer, a first behavior match result for a first sub-object of the communication response object, and a second behavior match result for a second sub-object of the communication response object;
  
  receiving an execution response object as a result of processing the malicious content suspect;
  
  determining, by an execution behavior analyzer, a third behavior match result for the execution response object;
  
  aggregating the first behavior match result with the second behavior match result and the third behavior match result, wherein a malicious behavior score is calculated according to an aggregated result of at least the first behavior match result, the second behavior match result and the third behavior match result;
  
  classifying the malicious content suspect according to the malicious behavior score.

13. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to detect malicious behavior detection, comprising:
- a communication behavior analyzer, when executed by the processor, to receive a communication response object as a result of processing of a malicious content suspect within a virtual machine, the communication behavior analyzer comprisesa parser to parse the communication response object into at least a first sub-object and a second sub-object, provide the first sub-object to a first communication behavior detector in response to determining the first sub-object is a compatible input for the first communication behavior detector, and provide the second sub-object to a second communication behavior detector in response to determining the second sub-object is a compatible input for the second communication behavior detector,a first communication behavior detector to determine a first behavior match result for the first sub-object of the communication response object;
  
  a second communication behavior detector to determine a second behavior match result for the second sub-object of the communication response object;
  
  an aggregator, when executed by the processor, to aggregate the first behavior match result with the second behavior match result, wherein a malicious behavior score is calculated according to an aggregated result from all matches; and
  
  a classifier, when executed by the processor, to classify the malicious content suspect according to the malicious behavior score.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The medium of claim 13, wherein the first communication behavior detector determines whether information within the first sub-object matches one or more identifiers associated with malicious activity.
  - 15. The medium of claim 13, wherein the first communication behavior detector of the communication behavior analyzer to determine the first behavior match result by comparing a behavior characteristic of a sub-object to an identifier.
  - 16. The medium of claim 15, wherein the identifier is one or more of:
    - a suspicious Dynamic Domain Name System (DDNS) identifier,an email communication identifier, ora network traffic pattern related to data theft.
  - 17. The medium of claim 13, wherein the malicious behavior score is related to a probability that the communication response object indicates the malicious content suspect should be classified as malware.
  - 18. The medium of claim 13, further comprising:
    - a reporting module, when exposed by the processor to create, in response classifying the malicious content suspect as malware in response to the classifier determining that the malicious behavior score reaches a predetermined threshold, one or more of;
      
      a malware alert notification, or a malicious fingerprint.

19. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to detect malicious behavior detection, comprising:
- a communication behavior analyzer that, when executed by the processor, is configured to receive a communication response object as a result of processing of a malicious content suspect within a virtual machine, determine a first behavior match result for a first sub-object of the communication response object, and a second behavior match result for a second sub-object of the communication response object;
  
  an execution behavior analyzer that, when executed by the processor, is configured to receive an execution response object as a result of processing the malicious content suspect and determine a third behavior match result for the execution response object;
  
  an aggregator, when executed by the processor, to aggregate the first behavior match result with the second behavior match result and the third behavior match result, wherein a malicious behavior score is calculated according to an aggregated result from all matches; and
  
  a classifier, when executed by the processor, to classify the malicious content suspect according to the malicious behavior score.

20. A data processing system, comprising:
- a hardware processor; and
  
  a memory coupled to the processor for storing instructions that, when executed by the processor, causes the processor to;
  
  process a malicious content suspect within a virtual machine that simulates a target operating environment associated with the malicious content suspect;
  
  receive a communication response object as a result of processing the malicious content suspect;
  
  parse the communication response object into at least a first sub-object and a second sub-object;
  
  provide the first sub-object to a first communication behavior detector in response to determining the first sub-object is a compatible input for the first communication behavior detector;
  
  provide the second sub-object to a second communication behavior detector in response to determining the second sub-object is a compatible input for the second communication behavior detector;
  
  determine a first behavior match result for the first sub-object of the communication response object, and a second behavior match result for a second sub-object of the communication response object;
  
  aggregate the first behavior match result with the second behavior match result, wherein a malicious behavior score is calculated according to an aggregated result from all matches; and
  
  classify the malicious content suspect according to the malicious behavior score.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The system of claim 20, wherein each behavior match result is determined by comparing a behavior characteristic of a sub-object to an identifier.
  - 22. The system of claim 21, wherein the identifier is one or more of:
    - a suspicious Dynamic Domain Name System (DDNS) identifier,an email communication identifier, ora network traffic pattern related to data theft.
  - 23. The system of claim 20, wherein the malicious behavior score is related to a probability that the communication response object indicates the malicious content suspect should be classified as malware.
  - 24. The system of claim 20, wherein the memory further comprises instructions that, when executed by the processor, cause the processor to:
    - receive an execution response object as a result of processing the malicious content suspect;
      
      determine a third behavior match result for the execution response object; and
      
      aggregate the third behavior match result with the aggregated results.
  - 25. The system of claim 20, wherein the memory further comprises instructions that, when executed by the processor, cause the processor to:
    - classify the malicious content suspect as malware in response to determining the malicious behavior score reaches a predetermined threshold; and
      
      create, in response classifying the malicious content suspect as malware, one or more of;
      
      a malware alert notification, or a malicious fingerprint.

26. A system for detecting malicious behavior, comprising:
- a hardware processor;
  
  a memory communicatively coupled to the hardware processor, the memory comprisesa communication behavior analyzer that, when executed by the processor, receives a communication response object as a result of processing of a malicious content suspect within a virtual machine, the communication behavior analyzer comprisesa parser to parse the communication response object into at least a first sub-object and a second sub-object, provide the first sub-object to a first communication behavior detector in response to determining the first sub-object is a compatible input for the first communication behavior detector, and provide the second sub-object to a second communication behavior detector in response to determining the second sub-object is a compatible input for the second communication behavior detector,a first communication behavior detector to determine a first behavior match result for the first sub-object of the communication response object, anda second communication behavior detector to determine a second behavior match result for the second sub-object of the communication response object;
  
  an aggregator, when executed by the processor, to aggregate the first behavior match result with the second behavior match result, wherein a malicious behavior score is calculated according to an aggregated result from all matches; and
  
  a classifier, when executed by the processor, to classify the malicious content suspect according to the malicious behavior score.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 27. The system of claim 26, wherein the first communication behavior detector, when executed by the processor, determines whether information within the first sub-object matches one or more identifiers associated with malicious activity.
  - 28. The system of claim 26, wherein the first communication behavior detector, when executed by the processor, determines the first behavior match result by comparing a behavior characteristic of a sub-object to an identifier.
  - 29. The system of claim 28, wherein the identifier is one or more of:
    - a suspicious Dynamic Domain Name System (DDNS) identifier,an email communication identifier, ora network traffic pattern related to data theft.
  - 30. The system of claim 26, wherein the malicious behavior score is related to a probability that the communication response object indicates the malicious content suspect should be classified as malware.
  - 31. The system of claim 28, wherein the identifier comprises one or more suspicious Dynamic Domain Name System (DDNS) identifiers.
  - 32. The system of claim 28, wherein the identifier comprises one or more identifiers that correspond to free Dynamic Domain Name System (DDNS) servers.
  - 33. The system of claim 28, wherein the identifier comprises one or more content exfiltration identifiers.
  - 34. The system of claim 33, wherein the one or more content exfiltration identifiers comprises at least an identifier that identifies a software product operating within the virtual machine.
  - 35. The system of claim 33, wherein the one or more content exfiltration identifiers comprises at least an identifier that identifies a serial number of a hardware component.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Bennett, James, Bu, Zheng
Primary Examiner(s)
SCOTT, RANDY A

Application Number

US14/221,199
Time in Patent Office

670 Days
Field of Search

726/2, 726/5, 726/12, 726/24
US Class Current

1/1
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 40/205   Parsing

G06F 9/45558   Hypervisor-specific managem...

H04L 61/4511   using domain name system [DNS]

H04L 61/5076   Update or notification mech...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

System and method for network behavior detection

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

548 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for network behavior detection

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

548 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links