System and method for network behavior detection
First Claim
1. A computer-implemented method for detecting malicious behavior, comprising:
processing a malicious content suspect within a virtual machine that simulates a target operating environment associated with the malicious content suspect;
receiving a communication response object as a result of processing the malicious content suspect;
parsing the communication response object into at least a first sub-object and a second sub-object;
sending the first sub-object to a first communication behavior detector in response to determining the first sub-object is a compatible input for the first communication behavior detector;
sending the second sub-object to a second communication behavior detector in response to determining the second sub-object is a compatible input for the second communication behavior detector;
determining, by the first communication behavior detector, a first behavior match result for the first sub-object of the communication response object;
determining, by the second communication behavior detector, a second behavior match result for the second sub-object of the communication response object;
aggregating the first behavior match result with the second behavior match result, wherein a malicious behavior score is calculated according to an aggregated result from all matches; and
classifying the malicious content suspect according to the malicious behavior score.
Abstract
Techniques for detecting malicious behavior of content or objects are described herein. According to one embodiment, a malicious content suspect is executed within a virtual machine that simulates a target operating environment associated with the malicious content suspect. A communication response object is received as a result of processing the malicious content suspect. A first behavior match result for a first sub-object of the communication response object is determined. A second behavior match result for a second sub-object of the communication response object is also determined. The first and second behavior match results are aggregated and a malicious behavior score is calculated according to the aggregated result from all matches. The malicious content suspect is classified according to the malicious behavior score.
548 Citations
35 Claims
1. A computer-implemented method for detecting malicious behavior, comprising:
processing a malicious content suspect within a virtual machine that simulates a target operating environment associated with the malicious content suspect;
receiving a communication response object as a result of processing the malicious content suspect;
parsing the communication response object into at least a first sub-object and a second sub-object;
sending the first sub-object to a first communication behavior detector in response to determining the first sub-object is a compatible input for the first communication behavior detector;
sending the second sub-object to a second communication behavior detector in response to determining the second sub-object is a compatible input for the second communication behavior detector;
determining, by the first communication behavior detector, a first behavior match result for the first sub-object of the communication response object;
determining, by the second communication behavior detector, a second behavior match result for the second sub-object of the communication response object;
aggregating the first behavior match result with the second behavior match result, wherein a malicious behavior score is calculated according to an aggregated result from all matches; and
classifying the malicious content suspect according to the malicious behavior score.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.

12. A computer-implemented method for detecting malicious behavior, comprising:
processing a malicious content suspect within a virtual machine that simulates a target operating environment associated with the malicious content suspect;
receiving a communication response object as a result of processing the malicious content suspect;
determining, by a communication behavior analyzer, a first behavior match result for a first sub-object of the communication response object, and a second behavior match result for a second sub-object of the communication response object;
receiving an execution response object as a result of processing the malicious content suspect;
determining, by an execution behavior analyzer, a third behavior match result for the execution response object;
aggregating the first behavior match result with the second behavior match result and the third behavior match result, wherein a malicious behavior score is calculated according to an aggregated result of at least the first behavior match result, the second behavior match result and the third behavior match result; and
classifying the malicious content suspect according to the malicious behavior score.

13. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform malicious behavior detection, comprising:
a communication behavior analyzer, when executed by the processor, to receive a communication response object as a result of processing of a malicious content suspect within a virtual machine, the communication behavior analyzer comprising a parser to parse the communication response object into at least a first sub-object and a second sub-object, provide the first sub-object to a first communication behavior detector in response to determining the first sub-object is a compatible input for the first communication behavior detector, and provide the second sub-object to a second communication behavior detector in response to determining the second sub-object is a compatible input for the second communication behavior detector, a first communication behavior detector to determine a first behavior match result for the first sub-object of the communication response object, and a second communication behavior detector to determine a second behavior match result for the second sub-object of the communication response object;
an aggregator, when executed by the processor, to aggregate the first behavior match result with the second behavior match result, wherein a malicious behavior score is calculated according to an aggregated result from all matches; and
a classifier, when executed by the processor, to classify the malicious content suspect according to the malicious behavior score.
Dependent claims: 14, 15, 16, 17, 18.

19. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform malicious behavior detection, comprising:
a communication behavior analyzer that, when executed by the processor, is configured to receive a communication response object as a result of processing of a malicious content suspect within a virtual machine, determine a first behavior match result for a first sub-object of the communication response object, and a second behavior match result for a second sub-object of the communication response object;
an execution behavior analyzer that, when executed by the processor, is configured to receive an execution response object as a result of processing the malicious content suspect and determine a third behavior match result for the execution response object;
an aggregator, when executed by the processor, to aggregate the first behavior match result with the second behavior match result and the third behavior match result, wherein a malicious behavior score is calculated according to an aggregated result from all matches; and
a classifier, when executed by the processor, to classify the malicious content suspect according to the malicious behavior score.

20. A data processing system, comprising:
a hardware processor; and
a memory coupled to the processor for storing instructions that, when executed by the processor, cause the processor to:
process a malicious content suspect within a virtual machine that simulates a target operating environment associated with the malicious content suspect;
receive a communication response object as a result of processing the malicious content suspect;
parse the communication response object into at least a first sub-object and a second sub-object;
provide the first sub-object to a first communication behavior detector in response to determining the first sub-object is a compatible input for the first communication behavior detector;
provide the second sub-object to a second communication behavior detector in response to determining the second sub-object is a compatible input for the second communication behavior detector;
determine a first behavior match result for the first sub-object of the communication response object, and a second behavior match result for the second sub-object of the communication response object;
aggregate the first behavior match result with the second behavior match result, wherein a malicious behavior score is calculated according to an aggregated result from all matches; and
classify the malicious content suspect according to the malicious behavior score.
Dependent claims: 21, 22, 23, 24, 25.

26. A system for detecting malicious behavior, comprising:
a hardware processor;
a memory communicatively coupled to the hardware processor, the memory comprising a communication behavior analyzer that, when executed by the processor, receives a communication response object as a result of processing of a malicious content suspect within a virtual machine, the communication behavior analyzer comprising a parser to parse the communication response object into at least a first sub-object and a second sub-object, provide the first sub-object to a first communication behavior detector in response to determining the first sub-object is a compatible input for the first communication behavior detector, and provide the second sub-object to a second communication behavior detector in response to determining the second sub-object is a compatible input for the second communication behavior detector, a first communication behavior detector to determine a first behavior match result for the first sub-object of the communication response object, and a second communication behavior detector to determine a second behavior match result for the second sub-object of the communication response object;
an aggregator, when executed by the processor, to aggregate the first behavior match result with the second behavior match result, wherein a malicious behavior score is calculated according to an aggregated result from all matches; and
a classifier, when executed by the processor, to classify the malicious content suspect according to the malicious behavior score.
Dependent claims: 27, 28, 29, 30, 31, 32, 33, 34, 35.
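The pipeline of the abstract and of claims 1 and 12 (parse the communication response object into sub-objects, route each sub-object only to detectors for which it is a compatible input, aggregate the match results into a score, classify) as an added illustration that is not the patent's own code. The HTTP response and execution trace are constructed samples, and the detector rules, weights and threshold are illustrative assumptions, not anything the patent specifies.

```python
# Added example, not the patent's code: claims 1 and 12 in miniature. A captured
# HTTP response (the "communication response object") is parsed into typed
# sub-objects; each detector declares which kinds it accepts (the "compatible
# input" check); matches are aggregated into a score and the suspect classified.
# Detector rules, weights, threshold and sample data are constructed assumptions.
import re
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class SubObject:
    kind: str   # "http_headers", "http_body" or "exec_trace"
    data: str

@dataclass(frozen=True)
class Detector:
    name: str
    accepts: frozenset[str]          # sub-object kinds this detector can consume
    weight: int                      # contribution to the score on a match
    matches: Callable[[str], bool]

def parse_http_response(raw: str) -> list[SubObject]:
    """Split a raw HTTP response into a header sub-object and a body sub-object."""
    head, _, body = raw.partition("\r\n\r\n")
    return [SubObject("http_headers", head), SubObject("http_body", body)]

DETECTORS = [
    Detector("executable-content-type", frozenset({"http_headers"}), 2,
             lambda d: re.search(r"^content-type:\s*application/x-msdownload", d, re.I | re.M) is not None),
    Detector("pe-header-in-body", frozenset({"http_body"}), 3,
             lambda d: d.startswith("MZ")),
    Detector("run-key-persistence", frozenset({"exec_trace"}), 3,
             lambda d: re.search(r"RegSetValue.*\\CurrentVersion\\Run\\", d) is not None),
]

def analyze(sub_objects: list[SubObject], threshold: int = 4) -> tuple[list[str], int, str]:
    """Dispatch each sub-object only to compatible detectors, aggregate, classify."""
    matched = [det.name for obj in sub_objects for det in DETECTORS
               if obj.kind in det.accepts and det.matches(obj.data)]
    score = sum(det.weight for det in DETECTORS if det.name in matched)
    verdict = "malicious" if score >= threshold else "benign"
    return matched, score, verdict

# Constructed sandbox artifacts: one HTTP response and one execution trace line.
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n"
                   "Content-Length: 2\r\n\r\nMZ\x90\x00")
SAMPLE_TRACE = r"RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"

if __name__ == "__main__":
    objs = parse_http_response(SAMPLE_RESPONSE) + [SubObject("exec_trace", SAMPLE_TRACE)]
    print(analyze(objs))  # -> ([...three detector names...], 8, 'malicious')
```

Note that header-only evidence (weight 2) stays below the threshold on its own; only the aggregated result over all matches crosses it, which is the aggregation step the claims describe.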
Specification