System and method for detecting malicious links in electronic messages

US 9,300,686 B2
Filed: 07/18/2013
Issued: 03/29/2016
Est. Priority Date: 06/28/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malicious links in electronic messages by processing logic including circuitry implemented within a malware analysis system, comprising:

in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, removing any known URL links from the plurality of URL links based on a list of known link signatures;

for each of remaining URL links that are unknown, performing a link analysis by the processing logic on a URL link of the remaining URL links based on link heuristics to determine whether the URL link is suspicious; and

responsive to determining the URL link is suspicious, performing a dynamic analysis in a virtual machine on a resource associated with the suspicious URL link and classifying whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis within the virtual machine.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, any known URL links are removed from the URL links based on a list of known link signatures. For each of remaining URL links that are unknown, a link analysis is performed on the URL link based on link heuristics to determine whether the URL link is suspicious. For each of the suspicious URL links, a dynamic analysis is performed on a resource of the suspicious URL link. It is classified whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis.

Citations

59 Claims

1. A computer-implemented method for detecting malicious links in electronic messages by processing logic including circuitry implemented within a malware analysis system, comprising:
- in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, removing any known URL links from the plurality of URL links based on a list of known link signatures;
  
  for each of remaining URL links that are unknown, performing a link analysis by the processing logic on a URL link of the remaining URL links based on link heuristics to determine whether the URL link is suspicious; and
  
  responsive to determining the URL link is suspicious, performing a dynamic analysis in a virtual machine on a resource associated with the suspicious URL link and classifying whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis within the virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 34, 35, 36, 37, 38, 39)
- - 2. The method of claim 1, wherein the plurality of URL links are received from one or more malware detection appliances over the Internet, and wherein the one or more malware detection appliances are deployed in one or more local area networks (LANs).
  - 3. The method of claim 2, wherein each of the malware detection appliances comprises a hardware processor that is configured torecognize a URL embedded within an email,extract the URL from the email, andtransmit the extracted URL to the malware analysis system over the Internet as part of the plurality of URL links, without transmitting remaining content of the email.
  - 4. The method of claim 2, wherein the performing of the link analysis comprises:
    - determining a domain name included in each of the plurality of URL links;
      
      determining whether a number of occurrences of a first domain name in URL links of the plurality of URL links exceeds a predetermined threshold, the URL links include the URL link; and
      
      designating each of the URL links, including the URL link, as suspicious when the number of occurrences of the first domain name in the URL links exceeds the predetermined threshold.
  - 5. The method of claim 2, wherein the performing of the link analysis comprises:
    - determining whether a number of occurrences of a first uniform resource identifier (URI) in URL links of the plurality of URL links exceeds a predetermined threshold, the URL links include the URL link; and
      
      designating each of the URL links that includes the first URI as suspicious, if the number of occurrences of the first URI in the URL links exceeds the predetermined threshold.
  - 6. The method of claim 2, wherein the performing of the link analysis comprises:
    - accessing the resource from a remote resource location via the URL link; and
      
      classifying whether the URL link is suspicious or malicious based on an analysis of information associated with the resource at the remote resource location.
  - 7. The method of claim 6, wherein the URL link is classified as suspicious or malicious based on a combination of a type and a size of the resource identified in the information associated with the resource.
  - 8. The method of claim 1, further comprising:
    - generating a link signature for each of the links that have been classified as malicious; and
      
      transmitting link signatures of the classified malicious links to one or more malware detection appliances so that the malware detection appliances can detect subsequent malicious links locally based on the link signatures.
  - 34. The method of claim 1, wherein the performing of the link analysis comprises determining whether a number of occurrences of a first domain name included as part of the plurality of URL links exceeds a predetermined threshold;
    - anddesignating the URL link including the first domain name as suspicious, if the number of occurrences of the first domain name included as part of the plurality of URL links exceeds the predetermined threshold.
  - 35. The method of claim 1, wherein the performing of the link analysis comprises determining whether a number of occurrences of a first uniform resource identifier (URI) included as part of the plurality of URL links exceeds a predetermined threshold;
    - anddesignating the URL link including the first URI as suspicious, if the number of occurrences of the first URI included as part of the plurality of URL links exceeds the predetermined threshold.
  - 36. The method of claim 1, wherein the resource is content retrieved from a website referenced by the URL link.
  - 37. The method of claim 4 further comprising:
    - responsive to determining by the processing logic during the link analysis that the URL link is malicious, generating a link signature for the URL link.
  - 38. The method of claim 37 further comprising:
    - responsive to generating the link signature for the URL link, transmitting the link signature to one or more malware detection appliances for use in local detection of malicious URL links.
  - 39. The method of claim 1, wherein the known URL links include at least one of known malicious URL links or known non-malicious URL links.

9. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations for detecting malicious links in electronic messages, comprising:
- in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, removing any known URL links from the plurality of URL links by the processor based on a list of known link signatures;
  
  for each of remaining URL links that are unknown, performing a link analysis by the processor on a URL link of the remaining URL links based on link heuristics to determine whether the URL link is suspicious; and
  
  responsive to determining that the URL link is suspicious, performing a dynamic analysis in a virtual machine on a resource associated with the suspicious URL link and classifying whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis within the virtual machine.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 40, 41, 42, 43)
- - 10. The medium of claim 9, wherein the plurality of URL links are received from one or more malware detection appliances over the Internet, and wherein the one or more malware detection appliances are deployed in one or more local area networks (LANs).
  - 11. The medium of claim 10, wherein each of the malware detection appliances is configured torecognize a URL link embedded within an email,extract the URL from the email, andtransmit the extracted URL to the malware analysis system over the Internet as part of the plurality of URL links, without transmitting remaining content of the email.
  - 12. The medium of claim 10, wherein the performing of the link analysis comprises:
    - determining a domain name included in each of the plurality of URL links;
      
      determining whether a number of occurrences of a first domain name in URL links of the remaining URL links exceeds a predetermined threshold, the URL links include the URL link; and
      
      designating each of the URL links that includes the first domain name as suspicious, if the number of occurrences of the first domain name in the URL links exceeds the predetermined threshold.
  - 13. The medium of claim 10, wherein the performing of the link analysis comprises:
    - determining whether a number of occurrences of a first uniform resource identifier (URI) in URL links of the remaining URL links exceeds a predetermined threshold; and
      
      designating each of the URL links that includes the first URI as suspicious, if the number of occurrences of the first URI in the URL links exceeds the predetermined threshold.
  - 14. The medium of claim 10, wherein the performing of the link analysis comprises:
    - accessing the resource of a remote resource location via the URL link; and
      
      classifying whether the URL link is suspicious or malicious based on a response received from the remote resource location.
  - 15. The medium of claim 14, wherein the URL link is classified as suspicious or malicious based on the response including information associated with a type of resource, metadata associated with the resource, and information associated with a size of the resource.
  - 16. The medium of claim 9, wherein the operations further comprises:
    - generating a link signature for each of the remaining URL links that have been classified as malicious; and
      
      transmitting link signatures of the classified malicious links to one or more malware detection appliances, the one or more malware detection appliances to detect subsequent malicious links locally based on the link signatures.
  - 40. The medium of claim 9, wherein the resource is content retrieved from a website referenced by the URL link.
  - 41. The medium of claim 9 having instructions stored therein, which when executed by the processor, further cause the processor to perform operations comprising:
    - responsive to determining by the processor during the link analysis that the URL link is malicious, generating a link signature for the URL link.
  - 42. The medium of claim 41 having instructions stored therein, which when executed by the processor, further cause the processor to perform operations comprising:
    - responsive to generating the link signature for the URL link, transmitting the link signature to one or more malware detection appliances for use in local detection of malicious URL links.
  - 43. The medium of claim 9 having instructions stored therein, which when executed by a processor, cause the processor to remove any known URL links, wherein the known URL links include at least one of known malicious URL links or known non-malicious URL links.

17. A computer-implemented method for detecting malicious links in electronic messages, comprising:
- in response to receiving an email having a uniform resource locator (URL) link for malicious determination, extracting the URL link from the email;
  
  determining whether the extracted URL link is a known URL link, the known link includes at least one of a known malicious link or a known non-malicious link;
  
  responsive to determining that the extracted URL link is a URL link other than the known URL link, comparing at least a portion of the extracted URL link with a list of heuristic link signatures that represents a list of patterns to determine whether the extracted URL link is suspicious;
  
  performing a dynamic analysis on the extracted URL link in a virtual machine when at least a portion of the extracted URL link matches at least one of the heuristic link signatures, includingaccessing and downloading a resource from a remote site using the extracted URL link from the email,executing the resource within the virtual machine using a software program that is associated with the resource, andmonitoring a behavior of the resource within the virtual machine; and
  
  classifying whether the extracted URL link is a malicious link based on the behavior of the resource during the execution of the resource within the virtual machine.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The method of claim 17, wherein the heuristic link signatures are generated based on data previously collected from a plurality of malware detection systems using machine learning techniques.
  - 19. The method of claim 18, wherein the heuristic link signatures are updated periodically based on data periodically collected from the plurality of malware detection systems.
  - 20. The method of claim 18, wherein the heuristic link signatures represent patterns of likely malicious links based on previous malware detection operations.
  - 21. The method of claim 17, further comprising performing a static analysis on metadata of the email to determine whether the email is a suspicious email, wherein the dynamic analysis is performed on the extracted URL link if the email is determined to be suspicious.
  - 22. The method of claim 21, wherein the metadata of the email includes at least one of TO, FROM, and SUBJECT fields.

23. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations for detecting malicious links in electronic messages, comprising:
- in response to receiving an email having a uniform resource locator (URL) link for malicious determination, extracting by the processor the URL link from the email;
  
  determining whether the extracted URL link is a known URL link, the known link includes at least one of a known malicious link or a known non-malicious link;
  
  responsive to determining that the extracted URL link is a URL link other than the known URL link, comparing, by the processor, at least a portion of the extracted URL link with a list of heuristic link signatures that represents a list of patterns to determine whether the extracted URL link is suspicious;
  
  performing, by the processor, a dynamic analysis on the extracted URL link in a virtual machine if at least a portion of the extracted URL link matches at least one of the heuristic link signatures, includingaccessing and downloading a resource from a remote site using the extracted URL link,executing the resource within the virtual machine using a software program that is associated with the resource, andmonitoring a behavior of the resource within the virtual machine; and
  
  classifying whether the extracted URL link is a malicious link based on the behavior of the resource during the execution of the resource within the virtual machine.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The medium of claim 23, wherein the heuristic link signatures are generated based on data previously collected from a plurality of malware detection systems using machine learning techniques.
  - 25. The medium of claim 24, wherein the heuristic link signatures are updated periodically based on data periodically collected from the malware detection systems.
  - 26. The medium of claim 24, wherein the heuristic link signatures represent patterns of likely malicious links based on previous malware detection operations.
  - 27. The medium of claim 23, wherein the method further comprises performing a static analysis on metadata of the email to determine whether the email is a suspicious email, wherein the dynamic analysis is performed on the extracted URL link if the email is determined to be suspicious.

28. A data processing system for detecting malicious links, comprising:
- a processor; and
  
  a memory coupled to the processor for storing instructions, which when executed from the memory by the processor, cause the processor toin response to receiving an email having a uniform resource locator (URL) link for malicious determination, extract the URL link from the email,determine whether the extracted URL link is a known URL link, the known link includes at least one of a known malicious link or a known non-malicious link;
  
  responsive to determining that the extracted URL link is a URL link other than the known URL link, compare at least a portion of the extracted URL link with a list of heuristic link signatures that represents a list of patterns to determine whether the extracted URL link is suspicious,perform a dynamic analysis on the extracted URL link in a virtual machine if at least a portion of the extracted URL link matches at least one of the heuristic link signatures, includingaccessing and downloading a resource from a remote site via the extracted URL link,executing the resource within the virtual machine using a software program that is associated with the resource, andmonitoring a behavior of the resource within the virtual machine; and
  
  classify whether the extracted URL link is a malicious link based on the behavior of the resource during the execution of the resource within the virtual machine.
- View Dependent Claims (29, 30, 31, 32, 33)
- - 29. The data processing system of claim 28, wherein the heuristic link signatures are generated based on data previously collected from a plurality of malware detection systems using machine learning techniques.
  - 30. The data processing system of claim 29, wherein the heuristic link signatures are updated periodically based on data periodically collected from the plurality of malware detection systems.
  - 31. The data processing system of claim 29, wherein the heuristic link signatures represent patterns of likely malicious links based on previous malware detection operations.
  - 32. The data processing system of claim 28, wherein the memory includes further instructions which, when executed by the processor, cause the processor to perform a static analysis on metadata of the email to determine whether the email is a suspicious email, wherein the dynamic analysis is performed on the extracted URL link if the email is determined to be suspicious.
  - 33. The data processing system of claim 32, wherein the metadata of the email includes at least one of TO, FROM, and SUBJECT fields.

44. A malware analysis system, comprising:
- a processor; and
  
  a memory coupled to the processor for storing instructions, which when executed by the processor, cause the processor toremove any known URL links from a plurality of uniform resource locator (URL) links received for malicious determination,for each of remaining URL links that are unknown, perform a link analysis on a URL link of the remaining URL links based on link heuristics to determine whether the URL link is suspicious, andresponsive to determining the URL link is suspicious, perform a dynamic analysis in a virtual machine on a resource associated with the suspicious URL link and classify whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis within the virtual machine.
- View Dependent Claims (45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59)
- - 45. The malware analysis system of claim 44, wherein the plurality of URL links are received from one or more malware detection appliances over the Internet, and wherein the one or more malware detection appliances are deployed in one or more local area networks (LANs).
  - 46. The malware analysis system of claim 45, wherein each of the malware detection appliances comprises a hardware processor that is configured torecognize a URL embedded within an email,extract the URL from the email, andtransmit the extracted URL to the malware analysis system over the Internet as part of the plurality of URL links, without transmitting remaining content of the email.
  - 47. The malware analysis system of claim 45, wherein the memory includes instructions which, when executed by the processor, cause the processor to perform the link analysis by at least:
    - determining whether a first domain name of the URL link occurs frequently amongst the remaining URL links; and
      
      designating each of the URL links that includes the first domain name as suspicious, if the first domain name occurs frequently amongst the remaining URL links.
  - 48. The malware analysis system of claim 45, wherein the memory includes instructions which, when executed by the processor, cause the processor to perform the link analysis by at least:
    - determining whether a first uniform resource identifier (URI) of the URL link occurs frequently amongst the remaining URL links; and
      
      designating each of the URL links that includes the first URI as suspicious, if the first URI occurs frequently amongst the remaining URL links.
  - 49. The malware analysis system of claim 45, wherein the memory includes instructions which, when executed by the processor, cause the processor to perform the link analysis by at least:
    - accessing the resource from a remote resource location via the URL link; and
      
      classifying whether the URL link is suspicious or malicious based on an analysis of information associated with the resource at the remote resource location.
  - 50. The malware analysis system of claim 49, wherein the memory includes instructions which, when executed by the processor, cause the processor to perform the link analysis by classifying the URL link as suspicious or malicious based on analysis of the information that includes one or more of (1) information that identifies a type of the resource, and (ii) information that identifies a size of the resource.
  - 51. The malware analysis system of claim 49, wherein the memory includes instructions which, when executed by the processor, cause the processor to perform one or more operations responsive to determining that the URL link is suspicious, including:
    - generating a link signature for each of the remaining URL links that have been classified as malicious; and
      
      transmitting link signatures of the classified malicious links to one or more malware detection appliances, such that the one or more malware detection appliances can detect subsequent malicious links locally based on the link signatures.
  - 52. The malware analysis system of claim 44, wherein the resource is content retrieved from a website referenced by the URL link.
  - 53. The malware analysis system of claim 44, wherein the memory includes instructions which, when executed by the processor, cause the processor to perform operations comprising:
    - responsive to determining by the processor during the link analysis that the URL link is malicious, generating a link signature for the URL link.
  - 54. The malware analysis system of claim 53, wherein the memory includes instructions which, when executed by the processor, cause the processor to perform operations comprising:
    - responsive to generating the link signature for the URL link, transmitting the link signature to one or more malware detection appliances for use in local detection of malicious URL links.
  - 55. The malware analysis system of claim 44, wherein the processor to remove any known URL links from the plurality of URL links by analysis of the plurality of URL links and a list of known link signatures.
  - 56. The malware analysis system of claim 47, wherein the memory includes instructions that, when executed by the processor, further cause the processor to determine whether the first domain name of the URL link occurs frequently by determining whether a number of occurrences of the first domain name in the remaining URL links exceeds a predetermined threshold.
  - 57. The malware analysis system of claim 48, wherein the memory includes instructions that, when executed by the processor, further cause the processor to determine whether the first URI of the URL link occurs frequently by determining whether a number of occurrences of the first URI in the remaining URL links exceeds a predetermined threshold.
  - 58. The malware analysis system of claim 44, wherein the memory includes instructions which, when executed by the processor, cause the processor to perform the link analysis by at least:
    - determining whether a number of occurrences of a first domain name included as part of the remaining URL links exceeds a predetermined threshold; and
      
      designating the URL link including the first domain name as suspicious, if the number of occurrences of the first domain name included as part of the remaining URL links exceeds the predetermined threshold.
  - 59. The malware analysis system of claim 44, wherein the memory includes instructions which, when executed by the processor, cause the processor to perform the link analysis by at least:
    - determining whether a number of occurrences of a first uniform resource identifier (URI) included as part of the remaining URL links exceeds a predetermined threshold; and
      
      designating the URL link including the first URI as suspicious, if the number of occurrences of the first URI included as part of the remaining URL links exceeds the predetermined threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Pidathala, Vinay, Uyeno, Henry
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
HOLMES, ANGELA R

Application Number

US13/945,394
Publication Number

US 20150007312A1
Time in Patent Office

985 Days
Field of Search

726/22, 726 24- 25
US Class Current

1/1
CPC Class Codes

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1475   Passive attacks, e.g. eaves...

System and method for detecting malicious links in electronic messages

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

59 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting malicious links in electronic messages

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

59 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links