System and method for detecting malicious links in electronic messages
Abstract
According to one embodiment, in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, any known URL links are removed from the URL links based on a list of known link signatures. For each of remaining URL links that are unknown, a link analysis is performed on the URL link based on link heuristics to determine whether the URL link is suspicious. For each of the suspicious URL links, a dynamic analysis is performed on a resource of the suspicious URL link. It is classified whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis.
Claims (59)
1. A computer-implemented method for detecting malicious links in electronic messages by processing logic including circuitry implemented within a malware analysis system, comprising:
- in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, removing any known URL links from the plurality of URL links based on a list of known link signatures;
- for each of remaining URL links that are unknown, performing a link analysis by the processing logic on a URL link of the remaining URL links based on link heuristics to determine whether the URL link is suspicious; and
- responsive to determining the URL link is suspicious, performing a dynamic analysis in a virtual machine on a resource associated with the suspicious URL link and classifying whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis within the virtual machine.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 34, 35, 36, 37, 38, 39
9. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations for detecting malicious links in electronic messages, comprising:
- in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, removing any known URL links from the plurality of URL links by the processor based on a list of known link signatures;
- for each of remaining URL links that are unknown, performing a link analysis by the processor on a URL link of the remaining URL links based on link heuristics to determine whether the URL link is suspicious; and
- responsive to determining that the URL link is suspicious, performing a dynamic analysis in a virtual machine on a resource associated with the suspicious URL link and classifying whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis within the virtual machine.

Dependent claims: 10, 11, 12, 13, 14, 15, 16, 40, 41, 42, 43
17. A computer-implemented method for detecting malicious links in electronic messages, comprising:
- in response to receiving an email having a uniform resource locator (URL) link for malicious determination, extracting the URL link from the email;
- determining whether the extracted URL link is a known URL link, the known link includes at least one of a known malicious link or a known non-malicious link;
- responsive to determining that the extracted URL link is a URL link other than the known URL link, comparing at least a portion of the extracted URL link with a list of heuristic link signatures that represents a list of patterns to determine whether the extracted URL link is suspicious;
- performing a dynamic analysis on the extracted URL link in a virtual machine when at least a portion of the extracted URL link matches at least one of the heuristic link signatures, including accessing and downloading a resource from a remote site using the extracted URL link from the email, executing the resource within the virtual machine using a software program that is associated with the resource, and monitoring a behavior of the resource within the virtual machine; and
- classifying whether the extracted URL link is a malicious link based on the behavior of the resource during the execution of the resource within the virtual machine.

Dependent claims: 18, 19, 20, 21, 22
23. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations for detecting malicious links in electronic messages, comprising:
- in response to receiving an email having a uniform resource locator (URL) link for malicious determination, extracting by the processor the URL link from the email;
- determining whether the extracted URL link is a known URL link, the known link includes at least one of a known malicious link or a known non-malicious link;
- responsive to determining that the extracted URL link is a URL link other than the known URL link, comparing, by the processor, at least a portion of the extracted URL link with a list of heuristic link signatures that represents a list of patterns to determine whether the extracted URL link is suspicious;
- performing, by the processor, a dynamic analysis on the extracted URL link in a virtual machine if at least a portion of the extracted URL link matches at least one of the heuristic link signatures, including accessing and downloading a resource from a remote site using the extracted URL link, executing the resource within the virtual machine using a software program that is associated with the resource, and monitoring a behavior of the resource within the virtual machine; and
- classifying whether the extracted URL link is a malicious link based on the behavior of the resource during the execution of the resource within the virtual machine.

Dependent claims: 24, 25, 26, 27
28. A data processing system for detecting malicious links, comprising:
- a processor; and
- a memory coupled to the processor for storing instructions, which when executed from the memory by the processor, cause the processor to
  - in response to receiving an email having a uniform resource locator (URL) link for malicious determination, extract the URL link from the email,
  - determine whether the extracted URL link is a known URL link, the known link includes at least one of a known malicious link or a known non-malicious link;
  - responsive to determining that the extracted URL link is a URL link other than the known URL link, compare at least a portion of the extracted URL link with a list of heuristic link signatures that represents a list of patterns to determine whether the extracted URL link is suspicious,
  - perform a dynamic analysis on the extracted URL link in a virtual machine if at least a portion of the extracted URL link matches at least one of the heuristic link signatures, including accessing and downloading a resource from a remote site via the extracted URL link, executing the resource within the virtual machine using a software program that is associated with the resource, and monitoring a behavior of the resource within the virtual machine; and
  - classify whether the extracted URL link is a malicious link based on the behavior of the resource during the execution of the resource within the virtual machine.

Dependent claims: 29, 30, 31, 32, 33
44. A malware analysis system, comprising:
- a processor; and
- a memory coupled to the processor for storing instructions, which when executed by the processor, cause the processor to
  - remove any known URL links from a plurality of uniform resource locator (URL) links received for malicious determination,
  - for each of remaining URL links that are unknown, perform a link analysis on a URL link of the remaining URL links based on link heuristics to determine whether the URL link is suspicious, and
  - responsive to determining the URL link is suspicious, perform a dynamic analysis in a virtual machine on a resource associated with the suspicious URL link and classify whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis within the virtual machine.

Dependent claims: 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59
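The triage pipeline the independent claims describe (known-link removal, heuristic link analysis, dynamic analysis of the fetched resource, verdict from observed behavior), as an added example that is not the patent's or any assignee's code. The known-link sets, heuristic signatures, behavior labels and sample email are constructed, and `fake_vm` is a stand-in for the instrumented virtual machine that would actually download and execute the resource.

```python
import re
from typing import Callable
# Constructed sample lists (placeholders, not the patent's data): known link
# signatures covering both malicious and non-malicious links, as in claim 17.
KNOWN_MALICIOUS = {"http://bad.example/login.php"}
KNOWN_BENIGN = {"https://www.example.org/"}
# Heuristic link signatures: patterns that mark an unknown link as suspicious.
HEURISTIC_SIGNATURES = [
    re.compile(r"^https?://\d{1,3}(\.\d{1,3}){3}"),   # raw IP address as host
    re.compile(r"\.(exe|scr|zip)(\?|$)", re.I),        # executable-style resource
    re.compile(r"^https?://[^/]*@"),                   # userinfo before the host
]
# Constructed labels for behaviors the VM monitor would report.
MALICIOUS_BEHAVIORS = {"writes_autorun", "spawns_shell", "beacons_out"}
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

def extract_links(email_body: str) -> list[str]:
    """Extract URL links from an email body (claim 17, 'extracting the URL link')."""
    return URL_RE.findall(email_body)

def heuristic_suspicious(url: str) -> bool:
    """Link analysis: does any heuristic signature match part of the link?"""
    return any(sig.search(url) for sig in HEURISTIC_SIGNATURES)

def classify_links(urls: list[str],
                   observe_behavior: Callable[[str], set[str]]) -> dict[str, str]:
    """Triage: known lists -> heuristics -> dynamic analysis -> verdict.
    observe_behavior stands in for running the resource in a VM and
    returning the behaviors monitored there."""
    verdicts: dict[str, str] = {}
    for url in urls:
        if url in KNOWN_MALICIOUS:           # known links skip further analysis
            verdicts[url] = "malicious (known)"
        elif url in KNOWN_BENIGN:
            verdicts[url] = "benign (known)"
        elif not heuristic_suspicious(url):  # unknown, but nothing suspicious
            verdicts[url] = "benign (no heuristic match)"
        elif observe_behavior(url) & MALICIOUS_BEHAVIORS:
            verdicts[url] = "malicious (dynamic)"
        else:
            verdicts[url] = "benign (dynamic)"
    return verdicts

def fake_vm(url: str) -> set[str]:
    """Constructed stand-in for the VM monitor (a real one executes the resource)."""
    return {"spawns_shell"} if url.lower().endswith(".exe") else {"renders_page"}

# Constructed sample message.
SAMPLE_EMAIL = ("Please update at http://198.51.100.7/update.exe today.\n"
                "See also https://www.example.org/ and https://docs.example.org/guide")
```

Only links that survive both the known-signature filter and the heuristic filter reach the (expensive) dynamic stage, which is the cost-saving point of the claimed ordering.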