Evaluating URLS for malicious content
Abstract
A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements the service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. Requests by a user system for a resource at a URL may be received by a firewall; a honey client module may then access the URL and permit installation of malicious code or other malicious activities. In response to detecting malicious activities, the honey client module characterizes the malicious activity to generate a descriptor used to detect malicious code in other systems. The URL may also be blacklisted by the firewall.
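A toy Python model of the flow the abstract describes, added here as an illustration and not code from the patent: a firewall serves the URL, a honey-client VM records what the resource does and routes its outbound traffic to a sinkhole that answers and logs it, and the two records are correlated into a descriptor that also drives blacklisting. The URLs, file paths and observed actions are constructed sample data.

```python
from dataclasses import dataclass, field
# Constructed sample resources: actions an instrumented honey-client VM observes per URL.
SAMPLE_RESOURCES = {
    "http://example.invalid/landing": [
        ("write_file", "C:\\Users\\Public\\upd.exe"),
        ("exec", "C:\\Users\\Public\\upd.exe"),
        ("connect", "http://c2.invalid/beacon?id=1"),
    ],
    "http://example.invalid/benign": [("render", "index.html")],
}

@dataclass
class Sinkhole:
    """Sink VM: answers the service the outbound traffic asks for and logs it."""
    seen: list = field(default_factory=list)
    def handle(self, url):
        self.seen.append(url)
        return "HTTP/1.1 200 OK"  # canned reply keeps the malware talking

@dataclass
class HoneyClient:
    """BotMagnet VM: lets the resource run, routing outbound traffic to the sink."""
    sink: Sinkhole
    def visit(self, url):
        activity = []
        for action, arg in SAMPLE_RESOURCES.get(url, []):
            if action == "connect":
                self.sink.handle(arg)
            if action in ("write_file", "exec", "connect"):
                activity.append((action, arg))
        return activity

def build_descriptor(url, vm_activity, sink_seen):
    """Correlate honey-client activity with sinkhole-observed traffic."""
    if not vm_activity:
        return None  # nothing suspicious: no descriptor, no blacklisting
    return {"url": url, "host_activity": vm_activity, "c2_requests": sink_seen}

class Firewall:
    def __init__(self):
        self.blacklist, self.sink = set(), Sinkhole()
        self.honey = HoneyClient(self.sink)
    def request(self, url):
        if url in self.blacklist:
            return None, "blocked"
        self.sink.seen.clear()
        descriptor = build_descriptor(url, self.honey.visit(url), list(self.sink.seen))
        if descriptor:
            self.blacklist.add(url)
        return descriptor, "served"
```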
38 Citations
18 Claims
1. A method comprising:
- receiving at a firewall computer system a request from a user system for a resource at a uniform resource locator (URL);
- retrieving, by the firewall computer system, the resource and returning the resource to the user system;
- accessing by a first virtual machine on one of the firewall computer system and a magnet computer system the resource;
- detecting malicious activity corresponding to the resource in the first virtual machine;
- generating a descriptor of the malicious activity;
- transmitting the descriptor to the user system;
- transforming the outbound traffic on the second virtual machine to obtain transformed traffic;
- transmitting the transformed traffic to a destination specified in the outbound traffic; and
- receiving, on the second virtual machine, a response to the transformed traffic;
- wherein generating the descriptor comprises correlating the response to the transformed traffic, the malicious activity corresponding to the resource in the first virtual machine, and the malicious activity on the second virtual machine.

Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. A method comprising:
- receiving at a firewall computer system a request from a user system for a resource at a uniform resource locator (URL);
- retrieving, by the firewall computer system, the resource and returning the resource to the user system;
- accessing by a first virtual machine on one of the firewall computer system and a magnet computer system the resource;
- detecting malicious activity corresponding to the resource in the first virtual machine;
- generating a descriptor of the malicious activity;
- transmitting the descriptor to the user system;
- discovering by the magnet computer system a topology of a corporate network including workstations and server systems;
- instantiating a plurality of honey clients in the magnet computer systems, each honey client mapped to a workstation of the corporate network and implementing a virtual machine hosting an operating system and browser corresponding to the workstation to which the each honey client is mapped, the first virtual machine being a honey client of the plurality of honey clients;
- instantiating a plurality of sink virtual machines in the magnet computer system, each sink virtual machine mapped to a server system of the corporate network and implementing one or more services of the server system of the corporate network to which the each sink virtual machine is mapped;
- identifying the first virtual machine as being the honey client of the plurality of honey clients corresponding to the user system, the user system being a workstation of the workstations of the corporate network;
- permitting outbound traffic corresponding to the resource from the first virtual machine;
- routing the outbound traffic to a first sink virtual machine of the plurality of sink virtual machines;
- detecting malicious activity on the first sink virtual machine;
- wherein generating the descriptor comprises correlating the malicious activity corresponding to the resource in the first virtual machine to the malicious activity in the first sink virtual machine.

10. A system comprising:
- a firewall computer system programmed to:
  - receive a request from a user system for a resource at a uniform resource locator (URL);
  - retrieve the resource and return the resource to the user system;
  - provide the URL to a honey client computer system;
- the honey client computer system, the honey client computer system programmed to:
  - access by a first virtual machine the URL;
  - detect malicious activity corresponding to the resource in the first virtual machine;
  - generate a descriptor of the malicious activity; and
  - transmit the descriptor to the user system;
- wherein the honey client computer system is further programmed to permit outbound traffic corresponding to the resource from the first virtual machine;
- the system further comprises a sinkhole computer system programmed to:
  - receive the outbound traffic on a second virtual machine; and
  - detect malicious activity on the second virtual machine;
- generating the descriptor comprises correlating the malicious activity corresponding to the resource in the first virtual machine to the malicious activity on the second virtual machine.

Dependent claims: 11, 12, 13, 14, 15, 16

17. A system comprising:
- a firewall computer system programmed to:
  - receive a request from a user system for a resource at a uniform resource locator (URL);
  - retrieve the resource and return the resource to the user system;
  - provide the URL to a honey client computer system;
- the honey client computer system, the honey client computer system programmed to:
  - access by a first virtual machine the URL;
  - detect malicious activity corresponding to the resource in the first virtual machine;
  - generate a descriptor of the malicious activity; and
  - transmit the descriptor to the user system; wherein
- the sinkhole computer system is further programmed to:
  - transform the outbound traffic on the second virtual machine to obtain transformed traffic;
  - transmit the transformed traffic to a destination specified in the outbound traffic; and
  - receive a response to the transformed traffic;
- wherein generating the descriptor comprises correlating the response to the transformed traffic, the malicious activity corresponding to the resource in the first virtual machine, and the malicious activity on the second virtual machine.

Dependent claims: 18