Evaluating URLS for malicious content

US 9,356,950 B2
Filed: 08/22/2014
Issued: 05/31/2016
Est. Priority Date: 05/07/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving at a firewall computer system a request from a user system for a resource at a uniform resource locator (URL);

retrieving, by the firewall computer system, the resource and returning the resource to the user system;

accessing by a first virtual machine on one of the firewall computer system and a magnet computer system the resource;

detecting malicious activity corresponding to the resource in the first virtual machine;

generating a descriptor of the malicious activity;

transmitting the descriptor to the user system;

transforming the outbound traffic on the second virtual machine to obtain transformed traffic;

transmitting the transformed traffic to a destination specified in the outbound traffic; and

receiving, on the second virtual machine, a response to the transformed traffic;

wherein generating the descriptor comprises correlating the response to the transformed traffic, the malicious activity corresponding to the resource in the first virtual machine, and the malicious activity on the second virtual machine.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system includes one or more “BotMagnet” modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosing operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. Requests by a user system for a resource at a URL may be received by a firewall, a honey client module may access the URL and permit installation of malicious code or other malicious activities. In response to detecting malicious activities, the honey client module characterizes the malicious activity to generate a descriptor used to detect malicious code in other systems. The URL may also be blacklisted by the firewall.

38 Citations

View as Search Results

18 Claims

1. A method comprising:
- receiving at a firewall computer system a request from a user system for a resource at a uniform resource locator (URL);
  
  retrieving, by the firewall computer system, the resource and returning the resource to the user system;
  
  accessing by a first virtual machine on one of the firewall computer system and a magnet computer system the resource;
  
  detecting malicious activity corresponding to the resource in the first virtual machine;
  
  generating a descriptor of the malicious activity;
  
  transmitting the descriptor to the user system;
  
  transforming the outbound traffic on the second virtual machine to obtain transformed traffic;
  
  transmitting the transformed traffic to a destination specified in the outbound traffic; and
  
  receiving, on the second virtual machine, a response to the transformed traffic;
  
  wherein generating the descriptor comprises correlating the response to the transformed traffic, the malicious activity corresponding to the resource in the first virtual machine, and the malicious activity on the second virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein accessing by the first virtual machine the resource comprises:
    - accessing on the first virtual machine the resource using a plurality of browsers.
  - 3. The method of claim 1, wherein accessing by the first virtual machine the resource comprises:
    - accessing on the first virtual machine the resource using a plurality of browsers each operating within a different operating system within the first virtual machine.
  - 4. The method of claim 1, further comprising, blacklisting on the firewall computer system the URL.
  - 5. The method of claim 1, wherein transforming the outbound traffic comprises setting a destination of the transformed traffic to refer to the second virtual machine.
  - 6. The method of claim 1, further comprising:
    - detecting on the user system malicious code using the descriptor; and
      
      removing the malicious code.
  - 7. The method of claim 1, detecting malicious activity corresponding to the resource in the first virtual machine further comprises permitting installation and execution of malicious code in the first virtual machine.
  - 8. The method of claim 1, further comprising blocking outbound traffic from the first virtual machine.

9. A method comprising:
- receiving at a firewall computer system a request from a user system for a resource at a uniform resource locator (URL);
  
  retrieving, by the firewall computer system, the resource and returning the resource to the user system;
  
  accessing by a first virtual machine on one of the firewall computer system and a magnet computer system the resource;
  
  detecting malicious activity corresponding to the resource in the first virtual machine;
  
  generating a descriptor of the malicious activity;
  
  transmitting the descriptor to the user system;
  
  discovering by the magnet computer system a topology of a corporate network including workstations and server systems;
  
  instantiating a plurality of honey clients in the magnet computer systems, each honey client mapped to a workstation of the corporate network and implementing a virtual machine hosting an operating and browser corresponding to the workstation to which the each honey client is mapped, the first virtual machine being a honey client of the plurality of honey clients;
  
  instantiating a plurality of sink virtual machines in the magnet computer system, each sink virtual machine mapped to a server system of the corporate network and implementing one or more services of the server system of the corporate network to which the each sink virtual machine is mapped;
  
  identifying the first virtual machine as being the honey client of the plurality of honey clients corresponding to the user system, the user system being a workstation of the workstations of the corporate network;
  
  permitting outbound traffic corresponding to the resource from the first virtual machine;
  
  routing the outbound traffic to a first sink virtual machine of the plurality of sink virtual machines;
  
  detecting malicious activity on the first sink virtual machine;
  
  wherein generating the descriptor comprises correlating the malicious activity corresponding to the resource in the first virtual machine to the malicious activity in the first sink virtual machine.

10. A system comprising:
- a firewall computer system programmed to;
  
  receive a request from a user system for a resource at a uniform resource locator (URL);
  
  retrieve the resource and return the resource to the user system;
  
  provide the URL to a honey client computer system;
  
  the honey client computer system, the honey client computer system programmed to;
  
  access by a first virtual machine the URL;
  
  detect malicious activity corresponding to the resource in the first virtual machine;
  
  generate a descriptor of the malicious activity; and
  
  transmit the descriptor to the user system;
  
  wherein the honey client computer system is further programmed to permit outbound traffic corresponding to the resource from the first virtual machine;
  
  the system further comprises a sinkhole computer system programmed to;
  
  receive the outbound traffic on a second virtual machine; and
  
  detect malicious activity on the second virtual machine;
  
  generating the descriptor comprises correlating the malicious activity corresponding to the resource in the first virtual machine to the malicious activity on the second virtual machine.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The system of claim 10, wherein accessing by the first virtual machine the resource comprises:
    - accessing on the first virtual machine the resource using a plurality of browsers.
  - 12. The system of claim 10, wherein accessing by the first virtual machine the resource comprises:
    - accessing on the first virtual machine the resource using a plurality of browsers each operating within a different operating system within the first virtual machine.
  - 13. The system of claim 10, wherein:
    - the honey client computer system is further programmed to report the URL to the firewall computer system;
      
      the firewall computer system is programmed to blacklist the URL.
  - 14. The system of claim 10, wherein the user system is programmed to:
    - detect malicious code using the descriptor; and
      
      remove the malicious code.
  - 15. The system of claim 10, wherein detecting malicious activity corresponding to the resource in the first virtual machine further comprises permitting installation and execution of malicious code in the first virtual machine.
  - 16. The system of claim 10, wherein the honey client computer system is further programmed to block outbound traffic from the first virtual machine.

17. A system comprising:
- a firewall computer system programmed to;
  
  receive a request from a user system for a resource at a uniform resource locator (URL);
  
  retrieve the resource and return the resource to the user system;
  
  provide the URL to a honey client computer system;
  
  the honey client computer system, the honey client computer system programmed to;
  
  access by a first virtual machine the URL;
  
  detect malicious activity corresponding to the resource in the first virtual machine;
  
  generate a descriptor of the malicious activity; and
  
  transmit the descriptor to the user system wherein;
  
  the sinkhole computer system is further programmed to;
  
  transform the outbound traffic on the second virtual machine to obtain transformed traffic;
  
  transmit the transformed traffic to a destination specified in the outbound traffic; and
  
  receive a response to the transformed traffic;
  
  wherein generating the descriptor comprises correlating the response to the transformed traffic, the malicious activity corresponding to the resource in the first virtual machine, and the malicious activity on the second virtual machine.
- View Dependent Claims (18)
- - 18. The system of claim 17, wherein transforming the outbound traffic comprises setting a destination of the transformed traffic to refer to the second virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SentinelOne Inc.
Original Assignee
Attivo Networks, Inc.
Inventors
Vissamsetty, Venu, Buruganahalli, Shivakumar
Primary Examiner(s)
Song, Hosuk

Application Number

US14/466,646
Publication Number

US 20150326599A1
Time in Patent Office

648 Days
Field of Search

713/150, 713/154, 713/188, 726 11- 15, 726 22- 26, 709223-225
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 2463/144   Detection or countermeasure...

H04L 2463/146   Tracing the source of attacks

H04L 63/02   for separating internal fro...

H04L 63/1433   Vulnerability analysis

H04L 63/1491   using deception as counterm...

Evaluating URLS for malicious content

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Evaluating URLS for malicious content

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links