Malware detection using internal malware detection operations

US 9,413,782 B1
Filed: 01/27/2015
Issued: 08/09/2016
Est. Priority Date: 03/31/2014
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

one or more processors; and

a memory storing instructions that, when executed by the one or more processors, cause the one or more processors to;

determine to perform an internal malware detection operation to detect malware executing on a client device;

perform the internal malware detection operation,the internal malware detection operation being performed locally on a particular device without requiring communication with another device, andthe internal malware detection operation including at least one of;

an artifact persistence operation to delete a first artifact and determine whether the first artifact has been recreated,an artifact decoy operation to create a second artifact and determine whether the second artifact has been modified, oran artifact integrity operation to detect that a third artifact has been modified in a particular manner;

modify an environment executing on the particular device, to form a modified environment, based on performing the internal malware detection operation;

monitor the modified environment for a particular behavior indicative of a malware infection;

detect that the particular behavior has occurred; and

provide a notification that the client device is infected with malware based on detecting that the particular behavior has occurred,the notification causing one or more network devices to block network traffic to or from the client device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system may determine to perform an internal malware detection operation to detect malware executing on a client device. The system may perform the internal malware detection operation. The internal malware detection operation may be performed locally on a particular device without requiring communication with another device. The system may modify an environment executing on the particular device, to form a modified environment, based on performing the internal malware detection operation. The system may monitor the modified environment for a particular behavior indicative of a malware infection. The system may detect that the particular behavior has occurred. The system may provide a notification that the client device is infected with malware based on detecting that the particular behavior has occurred. The notification may cause one or more network devices to block network traffic to or from the client device.

22 Citations

View as Search Results

20 Claims

1. A system, comprising:
- one or more processors; and
  
  a memory storing instructions that, when executed by the one or more processors, cause the one or more processors to;
  
  determine to perform an internal malware detection operation to detect malware executing on a client device;
  
  perform the internal malware detection operation,the internal malware detection operation being performed locally on a particular device without requiring communication with another device, andthe internal malware detection operation including at least one of;
  
  an artifact persistence operation to delete a first artifact and determine whether the first artifact has been recreated,an artifact decoy operation to create a second artifact and determine whether the second artifact has been modified, oran artifact integrity operation to detect that a third artifact has been modified in a particular manner;
  
  modify an environment executing on the particular device, to form a modified environment, based on performing the internal malware detection operation;
  
  monitor the modified environment for a particular behavior indicative of a malware infection;
  
  detect that the particular behavior has occurred; and
  
  provide a notification that the client device is infected with malware based on detecting that the particular behavior has occurred,the notification causing one or more network devices to block network traffic to or from the client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, where the client device and the particular device are a same device.
  - 3. The system of claim 1, where the client device and the particular device are different devices.
  - 4. The system of claim 1, where the one or more processors, when performing the artifact persistence operation, are to:
    - monitor a particular location within the environment;
      
      detect that the first artifact has been created in the particular location based on monitoring the particular location; and
      
      delete the first artifact;
      
      where the one or more processors, when monitoring the modified environment for the particular behavior, are to;
      
      monitor the environment to determine whether the first artifact has been recreated within a threshold amount of time;
      
      where the one or more processors, when detecting that the particular behavior has occurred, are to;
      
      detect that the first artifact has been recreated within the threshold amount of time; and
      
      where the one or more processors, when providing the notification that the client device is infected with malware, are to;
      
      provide the notification that the client device is infected with malware based on detecting that the first artifact has been recreated within the threshold amount of time.
  - 5. The system of claim 1, where the one or more processors, when performing the artifact decoy operation, are to:
    - create the second artifact in a particular location of the environment;
      
      where the one or more processors, when monitoring the modified environment for the particular behavior, are to;
      
      monitor the environment to determine whether the second artifact has been modified;
      
      where the one or more processors, when detecting that the particular behavior has occurred, are to;
      
      detect that the second artifact has been modified; and
      
      where the one or more processors, when providing the notification that the client device is infected with malware, are to;
      
      provide the notification that the client device is infected with malware based on detecting that the second artifact has been modified.
  - 6. The system of claim 1, where the one or more processors, when performing the artifact integrity operation, are to:
    - monitor the environment to determine whether the third artifact has been modified in the particular manner;
      
      where the one or more processors, when detecting that the particular behavior has occurred, are to;
      
      detect that the third artifact has been modified in the particular manner; and
      
      where the one or more processors, when providing the notification that the client device is infected with malware, are to;
      
      provide the notification that the client device is infected with malware based on detecting that the third artifact has been modified in the particular manner.
  - 7. The system of claim 1, where the internal malware detection operation further includes:
    - an illogical behavior operation to determine whether an illogical behavior has occurred;
      
      where the one or more processors are further to;
      
      determine an outcome of performing a respective internal malware detection operation; and
      
      determine that the client device is infected with malware based on the outcome; and
      
      where the one or more processors, when providing the notification that the client device is infected with malware, are to;
      
      provide the notification that the client device is infected with malware based on determining that the client device is infected with malware.

8. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors, cause the one or more processors to;
  
  determine to perform an internal malware detection operation to detect malware executing on a client device;
  
  perform the internal malware detection operation,the internal malware detection operation being performed locally on a particular device without requiring communication with another device;
  
  monitor a particular location within an environment executing on the particular device;
  
  detect that an artifact has been created in the particular location of the environment;
  
  delete the artifact;
  
  monitor the particular location to determine whether the artifact has been recreated within a threshold amount of time;
  
  detect that the artifact has been recreated within the threshold amount of time andprovide a notification that the client device is infected with malware based on detecting that the artifact has been recreated within the threshold amount of timethe notification causing one or more network devices to block network traffic to or from the client device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable medium of claim 8, where the client device and the particular device are a same device.
  - 10. The computer-readable medium of claim 8, where the client device and the particular device are different devices.
  - 11. The computer-readable medium of claim 8, where the artifact is a first artifact and the particular location is a first particular location;
    - where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to;
      
      create a second artifact in a second particular location of the environment;
      
      monitor the second particular location to determine whether the second artifact has been modified;
      
      detect that the second artifact has been modified; and
      
      provide the notification that the client device is infected with malware based on detecting that the second artifact has been modified.
  - 12. The computer-readable medium of claim 8, where the artifact is a first artifact and the particular location is a first particular location;
    - where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to;
      
      monitor the environment to determine whether a second artifact has been modified in a particular manner;
      
      detect that the second artifact has been modified in the particular manner; and
      
      provide the notification that the client device is infected with malware based on detecting that the second artifact has been modified in the particular manner.
  - 13. The computer-readable medium of claim 12, where the second artifact is a system file log;
    - andwhere the one or more instructions, when detecting that the second artifact has been modified in the particular manner, cause the one or more processors to;
      
      detect that a fake log in the system file has been edited or deleted.
  - 14. The computer-readable medium of claim 8, where the artifact is a first artifact;
    - where the internal malware detection operation includes at least one of;
      
      an artifact decoy operation to create a second artifact and determine whether the second artifact has been modified,an artifact integrity operation to detect that a third artifact has been modified in a particular manner, oran illogical behavior operation to determine whether an illogical behavior has occurred;
      
      where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to;
      
      determine an outcome of performing a respective internal malware detection operation; and
      
      determine that the client device is infected with malware based on the outcome; and
      
      where the one or more instructions, that cause the one or more processors to provide the notification that the client device is infected with malware, cause the one or more processors to;
      
      provide the notification that the client device is infected with malware based on determining that the client device is infected with malware.

15. A method, comprising:
- determining, by a particular device, to perform an internal malware detection operation to detect malware executing on a client device;
  
  performing, by the particular device, the internal malware detection operation,the internal malware detection operation being performed locally on the particular device without requiring communication with another device, andperforming the internal malware detection operation comprising;
  
  monitoring, by the particular device, a particular location within an environment executing on the particular device,detecting, by the particular device, that an artifact has been created in the particular location based on monitoring the particular location,modifying, by the particular device, the environment to form a modified environment based on performing the internal malware detection operation,modifying the environment comprising;
  
  deleting the artifact,monitoring, by the particular device, the modified environment for a particular behavior indicative of a malware infection,monitoring the modified environment for the particular behavior indicative of the malware infection comprising;
  
  monitoring the modified environment to determine whether the artifact has been recreated within a threshold amount of time;
  
  detecting, by the particular device, that the particular behavior has occurred,detecting that the particular behavior has occurred comprising;
  
  detecting that the artifact has been recreated within the threshold amount of time; and
  
  providing, by the particular device, a notification that the client device is infected with malware based on detecting that the particular behavior has occurred,providing the notification that the client device is infected with malware based on detecting that the particular behavior has occurred comprising;
  
  providing the notification that the client device is infected with malware based on detecting that the artifact has been recreated within the threshold amount of time, andthe notification causing one or more network devices to block network traffic to or from the client device.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, where the particular location is a first particular location;
    - andwhere performing the internal malware detection operation further comprises;
      
      monitoring a second particular location,determining that a shortcut has been created in the particular location,determining that the shortcut points to a file stored in a recycle bin, andproviding a notification that the client device is infected with malware based on determining that the shortcut points to the file stored in the recycle bin.
  - 17. The method of claim 15, where the client device and the particular device are a same device.
  - 18. The method of claim 15, where the client device and the particular device are different devices.
  - 19. The method of claim 15, where the artifact is a first artifact and the particular location is a first particular location;
    - where modifying the environment further comprises;
      
      creating a second artifact in a second particular location of the environment;
      
      where monitoring the modified environment for the particular behavior further comprises;
      
      monitoring the environment to determine whether the second artifact has been modified;
      
      where detecting that the particular behavior has occurred further comprises;
      
      detecting that the second artifact has been modified; and
      
      where providing the notification that the client device is infected with malware further comprises;
      
      providing the notification that the client device is infected with malware based on detecting that the second artifact has been modified.
  - 20. The method of claim 15, where the artifact is a first artifact;
    - where performing the internal malware detection operation further comprises at least one of;
      
      an artifact decoy operation to create a second artifact and determine whether the second artifact has been modified,an artifact integrity operation to detect that a third artifact has been modified in a particular manner, oran illogical behavior operation to determine whether an illogical behavior has occurred;
      
      where the method further comprises;
      
      determining an outcome of performing a respective internal malware detection operation; and
      
      determining that the client device is infected with malware based on the outcome; and
      
      where providing the notification that the client device is infected with malware further comprises;
      
      providing the notification that the client device is infected with malware based on determining that the client device is infected with malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Adams, Kyle, Quinlan, Daniel J.
Primary Examiner(s)
Tolentino, Roderick

Application Number

US14/606,752
Time in Patent Office

560 Days
Field of Search

726 22- 24
US Class Current

1/1
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/145 the attack involving the pr...

Malware detection using internal malware detection operations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Malware detection using internal malware detection operations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others