Detecting malicious network content

US 9,519,782 B2
Filed: 02/24/2012
Issued: 12/13/2016
Est. Priority Date: 02/24/2012
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious content within data storage devices, the method comprising:

detecting coupling of one or more data storage devices to an interface of a digital device upon insertion of the one or more data storage devices into the interface of the digital device;

quarantining data associated with the one or more data storage devices by (i) redirecting at least a portion of the data, transmitted from the one or more data storage devices, to a controller remotely located from the digital device for analysis and (ii) intercepting access requests from the digital device to access the data;

receiving, by the controller, the redirected data from the one or more data storage devices;

selecting an analysis from a plurality of analysis types based on an estimated amount of time needed for analysis of the redirected data for malware without exceeding a predetermined time allotted for analysis;

analyzing the redirected data with the selected analysis to determine whether the one or more data storage devices store malware; and

based on the determination, identifying whether the one or more data storage devices stores malware by providing a warning signal.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for detecting malicious content on portable data storage devices or remote network servers are provided. In an exemplary embodiment, a system comprises a quarantine module configured to detect one or more portable data storage devices upon insertion of the devices into a security appliance, wherein the security appliance is configured to receive the portable data storage devices, a controller configured to receive from the security appliance, via a communication network, data associated with the portable data storage devices, an analysis module configured to analyze the data to determine whether the data includes malware, and a security module to selectively identify, based on the determination, the one or more portable data storage devices storing the malware.

Citations

56 Claims

1. A method for detecting malicious content within data storage devices, the method comprising:
- detecting coupling of one or more data storage devices to an interface of a digital device upon insertion of the one or more data storage devices into the interface of the digital device;
  
  quarantining data associated with the one or more data storage devices by (i) redirecting at least a portion of the data, transmitted from the one or more data storage devices, to a controller remotely located from the digital device for analysis and (ii) intercepting access requests from the digital device to access the data;
  
  receiving, by the controller, the redirected data from the one or more data storage devices;
  
  selecting an analysis from a plurality of analysis types based on an estimated amount of time needed for analysis of the redirected data for malware without exceeding a predetermined time allotted for analysis;
  
  analyzing the redirected data with the selected analysis to determine whether the one or more data storage devices store malware; and
  
  based on the determination, identifying whether the one or more data storage devices stores malware by providing a warning signal.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 34, 35)
- - 2. The method of claim 1, wherein at least one of the one or more storage devices is a Universal Serial Bus (USB) flash drive and the interface is a USB interface.
  - 3. The method of claim 1, wherein the digital device is configured to receive a plurality of portable data storage devices simultaneously.
  - 4. The method of claim 1, wherein in response to the identifying of the one or more data storage devices as storing the malware, the digital device provides the warning signal that includes audible sound.
  - 5. The method of claim 1, wherein the digital device provides the estimated time that is based, at least in part, on a determined latency of the communication network.
  - 6. The method of claim 1, wherein the digital device comprises a security appliance that is positioned at a selected security screening location.
  - 7. The method of claim 1, wherein the digital device includes a host device and the quarantining further comprises:
    - preventing processing by the host device of the data from the one or more data storage devices.
  - 8. The method of claim 1, wherein insertion of the one or more data storage devices into the digital device is detected based on a request by a data storage device for an internet protocol (IP) address.
  - 9. The method of claim 1, wherein the controller performs the receiving and the analyzing.
  - 10. The method of claim 9, wherein the analyzing is performed by the controller, at least in part, in a virtual analysis environment.
  - 11. The method of claim 1, wherein the redirected data associated with the one or more storage devices is received by the controller from the digital device over a communication network.
  - 12. The method of claim 1, wherein the redirecting of the data to the controller comprises redirecting the data to the controller contained in the digital device.
  - 13. The method of claim 1, wherein the selected analysis is a heuristic analysis.
  - 14. The method of claim 1, wherein the controller includes at least one digital device configured to receive and analyze the redirected data for a presence of the malware within the one or more data storage devices.
  - 15. The method of claim 1, wherein the digital device computes the estimated amount of time needed for analysis of the redirected data for malware.
  - 16. The method of claim 1, wherein the quarantining of the data associated with the one or more data storage devices occurs in response to insertion of a portable storage device of the one or more data storage devices into a corresponding slot of the digital device that is configured to receive the portable storage device.
  - 17. The method of claim 1, wherein the selecting of the analysis based on the estimated amount of time needed for analysis of the redirected data for malware comprises selecting one of a plurality of heuristic analyses.
  - 18. The method of claim 1, wherein the selecting of the analysis based on the estimated amount of time needed for analysis of the redirected data for malware comprises selecting a particular data type of the redirected data for analysis.
  - 19. The method of claim 18, wherein the selecting of the particular data type of the redirected data comprises selecting one or more particular files from a plurality of files that are part of the redirected data.
  - 20. The method of claim 1, further comprising transmitting a command to the digital device to configure security settings associated with the one or more data storage devices.
  - 21. The method of claim 1, wherein the analyzing of the redirected data comprises:
    - configuring a virtual machine to receive the redirected data, wherein the virtual machine is configured with one of a plurality of different virtual machine configurations to simulate one or more performance characteristics of a destination device intended to receive the redirected data; and
      
      analyzing a response of the virtual machine to the redirected data to identify a malware attack.
  - 22. The method of claim 1, wherein the analyzing of the redirected data comprises:
    - analyzing the redirected data with the selected analysis to identify data containing one or more suspicious characteristics, the selected analysis being a heuristic analysis;
      
      configuring a virtual machine to receive the redirected data containing one or more suspicious characteristics; and
      
      analyzing a response of the virtual machine to identify the malware within the redirected data containing one or more suspicious characteristics from the one or more data storage devices.
  - 23. The method of claim 22, wherein the analyzing of the redirected data with the selected analysis to identify data containing one or more suspicious characteristics further comprises saving a copy of the redirected data and analyzing the copy of the redirected data with the selected analysis;
    - and wherein the analyzing of the response of the virtual machine further comprises selectively identifying the one or more data storage devices as storing the malware.
  - 34. The method of claim 1, wherein the plurality of analysis types comprise a first heuristic analysis and a second heuristic analysis that is less comprehensive than the first heuristic analysis.
  - 35. The method of claim 34, wherein a copy of the redirected data is stored for later analysis in response to selection of the second heuristic analysis.

24. A method for detecting malicious content within data storage devices, the method comprising:
- detecting a connection of a portable storage device to a host device upon insertion of the portable storage device into an interface of the host device;
  
  in response to the detected connection, quarantining data stored on the portable storage device by intercepting data transmitted from the portable storage device to the host device, and wherein access requests from the host device to access the data stored on the portable storage device are intercepted to further quarantine the data from the host device;
  
  selecting an analysis from a plurality of analysis types based on an estimated amount of time needed for analysis of the intercepted data for malware without exceeding a predetermined time allotted for analysis;
  
  analyzing the intercepted data with the selected analysis at a controller in communication with the host device via a communication network to determine whether the intercepted data includes malware; and
  
  based on the determination, selectively identifying the portable storage device as storing the malware.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 36, 37, 38, 39, 40, 41, 42)
- - 25. The method of claim 24, wherein the analyzing of the intercepted data comprises:
    - analyzing the intercepted data with the selected analysis to identify the intercepted data containing one or more suspicious characteristics, the selected analysis being a heuristic analysis;
      
      configuring a virtual machine to receive the intercepted data containing the one or more suspicious characteristics; and
      
      analyzing the response of the virtual machine to the intercepted data containing the one or more suspicious characteristics to identify a malware attack.
  - 26. The method of claim 24, wherein the analyzing of the intercepted data to determine whether the intercepted data includes malware further comprises:
    - configuring a virtual machine with the one of a plurality of different virtual machine configurations to simulate one or more performance characteristics of a destination device to receive the intercepted data;
      
      transmitting the intercepted data to the configured virtual machine; and
      
      analyzing a response of the virtual machine to the intercepted data to identify a malware attack.
  - 27. The method of claim 24, wherein the controller is communicatively coupled with the host device over a communication network and the estimated time is based, at least in part, on a determined latency of the communication network.
  - 28. The method of claim 24, wherein the controller is executed within the host device.
  - 29. The method of claim 24, wherein the analyzing is performed by the controller.
  - 30. The method of claim 24, further comprising:
    - notifying the host device that the intercepted data stored on the portable storage device does not contain malware.
  - 31. The method of claim 24, wherein the intercepted data is quarantined from the host device by the controller to prevent the host device from processing the intercepted data.
  - 32. The method of claim 24, wherein the controller is configured to transmit a command to the host device to activate one or more security programs.
  - 33. The method of claim 32, wherein the one or more security programs are resident on the portable storage device and are configured to operate security functions with respect to the intercepted data.
  - 36. The method of claim 24, wherein the controller includes at least one digital device configured to receive and analyze the intercepted data for a presence of the malware within the portable data storage device.
  - 37. The method of claim 24, wherein the digital device computes the estimated amount of time needed for analysis of the intercepted data for malware.
  - 38. The method of claim 24, wherein the quarantining of the data occurs in response to insertion of the portable storage device into a corresponding slot of the host device that is configured to receive the portable storage device.
  - 39. The method of claim 24, wherein the selecting of the analysis based on the estimated amount of time needed for analysis of the intercepted data for malware comprises selecting one of a plurality of heuristic analyses to be conducted on the intercepted data.
  - 40. The method of claim 24, wherein the selecting of the analysis based on the estimated amount of time needed for analysis of the intercepted data for malware comprises selecting a particular data type of the intercepted data for analysis.
  - 41. The method of claim 40, wherein the selecting of the particular data type of the intercepted data comprises selecting one or more particular files from a plurality of files that are part of the intercepted data.
  - 42. The method of claim 41, wherein the estimated amount of time needed for analysis of the intercepted data is based, at least in part, on a latency of the first communication network.

43. A system for detecting malicious content within portable data storage devices, the system comprising:
- a quarantine module configured to detect a connection of one or more data storage devices upon insertion of the one or more data storage devices into a digital device, the digital device being configured to receive the one or more data storage devices, wherein the quarantine module is configured to quarantine all data from an IP address of the data storage devices for a period of time by redirecting transmission of the data to a controller, from the one or more data storage devices, and intercepting access requests of the digital device to access the data; and
  
  the controller communicatively coupled to the digital device via a communication network, the controller configured to receive at least the redirected data from the quarantine module, the controller includes at leasta heuristic module configured to select a heuristic analysis from a plurality of heuristic analysis types based on an estimated amount of time needed for analysis of the redirected data for malware without exceeding a predetermined time and to analyze the redirected data with the selected heuristic analysis to determine whether the redirected data includes malware; and
  
  a security module to selectively identify, based on the determination, the one or more data storage devices storing the malware.
- View Dependent Claims (44, 45, 46, 47, 48, 49)
- - 44. The system of claim 43, wherein the heuristic module configured to select a heuristic analysis from the plurality of heuristic analysis types, the plurality of analysis types comprise a first heuristic analysis and a second heuristic analysis that is less comprehensive and requires less time for analysis than the first heuristic analysis.
  - 45. The system of claim 43, wherein the estimated time is based, at least in part, on a determined latency of the communication network.
  - 46. The system of claim 43, wherein the controller includes at least one digital device configured to receive and analyze the redirected data for a presence of the malware.
  - 47. The system of claim 43, wherein the digital device computes the estimated amount of time needed for analysis of the intercepted data for malware.
  - 48. The system of claim 43, wherein the quarantine module to quarantine the data from an Internet Protocol (IP) address of a portable data storage device of the one or more data storage devices in response to the portable data storage device being inserted into a corresponding slot of the digital device configured to receive the portable data storage device.
  - 49. The system of claim 43, wherein the estimated amount of time needed for analysis of the redirected data is based, at least in part, on a latency of the communication network.

50. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executed by a processor for performing a method for detecting malicious content within data storage devices, the method comprising:
- detecting coupling of one or more data storage devices to a security appliance upon insertion of the one or more data storage devices into an interface of the security appliance, the security appliance being configured with the interface to receive the one or more data storage devices;
  
  quarantining, by the security appliance, data associated with the one or more data storage devices by redirecting the data that is transmitted from the one or more data storage devices to the security appliance to a controller, and intercepting access requests from the security appliance to access the data;
  
  receiving from the security appliance, via a communication network, at least the redirected data from the security appliance;
  
  selecting an analysis from a plurality of analysis types based on an estimated amount of time needed for analysis of the redirected data for malware without exceeding a predetermined time allotted for analysis;
  
  analyzing the redirected data with the selected analysis to determine whether the data includes malware; and
  
  based on the determination, selectively identifying the one or more data storage devices storing the malware.
- View Dependent Claims (51, 52, 53, 54, 55, 56)
- - 51. The non-transitory machine readable medium of claim 50, wherein the executable code being executed by the processor for selecting the analysis from the plurality of analysis types comprises selecting one of a first heuristic analysis or a second heuristic analysis as the selected analysis from the plurality of analysis types, the plurality of analysis types include the first heuristic analysis and the second heuristic analysis that is less comprehensive and requires less time for analysis than the first heuristic analysis.
  - 52. The non-transitory computer readable medium of claim 50, wherein the security appliance computes the estimated amount of time needed for analysis of the redirected data for malware.
  - 53. The non-transitory computer readable medium of claim 50, wherein the quarantining of the data associated with the one or more data storage devices occurs in response to insertion of a portable data storage device of the one or more data storage devices into a corresponding slot of the security appliance configured to receive the portable data storage device.
  - 54. The non-transitory computer readable medium of claim 50, wherein the selecting of the analysis based on the estimated amount of time needed for analysis of the redirected data for malware comprises selecting one of a plurality of heuristic analyses.
  - 55. The non-transitory computer readable medium of claim 50, wherein the selecting of the analysis based on the estimated amount of time needed for analysis of the redirected data for malware comprises selecting a particular data type of the redirected data for analysis.
  - 56. The non-transitory computer readable medium of claim 55, wherein the selecting of the particular data type of the redirected data comprises selecting one or more particular files from a plurality of files that are part of the redirected data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Aziz, Ashar, Staniford, Stuart Gresley, Amin, Muhammad, Uyeno, Henry, Yie, Samuel
Primary Examiner(s)
Poltorak, Peter

Application Number

US13/405,152
Publication Number

US 20130227691A1
Time in Patent Office

1,754 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/567 using dedicated hardware

H04L 63/145 the attack involving the pr...

Detecting malicious network content

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

56 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting malicious network content

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

56 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links