System and method for detecting exfiltration content
Abstract
Techniques for detecting exfiltration content are described herein. According to one embodiment, a malicious content suspect is executed within a virtual machine that simulates a target operating environment associated with the malicious content suspect. A packet inspection is performed on outbound network traffic initiated by the malicious content suspect to determine whether the outbound network traffic matches a predetermined network traffic pattern. An alert is generated indicating that the malicious content suspect should be declared as malicious, in response to determining that the outbound network traffic matches the predetermined network traffic pattern.
41 Claims
1. A computer-implemented method for detecting exfiltration content, comprising:
- executing, by a processor, a malicious content suspect within a virtual machine that simulates a target operating environment associated with the malicious content suspect;
- prior to outbound network traffic initiated by the malicious content suspect leaving the virtual machine, performing a packet inspection, by a packet inspector executed by the processor and running within the virtual machine, on the outbound network traffic, the packet inspection to determine whether a portion of the outbound network traffic matches one or more portions of predetermined network traffic patterns or signatures;
- responsive to determining the portion of the outbound network traffic matches the one or more portions of predetermined network traffic patterns or signatures, determining whether the outbound network traffic includes at least one environmental property of the virtual machine that is unique to the virtual machine;
- responsive to determining the outbound network traffic includes the at least one environmental property of the virtual machine that is unique to the virtual machine, precluding migration of the outbound network traffic outside of the virtual machine to avoid the malicious content suspect from (i) gaining access to other components or (ii) signaling that the packet inspection is being conducted; and
- generating an alert by a module executed by the processor, the alert indicating that the malicious content suspect is attempting to perform an exfiltration of data based on determining that the outbound network traffic includes the at least one unique environmental property of the virtual machine.

Dependent claims: 2 through 13.
14. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations for detecting exfiltration content, comprising:
- executing a malicious content suspect within a virtual machine that simulates a target operating environment associated with the malicious content suspect;
- prior to outbound network traffic initiated by the malicious content suspect leaving the virtual machine, performing a packet inspection within the virtual machine on the outbound network traffic, the packet inspection to determine whether a portion of the outbound network traffic matches one or more portions of predetermined network traffic patterns or signatures;
- responsive to determining the portion of the outbound network traffic matches the one or more portions of predetermined network traffic patterns or signatures, determining whether the outbound network traffic includes at least one environmental property of the virtual machine that is unique to the virtual machine;
- responsive to determining the outbound network traffic includes the at least one environmental property of the virtual machine that is unique to the virtual machine, precluding migration of the outbound network traffic outside of the virtual machine to avoid the malicious content suspect from (i) gaining access to other components or (ii) signaling that the packet inspection is being conducted;
- generating an alert indicating that the malicious content suspect is attempting to perform an exfiltration of data based on determining that the outbound network traffic includes the at least one unique environmental property of the virtual machine; and
- transmitting the alert via an external network.

Dependent claims: 15 through 21.
22. A data processing system, comprising:
- a processor; and
- a memory coupled to the processor for storing instructions, which when executed from the memory, cause the processor to:
  - execute a malicious content suspect within a virtual machine that simulates a target operating environment associated with the malicious content suspect,
  - prior to outbound network traffic initiated by the malicious content suspect leaving the virtual machine, perform a packet inspection, by a packet inspector executed by the processor and running within the virtual machine, on the outbound network traffic, the packet inspection to determine whether a portion of the outbound network traffic matches one or more portions of predetermined network traffic patterns or signatures,
  - responsive to determining the portion of the outbound network traffic matches the one or more portions of predetermined network traffic patterns or signatures, determine whether the outbound network traffic includes at least one environmental property of the virtual machine that is unique to the virtual machine,
  - responsive to determining the outbound network traffic includes the at least one environmental property of the virtual machine that is unique to the virtual machine, preclude migration of the outbound network traffic outside of the virtual machine to avoid the malicious content suspect from (i) gaining access to other components or (ii) signaling that the packet inspection is being conducted, and
  - generating an alert by a module executed by the processor, the alert indicating that the malicious content suspect is attempting to perform an exfiltration of data based on determining that the outbound network traffic includes the at least one unique environmental property of the virtual machine.

Dependent claims: 23 through 29.
30. A method for detecting malicious content undergoing exfiltration over a network, the method comprising:
- prior to outbound network traffic initiated by a malicious content suspect leaving a virtual machine of a data processing system, capturing, by a packet capturer of the data processing system, the outbound network traffic to a remote node over a network, the outbound network traffic being initiated from an application running within the data processing system and comprises network data transmitted in accordance with a predetermined network communication protocol;
- dynamically performing a packet inspection within the virtual machine, by a packet inspector of the data processing system, on the outbound network traffic to determine whether a portion of the outbound network traffic matches one or more portions of predetermined network traffic patterns or signatures;
- responsive to determining the portion of the outbound network traffic matches the one or more portions of predetermined network traffic patterns or signatures, determining whether the outbound network traffic contains machine identifying information identifying the data processing system;
- responsive to determining the outbound network traffic includes the at least one environmental property of the virtual machine that is unique to the virtual machine, precluding migration of the outbound network traffic outside of the virtual machine to avoid signaling that the packet inspection is being conducted, the identifying information includes an identifier of the data processing system; and
- generating an alert indicating that the application has attempted to commit data exfiltration, in response to determining that the outbound network traffic contains machine identifying information.

Dependent claims: 31 through 41.
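As an added example (this is not code from the patent or from its assignee), the following Python script walks one outbound payload through the steps the independent claims describe: a match against predetermined traffic patterns, a check for an environmental property that only the analysis VM has, a drop decision that keeps the packet inside the VM, and an alert. The signatures, the VM's hostname, MAC address and canary token, and the sample payloads are all constructed for illustration. It goes slightly beyond the claims' wording by also searching base64- and hex-decoded copies of the payload, since an exfiltrated machine identifier is rarely sent verbatim.

```python
"""Toy in-VM outbound packet inspector following the steps of claim 1.
Added example, not code from the patent or its assignee; signatures, VM
properties and sample payloads are all constructed."""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class VmEnvironment:
    """Environmental properties unique to the analysis VM (constructed values)."""
    hostname: str
    mac_address: str
    canary_token: str  # seeded into the VM purely so that its leakage is recognisable

@dataclass
class Verdict:
    action: str  # "ALLOW" or "DROP"
    matched_signature: Optional[str]  # which predetermined pattern matched, if any
    leaked_property: Optional[str]  # which VM property was found, and in which encoding
    alert: Optional[str]  # alert text, present only when the traffic is blocked

# Predetermined network traffic patterns or signatures (constructed).
SIGNATURES = {
    "http-post-upload": re.compile(rb"^POST \S+ HTTP/1\.[01]\r\n", re.MULTILINE),
    "dns-long-label": re.compile(rb"(?:[A-Za-z0-9]{30,}\.)+[a-z]{2,}"),
    "base64-blob": re.compile(rb"[A-Za-z0-9+/]{48,}={0,2}"),
}
# Runs that may be an encoded copy of something; both kinds are decoded and searched.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
_HEX_RUN = re.compile(rb"(?:[0-9a-fA-F]{2}){8,}")

def match_signature(payload: bytes) -> Optional[str]:
    """Name of the first predetermined signature matching the payload, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return name
    return None

def decoded_views(payload: bytes) -> List[Tuple[str, bytes]]:
    """The payload plus decoded copies of any base64 or hex runs inside it.
    Exfiltrated identifiers are often encoded, so a plain substring search would miss them."""
    views: List[Tuple[str, bytes]] = [("plain", payload)]
    for m in _B64_RUN.finditer(payload):
        blob = m.group(0) + b"=" * (-len(m.group(0)) % 4)  # restore stripped padding
        try:
            views.append(("base64", base64.b64decode(blob, validate=True)))
        except ValueError:
            continue  # not actually base64; ignore this run
    for m in _HEX_RUN.finditer(payload):
        views.append(("hex", bytes.fromhex(m.group(0).decode("ascii"))))
    return views

def find_environment_property(payload: bytes, env: VmEnvironment) -> Optional[str]:
    """Does the traffic carry a property only this VM has? Returns 'name (encoding)' or None."""
    needles = {
        "hostname": env.hostname.lower().encode(),
        "mac_address": env.mac_address.lower().encode(),
        "canary_token": env.canary_token.lower().encode(),
    }
    for encoding, view in decoded_views(payload):
        haystack = view.lower()
        for name, needle in needles.items():
            if needle in haystack:
                return f"{name} ({encoding})"
    return None

def inspect_outbound(payload: bytes, env: VmEnvironment) -> Verdict:
    """Inspect one outbound payload before it is allowed to leave the VM."""
    signature = match_signature(payload)
    if signature is None:
        return Verdict("ALLOW", None, None, None)
    leaked = find_environment_property(payload, env)
    if leaked is None:
        # Under claim 1 a pattern match alone does not block; the VM-unique property does.
        return Verdict("ALLOW", signature, None, None)
    # The packet is dropped inside the VM rather than answered or reset, so the
    # suspect is given nothing that reveals it is being inspected.
    return Verdict("DROP", signature, leaked,
                   f"exfiltration attempt: signature={signature}, leaked {leaked}")

ANALYSIS_VM = VmEnvironment(hostname="SANDBOX-VM-7F3A", mac_address="00:50:56:ab:cd:ef",
                            canary_token="canary-5d41402a")

def sample_payloads() -> Dict[str, bytes]:
    """Constructed outbound payloads as the in-VM packet inspector would see them."""
    host = ANALYSIS_VM.hostname.encode()
    return {
        "benign_get": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
        "post_no_leak": b'POST /api/ping HTTP/1.1\r\nHost: example.com\r\n\r\n{"status":"ok"}',
        "plain_beacon": b"POST /gate.php HTTP/1.1\r\nHost: example.net\r\n\r\nid=" + host + b"&os=win10",
        "encoded_beacon": b"POST /upload HTTP/1.1\r\nHost: example.org\r\n\r\ndata="
        + base64.b64encode(b"host=" + host + b";user=admin"),
        # Query name of a DNS lookup (text form, not a wire packet): the hostname as one hex label.
        "dns_tunnel": host.hex().encode() + b".example.com",
    }

def run_demo() -> Dict[str, str]:
    """Inspect every sample; returns name -> action and prints the alerts raised."""
    results = {}
    for name, payload in sample_payloads().items():
        verdict = inspect_outbound(payload, ANALYSIS_VM)
        results[name] = verdict.action
        print(f"{name:15s} {verdict.action:5s} {verdict.alert or ''}")
    return results

if __name__ == "__main__":
    run_demo()
```

Running the script prints one line per sample: the plain GET and the POST without any VM identifier are allowed, while the three payloads that carry the hostname (verbatim, base64-encoded, or as a hex DNS label) are dropped with an alert. A pattern match without a VM-unique property is allowed through here only because that is how claim 1 words the trigger; in practice a sandbox would normally keep even that traffic off the real network, and the claim's distinction is about what raises the exfiltration alert rather than what reaches the internet.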