System and method for detecting exfiltration content

US 9,565,202 B1
Filed: 03/13/2013
Issued: 02/07/2017
Est. Priority Date: 03/13/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting exfiltration content, comprising:

executing, by a processor, a malicious content suspect within a virtual machine that simulates a target operating environment associated with the malicious content suspect;

prior to outbound network traffic initiated by the malicious content suspect leaving the virtual machine, performing a packet inspection, by a packet inspector executed by the processor and running within the virtual machine, on the outbound network traffic, the packet inspection to determine whether a portion of the outbound network traffic matches one or more portions of predetermined network traffic patterns or signatures;

responsive to determining the portion of the outbound network traffic matches the one or more portions of predetermined network traffic patterns or signatures, determining whether the outbound network traffic includes at least one environmental property of the virtual machine that is unique to the virtual machine;

responsive to determining the outbound network traffic includes the at least one environmental property of the virtual machine that is unique to the virtual machine, precluding migration of the outbound network traffic outside of the virtual machine to avoid the malicious content suspect from (i) gaining access to other components or (ii) signaling that the packet inspection is being conducted; and

generating an alert by a module executed by the processor, the alert indicating that the malicious content suspect is attempting to perform an exfiltration of data based on determining that the outbound network traffic includes the at least one unique environmental property of the virtual machine.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for detecting exfiltration content are described herein. According to one embodiment, a malicious content suspect is executed within a virtual machine that simulates a target operating environment associated with the malicious content suspect. A packet inspection is performed on outbound network traffic initiated by the malicious content suspect to determine whether the outbound network traffic matches a predetermined network traffic pattern. An alert is generated indicating that the malicious content suspect should be declared as malicious, in response to determining that the outbound network traffic matches the predetermined network traffic pattern.

Citations

41 Claims

1. A computer-implemented method for detecting exfiltration content, comprising:
- executing, by a processor, a malicious content suspect within a virtual machine that simulates a target operating environment associated with the malicious content suspect;
  
  prior to outbound network traffic initiated by the malicious content suspect leaving the virtual machine, performing a packet inspection, by a packet inspector executed by the processor and running within the virtual machine, on the outbound network traffic, the packet inspection to determine whether a portion of the outbound network traffic matches one or more portions of predetermined network traffic patterns or signatures;
  
  responsive to determining the portion of the outbound network traffic matches the one or more portions of predetermined network traffic patterns or signatures, determining whether the outbound network traffic includes at least one environmental property of the virtual machine that is unique to the virtual machine;
  
  responsive to determining the outbound network traffic includes the at least one environmental property of the virtual machine that is unique to the virtual machine, precluding migration of the outbound network traffic outside of the virtual machine to avoid the malicious content suspect from (i) gaining access to other components or (ii) signaling that the packet inspection is being conducted; and
  
  generating an alert by a module executed by the processor, the alert indicating that the malicious content suspect is attempting to perform an exfiltration of data based on determining that the outbound network traffic includes the at least one unique environmental property of the virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the determining whether the outbound network traffic includes the at least one unique environmental property of the virtual machine comprises matching the at least one unique environmental property to any of a set of patterns that is based on a virtual machine selected to process the malicious content suspect.
  - 3. The method of claim 1, wherein the at least one unique environmental property of the virtual machine comprises an identifier of an electronic device represented by the virtual machine.
  - 4. The method of claim 3, wherein the identifier comprises a NetBIOS name associated with the virtual machine.
  - 5. The method of claim 1, wherein the performing of the packet inspection comprises performing a content search of the outbound network traffic based on a predetermined signature that was generated by encoding, using a predetermined encoding algorithm, a text string representing a unique identifier of an electronic device represented by the virtual machine comprising the at least one environmental property.
  - 6. The method of claim 1, wherein the at least one environmental property of the virtual machine is unique when an encoded or compressed form of data of the at least one environmental property fails to match generic network traffic.
  - 7. The method of claim 1, wherein a destination of the outbound network traffic is represented by a virtual network interface presented by the virtual machine, without allowing the outbound network traffic to reach an actual destination outside of a data processing system that hosts the virtual machine.
  - 8. The method of claim 1, wherein the at least one unique environmental property of the virtual machine comprises identifying information associated with hardware included in an electronic device that is represented by the virtual machine.
  - 9. The method of claim 8, wherein the identifying information comprises a serial number for a processor associated with the electronic device.
  - 10. The method of claim 8, wherein the identifying information comprises a serial number for one or more of a motherboard, a basic input/output system (BIOS), a network interface or a storage device associated with the electronic device.
  - 11. The method of claim 8, wherein the outbound network traffic comprises a network data transmitted in accordance with Hypertext Transfer Protocol (HTTP).
  - 12. The method of claim 1, wherein the packet inspection is performed by capturing the outbound network traffic upon detecting a callback made by the malicious content suspect.
  - 13. The method of claim 1, wherein the at least one environmental property comprises an identifier that is encoded and used to scan subsequent outbound network traffic.

14. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations for detecting exfiltration content, comprising:
- executing a malicious content suspect within a virtual machine that simulates a target operating environment associated with the malicious content suspect;
  
  prior to outbound network traffic initiated by the malicious content suspect leaving the virtual machine, performing a packet inspection within the virtual machine on the outbound network traffic, the packet inspection to determine whether a portion of the outbound network traffic matches one or more portions of predetermined network traffic patterns or signatures;
  
  responsive to determining the portion of the outbound network traffic matches the one or more portions of predetermined network traffic patterns or signatures, determining whether the outbound network traffic includes at least one environmental property of the virtual machine that is unique to the virtual machine;
  
  responsive to determining the outbound network traffic includes the at least one environmental property of the virtual machine that is unique to the virtual machine, precluding migration of the outbound network traffic outside of the virtual machine to avoid the malicious content suspect from (i) gaining access to other components or (ii) signaling that the packet inspection is being conducted;
  
  generating an alert indicating that the malicious content suspect is attempting to perform an exfiltration of data based on determining that the outbound network traffic includes the at least one unique environmental property of the virtual machine; and
  
  transmitting the alert via an external network.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The medium of claim 14, wherein the determining whether the outbound network traffic includes the at least one unique environmental property of the virtual machine comprises matching the at least one unique environmental property to any of a set of patterns that is based on a virtual machine selected to process the malicious content suspect.
  - 16. The medium of claim 14, wherein the at least one unique environmental property of the virtual machine comprises an identifier of an electronic device represented by the virtual machine.
  - 17. The medium of claim 16, wherein the identifier comprises a NetBIOS name associated with the virtual machine.
  - 18. The medium of claim 14, wherein the performing of the packet inspection comprises performing a content search of the outbound network traffic based on a predetermined signature that was generated by encoding, using a predetermined encoding algorithm, a text string representing a unique identifier of an electronic device represented by the virtual machine.
  - 19. The medium of claim 14, wherein the at least one environmental property of the virtual machine is unique when an encoded or compressed form of data of the at least one environmental property fails to match generic network traffic.
  - 20. The medium of claim 14, wherein a destination of the outbound network traffic is represented by a virtual network interface presented by the virtual machine, without allowing the outbound network traffic to reach an actual destination outside of a data processing system that hosts the virtual machine.
  - 21. The medium of claim 14, wherein the virtual machine is operating as a sandboxed environment.

22. A data processing system, comprising:
- a processor; and
  
  a memory coupled to the processor for storing instructions, which when executed from the memory, cause the processor toexecute a malicious content suspect within a virtual machine that simulates a target operating environment associated with the malicious content suspect,prior to outbound network traffic initiated by the malicious content suspect leaving the virtual machine, perform a packet inspection, by a packet inspector executed by the processor and running within the virtual machine, on the outbound network traffic, the packet inspection to determine whether a portion of the outbound network traffic matches one or more portions of predetermined network traffic patterns or signatures,responsive to determining the portion of the outbound network traffic matches the one or more portions of predetermined network traffic patterns or signatures, determine whether the outbound network traffic includes at least one environmental property of the virtual machine that is unique to the virtual machine,responsive to determining the outbound network traffic includes the at least one environmental property of the virtual machine that is unique to the virtual machine, preclude migration of the outbound network traffic outside of the virtual machine to avoid the malicious content suspect from (i) gaining access to other components or (ii) signaling that the packet inspection is being conducted, andgenerating an alert by a module executed by the processor, the alert indicating that the malicious content suspect is attempting to perform an exfiltration of data based on determining that the outbound network traffic includes the at least one unique environmental property of the virtual machine.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29)
- - 23. The system of claim 22, wherein the determining whether the outbound network traffic includes the at least one unique environmental property of the virtual machine comprises matching the at least one unique environmental property to any of a set of patterns that is based on a virtual machine selected to process the malicious content suspect.
  - 24. The system of claim 23, wherein the at least one unique environmental property of the virtual machine comprises an identifier of an electronic device represented by the virtual machine.
  - 25. The system of claim 23, wherein the identifier comprises a NetBIOS name associated with the virtual machine.
  - 26. The system of claim 22, wherein performing a packet inspection comprises performing a content search of the outbound network traffic based on a predetermined signature that was generated by encoding, using a predetermined encoding algorithm, a text string representing a unique identifier of an electronic device represented by the virtual machine comprising the at least one environmental property.
  - 27. The system of claim 22, wherein the at least one environmental property of the virtual machine is unique when an encoded or compressed form of data of the at least one environmental property fails to match generic network traffic.
  - 28. The system of claim 22, wherein a destination of the outbound network traffic is represented by a virtual network interface presented by the virtual machine, without allowing the outbound network traffic to reach an actual destination outside of a data processing system that hosts the virtual machine.
  - 29. The system of claim 22, wherein the virtual machine is operating as a sandboxed environment.

30. A method for detecting malicious content undergoing exfiltration over a network, the method comprising:
- prior to outbound network traffic initiated by a malicious content suspect leaving a virtual machine of a data processing system, capturing, by a packet capturer of the data processing system, the outbound network traffic to a remote node over a network, the outbound network traffic being initiated from an application running within the data processing system and comprises network data transmitted in accordance with a predetermined network communication protocol;
  
  dynamically performing a packet inspection within the virtual machine, by a packet inspector of the data processing system, on the outbound network traffic to determine whether a portion of the outbound network traffic matches one or more portions of predetermined network traffic patterns or signatures;
  
  responsive to determining the portion of the outbound network traffic matches the one or more portions of predetermined network traffic patterns or signatures, determining whether the outbound network traffic contains machine identifying information identifying the data processing system;
  
  responsive to determining the outbound network traffic includes the at least one environmental property of the virtual machine that is unique to the virtual machine, precluding migration of the outbound network traffic outside of the virtual machine to avoid signaling that the packet inspection is being conducted, the identifying information includes an identifier of the data processing system; and
  
  generating an alert indicating that the application has attempted to commit data exfiltration, in response to determining that the outbound network traffic contains machine identifying information.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 31. The method of claim 30, wherein the identifier of the data processing system is unique for the data processing system so that an encoded or compressed form of the identifier differs from generic network traffic.
  - 32. The method of claim 30, wherein the remote node includes a Web server.
  - 33. The method of claim 30, wherein the data processing system includes a tablet.
  - 34. The method of claim 30, wherein the data processing system includes a mobile phone.
  - 35. The method of claim 30, wherein the determining whether the outbound network traffic contain the machine identifying information comprises matching the identifier unique for the data processing system to any of a set of patterns that is based on the data processing system.
  - 36. The method of claim 30, wherein the machine identifying information comprises an unique identifier of the data processing system.
  - 37. The method of claim 30, wherein the machine identifying information comprises identifying information associated with hardware included in the data processing system.
  - 38. The method of claim 37, wherein the identifying information associated with the hardware comprises a serial number for a processor implemented within the data processing system.
  - 39. The method of claim 37, wherein the identifying information associated with the hardware comprises a serial number for one or more of:
    - a motherboard, a basic input/output system (BIOS), a network interface, or a storage device associated with the data processing system.
  - 40. The method of claim 30, wherein the outbound network traffic comprises the network data transmitted in accordance with Hypertext Transfer Protocol (HTTP).
  - 41. The method of claim 30, wherein the performing of the packet inspection comprises performing a content search of the outbound network traffic based on a predetermined pattern that was generated by encoding, using a predetermined encoding algorithm, a text string representing the identifier that is unique for the data processing system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Wolf, Julia, Kindlund, Darien, Bennett, James
Primary Examiner(s)
Simitoski, Michael

Application Number

US13/801,573
Time in Patent Office

1,427 Days
Field of Search

713/188, 726/24
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/561   Virus type analysis

G06F 21/562   Static detection

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 2221/033   Test or assess software

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

System and method for detecting exfiltration content

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting exfiltration content

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links