Detecting a malicious file infection via sandboxing

US 9,680,845 B2
Filed: 03/31/2015
Issued: 06/13/2017
Est. Priority Date: 03/31/2015
Status: Active Grant

First Claim

Patent Images

1. A device, comprising:

one or more processors, implemented at least partially in hardware, to;

receive a trigger to determine whether a malicious file is operating on a client device;

execute the malicious file in a testing environment,the testing environment being configured based on a configuration of the client device;

determine a network activity profile associated with the malicious file based on receiving the trigger and based on executing the malicious file in the testing environment,the network activity profile including information regarding first network activity associated with the malicious file when the malicious file is executed in the testing environment;

monitor second network activity associated with the client device;

generate a network activity score representing a measure of similarity of the second network activity to the network activity profile;

compare the network activity score to a threshold;

determine that the client device is infected with the malicious file based on the network activity score satisfying the threshold; and

provide a notification indicating that the client device is infected with the malicious file.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device may receive a trigger to determine whether a malicious file is operating on a client device. The device may determine a network activity profile associated with the malicious file based on receiving the trigger to determine whether the malicious file is operating on the client device. The network activity profile may include information regarding network activity associated with the malicious file when the malicious file is executed in a testing environment. The device may monitor network activity associated with the client device. The device may determine that the network activity associated with the client device matches the network activity profile associated with the malicious file based on monitoring the network activity associated with the client device. The device may provide information indicating that the network activity associated with the client device matches the network activity profile associated with the malicious file.

Citations

20 Claims

1. A device, comprising:
- one or more processors, implemented at least partially in hardware, to;
  
  receive a trigger to determine whether a malicious file is operating on a client device;
  
  execute the malicious file in a testing environment,the testing environment being configured based on a configuration of the client device;
  
  determine a network activity profile associated with the malicious file based on receiving the trigger and based on executing the malicious file in the testing environment,the network activity profile including information regarding first network activity associated with the malicious file when the malicious file is executed in the testing environment;
  
  monitor second network activity associated with the client device;
  
  generate a network activity score representing a measure of similarity of the second network activity to the network activity profile;
  
  compare the network activity score to a threshold;
  
  determine that the client device is infected with the malicious file based on the network activity score satisfying the threshold; and
  
  provide a notification indicating that the client device is infected with the malicious file.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The device of claim 1, where the one or more processors are further to:
    - establish the testing environment; and
      
      identify the first network activity associated with the malicious file based on network activity observed when executing the malicious file in the testing environment,the observed network activity including network activity associated with at least one of;
      
      one or more network addresses, orone or more ports; and
      
      where the one or more processors, when determining the network activity profile, are to;
      
      determine the network activity profile based on identifying the first network activity associated with the malicious file.
  - 3. The device of claim 1, where the testing environment is a sandboxing environment.
  - 4. The device of claim 1, where the one or more processors are further to:
    - analyze the malicious file to determine one or more network addresses identified in the malicious file; and
      
      where the one or more processors, when determining the network activity profile, are further to;
      
      determine the network activity profile based on at least one of;
      
      the one or more network addresses identified in the malicious file, orone or more ports identified in the malicious file.
  - 5. The device of claim 1, where the client device is a first client device;
    - where the one or more processors are further to;
      
      determine that a file, downloaded to a second client device, is the malicious file,the first client device and the second client device being located on a customer network; and
      
      where the one or more processors, when receiving the trigger to determine whether the malicious file is operating on the first client device, are to;
      
      receive the trigger to determine whether the malicious file is operating on the first client device based on determining that the file, downloaded to the second client device, is the malicious file.
  - 6. The device of claim 1, where the one or more processors are further to:
    - establish a data structure storing dummy user information; and
      
      determine whether the malicious file exfiltrates the dummy user information to a particular server.
  - 7. The device of claim 1, where the threshold is a first threshold;
    - andwhere the one or more processors are further to;
      
      determine a whitelist comprising a set of network addresses;
      
      determine a quantity of requests to the set of network addresses;
      
      compare the quantity of requests to a second threshold; and
      
      determine that a denial of service attack is being attempted based on the quantity of requests satisfying the second threshold.

8. A method, comprising:
- receiving, by a device, a trigger to determine whether a malicious file is operating on a client device;
  
  executing, by the device, the malicious file in a testing environment,the testing environment being configured based on a configuration of the client device;
  
  determining, by the device, a network activity profile associated with the malicious file based on receiving the trigger and based on executing the malicious file in the testing environment,the network activity including information regarding first network activity associated with the malicious file when the malicious file is executed in the testing environment;
  
  monitoring, by the device, second network activity associated with the client device;
  
  generating, by the device, a network activity score representing a measure of similarity of the second network activity to the network activity profile;
  
  determining, by the device, that the client device is infected with the malicious file based on the network activity score satisfying a threshold; and
  
  providing, by the device, a notification indicating that the client device is infected with the malicious file.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, further comprising:
    - monitoring the first network activity associated with the malicious file while executing the malicious file in the testing environment,the testing environment being a sandboxing environment;
      
      where determining the network activity profile comprises determining the network activity profile based on monitoring the first network activity associated with malicious file; and
      
      where the method further comprises;
      
      storing information associated with the network activity profile.
  - 10. The method of claim 8, further comprising:
    - performing a port scan on the client device; and
      
      where determining that the client device is infected comprises;
      
      determining that the client device is infected based on results of the port scan on the client device matching another port scan performed when testing the malicious file in the testing environment.
  - 11. The method of claim 8, further comprising:
    - causing a remediation action to be performed on the client device based on determining that the client device is infected,the remediation action being associated with remediating the malicious file.
  - 12. The method of claim 8, further comprising:
    - obtaining a whitelist,the whitelist being associated with specifying network activity associated with operation of the client device when the malicious file is not operating on the client device; and
      
      filtering out network activity associated with the whitelist from the second network activity associated with the client device.
  - 13. The method of claim 8, further comprising:
    - generating a training data set using information associated with one or more client devices on which the malicious file is known to be operating; and
      
      utilizing the training data set to train one or more machine learning algorithms.

14. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors implemented at least partially in hardware, cause the one or more processors to;
  
  receive a trigger to determine whether a malicious file is operating on a client device;
  
  execute the malicious file in a testing environment,the testing environment being configured based on a configuration of the client device;
  
  determine a network activity profile associated with the malicious file based on receiving the trigger and based on executing the malicious file in the testing environment,the network activity profile including information regarding first network activity associated with the malicious file when the malicious file is executed in the testing environment;
  
  monitor second network activity associated with the client device;
  
  generate a network activity score representing a measure of similarity of the second network activity to the network activity profile;
  
  determine that the client device is infected with the malicious file based on the network activity score satisfying a threshold; and
  
  provide a notification indicating that the client device is infected with the malicious file.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The non-transitory computer-readable medium of claim 14, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - establish the testing environment; and
      
      identify the first network activity associated with the malicious file based on network activity observed when executing the malicious file in the testing environment; and
      
      where the one or more instructions, that cause the one or more processors to determine the network activity profile, cause the one or more processors to;
      
      determine the network activity profile based on identifying the first network activity associated with the malicious file.
  - 16. The non-transitory computer-readable medium of claim 15, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - provoke a network activity reaction, associated with the malicious file, on the client device when monitoring the second network activity associated with the client device; and
      
      determine that the second network activity matches the network activity profile based on provoking the network activity reaction, associated with the malicious file, on the client device.
  - 17. The non-transitory computer-readable medium of claim 14, where the testing environment is a sandboxing environment.
  - 18. The non-transitory computer-readable medium of claim 14, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - analyze the malicious file to determine one or more network addresses identified in the malicious file; and
      
      where the one or more instructions, that cause the one or more processors to determine the network activity profile, cause the one or more processors to;
      
      determine the network activity profile based on the one or more network addresses identified in the malicious file.
  - 19. The non-transitory computer-readable medium of claim 14, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - determine that the malicious file is stored in a data structure associated with the client device;
      
      determine that the malicious file is executing or has executed on the client device based on determining that the malicious file is stored in the data structure associated with the client device and based on determining that the second network activity associated with the client device matches the network activity profile associated with the malicious file; and
      
      provide information indicating that the malicious file is executing or has executed on the client device.
  - 20. The non-transitory computer-readable medium of claim 14, where the client device is a first client device;
    - andwhere the one or more instructions, when executed by the one or more processors, further cause the one or more processors to;
      
      determine that a file, downloaded to a second client device, is the malicious file,the first client device and the second client device being located on a customer network; and
      
      determine whether the malicious file is operating on the first client device based on determining that the file, downloaded to the second client device, is the malicious file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Conlon, Declan, Langton, Jacob Asher, Quinlan, Daniel J., Adams, Kyle
Primary Examiner(s)
To, Baotran N

Application Number

US14/675,422
Publication Number

US 20160294851A1
Time in Patent Office

805 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

H04L 43/0876   Network utilisation, e.g. v...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 67/303   Terminal profiles

Detecting a malicious file infection via sandboxing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting a malicious file infection via sandboxing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links