Detecting a malicious file infection via sandboxing
First Claim
1. A device, comprising:
- one or more processors, implemented at least partially in hardware, to:
  - receive a trigger to determine whether a malicious file is operating on a client device;
  - execute the malicious file in a testing environment, the testing environment being configured based on a configuration of the client device;
  - determine a network activity profile associated with the malicious file based on receiving the trigger and based on executing the malicious file in the testing environment, the network activity profile including information regarding first network activity associated with the malicious file when the malicious file is executed in the testing environment;
  - monitor second network activity associated with the client device;
  - generate a network activity score representing a measure of similarity of the second network activity to the network activity profile;
  - compare the network activity score to a threshold;
  - determine that the client device is infected with the malicious file based on the network activity score satisfying the threshold; and
  - provide a notification indicating that the client device is infected with the malicious file.
Abstract
A device may receive a trigger to determine whether a malicious file is operating on a client device. The device may determine a network activity profile associated with the malicious file based on receiving the trigger to determine whether the malicious file is operating on the client device. The network activity profile may include information regarding network activity associated with the malicious file when the malicious file is executed in a testing environment. The device may monitor network activity associated with the client device. The device may determine that the network activity associated with the client device matches the network activity profile associated with the malicious file based on monitoring the network activity associated with the client device. The device may provide information indicating that the network activity associated with the client device matches the network activity profile associated with the malicious file.
20 Claims
8. A method, comprising:
- receiving, by a device, a trigger to determine whether a malicious file is operating on a client device;
- executing, by the device, the malicious file in a testing environment, the testing environment being configured based on a configuration of the client device;
- determining, by the device, a network activity profile associated with the malicious file based on receiving the trigger and based on executing the malicious file in the testing environment, the network activity profile including information regarding first network activity associated with the malicious file when the malicious file is executed in the testing environment;
- monitoring, by the device, second network activity associated with the client device;
- generating, by the device, a network activity score representing a measure of similarity of the second network activity to the network activity profile;
- determining, by the device, that the client device is infected with the malicious file based on the network activity score satisfying a threshold; and
- providing, by the device, a notification indicating that the client device is infected with the malicious file.
14. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors implemented at least partially in hardware, cause the one or more processors to:
  - receive a trigger to determine whether a malicious file is operating on a client device;
  - execute the malicious file in a testing environment, the testing environment being configured based on a configuration of the client device;
  - determine a network activity profile associated with the malicious file based on receiving the trigger and based on executing the malicious file in the testing environment, the network activity profile including information regarding first network activity associated with the malicious file when the malicious file is executed in the testing environment;
  - monitor second network activity associated with the client device;
  - generate a network activity score representing a measure of similarity of the second network activity to the network activity profile;
  - determine that the client device is infected with the malicious file based on the network activity score satisfying a threshold; and
  - provide a notification indicating that the client device is infected with the malicious file.
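The abstract and the three independent claims describe one detection flow: run the sample in a sandbox configured like the client, record the network activity it produces as a profile, watch the client's own network activity, score how closely that activity resembles the profile, and notify when the score crosses a threshold. The Python below is an added worked example of that flow; it is not code from the patent or its assignee. Every hostname, IP address and telemetry event in it is a constructed placeholder, and the subtraction of a clean-image baseline is an assumption beyond what the claims require (they require only that the testing environment be configured like the client).

```python
"""
Added worked example, not code from the patent or its assignee: derive a
network activity profile from sandbox execution, score a client's observed
network activity against it, and apply a threshold. All hosts, addresses and
events are constructed placeholders; the baseline subtraction is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

Feature = Tuple[str, ...]


@dataclass(frozen=True)
class NetEvent:
    proto: str  # "tcp", "udp" or "dns"
    dst: str    # destination host, or the queried name for "dns"
    port: int   # 0 for DNS queries


def features_of(event: NetEvent) -> Dict[Feature, float]:
    """Expand one event into features carrying a specificity weight.
    A full endpoint tuple is strong evidence; a bare protocol/port pair is
    weak because benign software shares the same services (tcp/443, dns)."""
    return {
        ("endpoint", event.proto, event.dst, event.port): 3.0,
        ("host", event.dst): 2.0,
        ("service", event.proto, event.port): 0.5,
    }


def build_profile(sandbox_events: Iterable[NetEvent],
                  baseline_events: Iterable[NetEvent] = ()) -> Dict[Feature, float]:
    """First network activity (sandbox) -> weighted feature profile.
    Features that a clean image of the same client configuration already
    produced (assumed available here) are dropped, so update or telemetry
    traffic the sandbox also emits cannot inflate the score."""
    baseline = set()
    for event in baseline_events:
        baseline.update(features_of(event))
    profile: Dict[Feature, float] = {}
    for event in sandbox_events:
        for feature, weight in features_of(event).items():
            if feature not in baseline:
                profile[feature] = max(profile.get(feature, 0.0), weight)
    return profile


def activity_score(profile: Dict[Feature, float],
                   observed_events: Iterable[NetEvent]) -> float:
    """Similarity of second network activity (client) to the profile:
    matched profile weight divided by total profile weight, in [0, 1]."""
    observed = set()
    for event in observed_events:
        observed.update(features_of(event))
    total = sum(profile.values())
    if total == 0.0:
        return 0.0
    matched = sum(w for f, w in profile.items() if f in observed)
    return matched / total


def assess_client(client_id: str, profile: Dict[Feature, float],
                  observed_events: Iterable[NetEvent],
                  threshold: float = 0.5) -> Tuple[bool, float, str]:
    """Compare the score to the threshold and build the notification text."""
    score = activity_score(profile, observed_events)
    infected = score >= threshold
    verdict = "likely infected" if infected else "no match"
    note = f"{client_id}: score {score:.2f} (threshold {threshold}) -> {verdict}"
    return infected, score, note


# Constructed sample telemetry (placeholders, not real indicators).
BASELINE_EVENTS = [                    # clean image of the client configuration
    NetEvent("dns", "update.example-cdn.test", 0),
    NetEvent("tcp", "update.example-cdn.test", 443),
]
SANDBOX_EVENTS = BASELINE_EVENTS + [   # same image with the sample running
    NetEvent("dns", "c2-beacon.invalid", 0),
    NetEvent("tcp", "c2-beacon.invalid", 8443),
    NetEvent("tcp", "198.51.100.23", 4444),
]
PROFILE = build_profile(SANDBOX_EVENTS, BASELINE_EVENTS)

CLIENT_INFECTED = [                    # beacon traffic plus ordinary mail traffic
    NetEvent("dns", "c2-beacon.invalid", 0),
    NetEvent("tcp", "c2-beacon.invalid", 8443),
    NetEvent("tcp", "mail.example.test", 993),
]
CLIENT_CLEAN = [                       # updates plus an unrelated host on 8443
    NetEvent("dns", "update.example-cdn.test", 0),
    NetEvent("tcp", "update.example-cdn.test", 443),
    NetEvent("tcp", "files.example.test", 8443),
]

if __name__ == "__main__":
    for cid, events in (("client-a", CLIENT_INFECTED), ("client-b", CLIENT_CLEAN)):
        print(assess_client(cid, PROFILE, events)[2])
```

The weights and the threshold are tuning parameters rather than anything the claims fix. The low weight on a bare protocol/port pair matters in practice: a clean client that happens to talk to some other host on tcp/8443 shares one weak feature with the profile and scores far below the threshold, while a client that resolves and connects to the same endpoints the sandbox run produced scores above it.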