Malware detection using external malware detection operations

US 9,769,197 B1
Filed: 01/27/2015
Issued: 09/19/2017
Est. Priority Date: 03/31/2014
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

one or more processors; and

a memory storing instructions that, when executed by the one or more processors, cause the one or more processors to;

determine to perform an external malware detection operation to detect malware executing on a client device;

perform the external malware detection operation,the external malware detection operation being performed by a particular device, andthe external malware detection operation including a behavior invocation operation to attempt to trigger a particular behavior of an artifact indicative of a malware infection,the artifact being information stored by the client device, andthe behavior invocation operation including;

monitoring a port of the client device; and

attempting to, based on a result of monitoring the port,establish a connection with another device via the port;

monitor a result of performing the external malware detection operation;

detect that the particular behavior has occurred based on monitoring the result of performing the external malware detection operation;

provide a notification that the client device is infected with malware based on detecting that the particular behavior has occurred,the notification causing one or more network devices to block network traffic to or from the client device; and

initiate an action intended to crash the other device or to cause the other device to cease communication with the system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system may determine to perform an external malware detection operation to detect malware executing on a client device. The system may perform the external malware detection operation. The external malware detection operation may be performed by a particular device by communicating with another device. The system may perform a communication based on performing the external malware detection operation. The system may monitor a result of performing the communication for a particular behavior indicative of a malware infection. The system may detect that the particular behavior has occurred. The system may provide a notification that the client device is infected with malware based on detecting that the particular behavior has occurred. The notification may cause one or more network devices to block network traffic to or from the client device.

10 Citations

20 Claims

1. A system, comprising:
- one or more processors; and
  
  a memory storing instructions that, when executed by the one or more processors, cause the one or more processors to;
  
  determine to perform an external malware detection operation to detect malware executing on a client device;
  
  perform the external malware detection operation,the external malware detection operation being performed by a particular device, andthe external malware detection operation including a behavior invocation operation to attempt to trigger a particular behavior of an artifact indicative of a malware infection,the artifact being information stored by the client device, andthe behavior invocation operation including;
  
  monitoring a port of the client device; and
  
  attempting to, based on a result of monitoring the port,establish a connection with another device via the port;
  
  monitor a result of performing the external malware detection operation;
  
  detect that the particular behavior has occurred based on monitoring the result of performing the external malware detection operation;
  
  provide a notification that the client device is infected with malware based on detecting that the particular behavior has occurred,the notification causing one or more network devices to block network traffic to or from the client device; and
  
  initiate an action intended to crash the other device or to cause the other device to cease communication with the system.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, where the client device and the particular device are a same device.
  - 3. The system of claim 1, where the client device and the particular device are different devices.
  - 4. The system of claim 1,where the one or more processors are further to:
    - monitor a result of attempting to establish the connection with the other device, anddetermine that the connection could not be established based on monitoring the result; and
      
      where the one or more processors, when providing the notification that the client device is infected with malware, are to;
      
      provide the notification that the client device is infected with malware based on determining that the connection could not be established.
  - 5. The system of claim 1, where the one or more processors are further to:
    - determine a protocol associated with attempting to establish the connection with the other device;
      
      monitor a result of attempting to establish the connection with the other device to determine whether the other device supports a feature of the protocol; and
      
      determine, based on monitoring the result, that the other device does not support the feature of the protocol; and
      
      where the one or more processors, when providing the notification that the client device is infected with malware, are to;
      
      provide the notification that the client device is infected with malware based on determining that the other device does not support the feature of the protocol.
  - 6. The system of claim 1, where the communication includes a first message;
    - andwhere the one or more processors are further to;
      
      receive a second message, from the other device, intended for the client device;
      
      alter the second message to form the first message,the altered second message being capable of triggering the particular behavior;
      
      provide the first message to the client device; and
      
      receive a third message indicating that the particular behavior has occurred; and
      
      where the one or more processors, when detecting that the particular behavior has occurred, are to;
      
      detect that the particular behavior has occurred based on receiving the third message indicating that the particular behavior has occurred.
  - 7. The system of claim 1, where the one or more processors, when performing the external malware detection operation, are to:
    - perform a plurality of external malware detection operations, the plurality of external malware detection operations including at least one of;
      
      a service validation operation to test a feature of a protocol associated with a connection attempt with the other device, ora service interference operation to alter a communication to attempt to trigger the particular behavior;
      
      where the one or more processors are further to;
      
      determine a plurality of outcomes of performing respective external malware detection operations of the plurality of external malware detection operations; and
      
      determine that the client device is infected with malware based on the plurality of outcomes; and
      
      where the one or more processors, when providing the notification that the client device is infected with malware, are to;
      
      provide the notification that the client device is infected with malware based on determining that the client device is infected with malware.

8. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors, cause the one or more processors to;
  
  determine to perform an external malware detection operation to detect malware executing on a client device;
  
  perform the external malware detection operation,the external malware detection operation being performed by a particular device, andthe external malware detection operation including a behavior invocation operation to attempt to trigger a particular behavior of an artifact indicative of a malware infection,the artifact being information stored by the client device, andthe behavior invocation operation including;
  
  monitoring a port of the client device; and
  
  attempting to, based on a result of monitoring the port,establish a connection with another device via the port;
  
  monitor a result of performing the external malware detection operation;
  
  detect that the particular behavior has occurred based on monitoring the result of performing the external malware detection operation;
  
  provide a notification that the client device is infected with malware based on detecting that the particular behavior has occurred,the notification causing one or more network devices to block network traffic to or from the client device; and
  
  initiate an operation intended to crash a malicious server or to cause the malicious server to cease communication.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable medium of claim 8, where the client device and the particular device are a same device.
  - 10. The non-transitory computer-readable medium of claim 8, where the client device and the particular device are different devices.
  - 11. The non-transitory computer-readable medium of claim 8,where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - monitor a result of attempting to establish the connection with the other device; and
      
      determine, based on monitoring the result, that the connection could not be established; and
      
      where the one or more instructions, that cause the one or more processors to provide the notification that the client device is infected with malware, cause the one or more processors to;
      
      provide the notification that the client device is infected with malware based on determining that the connection could not be established.
  - 12. The non-transitory computer-readable medium of claim 8, where the one or more instructions that, when executed by the one or more processors, further cause the one or more processors to:
    - determine a protocol associated with attempting to establish the connection with the other device;
      
      monitor a result of attempting to establish the connection with the other device to determine whether the other device supports a feature of the protocol; and
      
      determine, based on monitoring the result, that the other device does not support the feature of the protocol; and
      
      where the one or more instructions, that cause the one or more processors to provide the notification that the client device is infected with malware, cause the one or more processors to;
      
      provide the notification that the client device is infected with malware based on determining that the other device does not support the feature of the protocol.
  - 13. The non-transitory computer-readable medium of claim 8, where the communication includes a first message;
    - andwhere the one or more instructions, when executed by the one or more processors, further cause the one or more processors to;
      
      receive a second message, from the other device, intended for the client device;
      
      alter the second message to form the first message,the altered second message being capable of triggering the particular behavior;
      
      provide the first message to the client device; and
      
      receive a third message indicating that the particular behavior has occurred; and
      
      where the one or more instructions, that cause the one or more processors to detect that the particular behavior has occurred, cause the one or more processors to;
      
      detect that the particular behavior has occurred based on receiving the third message indicating that the particular behavior has occurred.
  - 14. The non-transitory computer-readable medium of claim 8, where the one or more instructions, that cause the one or more processors to perform the external malware detection operation, cause the one or more processors to:
    - perform a plurality of external malware detection operations, the plurality of external malware detection operations further including at least one of;
      
      a service validation operation to test a feature of a protocol associated with a connection attempt with the other device, ora service interference operation to alter a communication to attempt to trigger the particular behavior;
      
      where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to;
      
      determine a plurality of outcomes of performing respective external malware detection operations of the plurality of external malware detection operations; and
      
      determine that the client device is infected with malware based on the plurality of outcomes; and
      
      where the one or more instructions, that cause the one or more processors to provide the notification that the client device is infected with malware, cause the one or more processors to;
      
      provide the notification that the client device is infected with malware based on determining that the client device is infected with malware.

15. A method, comprising:
- determining, by a particular device, to perform an external malware detection operation to detect malware executing on a client device;
  
  performing, by the particular device, the external malware detection operation,the external malware detection operation including a behavior invocation operation to attempt to trigger a particular behavior of an artifact indicative of a malware infection,the artifact being information stored by the client device, andthe behavior invocation operation including;
  
  monitoring a port of the client device; and
  
  attempting to, based on a result of monitoring the port, establish a connection with another device via the port;
  
  monitoring, by the particular device, a result of performing the external malware detection operation;
  
  detecting, by the particular device, that the particular behavior has occurred based on monitoring the external malware detection operation;
  
  providing, by the particular device, a notification that the client device is infected with malware based on detecting that the particular behavior has occurred,the notification causing one or more network devices to block network traffic to or from the client device; and
  
  initiating, by the particular device, an action intended to crash a malicious server or to cause the malicious server to cease communication with the particular device.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, where the client device and the particular device are a same device.
  - 17. The method of claim 15, where the client device and the particular device are different devices.
  - 18. The method of claim 15, comprising:
    - monitoring a result of attempting to establish the connection with the other device; and
      
      determining that the connection could not be established based on monitoring the result; and
      
      where providing the notification that the client device is infected with malware comprises;
      
      providing the notification that the client device is infected with malware based on determining that the connection could not be established.
  - 19. The method of claim 15, further comprising:
    - determining a protocol associated with attempting to establish the connection with the other device;
      
      monitoring a result of attempting to establish the connection with the other device to determine whether the other device supports a feature of the protocol; and
      
      determining, based on monitoring the result, that the other device does not support the feature of the protocol; and
      
      where providing the notification that the client device is infected with malware comprises;
      
      providing the notification that the client device is infected with malware based on determining that the other device does not support the feature of the protocol.
  - 20. The method of claim 15, where performing the external malware detection operation comprises:
    - performing a plurality of external malware detection operations, the plurality of external malware detection operations including at least one of;
      
      a service validation operation to test a feature of a protocol associated with a connection attempt with the other device, ora service interference operation to alter a communication to attempt to trigger the particular behavior;
      
      where the method further comprises;
      
      determining a plurality of outcomes of performing respective external malware detection operations of the plurality of external malware detection operations; and
      
      determining that the client device is infected with malware based on the plurality of outcomes; and
      
      where providing the notification that the client device is infected with malware comprises;
      
      providing the notification that the client device is infected with malware based on determining that the client device is infected with malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Adams, Kyle, Quinlan, Daniel J.
Primary Examiner(s)
Tolentino, Roderick

Application Number

US14/606,780
Time in Patent Office

966 Days
Field of Search

726 22- 24
US Class Current
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/145 the attack involving the pr...

Malware detection using external malware detection operations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Malware detection using external malware detection operations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others