Malware detection using internal and/or external malware detection operations

US 9,769,198 B1
Filed: 01/27/2015
Issued: 09/19/2017
Est. Priority Date: 03/31/2014
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

one or more processors to;

determine to perform an internal malware detection operation and an external malware detection operation that detects malware executing on a client device;

perform the internal malware detection operation,the internal malware detection operation including modifying an environment, to form a modified environment,the internal malware detection operation including an artifact persistence operation to delete stored information and determine whether the deleted stored information has been recreated;

perform the external malware detection operation,the external malware detection operation including performing a communication with another device;

monitor the modified environment for a first behavior indicative of the malware executing on the client device without monitoring the communication with the other device,the first behavior including the deleted stored information being recreated within a threshold amount of time;

recreate the deleted stored information if the deleted stored information is not recreated within the threshold amount of time;

monitor a result of performing the communication for a second behavior indicative of the malware executing on the client device;

detect that the first behavior or the second behavior has occurred based on monitoring the modified environment and monitoring the result,the first behavior being detected if the deleted stored information is recreated within the threshold amount of time;

determine that the client device is infected with malware based on detecting the first behavior or the second behavior has occurred,the client device being determined to be infected with malware if the deleted stored information is recreated within the threshold amount of time; and

provide a notification that the client device is infected with the malware based on determining that the client device is infected with malware,the notification causing one or more network devices to block network traffic to or from the client device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system may determine to perform an internal and an external malware detection operation to detect a malware infection associated with a client device. The system may perform the internal operation by modifying an environment, executing on a particular device, to form a modified environment. The system may perform the external operation by performing a communication from the particular device. The system may monitor the modified environment for a first behavior indicative of the malware infection, and may monitor a result of performing the communication for a second behavior indicative of the malware infection. The system may detect that the first or second behavior has occurred. The system may provide a notification that the client device is infected with malware based on detecting that the first or second behavior has occurred. The notification may cause one or more network devices to block network traffic to or from the client device.

10 Citations

View as Search Results

19 Claims

1. A system, comprising:
- one or more processors to;
  
  determine to perform an internal malware detection operation and an external malware detection operation that detects malware executing on a client device;
  
  perform the internal malware detection operation,the internal malware detection operation including modifying an environment, to form a modified environment,the internal malware detection operation including an artifact persistence operation to delete stored information and determine whether the deleted stored information has been recreated;
  
  perform the external malware detection operation,the external malware detection operation including performing a communication with another device;
  
  monitor the modified environment for a first behavior indicative of the malware executing on the client device without monitoring the communication with the other device,the first behavior including the deleted stored information being recreated within a threshold amount of time;
  
  recreate the deleted stored information if the deleted stored information is not recreated within the threshold amount of time;
  
  monitor a result of performing the communication for a second behavior indicative of the malware executing on the client device;
  
  detect that the first behavior or the second behavior has occurred based on monitoring the modified environment and monitoring the result,the first behavior being detected if the deleted stored information is recreated within the threshold amount of time;
  
  determine that the client device is infected with malware based on detecting the first behavior or the second behavior has occurred,the client device being determined to be infected with malware if the deleted stored information is recreated within the threshold amount of time; and
  
  provide a notification that the client device is infected with the malware based on determining that the client device is infected with malware,the notification causing one or more network devices to block network traffic to or from the client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, where the client device and the system are a same device, andthe environment that is modified is executing on the same device.
  - 3. The system of claim 1, where the client device and the system are different devices.
  - 4. The system of claim 1, where the one or more processors, when performing the internal malware detection operation, are to:
    - perform a plurality of internal malware detection operations, the plurality of internal malware detection operations including;
      
      the artifact persistence operation, andan artifact decoy operation to create a second artifact and determine whether the second artifact has been modified,where the one or more processors are further configured to;
      
      determine a plurality of outcomes of performing respective internal malware detection operations of the plurality of internal malware detection operations;
      
      where the one or more processors, when determining that the client device is infected with the malware, are configured to;
      
      determine that the client device is infected with the malware based on the plurality of outcomes; and
      
      where the one or more processors, when providing the notification that the client device is infected with the malware, are configured to;
      
      provide the notification that the client device is infected with the malware based on determining that the client device is infected with the malware.
  - 5. The system of claim 1, where the one or more processors, when performing the external malware detection operation, are to:
    - perform a plurality of external malware detection operations, the plurality of external malware detection operations including at least one of;
      
      a behavior invocation operation to determine whether an attempted connection with the other device has been established,a service validation operation to test a feature of a protocol associated with a connection attempt with the other device, ora service interference operation to alter a communication to attempt to trigger a particular behavior;
      
      where the one or more processors are further to;
      
      determine a plurality of outcomes of performing respective external malware detection operations of the plurality of external malware detection operations;
      
      where the one or more processors, when determining that the client device is infected with the malware, are configured to;
      
      determine that the client device is infected with the malware based on the plurality of outcomes; and
      
      where the one or more processors, when providing the notification that the client device is infected with the malware, are to;
      
      provide the notification that the client device is infected with the malware based on determining that the client device is infected with the malware.
  - 6. The system of claim 1, where the one or more processors are further to:
    - calculate a malware detection score based on detecting that the first behavior or the second behavior has occurred;
      
      determine that the malware detection score satisfies a threshold value; and
      
      where the one or more processors, when providing the notification that the client device is infected with the malware, are to;
      
      provide the notification that the client device is infected with the malware based on determining that the malware detection score satisfies the threshold value.
  - 7. The system of claim 1, where the one or more processors are further to:
    - calculate a first malware detection score based on detecting that the first behavior has occurred;
      
      calculate a second malware detection score based on detecting that the second behavior has occurred;
      
      calculate an overall malware detection score based on the first malware detection score and the second malware detection score;
      
      determine that the overall malware detection score satisfies a threshold value;
      
      andwhere the one or more processors, when providing the notification that the client device is infected with the malware, are to;
      
      provide the notification that the client device is infected with the malware based on determining that the overall malware detection score satisfies the threshold value.

8. A computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors of a particular device, cause the one or more processors to;
  
  determine to perform an internal malware detection operation and an external malware detection operation that detects malware executing on a client device;
  
  perform the internal malware detection operation,the internal malware detection operation including modifying an environment, to form a modified environment;
  
  perform the external malware detection operation,the internal malware detection operation including an artifact persistence operation to delete stored information and determine whether the deleted stored information has been recreated;
  
  the external malware detection operation including performing a communication with another device;
  
  monitor the modified environment for a first behavior indicative of the malware executing on the client device without monitoring the communication with the other device,the first behavior including the deleted stored information being recreated within a threshold amount of time;
  
  recreate the deleted stored information if the deleted stored information is not recreated within the threshold amount of time;
  
  monitor a result of performing the communication for a second behavior indicative of the malware executing on the client device;
  
  detect that the first behavior or the second behavior has occurred based on monitoring the modified environment and monitoring the result,the first behavior being detected if the deleted stored information is recreated within the threshold amount of time;
  
  determine that the client device is infected with malware based on detecting the first behavior or the second behavior has occurred,the client device being determined to be infected with malware if the deleted stored information is recreated within the threshold amount of time; and
  
  provide a notification that the client device is infected with the malware based on determining that the client device is infected with malware,the notification causing one or more network devices to block network traffic to or from the client device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable medium of claim 8, where the client device and the particular device are a same device.
  - 10. The computer-readable medium of claim 8, where the client device and the particular device are different devices.
  - 11. The computer-readable medium of claim 8, where the one or more instructions, that cause the one or more processors to perform the internal malware detection operation, cause the one or more processors to:
    - perform a plurality of internal malware detection operations, the plurality of internal malware detection operations including;
      
      the artifact persistence operation, andan artifact decoy operation to create a second artifact and determine whether the second artifact has been modified,an artifact integrity operation to detect that a third artifact has been modified in a particular manner, oran illogical behavior operation to determine whether an illogical behavior has occurred;
      
      where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to;
      
      determine a plurality of outcomes of performing respective internal malware detection operations of the plurality of internal malware detection operations;
      
      where the one or more instructions, that cause the one or more processors to determine that the client device is infected with the malware, cause the one or more processors to;
      
      determine that the client device is infected with the malware based on the plurality of outcomes; and
      
      where the one or more instructions, that cause the one or more processors to provide the notification that the client device is infected with the malware, cause the one or more processors to;
      
      provide the notification that the client device is infected with the malware based on determining that the client device is infected with the malware.
  - 12. The computer-readable medium of claim 8, where the one or more instructions, that cause the one or more processors to perform the external malware detection operation, cause the one or more processors to:
    - perform a plurality of external malware detection operations, the plurality of external malware detection operations including at least one of;
      
      a behavior invocation operation to determine whether an attempted connection with the other device has been established,a service validation operation to test a feature of a protocol associated with a connection attempt with the other device, ora service interference operation to alter a communication to attempt to trigger a particular behavior;
      
      where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to;
      
      determine a plurality of outcomes of performing respective external malware detection operations of the plurality of external malware detection operations;
      
      where the one or more instructions, that cause the one or more processors to determine that the client device is infected with the malware, cause the one or more processors to;
      
      determine that the client device is infected with the malware based on the plurality of outcomes; and
      
      where the one or more instructions, that cause the one or more processors to provide the notification that the client device is infected with the malware, cause the one or more processors to;
      
      provide the notification that the client device is infected with the malware based on determining that the client device is infected with the malware.
  - 13. The computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - calculate a malware detection score based on detecting that the first behavior or the second behavior has occurred;
      
      determine that the malware detection score satisfies a threshold value; and
      
      where the one or more instructions, that cause the one or more processors to provide the notification that the client device is infected with malware, cause the one or more processors to;
      
      provide the notification that the client device is infected with the malware based on determining that the malware detection score satisfies the threshold value.
  - 14. The computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - calculate a first malware detection score based on detecting that the first behavior has occurred;
      
      calculate a second malware detection score based on detecting that the second behavior has occurred;
      
      calculate an overall malware detection score based on the first malware detection score and the second malware detection score;
      
      determine that the overall malware detection score satisfies a threshold value; and
      
      where the one or more instructions, that cause the one or more processors to provide the notification that the client device is infected with the malware, cause the one or more processors to;
      
      provide the notification that the client device is infected with the malware based on determining that the overall malware detection score satisfies the threshold value.

15. A method, comprising:
- determining, by a particular device, to perform an internal malware detection operation and an external malware detection operation that detects malware executing on a client device;
  
  performing, by the particular device, the internal malware detection operation,the internal malware detection operation including modifying an environment, to form a modified environment;
  
  the internal malware detection operation including an artifact persistence operation to delete stored information and determine whether the deleted stored information has been recreated;
  
  performing, by the particular device, the external malware detection operation,the external malware detection operation including performing a communication with another device;
  
  monitoring, by the particular device, the modified environment for a first behavior indicative of the malware executing on the client device without monitoring the communication with the other device,the first behavior including the deleted stored information being recreated within a threshold amount of time;
  
  monitoring, by the particular device, a result of performing the communication for a second behavior indicative of the malware executing on the client device;
  
  detecting, by the particular device, that the first behavior or the second behavior has occurred based on monitoring the modified environment and monitoring the result,the first behavior being detected if the deleted stored information is recreated within the threshold amount of time;
  
  recreating, by the particular device, the deleted stored information if the deleted stored information is not recreated within the threshold amount of time;
  
  determining, by the particular device, that the client device is infected with malware based on detecting the first behavior or the second behavior has occurred,the client device being determined to be infected with malware if the deleted stored information is recreated within the threshold amount of time; and
  
  providing, by the particular device, a notification that the client device is infected with the malware based on determining that the client device is infected with malware,the notification causing one or more network devices to block network traffic to or from the client device.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15, where the client device and the particular device are a same device.
  - 17. The method of claim 15, where performing the internal malware detection operation comprises:
    - performing a plurality of internal malware detection operations, the plurality of internal malware detection operations including at least one of;
      
      an artifact decoy operation to create a second artifact and determine whether the second artifact has been modified,an artifact integrity operation to detect that a third artifact has been modified in a particular manner, oran illogical behavior operation to determine whether an illogical behavior has occurred;
      
      where the method further comprises;
      
      determining a plurality of outcomes of performing respective internal malware detection operations of the plurality of internal malware detection operations;
      
      where determining that the client device is infected with the malware comprises;
      
      determining that the client device is infected with the malware based on the plurality of outcomes; and
      
      where providing the notification that the client device is infected with the malware comprises;
      
      providing the notification that the client device is infected with the malware based on determining that the client device is infected with the malware.
  - 18. The method of claim 15, where performing the external malware detection operation comprises:
    - performing a plurality of external malware detection operations, the plurality of external malware detection operations including at least one of;
      
      a behavior invocation operation to determine whether an attempted connection with the other device has been established,a service validation operation to test a feature of a protocol associated with a connection attempt with the other device, ora service interference operation to alter a communication to attempt to trigger a particular behavior;
      
      where the method further comprises;
      
      determining a plurality of outcomes of performing respective external malware detection operations of the plurality of external malware detection operations;
      
      where determining that the client device is infected with the malware comprises;
      
      determining that the client device is infected with the malware based on the plurality of outcomes; and
      
      where providing the notification that the client device is infected with malware comprises;
      
      providing the notification that the client device is infected with the malware based on determining that the client device is infected with the malware.
  - 19. The method of claim 15, further comprising:
    - calculating a first malware detection score based on detecting that the first behavior has occurred;
      
      calculating a second malware detection score based on detecting that the second behavior has occurred;
      
      calculating an overall malware detection score based on the first malware detection score and the second malware detection score;
      
      determining that the overall malware detection score satisfies a threshold value; and
      
      where providing the notification that the client device is infected with malware comprises;
      
      providing the notification that the client device is infected with malware based on determining that the overall malware detection score satisfies the threshold value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Adams, Kyle, Quinlan, Daniel J.
Primary Examiner(s)
SHAW, PETER C

Application Number

US14/606,807
Time in Patent Office

966 Days
Field of Search

726 23
US Class Current
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/145 the attack involving the pr...

Malware detection using internal and/or external malware detection operations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Malware detection using internal and/or external malware detection operations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links