System and method for detecting malicious links in electronic messages

US 9,888,019 B1
Filed: 03/28/2016
Issued: 02/06/2018
Est. Priority Date: 06/28/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting malicious links in electronic messages by processing logic including circuitry implemented within a malware analysis system, comprising:

receiving, by the malware analysis system from a malware detection appliance, a uniform resource locator (URL) link extracted from an electronic message of the electronic messages without receiving the electronic message in its entirety;

in response to receiving the URL link for malicious determination by the malware analysis system, conducting an analysis of the URL link to determine if the URL link corresponds to a known link signature of a plurality of known link signatures;

performing, by the malware analysis system, a link analysis using link heuristics by the malware analysis system on the URL link to determine whether the URL link is suspicious, the link analysis includes an analysis of one or more characteristics of the link;

responsive to determining the URL link is suspicious,performing an analysis on a resource specified by a portion of the suspicious URL link by the malware analysis system by at least (i) conducting an analysis of metadata for the resource while the resource resides at a website, and (ii) downloading the resource referenced by the suspicious URL link and monitoring behavior of the resource during execution with a virtual machine, andclassifying whether the suspicious URL link is a malicious link based on the analysis of the resource; and

after the classifying whether the suspicious URL link is a malicious link, generating a signature associated with the malicious link, and sending the malicious link signature to at least the malware detection appliance.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, any known URL links are removed from the URL links based on a list of known link signatures. For each of remaining URL links that are unknown, a link analysis is performed on the URL link based on link heuristics to determine whether the URL link is suspicious. For each of the suspicious URL links, a dynamic analysis is performed on a resource of the suspicious URL link. It is classified whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis.

671 Citations

35 Claims

1. A computer-implemented method for detecting malicious links in electronic messages by processing logic including circuitry implemented within a malware analysis system, comprising:
- receiving, by the malware analysis system from a malware detection appliance, a uniform resource locator (URL) link extracted from an electronic message of the electronic messages without receiving the electronic message in its entirety;
  
  in response to receiving the URL link for malicious determination by the malware analysis system, conducting an analysis of the URL link to determine if the URL link corresponds to a known link signature of a plurality of known link signatures;
  
  performing, by the malware analysis system, a link analysis using link heuristics by the malware analysis system on the URL link to determine whether the URL link is suspicious, the link analysis includes an analysis of one or more characteristics of the link;
  
  responsive to determining the URL link is suspicious,performing an analysis on a resource specified by a portion of the suspicious URL link by the malware analysis system by at least (i) conducting an analysis of metadata for the resource while the resource resides at a website, and (ii) downloading the resource referenced by the suspicious URL link and monitoring behavior of the resource during execution with a virtual machine, andclassifying whether the suspicious URL link is a malicious link based on the analysis of the resource; and
  
  after the classifying whether the suspicious URL link is a malicious link, generating a signature associated with the malicious link, and sending the malicious link signature to at least the malware detection appliance.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the receiving of the URL link from the malware detection appliance over a network comprises (i) recognizing the URL link being embedded within the electronic message by the malware detection appliance, (ii) extracting the URL link from the electronic message by the malware detection appliance, and (iii) transmitting the URL link from the malware detection appliance to the malware analysis system over the network, without transmitting other content of the electronic message to the malware analysis system.
  - 3. The method of claim 2, wherein the performing of the link analysis comprises:
    - determining a first domain name included in the URL link;
      
      determining whether a number of occurrences of the first domain name in a plurality of URL links including the URL link received by the malware analysis system exceeds a predetermined threshold; and
      
      designating the URL link and any other URL link of the plurality of URL links that include the first domain name as suspicious when the number of occurrences of the first domain name in the plurality of URL links exceeds the predetermined threshold.
  - 4. The method of claim 1, wherein the performing of the link analysis comprises:
    - determining whether a number of occurrences of a first uniform resource identifier (URI) in a plurality of URL links including the URL link received by the malware analysis system from the malicious detection appliance exceeds a predetermined threshold; and
      
      designating at least the URL link of the plurality of links including the first URI as suspicious when the number of occurrences of the first URI in the plurality of URL links exceeds the predetermined threshold.
  - 5. The method of claim 1, wherein the performing of the link analysis comprises determining whether a pattern of characters is present in the URL link, and if so, determining that the URL link is suspicious.
  - 6. The method of claim 1, wherein the performing of the link analysis includes an examination of whether the URL link includes an Internet protocol (IP) address instead of a host name.
  - 7. The method of claim 1, wherein prior to receiving the URL link, the method further comprising:
    - receiving the electronic messages including a plurality of URL links by the malware detection appliance;
      
      extracting the URL link by the malware detection appliance;
      
      comparing the URL link with a second plurality of known link signatures stored locally by the malware detection appliance.
  - 8. The method of claim 1, wherein the performing of the analysis on the resource comprises accessing the resource as specified by a uniform resource identifier (URI) of the URL link and examining the metadata of the resource including at least a size of the resource to determine whether the size is smaller or larger than an expected size.
  - 9. The method of claim 1, wherein the analysis of the metadata includes an analysis of a size and type of the resource as specified by at least a uniform resource identifier (URI) of the URL link.
  - 10. The method of claim 1, wherein the performing of the link analysis using link heuristics by the malware analysis system is in response to the URL link failing to correspond to the known link signature.
  - 11. The method of claim 1, wherein the performing of the analysis on the resource further comprises determining whether the suspicious URL is active.
  - 12. The method of claim 11, wherein the resource is content of the website referenced by the suspicious URL.
  - 13. The method of claim 11, wherein the resource is a file referenced by the suspicious URL.

14. A system comprising:
- a memory; and
  
  a processor coupled to the memory, the processor to (i) receive from a malware detection appliance, a uniform resource locator (URL) link extracted from an electronic message without receiving the electronic message in its entirety, (ii) determine whether the URL link of a plurality of URL links received by the system for malicious determination fails to correspond to any known link signature of a plurality of known link signatures, (iii) perform a link analysis on the URL link using link heuristics to analyze one or more characteristics of the link and determine whether the URL link is suspicious, (iv) responsive to determining the URL link is suspicious, perform an analysis on a resource specified by a portion of the suspicious URL link, the analysis on the resource includes an analysis of metadata for the resource, (v) classify whether the suspicious URL link is a malicious link based the analysis of the resource, and (vi) upon classifying the suspicious URL as a malicious link, generating a signature associated with the malicious link and sending the malicious link signature to at least the malware detection appliance.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The system of claim 14, wherein the processor to perform the link analysis by determining a domain name included in the URL link;
    - determining whether a number of occurrences of the domain name in the plurality of URL links that includes the URL link exceeds a predetermined threshold; and
      
      designating the URL link and any other URL link of the plurality of URL links as suspicious when the number of occurrences of the domain name in the plurality of URL links exceeds the predetermined threshold.
  - 16. The system of claim 14, wherein the processor to perform the link analysis bydetermining whether a number of occurrences of a first uniform resource identifier (URI) in the plurality of URL links exceeds a predetermined threshold, the plurality of URL links include the URL link received from the malicious detection appliance;
    - anddesignating the URL link and any other URL link of the plurality of URL links that includes the first URI as suspicious when the number of occurrences of the first URI in the plurality of URL links exceeds the predetermined threshold.
  - 17. The system of claim 14, wherein the processor to perform the link analysis bydetermining whether a pattern of characters is present in the URL link, and if so, determining that the URL link is suspicious.
  - 18. The system of claim 14, wherein the processor to perform the link analysis by conducting an analysis as to whether the URL link includes an Internet protocol (IP) address instead of a host name.
  - 19. The system of claim 14, wherein the processor to perform the analysis on the resource by accessing the resource as specified by a uniform resource identifier (URI) of the URL link and examining the metadata of the resource including at least a size of the resource to determine whether the size is smaller or larger than an expected size.
  - 20. The system of claim 14, wherein the processor to perform the analysis on the resource that includes conducting a dynamic analysis on the resource being content received from a server based on the portion of the suspicious URL link and processing the resource in a virtual operating environment including one or more virtual machines to verify that the URL link is malicious.
  - 21. The system of claim 14, wherein the processor to further perform the analysis on the resource by downloading the resource referenced by the suspicious URL link and monitoring behavior of the resource during execution with a virtual machine.
  - 22. The system of claim 21, wherein the processor to further perform the analysis on the resource by determining whether the suspicious URL is active before conducting the analysis of the metadata for the resource.
  - 23. The system of claim 14, wherein the processor to conduct the analysis of the metadata includes by analyzing at least a size and a type of the resource as specified by the portion of the of the suspicious URL link including an uniform resource identifier (URI) of the suspicious URL link.

24. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor within a malware detection system, cause the processor to perform operations for detecting malicious links in electronic messages, comprising:
- receiving a uniform resource locator (URL) link extracted from an electronic message of the electronic messages from a source without receiving the electronic message in its entirety;
  
  in response to receiving the URL link for malicious determination, conducting an analysis of at least the URL link to determine if the URL link corresponds to a known link signature of a plurality of known link signatures;
  
  performing a link analysis using link heuristics on the URL link to determine whether the URL link is suspicious, the link analysis includes an analysis of one or more characteristics of the URL link;
  
  responsive to determining the URL link is suspicious, performing an analysis on a resource specified by a portion of the suspicious URL link by at least conducting an analysis of metadata for the resource and classifying whether the suspicious URL link is a malicious link based on the analysis of the resource; and
  
  upon classifying the suspicious URL as a malicious link, generating a signature associated with the malicious link, and sending the malicious link signature to at least the source.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 25. The medium of claim 24, wherein the receiving of the URL link by the malware detection system comprises (i) recognizing the URL link being embedded within the electronic message by the source being a malware detection appliance, (ii) extracting the URL link from the electronic message by the malware detection appliance, and (iii) transmitting the URL link from the malware detection appliance to the malware analysis system over the network, without transmitting other content of the electronic message to the malware analysis system.
  - 26. The medium of claim 25, wherein the performing of the link analysis comprises:
    - determining a first domain name included in the URL link;
      
      determining whether a number of occurrences of the first domain name in a plurality of URL links including the URL link exceeds a predetermined threshold; and
      
      designating the URL link and any other URL link of the plurality of URL links that include the first domain name as suspicious when the number of occurrences of the first domain name in the plurality of URL links exceeds the predetermined threshold.
  - 27. The medium of claim 24, wherein the performing of the link analysis comprises:
    - determining whether a number of occurrences of a first uniform resource identifier (URI) in a plurality of URL links including the URL link received by the malware detection system from the source exceeds a predetermined threshold; and
      
      designating at least the URL link of the plurality of links including the first URI as suspicious when the number of occurrences of the first URI in the plurality of URL links exceeds the predetermined threshold.
  - 28. The medium of claim 24, wherein the performing of the link analysis by the malware analysis system comprises determining whether a pattern of characters is present in the URL link, and if so, determining that the URL link is suspicious.
  - 29. The medium of claim 24 including instructions that, when executed by the processor within the malware detection system, cause the processor to perform the analysis of the metadata by analyzing a size and type of the resource.
  - 30. The medium of claim 24 including instructions that, upon execution by the processor within the malware detection system, cause the processor to perform the analysis on the resource by conducting the analysis of the metadata for the resource while the resource resides at a website.
  - 31. The medium of claim 24 including instructions that, upon execution by the processor within the malware detection system, cause the processor to perform the analysis on the resource that further comprises determining whether the suspicious URL is active before conducting the analysis of the metadata for the resource.
  - 32. The medium of claim 24 including instructions that, upon execution by the processor within the malware detection system, cause the processor to download the resource referenced by the suspicious URL link and monitor behavior of the resource during execution with a virtual machine.
  - 33. The method of claim 32, wherein the resource is a file referenced by the suspicious URL.
  - 34. The medium of claim 24, wherein the resource is content of the website referenced by the suspicious URL.
  - 35. The medium of claim 24, wherein the processor to conduct the analysis of the metadata by at least analyzing at least a size and a type of the resource as specified by the portion of the of the suspicious URL link including an uniform resource identifier (URI) of the suspicious URL link.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Pidathala, Vinay, Uyeno, Henry
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Holmes, Angela

Application Number

US15/083,171
Time in Patent Office

680 Days
Field of Search

726 22
US Class Current
CPC Class Codes

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1475   Passive attacks, e.g. eaves...

System and method for detecting malicious links in electronic messages

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

671 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting malicious links in electronic messages

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

671 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links