System and method for detecting malicious links in electronic messages
Abstract
According to one embodiment, in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, any known URL links are removed from the URL links based on a list of known link signatures. For each of remaining URL links that are unknown, a link analysis is performed on the URL link based on link heuristics to determine whether the URL link is suspicious. For each of the suspicious URL links, a dynamic analysis is performed on a resource of the suspicious URL link. It is classified whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis.
35 Claims
1. A computer-implemented method for detecting malicious links in electronic messages by processing logic including circuitry implemented within a malware analysis system, comprising:
receiving, by the malware analysis system from a malware detection appliance, a uniform resource locator (URL) link extracted from an electronic message of the electronic messages without receiving the electronic message in its entirety;
in response to receiving the URL link for malicious determination by the malware analysis system, conducting an analysis of the URL link to determine if the URL link corresponds to a known link signature of a plurality of known link signatures;
performing, by the malware analysis system, a link analysis using link heuristics by the malware analysis system on the URL link to determine whether the URL link is suspicious, the link analysis includes an analysis of one or more characteristics of the link;
responsive to determining the URL link is suspicious, performing an analysis on a resource specified by a portion of the suspicious URL link by the malware analysis system by at least (i) conducting an analysis of metadata for the resource while the resource resides at a website, and (ii) downloading the resource referenced by the suspicious URL link and monitoring behavior of the resource during execution with a virtual machine, and classifying whether the suspicious URL link is a malicious link based on the analysis of the resource; and
after the classifying whether the suspicious URL link is a malicious link, generating a signature associated with the malicious link, and sending the malicious link signature to at least the malware detection appliance.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
14. A system comprising:
a memory; and
a processor coupled to the memory, the processor to
(i) receive from a malware detection appliance, a uniform resource locator (URL) link extracted from an electronic message without receiving the electronic message in its entirety,
(ii) determine whether the URL link of a plurality of URL links received by the system for malicious determination fails to correspond to any known link signature of a plurality of known link signatures,
(iii) perform a link analysis on the URL link using link heuristics to analyze one or more characteristics of the link and determine whether the URL link is suspicious,
(iv) responsive to determining the URL link is suspicious, perform an analysis on a resource specified by a portion of the suspicious URL link, the analysis on the resource includes an analysis of metadata for the resource,
(v) classify whether the suspicious URL link is a malicious link based on the analysis of the resource, and
(vi) upon classifying the suspicious URL as a malicious link, generating a signature associated with the malicious link and sending the malicious link signature to at least the malware detection appliance.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23
24. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor within a malware detection system, cause the processor to perform operations for detecting malicious links in electronic messages, comprising:
receiving a uniform resource locator (URL) link extracted from an electronic message of the electronic messages from a source without receiving the electronic message in its entirety;
in response to receiving the URL link for malicious determination, conducting an analysis of at least the URL link to determine if the URL link corresponds to a known link signature of a plurality of known link signatures;
performing a link analysis using link heuristics on the URL link to determine whether the URL link is suspicious, the link analysis includes an analysis of one or more characteristics of the URL link;
responsive to determining the URL link is suspicious, performing an analysis on a resource specified by a portion of the suspicious URL link by at least conducting an analysis of metadata for the resource and classifying whether the suspicious URL link is a malicious link based on the analysis of the resource; and
upon classifying the suspicious URL as a malicious link, generating a signature associated with the malicious link, and sending the malicious link signature to at least the source.
Dependent claims: 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35
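The staged pipeline the abstract and the independent claims describe (known-signature filter, link heuristics on URL characteristics, resource analysis only for suspicious links, then a new signature fed back to the detection appliance), written here as an added illustration that is not code from the patent or its assignee. The signature scheme, the particular heuristics and the `analyze_resource` callback that stands in for the metadata check and virtual-machine execution are all assumptions.

```python
import hashlib
import ipaddress
from urllib.parse import urlparse

# Assumed signature scheme (the patent does not specify one): SHA-256 over the
# lower-cased host plus path, so the same link always yields the same signature.
def link_signature(url):
    p = urlparse(url)
    return hashlib.sha256(f"{(p.hostname or '').lower()}{p.path or '/'}".encode()).hexdigest()

def link_heuristics(url):
    """Assumed example heuristics over URL characteristics; empty list means not suspicious."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    hits = []
    try:
        ipaddress.ip_address(host)          # raw IP address instead of a hostname
        hits.append("ip-literal-host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        hits.append("punycode-host")        # possible homograph domain
    if p.port and p.port not in (80, 443):
        hits.append("unusual-port")
    if p.username or p.password:
        hits.append("userinfo-in-url")      # credentials or a decoy host before the '@'
    return hits

def triage_links(urls, known_signatures, analyze_resource):
    """Stage links as the claims describe: signature filter, then heuristics, then resource analysis.
    analyze_resource(url) stands in for steps (i)/(ii) (metadata check plus sandboxed execution)
    and returns True when the resource behaves maliciously.  Returns (verdicts, new signatures)."""
    verdicts, new_signatures = {}, set()
    for url in urls:
        sig = link_signature(url)
        if sig in known_signatures:          # already signatured: no further analysis needed
            verdicts[url] = "known"
        elif not link_heuristics(url):       # nothing suspicious about the link itself
            verdicts[url] = "benign"
        elif analyze_resource(url):          # only suspicious links reach the sandbox
            verdicts[url] = "malicious"
            new_signatures.add(sig)          # signature pushed back to the detection appliance
        else:
            verdicts[url] = "suspicious"
    return verdicts, new_signatures
```

Feeding the returned signatures back into `known_signatures` reproduces the loop in the last element of claim 1: the next time the same link arrives it is filtered by signature without reaching the heuristics or the sandbox.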