System and method for detecting malicious activity based on at least one environmental property

US 9,934,381 B1
Filed: 02/06/2017
Issued: 04/03/2018
Est. Priority Date: 03/13/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting exfiltration of data, comprising:

executing a malicious content suspect within a virtual machine;

performing a packet inspection on outbound network traffic by a packet inspector running within the virtual machine prior to the outbound network traffic leaving the virtual machine, the packet inspection to determine whether a portion of outbound network traffic matches one or more portions of predetermined network traffic patterns or signatures;

determining whether the outbound network traffic includes at least one environmental property of the virtual machine that is unique to or distinctive of the virtual machine after determining the portion of the outbound network traffic matches the one or more portions of predetermined network traffic patterns or signatures, the at least one environmental property is unique to or distinctive of the virtual machine in that the at least one environmental property pertains to the virtual machine so as to allow the match to indicate that the malicious content suspect is attempting to perform an exfiltration of data;

precluding migration of the outbound network traffic outside of the virtual machine upon determining that the outbound network traffic includes the at least one environmental property of the virtual machine that is unique to or distinctive of the virtual machine; and

transmitting an alert indicating that the malicious content suspect is attempting to perform the exfiltration of data upon determining that the outbound network traffic includes the at least one environmental property of the virtual machine.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for detecting exfiltration content are described herein. According to one embodiment, a malicious content suspect is executed and a packet inspection of outbound network traffic is performed by a packet inspector running within the virtual machine. Occurring before the outbound network traffic leaving the virtual machine, the packet inspector determines whether a portion of outbound network traffic matches one or more portions of predetermined network traffic patterns or signatures. If so, a determination is made whether the outbound network traffic includes at least one environmental property of the virtual machine that is unique or almost unique to the virtual machine. If so, migration of the outbound network traffic outside of the virtual machine is precluded and an alert is transmitted. The alert includes the malicious content suspect that is attempting to perform an exfiltration of data.

543 Citations

24 Claims

1. A computer-implemented method for detecting exfiltration of data, comprising:
- executing a malicious content suspect within a virtual machine;
  
  performing a packet inspection on outbound network traffic by a packet inspector running within the virtual machine prior to the outbound network traffic leaving the virtual machine, the packet inspection to determine whether a portion of outbound network traffic matches one or more portions of predetermined network traffic patterns or signatures;
  
  determining whether the outbound network traffic includes at least one environmental property of the virtual machine that is unique to or distinctive of the virtual machine after determining the portion of the outbound network traffic matches the one or more portions of predetermined network traffic patterns or signatures, the at least one environmental property is unique to or distinctive of the virtual machine in that the at least one environmental property pertains to the virtual machine so as to allow the match to indicate that the malicious content suspect is attempting to perform an exfiltration of data;
  
  precluding migration of the outbound network traffic outside of the virtual machine upon determining that the outbound network traffic includes the at least one environmental property of the virtual machine that is unique to or distinctive of the virtual machine; and
  
  transmitting an alert indicating that the malicious content suspect is attempting to perform the exfiltration of data upon determining that the outbound network traffic includes the at least one environmental property of the virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the determining whether the outbound network traffic includes the at least one environmental property of the virtual machine comprises matching the at least one environmental property to any of a set of patterns associated with the virtual machine selected to process the malicious content suspect.
  - 3. The method of claim 1, wherein the at least one environmental property of the virtual machine comprises an identifier of an electronic device represented by the virtual machine.
  - 4. The method of claim 1, wherein the at least one environmental property of the virtual machine comprises information that distinguishes hardware included in an electronic device represented by the virtual machine from other hardware.
  - 5. The method of claim 1, wherein the alert being transmitted over a network.
  - 6. The method of claim 1, wherein the malicious content suspect is extracted from the outbound network traffic by a packet capturer of a guest operating system that hosts the virtual machine.
  - 7. The method of claim 6, wherein the packet capturer being implemented as part of a firewall of the guest operating system.
  - 8. The method of claim 1, wherein a destination of the outbound network traffic is represented by a virtual network interface presented by the virtual machine, without allowing the outbound network traffic to reach an actual destination outside of a data processing system that hosts the virtual machine.
  - 9. The method of claim 1, wherein the at least one environmental property includes at least one of (i) a computer name or NetBIOS name, (ii) a serial number of a hardware component, (iii) an identifier of a software application, or (iv) information identifying a user of an electronic device represented by the virtual machine.

10. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations for detecting exfiltration, comprising:
- executing a malicious content suspect within a virtual machine;
  
  prior to outbound network traffic initiated by the malicious content suspect leaving the virtual machine, performing a packet inspection within the virtual machine on the outbound network traffic by analyzing a portion of the outbound network traffic in comparison to one or more portions of predetermined network traffic patterns or signatures;
  
  determining whether the outbound network traffic includes at least one environmental property of the virtual machine that is unique to or distinctive of the virtual machine after determining the portion of the outbound network traffic matches the one or more portions of predetermined network traffic patterns or signatures, the at least one environmental property is unique to or distinctive of the virtual machine in that the at least one environmental property pertains to the virtual machine so as to allow the match to indicate that the malicious content suspect is attempting to perform an exfiltration of data; and
  
  responsive to determining the outbound network traffic includes the at least one environmental property of the virtual machine that is unique to or distinctive of the virtual machine, precluding migration of the outbound network traffic outside of the virtual machine, and transmitting an alert over a network, the alert indicating that the malicious content suspect is attempting to perform the exfiltration of data.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The non-transitory machine-readable medium of claim 10, wherein the determining whether the outbound network traffic includes the at least one environmental property of the virtual machine comprises matching the at least one environmental property to any of a set of patterns associated with the virtual machine selected to process the malicious content suspect.
  - 12. The non-transitory machine-readable medium of claim 10, wherein the at least one environmental property of the virtual machine comprises an identifier of an electronic device represented by the virtual machine.
  - 13. The non-transitory machine-readable medium of claim 10, wherein the performing of the packet inspection comprises performing a search of data that is part of the outbound network traffic based on a predetermined signature that was generated by encoding, using a predetermined encoding algorithm, a text string representing a unique identifier of an electronic device represented by the virtual machine.
  - 14. The non-transitory machine-readable medium of claim 10, wherein the at least one environmental property of the virtual machine is unique when an encoded or compressed form of data of the at least one environmental property fails to match generic network traffic.
  - 15. The non-transitory machine-readable medium of claim 10 being implemented as part of a firewall.

16. A data processing system, comprising:
- a processor; and
  
  a memory coupled to the processor for storing instructions, which when executed from the memory, cause the processor toexecute a malicious content suspect within a virtual machine,prior to outbound network traffic initiated by the malicious content suspect leaving the virtual machine, perform a packet inspection, by a packet inspector executed by the processor and running within the virtual machine, on the outbound network traffic, the packet inspection to determine whether a portion of the outbound network traffic matches one or more portions of predetermined network traffic patterns or signatures,determine whether the outbound network traffic includes at least one environmental property of the virtual machine that is unique to or distinctive of the virtual machine after determining that the portion of the outbound network traffic matches the one or more portions of predetermined network traffic patterns or signatures, andpreclude migration of the outbound network traffic outside of the virtual machine and transmitting an alert indicating that the malicious content suspect is attempting to perform an exfiltration of data upon determining that the outbound network traffic includes the at least one environmental property of the virtual machine that is unique to or distinctive of the virtual machine.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24)
- - 17. The system of claim 16, wherein the determining whether the outbound network traffic includes the at least one environmental property of the virtual machine comprises matching the at least one environmental property to any of a set of patterns associated with the virtual machine selected to process the malicious content suspect.
  - 18. The system of claim 16, wherein the alert being transmitted to a controller, the controller is implemented as part of a virtual machine monitor (VMM).
  - 19. The system of claim 18, wherein the controller includes a scheduler that selects a configuration of the virtual machine, the configuration includes a selection of at least a particular version of an operating system includes a selection of a particular version of a particular operating system and one or more of version of application software to operate with the particular version of the operating system.
  - 20. The system of claim 16, wherein the at least one environmental property of the virtual machine comprises an identifier of an electronic device represented by the virtual machine.
  - 21. The system of claim 16, wherein the performing of the packet inspection comprises performing a search of data that is part of the outbound network traffic based on a predetermined signature that was generated by encoding, using a predetermined encoding algorithm, a text string representing a unique identifier of an electronic device represented by the virtual machine comprising the at least one environmental property.
  - 22. The system of claim 16, wherein the at least one environmental property of the virtual machine is unique or distinctive when an encoded or compressed form of data of the at least one environmental property fails to match generic network traffic.
  - 23. The system of claim 16, wherein the at least one environmental property is unique to or distinctive of the virtual machine in that the at least one environmental property pertains to the virtual machine so as to allow the match to indicate that the malicious content suspect is attempting to perform an exfiltration of data.
  - 24. The system of claim 23, wherein the at least one environmental property includes at least one of (i) a computer name or NetBIOS name, (ii) a serial number of a hardware component, (iii) an identifier of a software application, or (iv) information identifying a user of an electronic device represented by the virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Kindlund, Darien, Wolf, Julia, Bennett, James
Primary Examiner(s)
Simitoski, Michael

Application Number

US15/425,954
Time in Patent Office

421 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/561   Virus type analysis

G06F 21/562   Static detection

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G06F 2221/033   Test or assess software

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

System and method for detecting malicious activity based on at least one environmental property

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

543 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting malicious activity based on at least one environmental property

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

543 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links