System and method for detecting malicious activity based on at least one environmental property
First Claim
1. A computer-implemented method for detecting exfiltration of data, comprising:
executing a malicious content suspect within a virtual machine;
performing a packet inspection on outbound network traffic by a packet inspector running within the virtual machine prior to the outbound network traffic leaving the virtual machine, the packet inspection to determine whether a portion of outbound network traffic matches one or more portions of predetermined network traffic patterns or signatures;
determining whether the outbound network traffic includes at least one environmental property of the virtual machine that is unique to or distinctive of the virtual machine after determining the portion of the outbound network traffic matches the one or more portions of predetermined network traffic patterns or signatures, the at least one environmental property is unique to or distinctive of the virtual machine in that the at least one environmental property pertains to the virtual machine so as to allow the match to indicate that the malicious content suspect is attempting to perform an exfiltration of data;
precluding migration of the outbound network traffic outside of the virtual machine upon determining that the outbound network traffic includes the at least one environmental property of the virtual machine that is unique to or distinctive of the virtual machine; and
transmitting an alert indicating that the malicious content suspect is attempting to perform the exfiltration of data upon determining that the outbound network traffic includes the at least one environmental property of the virtual machine.
Abstract
Techniques for detecting exfiltration content are described herein. According to one embodiment, a malicious content suspect is executed within a virtual machine, and a packet inspection of outbound network traffic is performed by a packet inspector running within the virtual machine. Before the outbound network traffic leaves the virtual machine, the packet inspector determines whether a portion of the outbound network traffic matches one or more portions of predetermined network traffic patterns or signatures. If so, a determination is made whether the outbound network traffic includes at least one environmental property of the virtual machine that is unique or almost unique to the virtual machine. If so, migration of the outbound network traffic outside of the virtual machine is precluded and an alert is transmitted. The alert includes the malicious content suspect that is attempting to perform an exfiltration of data.
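As an added example, not part of the patent or of any product it describes, the two-stage check in the abstract rendered as an in-guest egress inspector in Python: a payload is first matched against predetermined traffic patterns, and only on a match is it searched for properties distinctive of the analysis VM (hostname, MAC address, user name, plus a few trivial encodings of each); when both stages fire the packet is held inside the VM and an alert is raised. The VM properties, the signatures and the sample payloads are all constructed.

```python
"""Two-stage egress check modelled on the abstract; all values are constructed."""
import base64
import re

# Constructed environmental properties of the analysis VM (hypothetical values).
VM_PROPERTIES = {
    "hostname": "SBX-WIN10-07",
    "mac": "00:0c:29:4a:1b:9e",
    "username": "sbxuser",
}

# Constructed stage-1 patterns: HTTP form uploads and credential posts.
SIGNATURES = {
    "http_post_gate": re.compile(rb"^POST /(?:upload|gate)\.php", re.I | re.M),
    "form_data_field": re.compile(rb'name="(?:data|file|report)"'),
    "credential_param": re.compile(rb"\b(?:passwd|password)=", re.I),
}

def encodings(value: str) -> list[bytes]:
    """Raw, lower-cased, dash-separated, base64 and hex forms of a property, so
    trivially encoded copies are recognised (base64 only on a 3-byte boundary)."""
    raw = value.encode()
    return [raw, raw.lower(), raw.replace(b":", b"-"),
            base64.b64encode(raw), raw.hex().encode()]

def inspect_outbound(payload: bytes, props=VM_PROPERTIES, sigs=SIGNATURES):
    """Return (matched_signatures, leaked_properties) for one outbound payload."""
    # Stage 1: predetermined traffic pattern / signature match.
    matched = [name for name, rx in sigs.items() if rx.search(payload)]
    if not matched:
        return matched, []
    # Stage 2: does the payload carry a property unique to or distinctive of this VM?
    leaked = [name for name, val in props.items()
              if any(enc in payload for enc in encodings(val))]
    return matched, leaked

def egress_decision(payload: bytes) -> str:
    """'BLOCK' holds the packet inside the VM and raises an alert; a signature
    hit without a VM-specific property is forwarded as ordinary traffic."""
    matched, leaked = inspect_outbound(payload)
    if matched and leaked:
        print(f"ALERT exfiltration attempt: signatures={matched} properties={leaked}")
        return "BLOCK"
    return "FORWARD"

# Constructed sample payloads: one leaking the VM hostname (base64) and MAC, one benign.
EXFIL = (b"POST /gate.php HTTP/1.1\r\nHost: example.invalid\r\n\r\nhost="
         + base64.b64encode(b"SBX-WIN10-07") + b"&mac=00-0c-29-4a-1b-9e")
BENIGN_UPLOAD = b"POST /upload.php HTTP/1.1\r\nHost: example.invalid\r\n\r\nfile=report.pdf"
```

Note that a request carrying the hostname but matching no signature is forwarded: the property check is gated on the pattern match, exactly as the claims order the two steps.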
24 Claims
1. A computer-implemented method for detecting exfiltration of data (independent claim; full text given above under First Claim).
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations for detecting exfiltration, comprising:
executing a malicious content suspect within a virtual machine;
prior to outbound network traffic initiated by the malicious content suspect leaving the virtual machine, performing a packet inspection within the virtual machine on the outbound network traffic by analyzing a portion of the outbound network traffic in comparison to one or more portions of predetermined network traffic patterns or signatures;
determining whether the outbound network traffic includes at least one environmental property of the virtual machine that is unique to or distinctive of the virtual machine after determining the portion of the outbound network traffic matches the one or more portions of predetermined network traffic patterns or signatures, the at least one environmental property is unique to or distinctive of the virtual machine in that the at least one environmental property pertains to the virtual machine so as to allow the match to indicate that the malicious content suspect is attempting to perform an exfiltration of data; and
responsive to determining the outbound network traffic includes the at least one environmental property of the virtual machine that is unique to or distinctive of the virtual machine, precluding migration of the outbound network traffic outside of the virtual machine, and transmitting an alert over a network, the alert indicating that the malicious content suspect is attempting to perform the exfiltration of data.
Dependent claims: 11, 12, 13, 14, 15.
16. A data processing system, comprising:
a processor; and
a memory coupled to the processor for storing instructions, which when executed from the memory, cause the processor to execute a malicious content suspect within a virtual machine, prior to outbound network traffic initiated by the malicious content suspect leaving the virtual machine, perform a packet inspection, by a packet inspector executed by the processor and running within the virtual machine, on the outbound network traffic, the packet inspection to determine whether a portion of the outbound network traffic matches one or more portions of predetermined network traffic patterns or signatures, determine whether the outbound network traffic includes at least one environmental property of the virtual machine that is unique to or distinctive of the virtual machine after determining that the portion of the outbound network traffic matches the one or more portions of predetermined network traffic patterns or signatures, and preclude migration of the outbound network traffic outside of the virtual machine and transmit an alert indicating that the malicious content suspect is attempting to perform an exfiltration of data upon determining that the outbound network traffic includes the at least one environmental property of the virtual machine that is unique to or distinctive of the virtual machine.
Dependent claims: 17, 18, 19, 20, 21, 22, 23, 24.