System and method for detection of malicious hypertext transfer protocol chains
First Claim
1. A system configured to detect malware comprising:
a device on a network to:
intercept one or more communication packets in transit between a first digital device and a second digital device on the network;
analyze a payload of at least one of the one or more communication packets;
detect, based on analyzing the payload, one or more hypertext transfer objects, in a chain of a plurality of hypertext transfer objects, in the payload in transit between the first digital device and the second digital device on the network;
analyze the one or more hypertext transfer objects for one or more events;
generate a list of events based on analyzing the one or more hypertext transfer objects;
determine a score based on at least one of a file format or a header within the one or more hypertext transfer objects;
determine that the one or more hypertext transfer objects is a suspicious sequence of hypertext transfer objects based on the score satisfying a threshold; and
instantiate a browser cooking environment based on determining that the one or more hypertext transfer objects is the suspicious sequence of hypertext transfer objects.
Abstract
A system configured to detect malware is described. The system includes a data collector configured to detect at least a first hypertext transfer object in a chain of a plurality of hypertext transfer objects, to analyze at least the first hypertext transfer object for one or more events, and to generate a list of events based on that analysis.
25 Claims
1. A system configured to detect malware comprising: (independent claim; full text reproduced above under First Claim). Dependent claims: 2 to 12.
13. A non-transitory computer-readable medium storing instructions, the instructions comprising:
one or more instructions that, when executed by one or more processors, cause one or more processors to:
intercept one or more communication packets in transit between a first digital device and a second digital device on a network;
analyze a payload of at least one of the one or more communication packets;
detect, based on analyzing the payload, one or more hypertext transfer objects, in a chain of a plurality of hypertext transfer objects, in the payload in transit between the first digital device and the second digital device on the network;
analyze the one or more hypertext transfer objects for one or more events;
generate a list of events based on analyzing the one or more hypertext transfer objects;
determine a score based on at least one of a file format or a header within the one or more hypertext transfer objects; and
determine that the one or more hypertext transfer objects is a suspicious sequence of hypertext transfer objects based on the score satisfying a threshold.
14. A method, comprising:
intercepting, by a device, one or more communication packets in transit between a first digital device and a second digital device on a network;
analyzing, by the device, a payload of at least one of the one or more communication packets;
detecting, by the device and based on analyzing the payload, one or more hypertext transfer objects, in a chain of a plurality of hypertext transfer objects, in the payload in transit between the first digital device and the second digital device on the network;
analyzing, by the device, the one or more hypertext transfer objects for one or more events;
generating, by the device, a list of events based on analyzing the one or more hypertext transfer objects;
determining, by the device, a score based on at least one of a file format or a header within the one or more hypertext transfer objects; and
determining, by the device, that the one or more hypertext transfer objects is a suspicious sequence of hypertext transfer objects based on the score satisfying a threshold.
Dependent claims: 15 to 25.
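As an added worked example (not code from the patent or its assignee), the pipeline the independent claims describe, run over a constructed three-object HTTP chain: a landing page, a 302 redirect off the originating host, and a response whose declared Content-Type is application/pdf but whose body begins with a Windows PE header. The event names, weights, threshold, magic-byte table and sample responses are all assumptions for illustration; the patent specifies none of them, and the final step of claim 1 (instantiating the browser cooking environment) is represented only by the boolean result.

```python
"""Score a chain of HTTP transfer objects for suspicious sequences (added example)."""
import re
from dataclasses import dataclass

# File-format signatures (magic bytes) used to check the declared Content-Type
# against what the body really is. Assumed table, not from the patent.
MAGIC = (
    (b"MZ", "application/x-msdownload"),
    (b"%PDF", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
)

# Event weights and threshold are illustrative assumptions; the patent leaves
# both unspecified.
WEIGHTS = {
    "offsite_redirect": 15,
    "content_type_mismatch": 40,
    "executable_body": 30,
    "obfuscated_script": 20,
}
THRESHOLD = 50


@dataclass
class HttpObject:
    """One hypertext transfer object: the host it came from plus its parsed response."""
    host: str
    status: int
    headers: dict
    body: bytes


def parse_response(host: str, raw: bytes) -> HttpObject:
    """Reassemble a raw HTTP/1.1 response payload (as seen in transit) into an HttpObject."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpObject(host, status, headers, body)


def sniff_format(body: bytes):
    """Return the MIME type implied by the body's magic bytes, or None if unknown."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    return None


def extract_events(chain):
    """Analyze each object in the chain and return a list of (index, event) pairs."""
    events = []
    for i, obj in enumerate(chain):
        declared = obj.headers.get("content-type", "").split(";")[0].strip()
        actual = sniff_format(obj.body)
        # Redirect whose Location leaves the host the chain started on.
        if 300 <= obj.status < 400:
            target = re.match(r"https?://([^/]+)", obj.headers.get("location", ""))
            if target and target.group(1) != chain[0].host:
                events.append((i, "offsite_redirect"))
        # Header says one format, file format in the body says another.
        if actual and declared and actual != declared:
            events.append((i, "content_type_mismatch"))
        if actual == "application/x-msdownload":
            events.append((i, "executable_body"))
        # Crude obfuscation check on script and HTML bodies.
        if declared in ("text/html", "text/javascript", "application/javascript"):
            if re.search(rb"\b(eval|unescape)\s*\(", obj.body):
                events.append((i, "obfuscated_script"))
    return events


def score_chain(chain):
    """Return (score, suspicious, events); suspicious when score meets THRESHOLD."""
    events = extract_events(chain)
    score = sum(WEIGHTS[name] for _, name in events)
    return score, score >= THRESHOLD, events


# Constructed sample chain: landing page with obfuscated script, off-site
# redirect, then a "PDF" whose body is really a PE executable.
SAMPLE_CHAIN = [
    parse_response("landing.example",
                   b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                   b"<script>eval(unescape('%64%6f%63'))</script>"),
    parse_response("landing.example",
                   b"HTTP/1.1 302 Found\r\nLocation: http://cdn.example.net/inv.pdf\r\n\r\n"),
    parse_response("cdn.example.net",
                   b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n"
                   b"MZ\x90\x00" + b"\x00" * 16),
]

if __name__ == "__main__":
    score, suspicious, events = score_chain(SAMPLE_CHAIN)
    print(score, suspicious, events)  # 105 True, four events
```

The mismatch between the Content-Type header and the sniffed file format is the strongest single signal here, which matches the claims' emphasis on scoring from "a file format or a header"; a benign chain of plain HTML produces no events and a score of zero.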