System and method for detection of malicious hypertext transfer protocol chains

US 9,953,163 B2
Filed: 02/20/2015
Issued: 04/24/2018
Est. Priority Date: 02/23/2014
Status: Expired due to Fees

First Claim

Patent Images

1. A system configured to detect malware comprising:

a device on a network to;

intercept one or more communication packets in transit between a first digital device and a second digital device on the network;

analyze a payload of at least one of the one or more communication packets;

detect, based on analyzing the payload, one or more hypertext transfer objects, in a chain of a plurality of hypertext transfer objects, in the payload in transit between the first digital device and the second digital device on the network;

analyze the one or more hypertext transfer objects for one or more events;

generate a list of events based on analyzing the one or more hypertext transfer objects;

determine a score based on at least one of a file format or a header within the one or more hypertext transfer objects;

determine that the one or more hypertext transfer objects is a suspicious sequence of hypertext transfer objects based on the score satisfying a threshold; and

instantiate a browser cooking environment based on determining that the one or more hypertext transfer objects is the suspicious sequence of hypertext transfer objects.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system configured to detect malware is described. The system configured to detect malware including a data collector configured to detect at least a first hypertext transfer object in a chain of a plurality of hypertext transfer objects. The data collector further configured to analyze at least the first hypertext transfer object for one or more events. And, the data collector configured to generate a list of events based on the analysis of at least the first hypertext transfer object.

15 Citations

View as Search Results

25 Claims

1. A system configured to detect malware comprising:
- a device on a network to;
  
  intercept one or more communication packets in transit between a first digital device and a second digital device on the network;
  
  analyze a payload of at least one of the one or more communication packets;
  
  detect, based on analyzing the payload, one or more hypertext transfer objects, in a chain of a plurality of hypertext transfer objects, in the payload in transit between the first digital device and the second digital device on the network;
  
  analyze the one or more hypertext transfer objects for one or more events;
  
  generate a list of events based on analyzing the one or more hypertext transfer objects;
  
  determine a score based on at least one of a file format or a header within the one or more hypertext transfer objects;
  
  determine that the one or more hypertext transfer objects is a suspicious sequence of hypertext transfer objects based on the score satisfying a threshold; and
  
  instantiate a browser cooking environment based on determining that the one or more hypertext transfer objects is the suspicious sequence of hypertext transfer objects.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the one or more hypertext transfer objects include a body.
  - 3. The system of claim 2, wherein the device, when analyzing the one or more hypertext transfer objects, is to:
    - analyze the one or more hypertext transfer objects by performing a frequency analysis of the body.
  - 4. The system of claim 3, wherein the frequency analysis includes determining a correlation between at least one of:
    - a group of special characters,a number of language blocks, oran entropy calculation.
  - 5. The system of claim 1, wherein the device, when analyzing the one or more hypertext transfer objects, is to:
    - analyze the one or more hypertext transfer objects by correlating a unique resource identifier with a body file type.
  - 6. The system of claim 1, wherein the device is further to:
    - determine whether the one or more hypertext transfer objects include one or more calls to at least one of a web counter and one or more web analytics engines; and
      
      wherein the device, when determining that the one or more hypertext transfer objects is the suspicious sequence of hypertext transfer objects, is to;
      
      determine that the one or more hypertext transfer objects is the suspicious sequence of hypertext transfer objects based on determining that the one or more hypertext transfer objects include the one or more calls.
  - 7. The system of claim 1, wherein the device is further to:
    - determine one or more vulnerabilities of an application based on a user-agent field in the header; and
      
      wherein the device, when determining that the one or more hypertext transfer objects is the suspicious sequence of hypertext transfer objects, is to;
      
      determine that the one or more hypertext transfer objects is the suspicious sequence of hypertext transfer objects based on determining the one or more vulnerabilities.
  - 8. The system of claim 1, wherein the device is further to:
    - determine a reputation of a domain name in the one or more hypertext transfer objects, andwherein the device, when determining that the one or more hypertext transfer objects is the suspicious sequence of hypertext transfer objects, is to;
      
      determine that the one or more hypertext transfer objects is the suspicious sequence of hypertext transfer objects based on determining the reputation.
  - 9. The system of claim 1, wherein the device is further to:
    - determine network information of the one or more hypertext transfer objects,the network information including at least one of an Internet protocol address or a port number; and
      
      wherein the device, when determining that the one or more hypertext transfer objects is the suspicious sequence of hypertext transfer objects, is to;
      
      determine that the one or more hypertext transfer objects is the suspicious sequence of hypertext transfer objects based on determining the network information.
  - 10. The system of claim 1, wherein the device is further to:
    - generate a data model based on the list of events.
  - 11. The system of claim 1, wherein the device is further to:
    - classify the chain of the plurality of hypertext transfer objects based on the list of events.
  - 12. The system of claim 1, wherein the device is further to:
    - generate a data model based on the list of events; and
      
      classify the of the plurality of hypertext transfer objects chain based on the data model.

13. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors, cause one or more processors to;
  
  intercept one or more communication packets in transit between a first digital device and a second digital device on a network;
  
  analyze a payload of at least one of the one or more communication packets;
  
  detect, based on analyzing the payload, one or more hypertext transfer objects, in a chain of a plurality of hypertext transfer objects, in the payload in transit between the first digital device and the second digital device on the network;
  
  analyze the one or more hypertext transfer objects for one or more events;
  
  generate a list of events based on analyzing the one or more hypertext transfer objects;
  
  determine a score based on at least one of a file format or a header within the one or more hypertext transfer objects; and
  
  determine that the one or more hypertext transfer objects is a suspicious sequence of hypertext transfer objects based on the score satisfying a threshold.

14. A method, comprising:
- intercepting, by a device, one or more communication packets in transit between a first digital device and a second digital device on a network;
  
  analyzing, by the device, a payload of at least one of the one or more communication packets;
  
  detecting, by the device and based on analyzing the payload, one or more hypertext transfer objects, in a chain of a plurality of hypertext transfer objects, in the payload in transit between the first digital device and the second digital device on the network;
  
  analyzing, by the device, the one or more hypertext transfer objects for one or more events;
  
  generating, by the device, a list of events based on analyzing the one or more hypertext transfer objects;
  
  determining, by the device, a score based on at least one of a file format or a header within the one or more hypertext transfer objects; and
  
  determining, by the device, that the one or more hypertext transfer objects is a suspicious sequence of hypertext transfer objects based on the score satisfying a threshold.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 15. The method of claim 14, wherein the one or more hypertext transfer objects includes a body.
  - 16. The method of claim 15, wherein analyzing the one or more hypertext transfer objects includes:
    - analyzing the one or more hypertext transfer objects by performing a frequency analysis of the body.
  - 17. The method of claim 16, wherein performing the frequency analysis includes:
    - determining a correlation between at least one of;
      
      a group of special characters,a number of language blocks, oran entropy calculation.
  - 18. The method of claim 14, wherein analyzing the one or more hypertext transfer objects includes:
    - correlating a unique resource identifier with a body file type.
  - 19. The method of claim 14, further comprising:
    - determining whether the one or more hypertext transfer objects include one or more references to at least one of a web counter and one or more web analytics engines; and
      
      wherein determining that the one or more hypertext transfer objects is the suspicious sequence of hypertext transfer objects comprises;
      
      determining that the one or more hypertext transfer objects is the suspicious sequence of hypertext transfer objects based on determining that the one or more hypertext transfer objects include the one or more references.
  - 20. The method of claim 14, further comprising:
    - determining one or more vulnerabilities of an application based on a user-agent field in the header; and
      
      wherein determining that the one or more hypertext transfer objects is the suspicious sequence of hypertext transfer objects comprises;
      
      determining that the one or more hypertext transfer objects is the suspicious sequence of hypertext transfer objects based on determining the one or more vulnerabilities.
  - 21. The method of claim 14, further comprising:
    - determining a reputation of a domain name in the one or more hypertext transfer objects; and
      
      wherein determining that the one or more hypertext transfer objects is the suspicious sequence of hypertext transfer objects comprises;
      
      determining that the one or more hypertext transfer objects is the suspicious sequence of hypertext transfer objects based on determining the reputation.
  - 22. The method of claim 14, further comprising,determining network information of the one or more hypertext transfer objects,the network information including at least one of an Internet protocol address or a port number;
    - andwherein determining that the one or more hypertext transfer objects is the suspicious sequence of hypertext transfer objects comprises;
      
      determining that the one or more hypertext transfer objects is the suspicious sequence of hypertext transfer objects based on determining the network information.
  - 23. The method of claim 14, further comprising:
    - generating a data model based on the list of events.
  - 24. The method of claim 14, further comprising:
    - classifying the chain of the plurality of hypertext transfer objects based on the list of events.
  - 25. The method of claim 14, further comprising:
    - generating a data model based on the list of events; and
      
      classifying the chain based on the data model.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cyphort Inc. (Juniper Networks Incorporated)
Original Assignee
Cyphort Inc. (Juniper Networks Incorporated)
Inventors
Burt, Alexander, Bilogorskiy, Mikola, Navaraj, McEnroe, Jas, Frank, Han, Liang, Ting, Yucheng, Kenyan, Manikandan, Gong, Fengmin, Golshan, Ali, Singh, Shishir
Primary Examiner(s)
Dinh, Minh

Application Number

US14/627,686
Publication Number

US 20150242628A1
Time in Patent Office

1,159 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

System and method for detection of malicious hypertext transfer protocol chains

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detection of malicious hypertext transfer protocol chains

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links