Detecting Malicious Network Content Using Virtual Environment Components

US 20100192223A1
Filed: 01/23/2009
Published: 07/29/2010
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A method for detecting malicious network content by a network content processing system, comprising:

receiving network content detected to be suspicious;

configuring a virtual environment component within a virtual environment to mimic a real application configured to process the suspicious network content, the virtual environment configured within the network content processing system;

processing the suspicious network content using the virtual environment component within the virtual environment; and

identifying the suspicious network content as malicious network content based on a behavior of the virtual environment component.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Malicious network content is identified based on the behavior of one or more virtual environment components which process network content in a virtual environment. Network content can be monitored and analyzed using a set of heuristics. The heuristics identify suspicious network content communicated over a network. The suspicious network content can further be analyzed in a virtual environment that includes one or more virtual environment components. Each virtual environment component is configured to mimic live environment components, for example a browser application component or an operating system component. The suspicious network content is replayed in the virtual environment using one or more of the virtual environment components. The virtual environment component behavior is analyzed in view of an expected behavior to identify malicious network content. The malicious network content is then identified and processed.

438 Citations

30 Claims

1. A method for detecting malicious network content by a network content processing system, comprising:
- receiving network content detected to be suspicious;
  
  configuring a virtual environment component within a virtual environment to mimic a real application configured to process the suspicious network content, the virtual environment configured within the network content processing system;
  
  processing the suspicious network content using the virtual environment component within the virtual environment; and
  
  identifying the suspicious network content as malicious network content based on a behavior of the virtual environment component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the suspicious network content includes one or more data packets associated with a suspicious characteristic.
  - 3. The method of claim 2, the one or more data packets comprising a copy of an original group of one or more data packets configured to be processed at least in part by the real application executing within a real environment.
  - 4. The method of claim 1, wherein the network content is a copy of network content processed by a real application.
  - 5. The method of claim 1, wherein the virtual environment component is a browser application.
  - 6. The method of claim 5, wherein the virtual environment browser application renders the suspicious network content as at least part of a content page.
  - 7. The method of claim 1, wherein the virtual environment component is a virtual operating system.
  - 8. The method of claim 7, further comprising monitoring changes to the virtual environment operating system by an agent, the suspicious network content identified as malicious network content based on detected improper changes to the virtual environment operating system.
  - 9. The method of claim 1, wherein processing the suspicious network content includes determining an observed behavior of the virtual environment component differs from an expected behavior of the virtual environment component.
  - 10. The method of claim 9, wherein the observed behavior includes one or more actions performed by executable code contained within the suspicious network content.
  - 11. The method of claim 1, further comprising:
    - generating a signature to identify network content that matches the malicious network content; and
      
      applying the signature to subsequently received network content.

12. A computer implemented method for processing network content, comprising:
- receiving suspicious network content, the suspicious network content detected within a copy of network content communicated over a network;
  
  configuring an agent to monitor processing of the suspicious network content within a virtual environment;
  
  configuring at least one virtual environment component to process the suspicious network content within the virtual environment;
  
  detecting an anomaly associated with the virtual environment component using the agent; and
  
  generating a signature from the suspicious network content to apply to subsequent network content.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The computer implemented method of claim 12, wherein the agent is further configured to monitor changes to a virtual environment operating system within the virtual embodiment.
  - 14. The computer implemented method of claim 12, wherein the agent is further configured to initiate generation of the signature based on detecting the anomaly.
  - 15. The computer implemented method of claim 12, wherein the agent is further configured to monitor behavior of a virtual environment application within the virtual embodiment.
  - 16. The computer implemented method of claim 15, wherein the virtual environment application is configured to mimic a real application which sends and receives data over a network.
  - 17. The computer implemented method of claim 15, wherein the virtual environment application is configured to mimic a browser application.
  - 18. The computer implemented method of claim 15, wherein the virtual environment browser application is configured with a proxy address,wherein the agent is further configured to detect whether code within the suspicious network content and executed by the virtual environment browser application attempts to transmit data over a network without the proxy address.

19. A computer readable storage medium having stored thereon instructions executable by a processor for performing a method for detecting malicious network content, the method comprising:
- receiving suspicious network content;
  
  configuring a virtual environment component within a virtual environment to mimic a real application configured to process the suspicious network content, the virtual environment configured within the network content processing system;
  
  processing the suspicious network content by the virtual environment component within a virtual environment; and
  
  identifying the suspicious network content as malicious network content based on a behavior for the virtual environment component.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The computer readable storage medium of claim 19, wherein the suspicious network content includes one or more data packets associated with a suspicious characteristic.
  - 21. The computer readable storage medium of claim 19, wherein the virtual environment component is a browser application.
  - 22. The computer readable storage medium of claim 19, wherein the method further comprises an agent that monitors changes to a virtual environment operating system, the suspicious network content identified as malicious network content based on detected improper changes to the virtual environment operating system.
  - 23. The computer readable storage medium of claim 19, wherein processing the suspicious network content includes determining an observed behavior of the virtual environment component differs from an expected behavior of the virtual environment component.
  - 24. The computer readable storage medium of claim 19, wherein the method further comprises:
    - generating a signature to identify network content that matches the suspicious network content; and
      
      applying the signature to subsequently received network content.

25. A system for detecting malicious network content comprising:
- a first module that accesses suspicious network content;
  
  a pool of virtual environment components;
  
  a scheduler that retrieves a virtual environment component from the virtual environment pool, the virtual environment component configured to mimic a real application;
  
  a replayer that processes the suspicious network content using the retrieved virtual environment component within a virtual environment.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The system of claim 25, further comprising an agent configured to detect changes to a virtual environment component within the virtual environment.
  - 27. The system of claim 26, wherein the agent detects changes to a virtual environment operating system.
  - 28. The system of claim 25, wherein the scheduler retrieves a virtual environment browser application.
  - 29. The system of claim 25, wherein the scheduler retrieves a virtual environment operating system
  - 30. The system of claim 25, further comprising heuristics logic that generates a signature based on the suspicious network content and applies the signature to subsequent network content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Amin, Muhammad, Mahbod, Bahman, Yie, Samuel, Ismael, Osman Abdoul, Manni, Jayaraman

Granted Patent

US 8,793,787 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2149   Restricted operating enviro...

G06F 9/455   Emulation; Interpretation; ...

H04L 2463/144   Detection or countermeasure...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Detecting Malicious Network Content Using Virtual Environment Components

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

438 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting Malicious Network Content Using Virtual Environment Components

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

438 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links