System and method for detecting a file embedded in an arbitrary location and determining the reputation of the file
First Claim
1. A method, comprising:
receiving a plurality of packets associated with a file at a node, which comprises a sensor that is to interact with a reputation system, wherein the file is an executable file embedded in a second file in a network flow;
identifying a file format identifier associated with a beginning of the file;
parsing the file based on the file format identifier to identify an end of the file, wherein only the file is parsed to identify the end of the file, and wherein portions of the second file that do not include the file are not parsed to identify the end of the file;
calculating a hash value from the beginning of the file to the end of the file;
sending the hash value to the reputation system;
receiving a reputation value associated with the hash value from the reputation system; and
taking a policy action based on the reputation value, wherein the policy action includes quarantining the file.
Abstract
A method is provided in one example embodiment that includes identifying a file format identifier associated with a beginning of a file, parsing the file based on the file format identifier until an end of the file is identified, and calculating a hash from the beginning of the file to the end of the file. The method may also include sending the hash to a reputation system and taking a policy action based on the hash's reputation received from the reputation system.
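The claims describe the sensor side of this method in the abstract: locate a format identifier inside a larger byte stream, parse only the embedded file's own structures to find where it ends, hash exactly that byte range, and turn the reputation answer into a policy action. The following Python is an added example and is not code from the patent or from its assignee. It assumes ELF64 as the embedded format (the claims cover any executable format; the same loop would take a PE or Mach-O end-finder), a constructed container stream standing in for the reassembled packets, a constructed in-memory reputation table standing in for the reputation system, and a constructed 0-100 score scale with a quarantine threshold; all of these are assumptions, not details from the page. It also handles the two failure modes a sensor meets in practice: header offsets that point past the bytes actually carried by the flow (a truncated or crafted image) and sections that occupy no file space.

```python
# Added example (not the patent's or assignee's code): carve an ELF64 executable
# embedded in a larger byte stream, parse only the ELF itself to find its end,
# hash exactly that range, and map a reputation lookup onto a policy action.
import hashlib
import struct

ELF_MAGIC = b"\x7fELF"                       # the "file format identifier" for ELF
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")    # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")            # Elf64_Phdr
SHDR = struct.Struct("<IIQQQQIIQQ")          # Elf64_Shdr
SHT_NOBITS = 8                               # .bss-style sections occupy no file bytes

# Constructed bytes surrounding the embedded file (the "second file").
PREFIX = b"<constructed bytes before the embedded executable>"
SUFFIX = b"<constructed bytes after it>"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def elf64_end(data: bytes, start: int):
    """Return the offset one past the last byte of the ELF64 image beginning at
    data[start], or None if the header is not a sane little-endian ELF64 or the
    image claims bytes the stream never carried. Only the ELF's own header tables
    are read; bytes of the containing stream outside the image are not parsed."""
    if data[start:start + 4] != ELF_MAGIC or len(data) - start < EHDR.size:
        return None
    f = EHDR.unpack_from(data, start)
    ident = f[0]
    if ident[4] != 2 or ident[5] != 1:       # EI_CLASS=ELFCLASS64, EI_DATA=little-endian
        return None
    e_phoff, e_shoff = f[5], f[6]
    e_phentsize, e_phnum, e_shentsize, e_shnum = f[9], f[10], f[11], f[12]
    if (e_phnum and e_phentsize < PHDR.size) or (e_shnum and e_shentsize < SHDR.size):
        return None
    avail = len(data) - start                # bytes of the stream available to this image
    end = EHDR.size
    # Program header table plus the file extent of every segment.
    if e_phnum:
        tbl_end = e_phoff + e_phnum * e_phentsize
        if tbl_end > avail:
            return None
        end = max(end, tbl_end)
        for i in range(e_phnum):
            p = PHDR.unpack_from(data, start + e_phoff + i * e_phentsize)
            end = max(end, p[2] + p[5])      # p_offset + p_filesz
    # Section header table plus the file extent of every section that has file bytes.
    if e_shnum:
        tbl_end = e_shoff + e_shnum * e_shentsize
        if tbl_end > avail:
            return None
        end = max(end, tbl_end)
        for i in range(e_shnum):
            s = SHDR.unpack_from(data, start + e_shoff + i * e_shentsize)
            if s[1] != SHT_NOBITS:
                end = max(end, s[4] + s[5])  # sh_offset + sh_size
    if end > avail:
        return None                          # truncated or crafted: do not hash a partial image
    return start + end


def carve_embedded_elf(stream: bytes):
    """Find the first complete ELF64 image anywhere in the reassembled stream and
    return (start, end, sha256hex), or None if none is found."""
    pos = stream.find(ELF_MAGIC)
    while pos != -1:
        end = elf64_end(stream, pos)
        if end is not None:
            return pos, end, sha256_hex(stream[pos:end])
        pos = stream.find(ELF_MAGIC, pos + 1)
    return None


def policy_action(reputation, quarantine_below: int = 30) -> str:
    """Constructed scale: 0 = known bad, 100 = known good. Unknown hashes are
    logged rather than blocked so the sensor fails open on reputation outages."""
    if reputation is None:
        return "log"
    return "quarantine" if reputation < quarantine_below else "allow"


def build_sample_elf64() -> bytes:
    """Constructed, non-functional ELF64 image: header, one PT_LOAD program
    header, 16 bytes standing in for .text, then a two-entry section header table."""
    code = b"\x90" * 16
    phoff = EHDR.size                                    # 64
    code_off = phoff + PHDR.size                         # 120
    shoff = code_off + len(code)                         # 136
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8    # ELFCLASS64, LE, version 1, SysV ABI
    ehdr = EHDR.pack(e_ident, 2, 0x3E, 1, 0x400000 + code_off,   # ET_EXEC, x86-64
                     phoff, shoff, 0, EHDR.size, PHDR.size, 1, SHDR.size, 2, 0)
    phdr = PHDR.pack(1, 5, code_off, 0x400000 + code_off, 0x400000 + code_off,
                     len(code), len(code), 0x1000)       # PT_LOAD, R+X
    sh_null = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    sh_text = SHDR.pack(1, 1, 6, 0x400000 + code_off, code_off, len(code), 0, 0, 16, 0)
    return ehdr + phdr + code + sh_null + sh_text        # 264 bytes in total


def demo():
    """Run the whole sensor path on a constructed flow and return what it decided."""
    elf = build_sample_elf64()
    stream = PREFIX + elf + SUFFIX                       # stands in for the reassembled packets
    reputation_db = {sha256_hex(elf): 5}                 # constructed reputation system reply
    carved = carve_embedded_elf(stream)
    if carved is None:
        return {"found": False, "action": "log"}
    start, end, digest = carved
    rep = reputation_db.get(digest)
    return {"found": True, "start": start, "end": end, "digest": digest,
            "reputation": rep, "action": policy_action(rep)}


if __name__ == "__main__":
    print(demo())
```

The point the claims make, that only the embedded file is parsed to find its end, is what keeps the hash stable: the same executable carried inside different wrappers (a different HTTP body, a different archive stub) hashes to the same value, so one reputation record covers all of them. The bounds checks against `avail` are what stop a header with absurd table offsets from turning the carving step into an out-of-range read or a hash over bytes that never arrived.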
15 Claims
1. A method, comprising:
receiving a plurality of packets associated with a file at a node, which comprises a sensor that is to interact with a reputation system, wherein the file is an executable file embedded in a second file in a network flow;
identifying a file format identifier associated with a beginning of the file;
parsing the file based on the file format identifier to identify an end of the file, wherein only the file is parsed to identify the end of the file, and wherein portions of the second file that do not include the file are not parsed to identify the end of the file;
calculating a hash value from the beginning of the file to the end of the file;
sending the hash value to the reputation system;
receiving a reputation value associated with the hash value from the reputation system; and
taking a policy action based on the reputation value, wherein the policy action includes quarantining the file.
Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. Logic encoded in one or more non-transitory media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
receiving a plurality of packets associated with a file at a node, which comprises a sensor that is to interact with a reputation system, wherein the file is an executable file embedded in a second file in a network flow;
identifying a file format identifier associated with a beginning of the file;
parsing the file based on the file format identifier to identify an end of the file, wherein only the file is parsed to identify the end of the file, and wherein portions of the second file that do not include the file are not parsed to identify the end of the file;
calculating a hash value from the beginning of the file to the end of the file;
sending the hash value to the reputation system;
receiving a reputation value associated with the hash value; and
taking a policy action based on the reputation value, wherein the policy action includes quarantining the file.
Dependent claims: 10, 11, 12

13. A node, comprising:
one or more processors; a memory; and a sensor that is to interact with a reputation system, wherein the apparatus is configured for:
receiving a plurality of packets associated with a file at the node, wherein the file is an executable file embedded in a second file in a network flow;
identifying a file format identifier associated with a beginning of the file;
parsing the file based on the file format identifier to identify an end of the file, wherein only the file is parsed to identify the end of the file, and wherein portions of the second file that do not include the file are not parsed to identify the end of the file;
calculating a hash value from the beginning of the file to the end of the file;
sending the hash value to the reputation system;
receiving a reputation value associated with the hash value; and
taking a policy action based on the reputation value, wherein the policy action includes quarantining the file.
Dependent claims: 14, 15
Specification