Malware detector
First Claim
1. An apparatus, comprising:
a) a monitor module implemented in at least one of a memory or a processing device, the monitor module configured to examine a datum originating from at least one application running on a computing machine and being sent towards a remote server;
b) a protocol determination module configured to identify a network protocol type used for said datum generated from said at least one application;
c) a challenge generation module configured to:
   i) produce an active content challenge for said at least one application based upon said network protocol type; and
   ii) send said active content challenge to said at least one application;
d) a response determination module configured to make a determination if an automatic non-user-interactive application response is received in response to said active content challenge from said at least one application; and
e) a data control module configured to:
   i) send said datum to said remote server when the automatic non-user-interactive application response is a valid automatic non-user-interactive application response; and
   ii) block said datum from being sent to said remote server when the automatic non-user-interactive application response is an invalid automatic non-user-interactive application response.
3 Assignments
0 Petitions
Abstract
A transparent proxy for malware detection includes a monitor module, a protocol determination module, a challenge generation module, a response determination module, and a data control module. The monitor module examines data originating from an application towards a remote server. The protocol determination module identifies the protocol type used for the data. The challenge generation module produces a challenge for the application based upon the protocol type, sends the challenge to the application, and maintains a state related to the data and the challenge. The response determination module makes a determination if an automatic non-interactive application response is received in response to the challenge from the application. The data control module allows the first data to continue to the remote server when the determination is valid. The data control module reports malware detection and blocks the data from continuing to the remote server when the determination is invalid.
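The abstract describes the five modules and their flow but not what a concrete challenge looks like. The following Python sketch is an added illustration, not code from the patent or from any product built on it: it models an HTTP client that gets a 302 redirect carrying a nonce plus a Set-Cookie with the same nonce, and treats the application's response as valid only when it automatically follows the redirect and returns the cookie, as a protocol-conformant client would with no user involved. The redirect-plus-cookie challenge, the fail-closed handling of protocols with no defined challenge, the message formats and all names are this example's assumptions; the sample requests and the two stand-in applications are constructed, not captured traffic.

```python
"""Toy transparent-proxy malware detector, constructed to illustrate the abstract.
The redirect-plus-cookie challenge, fail-closed handling of unknown protocols,
the message formats and every name here are this example's assumptions."""
import re
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/1\.[01]\r\n")

def determine_protocol(datum: bytes) -> str:
    """Protocol determination module: classify the outbound datum."""
    return "http" if HTTP_REQUEST_LINE.match(datum) else "unknown"

@dataclass
class Challenge:
    protocol: str
    nonce: str
    message: bytes  # what the proxy hands to the application instead of a server reply

def make_challenge(protocol: str, datum: bytes) -> Optional[Challenge]:
    """Challenge generation module. For HTTP: a 302 to the same target carrying a
    fresh nonce plus a Set-Cookie with that nonce, both of which a conformant client
    acts on automatically. No challenge is defined here for other protocols."""
    if protocol != "http":
        return None
    path = HTTP_REQUEST_LINE.match(datum).group(2).decode()
    nonce = secrets.token_hex(8)
    location = f"{path}{'&' if '?' in path else '?'}pxchal={nonce}"
    message = (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
               f"Set-Cookie: pxchal={nonce}; Path=/\r\nContent-Length: 0\r\n\r\n").encode()
    return Challenge(protocol, nonce, message)

def response_is_valid(challenge: Challenge, response: Optional[bytes]) -> bool:
    """Response determination module: valid only if the application re-issued the
    request to the redirect target AND returned the cookie, with no user involved."""
    if not response:
        return False
    m = HTTP_REQUEST_LINE.match(response)
    if not m:
        return False
    token = f"pxchal={challenge.nonce}".encode()
    if token not in m.group(2):
        return False
    cookie = re.search(rb"\r\nCookie: ([^\r\n]*)", response)
    return cookie is not None and token in cookie.group(1)

class TransparentProxy:
    """Monitor module plus data control module: decides one outbound datum."""

    def __init__(self) -> None:
        self.pending: Dict[str, Challenge] = {}  # state kept per outstanding challenge
        self.alerts: List[tuple] = []            # malware detection reports

    def handle(self, datum: bytes, app: Callable[[bytes], Optional[bytes]]) -> Tuple[bool, str]:
        """Returns (forwarded, reason); blocked data never reaches the server."""
        proto = determine_protocol(datum)
        chal = make_challenge(proto, datum)
        if chal is None:
            # Assumption of this example: nothing to challenge with -> fail closed.
            self.alerts.append(("unchallengeable", proto, datum[:32]))
            return False, f"blocked: no challenge for protocol {proto!r}"
        self.pending[chal.nonce] = chal
        reply = app(chal.message)  # deliver the challenge to the application
        if response_is_valid(self.pending.pop(chal.nonce), reply):
            return True, "forwarded: valid automatic response"
        self.alerts.append(("malware-suspected", proto, datum[:32]))
        return False, "blocked: invalid or missing response to challenge"

# Constructed sample traffic and stand-in applications (not captured data).
SAMPLE_HTTP = b"GET /report?id=7 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
SAMPLE_OTHER = b"PING 1\n"

def conformant_app(challenge: bytes) -> Optional[bytes]:
    """Behaves like a real HTTP client: follows the 302 and presents the cookie."""
    loc = re.search(rb"\r\nLocation: (\S+)", challenge).group(1)
    cookie = re.search(rb"\r\nSet-Cookie: ([^;\r\n]+)", challenge).group(1)
    return (b"GET " + loc + b" HTTP/1.1\r\nHost: example.invalid\r\n"
            b"Cookie: " + cookie + b"\r\n\r\n")

def minimal_app(challenge: bytes) -> Optional[bytes]:
    """A bare sender with no redirect or cookie handling: ignores the challenge."""
    return SAMPLE_HTTP

def run_demo() -> Dict[str, bool]:
    """Forwarding decision per datum; detection reports accumulate in proxy.alerts."""
    proxy = TransparentProxy()
    return {
        "conformant": proxy.handle(SAMPLE_HTTP, conformant_app)[0],
        "minimal": proxy.handle(SAMPLE_HTTP, minimal_app)[0],
        "unknown": proxy.handle(SAMPLE_OTHER, conformant_app)[0],
    }
```

The per-nonce `pending` dictionary is the "state related to the data and the challenge" that the abstract mentions; it is what lets the proxy tie a later request back to the challenge it issued. The choice to block data for which no challenge can be generated is a policy decision of this example, not something the abstract settles.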
34 Citations
23 Claims
1. An apparatus, comprising:
a) a monitor module implemented in at least one of a memory or a processing device, the monitor module configured to examine a datum originating from at least one application running on a computing machine and being sent towards a remote server;
b) a protocol determination module configured to identify a network protocol type used for said datum generated from said at least one application;
c) a challenge generation module configured to:
   i) produce an active content challenge for said at least one application based upon said network protocol type; and
   ii) send said active content challenge to said at least one application;
d) a response determination module configured to make a determination if an automatic non-user-interactive application response is received in response to said active content challenge from said at least one application; and
e) a data control module configured to:
   i) send said datum to said remote server when the automatic non-user-interactive application response is a valid automatic non-user-interactive application response; and
   ii) block said datum from being sent to said remote server when the automatic non-user-interactive application response is an invalid automatic non-user-interactive application response.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 22

15. An apparatus, comprising:
a) a monitor module implemented in at least one of a memory or a processing device, the monitor module configured to examine a datum originating from at least one application running on a computing machine and being sent towards a remote server, said at least one application expecting a server response from said remote server;
b) a protocol determination module configured to identify a network protocol type used for said datum generated from said at least one application;
c) a challenge generation module configured to:
   i) produce an active content challenge for said at least one application based upon said network protocol type; and
   ii) send said active content challenge to said at least one application;
d) a response determination module configured to make a determination if an automatic non-user-interactive application response is received in response to said active content challenge from said at least one application; and
e) a data control module configured to:
   i) send said server response from said remote server to said at least one application when the automatic non-user-interactive application response indicates legitimate behavior by said at least one application; and
   ii) block said server response from said remote server from being received by said at least one application when the automatic non-user-interactive application response indicates illegitimate behavior by said at least one application.
Dependent claims: 16, 17

18. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor to:
examine a datum originating from at least one application running on a computing machine and being sent towards a remote server to identify a network protocol type used for said datum generated from said at least one application;
produce a non-user-involved active content challenge for said at least one application based upon said network protocol type, the non-user-involved active content challenge configured to test an expected function of said at least one application;
send said non-user-involved active content challenge to said at least one application;
determine if an automatic non-user-interactive application response is received in response to said non-user-involved active content challenge from said at least one application;
send said datum to said remote server when the automatic non-user-interactive application response indicates an expected function by said at least one application; and
block said datum from being sent to said remote server when the automatic non-user-interactive application response indicates an unexpected function by said at least one application.
Dependent claims: 19, 20, 21, 23
Specification