US2019332771A1PendingUtilityA1
System and method for detection of malicious hypertext transfer protocol chains
Est. expiryFeb 23, 2034(~7.6 yrs left)· nominal 20-yr term from priority
Inventors:Alexander BurtMikola BilogorskiyMcenroe NavarajFrank JasLiang HanYucheng TingManikandan KenyanFengmin GongAli GolshanShishir Singh
H04L 63/145G06F 2221/034H04L 63/1441G06F 21/566
54
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
A system configured to detect malware is described. The system configured to detect malware including a data collector configured to detect at least a first hypertext transfer object in a chain of a plurality of hypertext transfer objects. The data collector further configured to analyze at least the first hypertext transfer object for one or more events. And, the data collector configured to generate a list of events based on the analysis of at least the first hypertext transfer object.
Claims
exact text as granted — not AI-modified1 - 25 . (canceled)
26 . A method comprising:
analyzing, by a device, a file format or a header within a plurality of hypertext transfer objects; determining, by the device and based on analyzing the file format or the header within the plurality of hypertext transfer objects, that a sequence of the plurality of hypertext transfer objects is suspicious; and instantiating, by the device and based on determining that the sequence is suspicious, a browser cooking environment.
27 . The method of claim 26 , wherein determining that the sequence is suspicious comprises:
determining that the sequence is suspicious based on a user device running a particular operating system and the sequence comprising a particular combination of file formats and headers.
28 . The method of claim 26 , further comprising:
assigning a value for each instance of a particular file format or a particular header within the plurality of hypertext transfer objects; and determining a total value using the value for each instance of the particular file format or the particular header within the plurality of hypertext transfer objects; wherein determining that the sequence is suspicious comprises:
determining that the sequence is suspicious based on the total value satisfying a threshold.
29 . The method of claim 28 , further comprising:
assigning an additional value based on a particular combination of file formats and/or headers being found within the plurality of hypertext transfer objects; wherein determining the total value comprises:
determining the total value using the additional value.
30 . The method of claim 26 , further comprising:
parsing one or more of the plurality of hypertext transfer objects; determining one or more addresses or domain names based on parsing the one or more of the plurality of hypertext transfer objects; determining reputation information of the one or more addresses or domain names; and adding, based on determining the reputation information, the one or more addresses or domain names to a list of events associated with the sequence of the plurality of hypertext transfer objects.
31 . The method of claim 26 , further comprising:
determining network information of one or more of the plurality of hypertext transfer objects; and adding the network information to a list of events associated with the sequence of the plurality of hypertext transfer objects.
32 . The method of claim 26 , further comprising:
replaying the sequence of the plurality of hypertext transfer objects in the browser cooking environment.
33 . A device, comprising:
one or more memories; and one or more processors communicatively coupled to the one or more memories, configured to:
analyze a file format or a header within a plurality of hypertext transfer objects;
determine, based on analyzing the file format or the header within the plurality of hypertext transfer objects, that a sequence of the plurality of hypertext transfer objects is suspicious; and
instantiate, based on determining that the sequence is suspicious, a browser cooking environment.
34 . The device of claim 33 , wherein the one or more processors, when determining that the sequence is suspicious, are configured to:
determine that the sequence is suspicious based on a user device running a particular operating system and the sequence comprising a particular combination of file formats and headers.
35 . The device of claim 33 , wherein the one or more processors are further configured to:
assign a value for each instance of a particular file format or a particular header within the plurality of hypertext transfer objects; and determine a total value using the value for each instance of the particular file format or the particular header within the plurality of hypertext transfer objects; wherein the one or more processors, when determining that the sequence is suspicious, are configured to:
determine that the sequence is suspicious based on the total value satisfying a threshold.
36 . The device of claim 35 , wherein the one or more processors are further configured to:
assign an additional value based on a particular combination of file formats and/or headers being found within the plurality of hypertext transfer objects; wherein the one or more processors, when determining the total value, are configured to:
determine the total value using the additional value.
37 . The device of claim 33 , wherein the one or more processors are further configured to:
parse one or more of the plurality of hypertext transfer objects; determine one or more addresses or domain names based on parsing the one or more of the plurality of hypertext transfer objects; determine reputation information of the one or more addresses or domain names; and add, based on determining the reputation information, the one or more addresses or domain names to a list of events associated with the sequence of the plurality of hypertext transfer objects.
38 . The device of claim 33 , wherein the one or more processors are further configured to:
determine network information of one or more of the plurality of hypertext transfer objects; and add the network information to a list of events associated with the sequence of the plurality of hypertext transfer objects.
39 . The device of claim 33 , wherein the one or more processors are further configured to:
replay the sequence of the plurality of hypertext transfer objects in the browser cooking environment.
40 . A non-transitory computer-readable medium storing instructions, the instructions comprising:
one or more instructions that, when executed by one or more processors, cause the one or more processors to:
analyze a file format or a header within a plurality of hypertext transfer objects;
determine, based on analyzing the file format or the header within the plurality of hypertext transfer objects, that a sequence of the plurality of hypertext transfer objects is suspicious; and
instantiate, based on determining that the sequence is suspicious, a browser cooking environment.
41 . The non-transitory computer-readable medium of claim 40 , wherein the one or more instructions, that cause the one or more processors to determine that the sequence is suspicious, cause the one or more processors to:
determine that the sequence is suspicious based on a user device running a particular operating system and the sequence comprising a particular combination of file formats and headers.
42 . The non-transitory computer-readable medium of claim 40 , wherein the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
assign a value for each instance of a particular file format or a particular header within the plurality of hypertext transfer objects; and determine a total value using the value for each instance of the particular file format or the particular header within the plurality of hypertext transfer objects; wherein the one or more instructions, that cause the one or more processors to determine that the sequence is suspicious, cause the one or more processors to:
determine that the sequence is suspicious based on the total value satisfying a threshold.
43 . The non-transitory computer-readable medium of claim 42 , wherein the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
assign an additional value based on a particular combination of file formats and/or headers being found within the plurality of hypertext transfer objects; wherein the one or more instructions, that cause the one or more processors to determine the total value, cause the one or more processors to:
determine the total value using the additional value.
44 . The non-transitory computer-readable medium of claim 40 , wherein the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
parse one or more of the plurality of hypertext transfer objects; determine one or more addresses or domain names based on parsing the one or more of the plurality of hypertext transfer objects; determine reputation information of the one or more addresses or domain names; and add, based on determining the reputation information, the one or more addresses or domain names to a list of events associated with the sequence of the plurality of hypertext transfer objects.
45 . The non-transitory computer-readable medium of claim 40 , wherein the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
replay the sequence of the plurality of hypertext transfer objects in the browser cooking environment.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.