Title: Malware analysis system
Abstract: In some embodiments, a malware analysis system includes receiving a potential malware sample from a firewall; analyzing the potential malware sample using a virtual machine to determine if the potential malware sample is malware; and automatically generating a signature if the potential malware sample is determined to be malware. In some embodiments, the potential malware sample does not match a preexisting signature, and the malware is a zero-day attack.
Publication number: US9491142(B2)   Publication date: 2016.11.08
Application number: US201514692587   Filing date: 2015.04.21
Applicant: Palo Alto Networks, Inc.   Inventors: Xie Huagang; Wang Xinran; Liu Jiangxia
Classification: G06F17/00; H04L29/06; G06F21/00; G06F21/53   Main classification: G06F17/00
Agency: Van Pelt, Yi & James LLP   Agent: Van Pelt, Yi & James LLP
Main claim: 1. A system, comprising: a first device comprising a first processor configured to execute a firewall, and a second device comprising a second processor configured to execute a virtual machine, wherein the executing the firewall using the first processor of the first device comprises: identifying an application type associated with a network traffic flow; selecting a decoder to decode the network traffic flow based at least in part on the identified application type, wherein decoding the network traffic flow includes assembling one or more packets associated with the network traffic flow into a correct order; using the firewall to generate a potential malware sample from at least a portion of the network traffic flow; determining that the potential malware sample does not match a preexisting signature; determining whether to perform virtual machine emulation malware analysis on the potential malware sample based at least in part on a policy associated with the virtual machine emulation malware analysis, wherein the policy is associated with the application type associated with the potential malware sample; in response to the determination to perform the virtual machine emulation malware analysis on the potential malware sample, sending the potential malware sample from the firewall to the virtual machine; and sending log information related to the potential malware sample to the virtual machine, wherein the log information includes session information, application identification information, URL category information or vulnerability alert information; and wherein the executing the virtual machine using the second processor of the second device comprises: using the virtual machine to monitor behavior of the potential malware sample during emulation to identify malware; automatically generating a signature using the virtual machine in the event that the potential malware sample is determined to be malware; sending the signature from the virtual machine to the firewall, wherein the firewall is configured to enforce a security policy for network access based at least in part on the signature, wherein the signature is also distributed to at least one or more of: a security device and a security service; and performing post analysis using the log information to determine if the potential malware sample is malware.
Address: Santa Clara, CA, US