Title: Systems and methods for dynamic cloud-based malware behavior analysis
Abstract: A cloud-based method, a behavioral analysis system, and a cloud-based security system can include a plurality of nodes communicatively coupled to one or more users, wherein the plurality of nodes each perform inline monitoring for one of the one or more users for security comprising malware detection and preclusion; and a behavioral analysis system communicatively coupled to the plurality of nodes, wherein the behavioral analysis system performs offline analysis for any suspicious content from the one or more users which is flagged by the plurality of nodes; wherein the plurality of nodes each comprise a set of known malware signatures for the inline monitoring that is periodically updated by the behavioral analysis system based on the offline analysis for the suspicious content.
Publication number: US9152789(B2)    Publication date: 2015.10.06
Application number: US201414225557    Filing date: 2014.03.26
Applicant: Zscaler, Inc.    Inventors: Natarajan Sriram; Paul Narinder; Sobrier Julien; Thamilarasu Karthikeyan; Bayar Balakrishna; Sutton Michael Andrew William
Classification: G06F21/56; H04L29/06    Main classification: G06F21/56
Agent: Clements Bernard PLLC    Attorneys: Clements Bernard PLLC; Barate, Jr. Lawrence A.; Bernard Christopher L.
Main claim: 1. A cloud-based method, comprising: receiving known malware signatures at one or more nodes in a cloud-based system; monitoring one or more users inline through the one or more nodes in the cloud-based system for regular traffic processing comprising malware detection and preclusion; determining unknown content from a user of the one or more users is suspicious of being malware; sending the unknown content to a behavioral analysis system for an offline analysis; and receiving updated known malware signatures based on the offline analysis determined based on a combined score computed from both a static analysis and a dynamic analysis, which is performed using a queue ordered based on the static analysis and based on content type that determines which operating system the unknown content must be executed on for the dynamic analysis, the dynamic analysis is performed as a sandbox analysis, running the unknown content in a virtual machine in a closed manner, performing packet capture, screenshot image capture, listing of files created, deleted, and/or downloaded while running the unknown content, and evaluating in the dynamic analysis, JavaScript Object Notation (JSON) data generated, temporary files generated, system and registry files modified, files added or deleted, external communications, security bypass, data leakage, persistence, and processor, network, memory and file system usages.
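The following is an added illustration of the control flow in claim 1, not code from the patent or from Zscaler: inline nodes block content whose hash matches a known signature, flag unknown content that looks suspicious, and hand it to a behavioral analysis system that orders its work queue by static-analysis score, picks the sandbox operating system from the content type, runs a (here simulated) dynamic analysis, combines both scores, and pushes new signatures back to the nodes. All sample files, byte-level indicators, score weights, the content-type-to-OS map and the 0.7 threshold are constructed assumptions for the demo; a real sandbox would execute the sample in a VM and collect packet captures, screenshots and file listings instead of inspecting bytes.

```python
"""Toy model of the node / behavioral-analysis-system loop in claim 1 (constructed example)."""
import hashlib
import heapq
from dataclasses import dataclass

# Assumed mapping: content type decides which OS the sandbox must run the sample on.
CONTENT_TYPE_OS = {
    "application/x-dosexec": "windows",
    "application/pdf": "windows",
    "application/x-elf": "linux",
    "application/x-mach-binary": "macos",
}
MALWARE_THRESHOLD = 0.7  # assumed: combined score at or above this yields a new signature


@dataclass
class Sample:
    name: str
    content_type: str
    data: bytes

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.data).hexdigest()


def static_analysis(sample: Sample) -> float:
    """Stand-in for static analysis: cheap byte-level indicators summed into a 0..1 score."""
    score = 0.0
    if sample.data.startswith(b"MZ") and sample.content_type != "application/x-dosexec":
        score += 0.4  # PE header behind a non-executable content type
    if b"CreateRemoteThread" in sample.data:
        score += 0.3  # injection-related API name present as a string
    if b"CurrentVersion\\Run" in sample.data:
        score += 0.2  # autorun registry path present as a string
    return min(score, 1.0)


def dynamic_analysis(sample: Sample, os_name: str) -> dict:
    """Stand-in for the sandbox run; observations are derived from bytes, not real execution."""
    obs = {
        "os": os_name,
        "external_comms": b"http://" in sample.data,
        "persistence": b"CurrentVersion\\Run" in sample.data,
        "files_created": [f"{sample.name}.tmp"] if b"tmp" in sample.data else [],
    }
    score = 0.4 * obs["external_comms"] + 0.4 * obs["persistence"] + 0.2 * bool(obs["files_created"])
    obs["score"] = min(score, 1.0)
    return obs


def combined_score(static: float, dynamic: float) -> float:
    return round(0.4 * static + 0.6 * dynamic, 3)  # weights are assumed


class BehavioralAnalysisSystem:
    """Offline analysis: queue ordered by static score, OS chosen by content type."""

    def __init__(self):
        self._queue = []  # heap entries: (-static_score, insertion_order, static_score, sample)
        self._order = 0
        self.signatures = set()

    def submit(self, sample: Sample) -> None:
        s = static_analysis(sample)
        heapq.heappush(self._queue, (-s, self._order, s, sample))
        self._order += 1

    def process_all(self) -> list:
        results = []
        while self._queue:
            _, _, s, sample = heapq.heappop(self._queue)  # highest static score first
            os_name = CONTENT_TYPE_OS.get(sample.content_type, "windows")
            total = combined_score(s, dynamic_analysis(sample, os_name)["score"])
            verdict = "malware" if total >= MALWARE_THRESHOLD else "benign"
            if verdict == "malware":
                self.signatures.add(sample.sha256)  # becomes an updated known signature
            results.append((sample.name, os_name, total, verdict))
        return results


class Node:
    """Inline node: block known signatures, flag suspicious unknowns for offline analysis."""

    def __init__(self, signatures, ba: BehavioralAnalysisSystem):
        self.signatures = set(signatures)
        self.ba = ba

    def inspect(self, sample: Sample) -> str:
        if sample.sha256 in self.signatures:
            return "blocked"
        if static_analysis(sample) > 0:
            self.ba.submit(sample)
            return "flagged"
        return "allowed"

    def update_signatures(self) -> None:
        self.signatures |= self.ba.signatures


def run_demo() -> dict:
    """Constructed samples; returns first-pass verdicts, analysis results, second-pass verdicts."""
    samples = [
        Sample("dropper.bin", "application/pdf",
               b"MZ\x90\x00 CreateRemoteThread http://example.invalid/beacon "
               b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
        Sample("tool.elf", "application/x-elf", b"\x7fELF\x02\x01\x01 CreateRemoteThread"),
        Sample("notes.txt", "text/plain", b"hello"),
    ]
    ba = BehavioralAnalysisSystem()
    node = Node(signatures=[], ba=ba)
    first = {s.name: node.inspect(s) for s in samples}
    analysis = ba.process_all()
    node.update_signatures()
    second = {s.name: node.inspect(s) for s in samples}
    return {"first_pass": first, "analysis": analysis, "second_pass": second}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Running `run_demo()` shows the loop the claim describes: the dropper is only flagged on the first pass, is analysed ahead of the lower-scoring ELF sample because the queue is ordered by static score, reaches a combined score above the threshold, and is blocked inline on the second pass once the node has pulled the updated signature set.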
Address: San Jose CA US