Title: Network-based binary file extraction and analysis for malware detection
Abstract: A system and method are disclosed for network-based file analysis for malware detection. Network content is received from a network tap. A binary packet is identified in the network content. A binary file, including the binary packet, is extracted from the network content. It is determined whether the extracted binary file is detected to be malware.
Publication number: US8935779(B2)  Publication date: 2015.01.13
Application number: US201213350645  Filing date: 2012.01.13
Applicant: FireEye, Inc.  Inventors: Manni Jayaraman; Aziz Ashar; Gong Fengmin; Loganathan Upendran; Amin Muhammad
Classification: G06F11/00; G06F21/56; H04L29/06  Main classification: G06F11/00
Agency: Blakely, Sokoloff, Taylor & Zafman LLP  Agent: Blakely, Sokoloff, Taylor & Zafman LLP
Independent claim: 1. A method for network-based file analysis for malware detection conducted by a system including one or more processors, the method comprising: identifying at least one binary packet in network content received over a network; extracting a binary file from the network content, the extracting of the binary file includes placing binary packets in the network content including the at least one binary packet into an order specified by data contained within the binary packets and constructing the binary file; determining whether the extracted binary file comprises suspicious network content by identifying one or more suspicious characteristics associated with the extracted binary file, wherein the one or more suspicious characteristics are insufficient to classify the extracted binary file as malicious network content; processing the suspicious network content using at least one virtual environment component operating within a virtual environment provided by the system, the virtual environment component comprises a virtual environment application and the virtual environment to mimic a real environment in which the network content was intended to be processed; and classifying the suspicious network content as malicious network content based on at least one behavior of the virtual environment component detected during processing of the suspicious network content in the virtual environment by determining whether the at least one behavior of the virtual environment component comprises an anomalous behavior by examining each behavior of the at least one behavior against an expected behavior.
Address: Milpitas, CA, US
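The three stages of claim 1 (reassembling the binary file from packets in the order the packets themselves specify, flagging static characteristics that are suspicious but not conclusive, and classifying as malicious only when a sandboxed behaviour falls outside the expected set) as an added toy model in Python; this is illustrative code, not the patent holder's implementation, and it assumes the ordering data is a byte offset per packet, two constructed static heuristics (an `MZ` header and high Shannon entropy), and constructed behaviour labels.

```python
import math
from collections import Counter
from dataclasses import dataclass

@dataclass
class BinaryPacket:
    # "Order specified by data contained within the binary packets" is modelled as a
    # byte offset carried in each packet (assumption; think TCP sequence number).
    offset: int
    payload: bytes

def extract_binary_file(packets):
    """Sort packets by their own offset and concatenate; refuse gaps or overlaps."""
    expected, chunks = 0, []
    for pkt in sorted(packets, key=lambda p: p.offset):
        if pkt.offset != expected:  # incomplete capture: do not analyse a partial file
            raise ValueError(f"gap or overlap at byte offset {expected}")
        chunks.append(pkt.payload)
        expected += len(pkt.payload)
    return b"".join(chunks)

def shannon_entropy(data):
    """Bits per byte; packed or encrypted payloads sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_characteristics(blob):
    """Static indicators; none is sufficient on its own to call the file malicious."""
    findings = []
    if blob[:2] == b"MZ":
        findings.append("pe-executable")
    if shannon_entropy(blob) > 7.0:
        findings.append("high-entropy")
    return findings

def classify(findings, observed_behaviors, expected_behaviors):
    """Malicious only if the sandbox run showed a behaviour outside the expected set."""
    if not findings:
        return "not-suspicious"
    anomalous = set(observed_behaviors) - set(expected_behaviors)
    return "malicious" if anomalous else "suspicious"

# Constructed sample: a PE-looking, high-entropy blob delivered as out-of-order packets.
SAMPLE_FILE = b"MZ\x90\x00" + bytes(range(256)) * 2
SAMPLE_PACKETS = [BinaryPacket(off, SAMPLE_FILE[off:off + 128])
                  for off in (256, 0, 384, 128, 512)]
EXPECTED_BEHAVIORS = {"read-own-file", "write-temp-file"}  # constructed baseline
```

A file whose only static findings are a PE header and high entropy stays "suspicious" until the sandbox observes a behaviour the baseline does not expect, which is the distinction the claim draws between the second and last steps.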