CN113472765A - Method for detecting malicious network content - Google Patents

Info

Publication number: CN113472765A
Application number: CN202110707296.0A
Authority: CN (China)
Prior art keywords: uniform resource locator, electronic message, malicious, detection system
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 张长河
Current assignee: Beijing Weida Information Technology Co ltd
Original assignee: Beijing Weida Information Technology Co ltd
Priority date: 2021-06-24
Filing date: 2021-06-24
Publication date: 2021-10-01
Application filed by Beijing Weida Information Technology Co ltd; priority to CN202110707296.0A; published as CN113472765A

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Abstract

A method for detecting malicious web content, comprising: step 1, receiving an electronic message, which the electronic message malware detection system can receive through an electronic message server; step 2, scanning the electronic message and/or its attachments to detect uniform resource locators; step 3, sending the detected uniform resource locators to a malware detection system; step 4, identifying suspicious uniform resource locators among the detected uniform resource locators; step 5, analyzing the suspicious uniform resource locators with a virtual environment component to detect malicious uniform resource locators; and step 6, updating the malware detection system based on the detected malicious uniform resource locators. The method can effectively protect the user against attacks by malicious network content.

Description

Method for detecting malicious network content
Technical Field
The invention particularly relates to a method for detecting malicious network content.
Background
Currently, malicious web content (e.g., malware or malicious software) may attack various devices over a communication network. For example, malware may include any program or file that is harmful to a computer user, such as a bot, computer virus, worm, trojan horse, adware, spyware, or any program that gathers information about a computer user or otherwise runs without authorization.
Various procedures and devices have been employed to prevent problems that may be caused by malicious web content. For example, computers often include anti-virus scanning software for scanning a particular client device for viruses. The computer may also include spyware and/or adware scanning software. The scanning may be performed manually or based on a schedule specified by a user, system administrator, etc. associated with a particular computer. Unfortunately, by the time the scanning software detects a virus or spyware, some damage or loss of privacy on the particular computer may already have occurred. Furthermore, manually creating a new antivirus signature and updating the antivirus application may take days or weeks, by which time the malware author will have created a new version that evades the signature. In addition, polymorphic exploits also limit the effectiveness of certain antivirus applications.
Malicious web content may be distributed over a network via a website. Malicious web content distributed in this manner may be actively downloaded and installed on a user's computer without the user's approval or knowledge, simply by accessing the website hosting the malicious web content. Websites hosting malicious web content may be referred to as malicious websites. Malicious web content may be embedded in data associated with a web page hosted by a malicious website. Malicious web content may attack or infect a user's computer before being detected by antivirus software, firewalls, intrusion detection systems, and the like.
In addition, malicious web content may be distributed via electronic messages (including email), using various forms of web-based email and similar protocols. Malicious content may be attached directly to the message. These techniques of infecting a user's computer through electronic messages are often used in targeted attacks on specific "high value" users in an organization.
There is a need for an improved method for detecting malicious content that propagates in electronic messages.
Disclosure of Invention
The present invention is directed to a method for detecting malicious web content, the method being implemented by a computer of a malware detection system including a hardware processor and a memory, the method comprising: step 1, receiving an electronic message, which the electronic message malware detection system can receive through an electronic message server; step 2, scanning the electronic message and/or its attachments to detect uniform resource locators, wherein the uniform resource locator analyzer module scans the electronic message to detect uniform resource locators in the header, body or other parts of the electronic message; step 3, sending the detected uniform resource locators to a malware detection system; step 4, identifying suspicious uniform resource locators among the detected uniform resource locators, where a uniform resource locator that matches neither the uniform resource locator blacklist nor the uniform resource locator whitelist maintained in the e-mail malware detection system is identified as suspicious; step 5, analyzing the suspicious uniform resource locators with a virtual environment component to detect malicious uniform resource locators; and step 6, updating the malware detection system based on the detected malicious uniform resource locators.
The invention can effectively prevent the attack of malicious network contents to the user.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are intended to provide further explanation of the invention as claimed.
Drawings
The invention will now be described, by way of example, with reference to the accompanying drawings, in which:
FIG. 1 is a flow diagram for detecting malicious electronic messages;
FIG. 2 is a flow diagram of an exemplary method for identifying a suspect uniform resource locator;
FIG. 3 is a flow diagram of an exemplary method for identifying a malicious uniform resource locator;
FIG. 4 is a flow diagram of an exemplary method for updating a malware detection system.
Detailed Description
The present invention analyzes electronic messages for malware contained in the messages. Systems that analyze electronic messages typically analyze malware in attachments in a virtual environment. Unlike prior systems, the present invention can analyze the content of an electronic message to detect malware in the message content. For example, the content may include a uniform resource locator address. The uniform resource locator address can be analyzed to determine whether the uniform resource locator address is associated with malware.
In some embodiments, the present invention may analyze an electronic message to detect a uniform resource locator, identify whether the uniform resource locator is suspect, and analyze the suspect uniform resource locator to determine whether it describes a location associated with malware. Determining whether the uniform resource locator is suspect may include comparing the uniform resource locator to one or more lists of uniform resource locators. For example, the uniform resource locator may be compared to a white list of acceptable uniform resource locators, a black list of malware uniform resource locators, and/or a list with combinations of uniform resource locators. If the uniform resource locator is not found in any of the lists, the uniform resource locator is not determined to be malware and not determined to be acceptable, and thus may be determined to be suspicious.
The analysis of the suspect uniform resource locator may include replaying the suspect uniform resource locator in a virtual environment that simulates the computing device intended to receive the electronic message. Replaying the uniform resource locator may include executing, by a virtual component in the virtual environment, the uniform resource locator to request the content located at the uniform resource locator address. The virtual environment receives the content in the response to the uniform resource locator request, loads the received content into the virtual environment, and executes it while monitoring the virtual environment. If the replayed uniform resource locator is determined to be malicious, the malicious uniform resource locator is added to a blacklist, which is updated throughout the computer system.
Electronic message content, such as a uniform resource locator, may be identified as malicious by a first device or module that processes the electronic message to detect malware. Other first devices or modules in the system may process network traffic to detect malware. A central device or module may communicate with a network traffic malware module and an electronic message malware module. In some embodiments, the central module may receive a uniform resource locator detected as malicious, may update a central uniform resource locator blacklist based on the received uniform resource locator, and may send the updated uniform resource locator blacklist to the network traffic malware module and the electronic message malware module. This may result in the network malware module more carefully examining Web traffic returned from requests to uniform resource locators delivered in emails, for example, making it more likely that such Web traffic will be replayed in a virtual environment.
Fig. 1 is a flow chart for detecting malicious electronic messages. It comprises the following steps: step 1, receiving an electronic message, wherein the electronic message malware detection system may receive the electronic message via an electronic message server. Step 2, scanning the electronic message and/or the attachment of the message to detect the uniform resource locator. The uniform resource locator analyzer module can scan the electronic message to detect a uniform resource locator in a header, body, or other portion of the electronic message, and can scan the attachment to detect a uniform resource locator within the attachment. For example, if the attachment is a word processor or spreadsheet document, the attachment may be scanned to detect uniform resource locators in the text of the word processor document or within cells of the spreadsheet. Step 3, sending the detected uniform resource locator to a malware detection system. The malware detection system may be included on the electronic message malware detection system or an external detection module. For example, the electronic message malware detection system may send the detected uniform resource locator to a network malware detection system to process the uniform resource locator to determine whether the uniform resource locator is malicious. In some embodiments, in step 3, the uniform resource locator is simply stored locally at the electronic message malware detection system for further processing. Step 4, identifying suspicious uniform resource locators from the detected uniform resource locators. If the uniform resource locator does not match a uniform resource locator blacklist or a uniform resource locator whitelist maintained in the email malware detection system, the uniform resource locator may be identified as a suspect uniform resource locator.
Step 5, using the virtual environment component to analyze the suspicious uniform resource locator to detect the malicious uniform resource locator. Analyzing the suspect uniform resource locator may include selecting virtual components such as virtual operating systems, virtual applications, and virtual networks, populating and configuring the virtual environment with the virtual components, and processing the uniform resource locator in the virtual environment. Processing the uniform resource locator within the environment may include replaying the uniform resource locator within the virtual environment by performing a "click" operation on the uniform resource locator. A uniform resource locator may be identified as malicious if content received in response to a click operation on the uniform resource locator results in undesirable behavior in the virtual environment. Undesirable behavior may include attempting to change operating system settings or configurations, executing executable files in the virtual environment, transferring undesirable data, or other actions. In some embodiments, the undesired behavior may include unexpected behavior. If no bad behavior occurs while clicking on the uniform resource locator, the uniform resource locator is determined to be acceptable and added to the white list. Step 6, updating the malware detection system based on the detected malicious uniform resource locator. The updating may include communicating the malicious uniform resource locator to other parts of the system. For example, the electronic message malware detection system may transmit one or more malicious uniform resource locators to the management server, and the management server may transmit the uniform resource locators to network malware detection systems and electronic message malware detection systems within the system through the updated blacklist. The malware detection system is described in more detail below with respect to the method of FIG. 1.
FIG. 2 is a flow diagram of an exemplary method for identifying a suspect uniform resource locator. The step 4 specifically comprises the following steps: step 41, each uniform resource locator detected in the electronic message is compared to a uniform resource locator white list. A uniform resource locator white list may be maintained on the electronic message malware detection system and may include a list of acceptable uniform resource locators or uniform resource locator fields. Step 42 ignores the uniform resource locator that matches the uniform resource locator whitelist. Uniform resource locators that match the whitelist are determined to be not malicious and are therefore allowed to be delivered to their intended client devices. Step 43, comparing the detected uniform resource locator not on the white list with the uniform resource locator black list. The uniform resource locator on the blacklist is known to be malicious and should not be passed to the user associated with the client device. If the detected uniform resource locator matches a uniform resource locator on the blacklist, the uniform resource locator is blocked and reported at step 44, thereby preventing its provision to the recipient client device. The delivery of the uniform resource locator may be prevented by preventing the transmission of the entire electronic message, deleting the uniform resource locator from the electronic message, or in some other manner. Uniform resource locators that do not match the uniform resource locators on the white list or the uniform resource locators on the black list are identified as suspect uniform resource locators, step 45. The remaining uniform resource locators are characterized as suspect because they are not known to be acceptable or malicious.
FIG. 3 is a flow diagram of an exemplary method for identifying a malicious uniform resource locator. Step 45 specifically comprises the following steps: at step 451, a suspect uniform resource locator is selected for analysis in the virtual environment. Some uniform resource locators may be weighted for analysis at a higher priority. A higher priority uniform resource locator may be placed in a higher priority position in the analysis queue than a lower priority uniform resource locator. The priority may be associated with the uniform resource locator by the user, the priority may be associated with a uniform resource locator field, a keyword in the uniform resource locator, a location of the uniform resource locator in the electronic message, or other factors. At step 452, the virtual environment application, operating system, and network components are configured. These virtual components may be retrieved from the component pool by the scheduler. At step 453, the uniform resource locator is analyzed in the virtual environment in which the virtual component is configured. Analyzing the uniform resource locator may include replaying the uniform resource locator by performing a "click" operation on the uniform resource locator within the virtual environment. In performing a click operation, an application may send a content request message to a uniform resource locator and receive a response message in response to the uniform resource locator request. For example, a web browser may be executed to provide content received in response to a uniform resource locator response received by an application. Actions performed in the virtual environment in response to receiving the uniform resource locator content may be recorded and analyzed to determine whether the uniform resource locator is malicious. At step 454, a malicious uniform resource locator is identified. 
The identification as a malicious uniform resource locator may be based on actions or changes that occur when a suspect uniform resource locator is replayed in the virtual environment. Operations that may indicate a malicious uniform resource locator include altering an operating system configuration, executing a request or attempting to install or execute a file, or other operations performed in response to retrieving content from a uniform resource locator location.
FIG. 4 is a flow diagram of an exemplary method for updating a malware detection system. Step 6 specifically comprises the following steps: step 61, the management server receives a malicious uniform resource locator detected by the email malware detection system. Step 62, the management server aggregates the malicious uniform resource locators. Step 63, updating the uniform resource locator blacklist using the aggregated malicious uniform resource locators. Step 64, the management server sends the updated uniform resource locator blacklist to the electronic message malware detection system and the network malware detection system. The sending of the updated uniform resource locator blacklist may be performed on request, periodically, or upon the occurrence of a particular event.
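The triage of FIG. 2 (steps 41 to 45 with the step 451 priority), the step 454 decision on recorded behaviours, and the blacklist aggregation of FIG. 4 (steps 61 to 64), as an added Python example that is not the patent's own code. The sample message, the list entries, the keyword list and the behaviour names are constructed; the virtual environment that replays a URL is not implemented and is represented only by the set of behaviours it would report.

```python
# Added illustration of the patent's URL triage and blacklist update; not the patent's code.
from __future__ import annotations
import re
from dataclasses import dataclass
from email import message_from_string
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

# Constructed lists. A bare entry is a URL "field" (a domain, covering its
# subdomains); an entry with a scheme is an exact URL. Keywords are constructed too.
WHITELIST = {"example.com"}
BLACKLIST = {"bad.example.net", "http://example.org/login-update"}
SUSPICIOUS_WORDS = ("login", "verify", "invoice", "update")
# Behaviours the page names as indicating a malicious URL during replay (constructed names).
MALICIOUS_BEHAVIOURS = {"os_config_change", "file_execute", "file_install"}

@dataclass
class DetectedUrl:
    url: str
    location: str            # "header", "body" or "attachment"
    verdict: str = "suspect"  # "allowed", "blocked" or "suspect"
    priority: int = 0

def _matches(url: str, entries: set[str]) -> bool:
    """Exact-URL match for scheme entries, domain/subdomain match otherwise."""
    host = (urlsplit(url).hostname or "").lower()
    for entry in entries:
        if "://" in entry:
            if url.lower().rstrip("/") == entry.lower().rstrip("/"):
                return True
        elif host == entry or host.endswith("." + entry):
            return True
    return False

def extract_urls(raw_message: str) -> list[DetectedUrl]:
    """Step 2: scan headers, body and text attachments for URLs."""
    msg = message_from_string(raw_message)
    found = [DetectedUrl(u.rstrip(".,)"), "header")
             for value in msg.values() for u in URL_RE.findall(value)]
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        text = part.get_payload(decode=True).decode(errors="replace")
        location = "attachment" if part.get_filename() else "body"
        found += [DetectedUrl(u.rstrip(".,)"), location) for u in URL_RE.findall(text)]
    return found

def _priority(d: DetectedUrl) -> int:
    """Step 451: rank suspect URLs by keywords in the URL and by where they were found."""
    score = 1 + sum(w in d.url.lower() for w in SUSPICIOUS_WORDS)
    return score + (2 if d.location == "attachment" else 0)

def triage(urls: list[DetectedUrl], whitelist=WHITELIST, blacklist=BLACKLIST) -> list[DetectedUrl]:
    """Steps 41-45: whitelist -> allowed, blacklist -> blocked (and reported),
    everything else -> suspect, carrying a priority for the sandbox queue."""
    for d in urls:
        if _matches(d.url, whitelist):
            d.verdict = "allowed"
        elif _matches(d.url, blacklist):
            d.verdict = "blocked"
        else:
            d.verdict, d.priority = "suspect", _priority(d)
    return urls

def suspect_queue(urls: list[DetectedUrl]) -> list[DetectedUrl]:
    """Higher-priority suspects are replayed first (step 451)."""
    return sorted((d for d in urls if d.verdict == "suspect"), key=lambda d: -d.priority)

def classify_replay(observed: set[str]) -> str:
    """Step 454: decide from the behaviours recorded while the URL was replayed."""
    return "malicious" if observed & MALICIOUS_BEHAVIOURS else "acceptable"

def aggregate_blacklist(central: set[str], reports: dict[str, set[str]]) -> tuple[set[str], set[str]]:
    """Steps 61-64: merge every detector's report into the central blacklist;
    return (updated blacklist, newly added entries) so only the delta is pushed."""
    merged = set().union(*reports.values())
    return central | merged, merged - central

# Constructed sample message: a header URL, two body URLs and a text attachment.
SAMPLE_MESSAGE = """\
From: payroll@example.com
List-Unsubscribe: <https://mail.example.com/unsub?id=42>
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Confirm your details at http://example.org/login-update before Friday.
Invoice: https://files.example.net/invoice/2021.pdf.
--B
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

Installer https://download.example.org/verify/setup mirror http://cdn.bad.example.net/x.exe
--B--
"""
```

Running `triage(extract_urls(SAMPLE_MESSAGE))` yields one allowed header URL, two blocked URLs (one exact match, one by domain) and two suspects, of which the attachment URL is queued first.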
The foregoing description of specific embodiments of the present invention has been presented. It is to be understood that the present invention is not limited to the specific embodiments described above, and that various changes and modifications may be made by one skilled in the art within the scope of the appended claims without departing from the spirit of the invention.

Claims (7)

1. A method for detecting malicious web content, the method being implemented by a computer of a malware detection system comprising a hardware processor and a memory, the method comprising the steps of:
step 1, receiving an electronic message, wherein the electronic message malware detection system can receive the electronic message through an electronic message server;
step 2, scanning the electronic message and/or the attachment of the message to detect a uniform resource locator, wherein the uniform resource locator analyzer module scans the electronic message to detect the uniform resource locator in the header, body or other parts of the electronic message;
step 3, sending the detected uniform resource locator to a malicious software detection system;
step 4, identifying suspicious uniform resource locators from the detected uniform resource locators, and if the uniform resource locators are not matched with a uniform resource locator blacklist or a uniform resource locator whitelist maintained in the e-mail malware detection system, identifying the uniform resource locators as suspicious uniform resource locators;
step 5, using the virtual environment component to analyze the suspicious uniform resource locator so as to detect the malicious uniform resource locator;
step 6, updating the malware detection system based on the detected malicious uniform resource locator.
2. The method of claim 1, wherein the malware detection system may be included on an electronic message malware detection system or an external detection module.
3. The method of claim 2, wherein analyzing the suspect uniform resource locator may include selecting a virtual component, such as a virtual operating system, a virtual application, or a virtual network, populating and configuring the virtual environment with the virtual component, and processing the uniform resource locator in the virtual environment.
4. The method of claim 3, wherein the electronic message malware detection system may transmit one or more malicious uniform resource locators to the management server, and the management server may transmit the uniform resource locators to network malware detection systems and electronic message malware detection systems within the system via the updated blacklist.
5. The method according to claim 1, wherein step 4 comprises the following steps:
step 41, comparing each uniform resource locator detected in the electronic message with a uniform resource locator white list;
step 42, ignoring the uniform resource locator matching the white list of the uniform resource locator;
step 43, comparing the detected uniform resource locator not on the white list with a uniform resource locator black list;
if the detected uniform resource locator matches a uniform resource locator on the blacklist, blocking and reporting the uniform resource locator, thereby preventing it from being provided to the recipient client device, at step 44;
uniform resource locators that do not match the uniform resource locators on the white list or the uniform resource locators on the black list are identified as suspect uniform resource locators, step 45.
6. The method of claim 5, wherein step 45 comprises the steps of:
step 451, selecting a suspicious uniform resource locator in the virtual environment for analysis;
step 452, configuring virtual environment applications, operating systems, and network components;
step 453, analyzing the uniform resource locator in the virtual environment configured with the virtual component;
at step 454, a malicious uniform resource locator is identified.
7. The method according to claim 1, wherein step 6 comprises the following steps:
step 61, the management server receives a malicious uniform resource locator detected by an e-mail malicious software detection system;
step 62, the management server aggregates the malicious uniform resource locators;
step 63, updating a uniform resource locator blacklist by using the aggregated malicious uniform resource locators;
the management server may send the updated uniform resource locator blacklist to the electronic message malware detection system and the network malware detection system, step 64.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110707296.0A CN113472765A (en) 2021-06-24 2021-06-24 Method for detecting malicious network content

Publications (1)

Publication Number Publication Date
CN113472765A true CN113472765A (en) 2021-10-01

Family

ID=77872779

Country Status (1)

Country Link
CN (1) CN113472765A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114137934A (en) * 2021-11-23 2022-03-04 国网江西省电力有限公司电力科学研究院 Industrial control system with intrusion detection function and detection method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100192223A1 (en) * 2004-04-01 2010-07-29 Osman Abdoul Ismael Detecting Malicious Network Content Using Virtual Environment Components
US20110314546A1 (en) * 2004-04-01 2011-12-22 Ashar Aziz Electronic Message Analysis for Malware Detection
US20150007312A1 (en) * 2013-06-28 2015-01-01 Vinay Pidathala System and method for detecting malicious links in electronic messages

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 2021-10-01)