Interactive infection visualization for improved exploit detection and signature generation for malware and malware families
Abstract
According to one embodiment, a malware detection and visualization system is provided. The system comprises one or more processors and a storage module communicatively coupled to the one or more processors. The storage module comprises logic that, upon execution by the one or more processors, accesses a first set of information that comprises (i) information directed to a plurality of observed events and (ii) information directed to one or more relationships that identify an association between different observed events of the plurality of observed events, and generates a reference model based on the first set of information. The reference model comprises at least a first event of the plurality of observed events, a second event of the plurality of observed events, and a first relationship that identifies that the second event is based on the first event, wherein at least one of (i) the plurality of observed events or (ii) the one or more relationships constitutes an anomalous behavior.
52 Claims
1. A system for cyber-attack detection comprising:
    one or more hardware processors; and
    a non-transitory storage module communicatively coupled to the one or more processors, the storage module comprises logic, upon execution by the one or more processors, that
        accesses a first set of information that comprises (i) information directed to a plurality of observed events, each of the observed events being observed during operation of a source device communicatively coupled to the system, and (ii) information directed to one or more relationships that identify an association between different observed events, wherein each of the one or more relationships comprises a connection that occurs during computer processing between at least two events and wherein each of the plurality of observed events is an action or operation resulting from an execution of code,
        generates a reference model based on the first set of information, the reference model comprises at least a first observed event, a second observed event, and a first relationship that identifies that the second observed event is based on the first observed event, wherein the first observed event and the second observed event are included in the plurality of observed events,
        analyzes a second set of information that is different than the first set of information, the second set of information including a third event and a second relationship,
        enhances the reference model by adding the third event or the second relationship to the reference model based on a correlation between the reference model and the second set of information, and
        generates an interactive graphical display of at least the reference model that includes the third event or the second relationship,
    wherein a combination of events and relationships comprising the reference model indicates a cyber-attack.
Dependent claims: 2, 3, 4
5. A system for cyber-attack detection comprising:
    one or more hardware processors; and
    a non-transitory storage module communicatively coupled to the one or more processors, the storage module comprises (i) an event log to store information associated with at least a first plurality of observed events and (ii) logic that, upon execution by the one or more processors and in response to a triggering event,
        (a) accesses a first set of information that comprises (i) information directed to the first plurality of observed events stored in the storage, each of the first plurality of observed events being observed during operation of a source device communicatively coupled to the system, and (ii) information directed to one or more relationships that identify an association between different observed events, wherein each of the one or more relationships comprises a connection that occurs during computer processing between at least two events and wherein each of the plurality of observed events is an action or operation resulting from an execution of code,
        (b) accesses a reference model based on a second plurality of observed events, the reference model comprises at least a first observed event of the second plurality of observed events, a second observed event of the second plurality of observed events, and a first relationship that identifies that the second event is based on the first event, wherein the first observed event and the second observed event are included in the plurality of observed events,
        (c) enhances the reference model by adding a third event or a second relationship to the reference model based on a correlation between the reference model and the first set of information, the third event and the second relationship included in the first set of information, and
        (d) generates a graphical, interactive display of a comparison of the first plurality of observed events with the reference model that includes the third event or the second relationship, the interactive display including one or more diagrams,
    wherein a combination of events and relationships comprising the reference model indicates a cyber-attack.
Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13, 15, 16, 17, 20, 21, 22
14. A computerized method for malware detection comprising:
    accessing information that comprises (i) information directed to a plurality of observed events, each of the plurality of observed events being observed during operation of a source device communicatively coupled to the system, and (ii) information directed to one or more relationships identifying that a first observed event is based on a second observed event, wherein each of the one or more relationships comprises a connection that occurs during computer processing between at least two events and wherein each of the plurality of observed events is an action or operation resulting from an execution of code;
    generating an interactive display of at least the first observed event, the second observed event and a relationship identifying that the first observed event is based on the second observed event; and
    upon receiving a selection of the first observed event and the second observed event via the interactive display, generating a signature associating the first observed event and the second observed event,
    wherein a combination of at least two of (i) the first observed event, (ii) the second observed event, or (iii) the relationship indicates a known cyber-attack.
Dependent claims: 18
19. A system for cyber-attack detection comprising:
    one or more hardware processors; and
    a non-transitory storage module communicatively coupled to the one or more processors, the storage module comprises
        (i) an event log to receive and store a first set of information associated with a plurality of observed events and one or more relationships that identify an association between different observed events, each of the observed events being observed during operation of a source device communicatively coupled to the system, wherein each of the one or more relationships comprises a connection that occurs during computer processing between at least two events and wherein each of the plurality of observed events is an action or operation resulting from an execution of code,
        (ii) a machine learning data store to store one or more reference models,
        (iii) a machine learning logic that, upon execution by the one or more processors, (a) accesses the first set of information associated with the plurality of observed events, and (b) enhances a first reference model of the one or more reference models by adding a first event or a first relationship to the first reference model based on a correlation between the first reference model and the first set of information, the first event and the first relationship included in the first set of information, wherein a combination of events and relationships comprising the first reference model indicates a cyber-attack, (c) generates display screen information including a comparison of the first set of information and the first reference model that includes the first event or the first relationship; and
        (iv) a display generation logic that, upon execution by the one or more processors, (a) communicates with the machine learning logic, and (b) generates an interactive display screen from the display screen information including at least the first event or the first relationship.
23. A computerized method for malware detection comprising:
    accessing a first set of information that comprises (i) information directed to a plurality of observed events, each of the observed events being observed during operation of a source device communicatively coupled to the system, and (ii) information directed to one or more relationships that identify an association between different observed events, wherein each of the one or more relationships comprises a connection that occurs during computer processing between at least two events and wherein each of the plurality of observed events is an action or operation resulting from an execution of code,
    generating a reference model based on the first set of information, the reference model comprises at least a first observed event, a second observed event, and a first relationship that identifies that the second observed event is based on the first observed event, wherein the first observed event and the second observed event are included in the plurality of observed events,
    analyzing a second set of information that is different than the first set of information, the second set of information including a third event and a second relationship,
    enhancing the reference model by adding the third event or the second relationship to the reference model based on a correlation between the reference model and the second set of information, and
    generating an interactive graphical display of at least the reference model that includes the third event or the second relationship,
    wherein a combination of events and relationships comprising the reference model indicates a cyber-attack.
Dependent claims: 24, 25
26. A non-transitory computer readable medium that, when processed by a hardware processor, determines whether a first set of information indicates a presence of a cyber-attack, the non-transitory computer readable medium comprising:
    a machine learning logic to:
        (a) access a first set of information that comprises (i) information directed to a plurality of observed events, each of the observed events being observed during operation of a source device communicatively coupled to the system, and (ii) information directed to one or more relationships that identify an association between different observed events, wherein each of the one or more relationships comprises a connection that occurs during computer processing between at least two events and wherein each of the plurality of observed events is an action or operation resulting from an execution of code,
        (b) generate a reference model based on the first set of information, the reference model comprises at least a first observed event, a second observed event, and a first relationship that identifies that the second observed event is based on the first observed event, wherein the first observed event and the second observed event are included in the plurality of observed events,
        (c) analyze a second set of information that is different than the first set of information, the second set of information including a third event and a second relationship, and
        (d) enhance the reference model by adding the third event or the second relationship to the reference model based on a correlation between the reference model and the second set of information; and
    a display generation logic to generate an interactive graphical display of at least the reference model that includes the third event or the second relationship,
    wherein a combination of events and relationships comprising the reference model indicates a cyber-attack.
Dependent claims: 27, 28
29. A computerized method for malware detection comprising:
    accessing a first set of information that comprises (i) information directed to a first plurality of observed events stored in a storage module, each of the first plurality of observed events being observed during operation of a source device, the storage module including an event log to store the information associated with at least the first plurality of observed events, and (ii) information directed to one or more relationships that identify an association between different observed events, wherein each of the one or more relationships comprises a connection, that occurs during computer processing, between at least two events and wherein each of the plurality of observed events is an action or operation resulting from an execution of code;
    accessing a reference model based on a second plurality of observed events, the reference model comprises at least a first observed event of the second plurality of observed events, a second observed event of the second plurality of observed events, and a first relationship that identifies that the second event is based on the first event, wherein the first observed event and the second observed event are included in the plurality of observed events;
    enhancing the reference model by adding a third event or a second relationship to the reference model based on a correlation between the reference model and the first set of information, the third event and the second relationship included in the first set of information; and
    generating a graphical, interactive display of a comparison of the first plurality of observed events with the reference model that includes the third event or the second relationship, the interactive display including one or more diagrams,
    wherein a combination of events and relationships comprising the reference model indicates a cyber-attack.
Dependent claims: 30, 31, 32, 33, 34, 35, 36
37. A non-transitory computer readable medium that, when processed by a hardware processor, determines whether a first set of information indicates a presence of a cyber-attack, the non-transitory computer readable medium comprising:
    an event log to store information associated with at least a first plurality of observed events;
    logic that:
        (a) accesses a first set of information that comprises (i) information directed to the first plurality of observed events stored in the event log, each of the first plurality of observed events being observed during operation of a source device, and (ii) information directed to one or more relationships that identify an association between different observed events, wherein each of the one or more relationships comprises a connection, that occurs during computer processing, between at least two events and wherein each of the plurality of observed events is an action or operation resulting from an execution of code,
        (b) accesses a reference model based on a second plurality of observed events, the reference model comprises at least a first observed event of the second plurality of observed events, a second observed event of the second plurality of observed events, and a first relationship that identifies that the second event is based on the first event, wherein the first observed event and the second observed event are included in the plurality of observed events, and
        (c) enhances the reference model by adding a third event or a second relationship to the reference model based on a correlation between the reference model and the first set of information, the third event and the second relationship included in the first set of information; and
    a display generation logic to generate a graphical, interactive display of a comparison of the first plurality of observed events with the reference model that includes the third event or the second relationship, the interactive display including one or more diagrams,
    wherein a combination of events and relationships comprising the reference model indicates a cyber-attack.
Dependent claims: 38, 39, 40, 41, 42, 43, 44
45. A computerized method for malware detection comprising:
    receiving and storing, by an event log, a first set of information associated with a plurality of observed events and one or more relationships that identify an association between different observed events, each of the observed events being observed during operation of a source device, wherein each of the one or more relationships comprises a connection that occurs during computer processing between at least two events and wherein each of the plurality of observed events is an action or operation resulting from an execution of code;
    accessing, by a machine learning logic, the first set of information associated with the plurality of observed events;
    enhancing, by a machine learning logic, a first reference model of one or more stored reference models by adding a first event or a first relationship to the first reference model based on a correlation between the first reference model and the first set of information, the first event and the first relationship included in the first set of information, wherein the one or more reference models including the first reference model are stored in a machine learning data store, wherein a combination of events and relationships comprising the first reference model indicates a cyber-attack;
    generating, by a machine learning logic, display screen information including a comparison of the first set of information and the first reference model that includes the first event or the first relationship;
    communicating, by a display generation logic, with the machine learning logic; and
    generating, by the display generation logic, an interactive display screen from the display screen information including at least the first event or the first relationship.
Dependent claims: 46, 47, 48
49. A non-transitory computer readable medium that, when processed by a hardware processor, determines whether a first set of information indicates a presence of a cyber-attack, the non-transitory computer readable medium comprising:
    an event log to receive and store a first set of information associated with a plurality of observed events and one or more relationships that identify an association between different observed events, each of the observed events being observed during operation of a source device, wherein each of the one or more relationships comprises a connection that occurs during computer processing between at least two events and wherein each of the plurality of observed events is an action or operation resulting from an execution of code;
    a machine learning data store to store one or more reference models;
    a machine learning logic to (a) access the information associated with the plurality of observed events, (b) enhance a first reference model of the one or more reference models by adding a first event or a first relationship to the first reference model based on a correlation between the first reference model and the first set of information, the first event and the first relationship included in the first set of information, wherein a combination of events and relationships comprising the first reference model indicates a cyber-attack, and (c) generate display screen information including a comparison of the first set of information and the first reference model that includes the first event or the first relationship; and
    a display generation logic to (a) communicate with the machine learning logic, and (b) generate an interactive display screen from the display screen information, including the first event or the first relationship.
Dependent claims: 50, 51, 52
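The independent claims above describe one data structure and three operations on it: a reference model made of observed events and "based on" relationships (claims 1 and 23), enhancement of that model by correlating a second set of events and relationships against it and admitting the ones that correlate (claims 1, 5, 19 and their method and medium counterparts), a comparison of a fresh observation with the model that feeds the display (claims 5, 19, 29, 45), and a signature formed from two selected events and their relationship (claim 14). The Python below is an added example written for this page, not the patent's or the assignee's code. The event kinds, the "kind:detail -> kind:detail" log format, the correlation rule (extend the model along any observed relationship whose parent event the model already holds, to a fixed point) and the two sandbox runs are all constructed assumptions, and the text rendering stands in for the interactive diagram, whose form the claims do not specify.

```python
"""Event-graph reference model, enhancement by correlation, comparison data for
a display, and signature generation, mirroring the structure of the claims.
Added example, not the patent's own code: the event kinds, the
'kind:detail -> kind:detail' log format and all sample runs are constructed."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Event:
    """An action or operation resulting from execution of code (claim 1)."""
    kind: str    # constructed kinds: "process", "file", "net"
    detail: str  # image name, path, or host:port

@dataclass
class EventGraph:
    """Observed events plus relationships; edge (a, b) means b is based on a."""
    events: set = field(default_factory=set)
    edges: set = field(default_factory=set)

    def add(self, parent: Event, child: Event) -> None:
        self.events.update({parent, child})
        self.edges.add((parent, child))

def parse_event(token: str) -> Event:
    kind, detail = token.strip().split(":", 1)
    return Event(kind, detail)

def from_log(lines) -> EventGraph:
    """Build a graph from constructed log lines 'kind:detail -> kind:detail'."""
    graph = EventGraph()
    for line in lines:
        src, dst = line.split("->", 1)
        graph.add(parse_event(src), parse_event(dst))
    return graph

def enhance(model: EventGraph, observation: EventGraph) -> list:
    """Correlate an observation with the model: add every observed relationship
    whose parent event the model already contains, plus its child event.
    Iterates to a fixed point so a chain hanging off a newly added event is
    pulled in too.  Returns the added (parent, child) pairs in order."""
    added, changed = [], True
    while changed:
        changed = False
        for parent, child in sorted(observation.edges, key=str):
            if (parent, child) not in model.edges and parent in model.events:
                model.add(parent, child)
                added.append((parent, child))
                changed = True
    return added

def compare(model: EventGraph, observation: EventGraph) -> dict:
    """Display-screen information (claims 5 and 19): model relationships the
    observation reproduced, ones it lacks, and ones it adds."""
    return {"matched": sorted(model.edges & observation.edges, key=str),
            "missing": sorted(model.edges - observation.edges, key=str),
            "new": sorted(observation.edges - model.edges, key=str)}

def render(model: EventGraph, observation: EventGraph) -> str:
    """Text stand-in for the interactive diagram, one line per relationship."""
    return "\n".join(f"[{tag:<7}] {p.kind}:{p.detail} -> {c.kind}:{c.detail}"
                     for tag, pairs in compare(model, observation).items()
                     for p, c in pairs)

def make_signature(first: Event, second: Event) -> tuple:
    """Claim 14: a signature associating two selected events and their
    relationship (second is based on first)."""
    return (first, second)

def signature_matches(signature: tuple, graph: EventGraph) -> bool:
    return signature in graph.edges

# Constructed sample runs (two detonations of the same document lure).
FIRST_RUN = [
    "process:winword.exe -> process:cmd.exe",
    "process:cmd.exe -> process:powershell.exe",
    "process:powershell.exe -> net:198.51.100.7:443",
]
SECOND_RUN = [
    "process:winword.exe -> process:cmd.exe",
    "process:cmd.exe -> process:powershell.exe",
    "process:powershell.exe -> file:C:\\Users\\Public\\update.exe",
    "file:C:\\Users\\Public\\update.exe -> process:update.exe",
    "process:update.exe -> net:198.51.100.7:443",
    "process:explorer.exe -> process:notepad.exe",  # unrelated; never correlates
]

def demo() -> dict:
    model = from_log(FIRST_RUN)     # reference model from the first set
    second = from_log(SECOND_RUN)   # a second, different set of information
    added = enhance(model, second)  # admits third events / second relationships
    sig = make_signature(parse_event("process:cmd.exe"),
                         parse_event("process:powershell.exe"))
    return {"added": added,
            "model_events": len(model.events),
            "model_edges": len(model.edges),
            "comparison": compare(model, second),
            "diagram": render(model, second),
            "sig_hits_second_run": signature_matches(sig, second),
            "sig_hits_benign": signature_matches(
                sig, from_log(["process:explorer.exe -> process:notepad.exe"]))}
```

Calling `demo()` builds the model from the first run, then `enhance` pulls in the dropped file, the process it spawns and that process's outbound connection from the second run, because each hangs off an event already in the model; the explorer.exe line has no path back to a model event and stays out. The comparison shows the original powershell.exe-to-network relationship as "missing" in the second run, which is the kind of variation between family members the interactive display is meant to expose. The correlation rule is deliberately the loosest that satisfies the claim language; a production implementation would weight relationships by confidence before admitting them, since a shared benign ancestor such as explorer.exe would otherwise drag unrelated activity into the model.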