Interactive infection visualization for improved exploit detection and signature generation for malware and malware families

US 10,027,689 B1
Filed: 09/29/2014
Issued: 07/17/2018
Est. Priority Date: 09/29/2014
Status: Active Grant

First Claim

Patent Images

1. A system for cyber-attack detection comprising:

one or more hardware processors; and

a non-transitory storage module communicatively coupled to the one or more processors, the storage module comprises logic, upon execution by the one or more processors, thataccesses a first set of information that comprises (i) information directed to a plurality of observed events, each of the observed events being observed during operation of a source device communicatively coupled to the system, and (ii) information directed to one or more relationships that identify an association between different observed events, wherein each of the one or more relationships comprises a connection that occurs during computer processing between at least two events and wherein each of the plurality of observed events is an action or operation resulting from an execution of code,generates a reference model based on the first set of information, the reference model comprises at least a first observed event, a second observed event, and a first relationship that identifies that the second observed event is based on the first observed event, wherein the first observed event and the second observed event are included in the plurality of observed events,analyzes a second set of information that is different than the first set of information, the second set of information including a third event and a second relationship,enhances the reference model by adding the third event or the second relationship to the reference model based on a correlation between the reference model and the second set of information, andgenerates an interactive graphical display of at least the reference model that includes the third event or the second relationship,wherein a combination of events and relationships comprising the reference model indicate a cyber-attack.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a malware detection and visualization system comprises one or more processors; and a storage module communicatively coupled to the one or more processors, the storage module comprises logic, upon execution by the one or more processors, that accesses a first set of information that comprises (i) information directed to a plurality of observed events and (ii) information directed to one or more relationships that identify an association between different observed events of the plurality of observed events; and generates a reference model based on the first set of information, the reference model comprises at least a first event of the plurality of observed events, a second event of the plurality of observed events, and a first relationship that identifies that the second event is based on the first event, wherein at least one of (i) the plurality of observed events or (ii) the one or more relationships constitutes an anomalous behavior is provided.

Citations

52 Claims

1. A system for cyber-attack detection comprising:
- one or more hardware processors; and
  
  a non-transitory storage module communicatively coupled to the one or more processors, the storage module comprises logic, upon execution by the one or more processors, thataccesses a first set of information that comprises (i) information directed to a plurality of observed events, each of the observed events being observed during operation of a source device communicatively coupled to the system, and (ii) information directed to one or more relationships that identify an association between different observed events, wherein each of the one or more relationships comprises a connection that occurs during computer processing between at least two events and wherein each of the plurality of observed events is an action or operation resulting from an execution of code,generates a reference model based on the first set of information, the reference model comprises at least a first observed event, a second observed event, and a first relationship that identifies that the second observed event is based on the first observed event, wherein the first observed event and the second observed event are included in the plurality of observed events,analyzes a second set of information that is different than the first set of information, the second set of information including a third event and a second relationship,enhances the reference model by adding the third event or the second relationship to the reference model based on a correlation between the reference model and the second set of information, andgenerates an interactive graphical display of at least the reference model that includes the third event or the second relationship,wherein a combination of events and relationships comprising the reference model indicate a cyber-attack.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein the anomalous behavior includes a first file opened by a first process, wherein the first file is configured to be opened by a second process that is different from the first process and is not configured to be opened by the first process.
  - 3. The system of claim 1, wherein the generating of the reference model by the logic comprises determining that the first event of the plurality of observed events performed at least one of an action or an operation, the at least one of the action or the operation results in an observance of subsequent events of the plurality of observed events including the second event of the plurality of observed events.
  - 4. The system of claim 1, wherein the source device is one of an endpoint device, a threat detection system, or a cloud computing service.

5. A system for cyber-attack detection comprising:
- one or more hardware processors; and
  
  a non-transitory storage module communicatively coupled to the one or more processors, the storage module comprises (i) an event log to store information associated with at least a first plurality of observed events and (ii) logic that, upon execution by the one or more processors and in response to a triggering event,(a) accesses a first set of information that comprises (i) information directed to the first plurality of observed events stored in the storage, each of the first plurality of observed events being observed during operation of a source device communicatively coupled to the system, and (ii) information directed to one or more relationships that identify an association between different observed events, wherein each of the one or more relationships comprises a connection that occurs during computer processing between at least two events and wherein each of the plurality of observed events is an action or operation resulting from an execution of code,(b) accesses a reference model based on a second plurality of observed events, the reference model comprises at least a first observed event of the second plurality of observed events, a second observed event of the second plurality of observed events, and a first relationship that identifies that the second event is based on the first event, wherein the first observed event and the second observed event are included in the plurality of observed events,(c) enhances the reference model by adding a third event or a second relationship to the reference model based on a correlation between the reference model and the first set of information, the third event and the second relationship included in the first set of information, and(d) generates a graphical, interactive display of a comparison of the first plurality of observed events with the reference model that includes the third event of the second relationship, the interactive display including one or more diagrams,wherein a combination of events and relationships comprising the reference model indicate a cyber-attack.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 15, 16, 17, 20, 21, 22)
- - 6. The system of claim 5, wherein a first event of the first plurality of observed events is selectable to (i) provide metadata associated with the first event of the first plurality of observed events;
    - (ii) generate a signature of the first event of the first plurality of observed events;
      
      or (iii) generate an alert for the first event of the first plurality of observed events.
  - 7. The system of claim 6, whereinat least the first event and a second event of the first plurality of observed events are selectable via the graphical interactive display.
  - 8. The system of claim 5, wherein the plurality of diagrams include two or more nodal diagrams placed in a side-by-side manner, the nodal diagrams illustrating (i) each event of the first plurality of observed events and each relationship of the first plurality of observed events and (ii) the reference model.
  - 9. The system of claim 5, wherein the first event of the first plurality of observed events is illustrated in the one or more diagrams with a solid line, the solid line representing that the first event of the first plurality of observed events was observed with at least a first confidence.
  - 10. The system of claim 9, wherein the first event of the first plurality of observed events is illustrated in the one or more diagrams with a dotted line, the dotted line representing that the first event of the first plurality of observed events was observed with at least a second confidence but less than a first confidence, the first confidence being greater than the second confidence.
  - 11. The system of claim 5, wherein the first relationship is illustrated in the one or more diagrams with a solid line, the solid line representing that the first relationship was observed with at least a first confidence.
  - 12. The system of claim 5, wherein the first relationship is illustrated in the one or more diagrams with a dotted line, the dotted line representing that the first relationship was observed with at least a second confidence but less than a first confidence, the first confidence being greater than the second confidence.
  - 13. The computerized system of claim 5, wherein the source device is one of an endpoint device, a threat detection system, or a cloud computing service.
  - 15. The method of claim 13, wherein the signature associated with the first observed event and the second observed event further includes information associated with the relationship to identify that the first observed event is based on the second observed event.
  - 16. The method of claim 13, wherein the interactive display comprises a nodal diagram illustrating at least the first observed event, the second observed event, and the relationship in a top-down, chronological sequence.
  - 17. The method of claim 13, wherein the interactive display of the relationships comprises a nodal diagram illustrating at least the first observed event, the second observed event, and the relationship in a left-to-right, chronological sequence.
  - 20. The system of claim 17, wherein the first set of information includes at least two of (i) observations uncovered after virtual processing of a portion of network traffic under analysis by a virtual execution environment, (ii) observations uncovered after static processing of the portion of network traffic by a static analysis engine, and (iii) observations uncovered from monitored network traffic.
  - 21. The system of claim 17, wherein enhancing the first reference model is performed when the third event and the second relationship were not previously present in the first reference model.
  - 22. The system of claim 17, wherein the source device is one of an endpoint device, a threat detection system, or a cloud computing service.

14. A computerized method for malware detection comprising:
- accessing information that comprises (i) information directed to a plurality of observed events, each of the plurality of observed events being observed during operation of a source device communicatively coupled to the system, and (ii) information directed to one or more relationships identifying that a first observed event is based on a second observed event, wherein each of the one or more relationships comprises a connection that occurs during computer processing between at least two events and wherein each of the plurality of observed events is an action or operation resulting from an execution of code;
  
  generating an interactive display of at least the first observed event, the second observed event and a relationship identifying that the first observed event is based on the second observed event; and
  
  upon receiving a selection of the first observed event and the second observed event via the interactive display, generating a signature associating the first observed event and the second observed event, wherein combination of at least two of (i) the first observed event, (ii) the second observed event, or (iii) the relationship indicates known a cyber-attack.
- View Dependent Claims (18)
- - 18. The computerized method of claim 14, wherein the source device is one of an endpoint device, a threat detection system, or a cloud computing service.

19. A system for cyber-attack detection comprising:
- one or more hardware processors; and
  
  a non-transitory storage module communicatively coupled to the one or more processors, the storage module comprises(i) an event log to receive and store a first set of information associated with a plurality of observed events and one or more relationships that identify an association between different observed events, each of the observed events being observed during operation of a source device communicatively coupled to the system, wherein each of the one or more relationships comprises a connection that occurs during computer processing between at least two events and wherein each of the plurality of observed events is an action or operation resulting from an execution of code,(ii) a machine learning data store to store one or more reference models,(iii) a machine learning logic that, upon execution by the one or more processors,(a) accesses the first set of information associated with the plurality of observed events, and(b) enhances a first reference model of the one or more reference models by adding a first event or a first relationship to the first reference model based on a correlation between the first reference model and the first set of information, the first event and the first relationship included in the first set of information, wherein a combination of events and relationships comprising the first reference model indicates a cyber-attack,(c) generates display screen information including a comparison of the first set of information and the first reference model that includes the first event or the first relationship; and
  
  (iv) a display generation logic that, upon execution by the one or more processors,(a) communicates with the machine learning logic, and(b) generates an interactive display screen from the display screen information including at least the first event or the first relationship.

23. A computerized method for malware detection comprising:
- accessing a first set of information that comprises (i) information directed to a plurality of observed events, each of the observed events being observed during operation of a source device communicatively coupled to the system, and (ii) information directed to one or more relationships that identify an association between different observed events, wherein each of the one or more relationships comprises a connection that occurs during computer processing between at least two events and wherein each of the plurality of observed events is an action or operation resulting from an execution of code,generating a reference model based on the first set of information, the reference model comprises at least a first observed event, a second observed event, and a first relationship that identifies that the second observed event is based on the first observed event, wherein the first observed event and the second observed event are included in the plurality of observed events,analyzing a second set of information that is different than the first set of information, the second set of information including a third event and a second relationship,enhancing the reference model by adding the third event or the second relationship to the reference model based on a correlation between the reference model and the second set of information, andgenerating an interactive graphical display of at least the reference model that includes the third event or the second relationship,wherein a combination of events and relationships comprising the reference model indicate a cyber-attack.
- View Dependent Claims (24, 25)
- - 24. The method of claim 23, wherein the anomalous behavior includes a first file opened by a first process, wherein the first file is configured to be opened by a second process that is different from the first process and is not configured to be opened by the first process.
  - 25. The method of claim 23, wherein the generating of the reference model by the logic comprises determining that the first event of the plurality of observed events performed at least one of an action or an operation, the at least one of the action or the operation results in an observance of subsequent events of the plurality of observed events including the second event of the plurality of observed events.

26. A non-transitory computer readable medium, when processed by a hardware processor, determines whether a first set of information indicates a presence of a cyber-attack, the non-transitory computer readable medium comprising:
- a machine learning logic to;
  
  (a) access a first set of information that comprises (i) information directed to a plurality of observed events, each of the observed events being observed during operation of a source device communicatively coupled to the system, and (ii) information directed to one or more relationships that identify an association between different observed events, wherein each of the one or more relationships comprises a connection that occurs during computer processing between at least two events and wherein each of the plurality of observed events is an action or operation resulting from an execution of code,(b) generate a reference model based on the first set of information, the reference model comprises at least a first observed event, a second observed event, and a first relationship that identifies that the second observed event is based on the first observed event, wherein the first observed event and the second observed event are included in the plurality of observed events,(c) analyze a second set of information that is different than the first set of information, the second set of information including a third event and a second relationship, and(d) enhance the reference model by adding the third event or the second relationship to the reference model based on a correlation between the reference model and the second set of information; and
  
  a display generation logic to generate an interactive graphical display of at least the reference model that includes the third event or the second relationship, wherein a combination of events and relationships comprising the reference model indicate a cyber-attack.
- View Dependent Claims (27, 28)
- - 27. The non-transitory computer readable medium of claim 26, wherein the anomalous behavior includes a first file opened by a first process, wherein the first file is configured to be opened by a second process that is different from the first process and is not configured to be opened by the first process.
  - 28. The non-transitory computer readable medium of claim 26, wherein the generating of the reference model by the logic comprises determining that the first event of the plurality of observed events performed at least one of an action or an operation, the at least one of the action or the operation results in an observance of subsequent events of the plurality of observed events including the second event of the plurality of observed events.

29. A computerized method for malware detection comprising:
- accessing a first set of information that comprises (i) information directed to a first plurality of observed events stored in a storage module, each of a first plurality of observed events being observed during operation of a source device, the storage module including an event log to store the information associated with at least the first plurality of observed events, and (ii) information directed to one or more relationships that identify an association between different observed events, wherein each of the one or more relationships comprises a connection, that occurs during computer processing, between at least two events and wherein each of the plurality of observed events is an action or operation resulting from an execution of code;
  
  accessing a reference model based on a second plurality of observed events, the reference model comprises at least a first observed event of the second plurality of observed events, a second observed event of the second plurality of observed events, and a first relationship that identifies that the second event is based on the first event, wherein the first observed event and the second observed event are included in the plurality of observed events;
  
  enhancing the reference model by adding a third event or a second relationship to the reference model based on a correlation between the reference model and the first set of information, the third event and the second relationship included in the first set of information; and
  
  generating a graphical, interactive display of a comparison of the first plurality of observed events with the reference model that includes the third event of the second relationship, the interactive display including one or more diagrams, wherein a combination of events and relationships comprising the reference model indicate a cyber-attack.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36)
- - 30. The method of claim 29, wherein a first event of the first plurality of observed events is selectable to (i) provide metadata associated with the first event of the first plurality of observed events;
    - (ii) generate a signature of the first event of the first plurality of observed events;
      
      or (iii) generate an alert for the first event of the first plurality of observed events.
  - 31. The method of claim 30, wherein at least the first event and a second event of the first plurality of observed events are selectable via the graphical interactive display.
  - 32. The method of claim 29, wherein the plurality of diagrams include two or more nodal diagrams placed in a side-by-side manner, the nodal diagrams illustrating (i) each event of the first plurality of observed events and each relationship of the first plurality of observed events and (ii) the reference model.
  - 33. The method of claim 29, wherein the first event of the first plurality of observed events is illustrated in the one or more diagrams with a solid line, the solid line representing that the first event of the first plurality of observed events was observed with at least a first confidence.
  - 34. The method of claim 33, wherein the first event of the first plurality of observed events is illustrated in the one or more diagrams with a dotted line, the dotted line representing that the first event of the first plurality of observed events was observed with at least a second confidence but less than a first confidence, the first confidence being greater than the second confidence.
  - 35. The method of claim 29, wherein the first relationship is illustrated in the one or more diagrams with a solid line, the solid line representing that the first relationship was observed with at least a first confidence.
  - 36. The method of claim 29, wherein the first relationship is illustrated in the one or more diagrams with a dotted line, the dotted line representing that the first relationship was observed with at least a second confidence but less than a first confidence, the first confidence being greater than the second confidence.

37. A non-transitory computer readable medium, when processed by a hardware processor, determines whether a first set of information indicates a presence of a cyber-attack, the non-transitory computer readable medium comprising:
- an event log to store information associated with at least a first plurality of observed events;
  
  logic that;
  
  (a) accesses a first set of information that comprises (i) information directed to the first plurality of observed events stored in the event log, each of the first plurality of observed events being observed during operation of a source device, and (ii) information directed to one or more relationships that identify an association between different observed events, wherein each of the one or more relationships comprises a connection, that occurs during computer processing, between at least two events and wherein each of the plurality of observed events is an action or operation resulting from an execution of code,(b) accesses a reference model based on a second plurality of observed events, the reference model comprises at least a first observed event of the second plurality of observed events, a second observed event of the second plurality of observed events, and a first relationship that identifies that the second event is based on the first event, wherein the first observed event and the second observed event are included in the plurality of observed events, and(c) enhances the reference model by adding a third event or a second relationship to the reference model based on a correlation between the reference model and the first set of information, the third event and the second relationship included in the first set of information; and
  
  a display generation logic to generate a graphical, interactive display of a comparison of the first plurality of observed events with the reference model that includes the third event of the second relationship, the interactive display including one or more diagrams, wherein a combination of events and relationships comprising the reference model indicate a cyber-attack.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44)
- - 38. The non-transitory computer readable medium of claim 37, wherein a first event of the first plurality of observed events is selectable to (i) provide metadata associated with the first event of the first plurality of observed events;
    - (ii) generate a signature of the first event of the first plurality of observed events;
      
      or (iii) generate an alert for the first event of the first plurality of observed events.
  - 39. The non-transitory computer readable medium of claim 37, wherein at least the first event and a second event of the first plurality of observed events are selectable via the graphical interactive display.
  - 40. The non-transitory computer readable medium of claim 37, wherein the plurality of diagrams include two or more nodal diagrams placed in a side-by-side manner, the nodal diagrams illustrating (i) each event of the first plurality of observed events and each relationship of the first plurality of observed events and (ii) the reference model.
  - 41. The non-transitory computer readable medium of claim 37, wherein the first event of the first plurality of observed events is illustrated in the one or more diagrams with a solid line, the solid line representing that the first event of the first plurality of observed events was observed with at least a first confidence.
  - 42. The non-transitory computer readable medium of claim 41, wherein the first event of the first plurality of observed events is illustrated in the one or more diagrams with a dotted line, the dotted line representing that the first event of the first plurality of observed events was observed with at least a second confidence but less than a first confidence, the first confidence being greater than the second confidence.
  - 43. The non-transitory computer readable medium of claim 37, wherein the first relationship is illustrated in the one or more diagrams with a solid line, the solid line representing that the first relationship was observed with at least a first confidence.
  - 44. The non-transitory computer readable medium of claim 37, wherein the first relationship is illustrated in the one or more diagrams with a dotted line, the dotted line representing that the first relationship was observed with at least a second confidence but less than a first confidence, the first confidence being greater than the second confidence.

45. A computerized method for malware detection comprising:
- receiving and storing, by an event log, a first set of information associated with a plurality of observed events and one or more relationships that identify an association between different observed events, each of the observed events being observed during operation of a source device, wherein each of the one or more relationships comprises a connection that occurs during computer processing between at least two events and wherein each of the plurality of observed events is an action or operation resulting from an execution of code;
  
  accessing, by a machine learning logic, the first set of information associated with the plurality of observed events;
  
  enhancing, by a machine learning logic, a first reference model of one or more stored reference models by adding a first event or a first relationship to the first reference model based on a correlation between the first reference model and the first set of information, the first event and the first relationship included in the first set of information, wherein the one or more reference models including the first reference model are stored in a machine learning data store, wherein a combination of events and relationships comprising the first reference model indicates a cyber-attack;
  
  generating, by a machine learning logic, display screen information including a comparison of the first set of information and the first reference model that includes the first event or the first relationship;
  
  communicating, by a display generation logic, with the machine learning logic; and
  
  generating, by the display generation logic, an interactive display screen from the display screen information including at least the first event or the first relationship.
- View Dependent Claims (46, 47, 48)
- - 46. The computerized method of claim 45, wherein the first set of information includes at least two of (i) observations uncovered after virtual processing of a portion of network traffic under analysis by a virtual execution environment, (ii) observations uncovered after static processing of the portion of network traffic by a static analysis engine, and (iii) observations uncovered from monitored network traffic.
  - 47. The computerized method of claim 45, wherein enhancing the first reference model is performed when the third event and the second relationship were not previously present in the first reference model.
  - 48. The computerized method of claim 45, wherein the source device is one of an endpoint device, a threat detection system, or a cloud computing service.

49. A non-transitory computer readable medium, when processed by a hardware processor, determines whether a first set of information indicates a presence of a cyber-attack, the non-transitory computer readable medium comprising:
- an event log to receive and store a first set of information associated with a plurality of observed events and one or more relationships that identify an association between different observed events, each of the observed events being observed during operation of a source device, wherein each of the one or more relationships comprises a connection that occurs during computer processing between at least two events and wherein each of the plurality of observed events is an action or operation resulting from an execution of code;
  
  a machine learning data store to store one or more reference models;
  
  a machine learning logic to (a) access the information associated with the plurality of observed events, and (b) enhance a first reference model of the one or more reference models by adding a first event or a first relationship to the first reference model based on a correlation between the first reference model and the first set of information, the first event and the first relationship included in the first set of information, wherein a combination of events and relationships comprising the first reference model indicates a cyber-attack, (c) generate display screen information including a comparison of the first set of information and the first reference model that includes the third event or the second relationship; and
  
  a display generation logic to (a) communicate with the machine learning logic, and (b) generate an interactive display screen from the display screen information, including the first event or the first relationship .
- View Dependent Claims (50, 51, 52)
- - 50. The non-transitory computer readable medium of claim 49, wherein the first set of information includes at least two of (i) observations uncovered after virtual processing of a portion of network traffic under analysis by a virtual execution environment, (ii) observations uncovered after static processing of the portion of network traffic by a static analysis engine, and (iii) observations uncovered from monitored network traffic.
  - 51. The non-transitory computer readable medium of claim 50, wherein enhancing the first reference model is performed when the third event and the second relationship were not previously present in the first reference model.
  - 52. The non-transitory computer readable medium of claim 51, wherein the source device is one of an endpoint device, a threat detection system, or a cloud computing service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Rathor, Hirendra, Dalal, Kaushal, Gupta, Anil
Primary Examiner(s)
Shiferaw, Eleni A
Assistant Examiner(s)
Khan, Sher A

Application Number

US14/500,587
Time in Patent Office

1,387 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/3006   where the computing system ...

G06F 11/3447   Performance evaluation by m...

G06F 11/3476   Data logging G06F11/14, G06...

G06F 21/561   Virus type analysis

G06F 21/566   Dynamic detection, i.e. det...

G06F 2201/86   Event-based monitoring

G06F 3/0481   based on specific propertie...

G16B 20/00   ICT specially adapted for f...

H04L 63/1416   Event detection, e.g. attac...

H04L 67/10   in which an application is ...

H04L 67/75   Indicating network or usage...

Interactive infection visualization for improved exploit detection and signature generation for malware and malware families

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

Interactive infection visualization for improved exploit detection and signature generation for malware and malware families

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links