Malicious message analysis system
First Claim
1. A computerized method configured to analyze a message by a network device, comprising:
determining context information comprising one or more combinations of attributes obtained by performing one or more analyses on information associated with the message, the one or more analyses comprises a first analysis of meta information of the message to generate a first set of attributes and at least a second analysis of an object that is part of the message to generate a second set of attributes, the second analysis being a different type of analysis than the first analysis;
correlating attributes associated with the one or more analyses, including the first set of attributes and the second set of attributes, in accordance with one or more correlation rules so as to generate a threat index, the one or more correlation rules assigning a threat index value to a plurality of combinations of one or more attributes of the first set of attributes and one or more attributes of the second set of attributes; and
generating an alert in response to determining that the threat index identifies the message is malicious, the alert being a displayed output.
Abstract
A computerized technique is provided to analyze a message for malware by determining context information from attributes of the message. The attributes are determined by performing one or more of a static analysis of meta information of the message (e.g., delivery protocol attributes) to generate a first result; a dynamic analysis of an object contained in the message to generate a second result; and, in some embodiments, an emulation of the object to generate a third result. The first result, second result, and third result are correlated in accordance with one or more correlation rules to generate a threat index for the message. The threat index is compared with a predetermined threshold to determine whether the message should be classified as malware and, if so, an alert is generated.
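As an added illustration (not code from the patent or its assignee), a Python sketch of the correlation step the abstract describes: attributes from a meta analysis and from an object analysis are combined, correlation rules assign threat index values to attribute combinations, and the index is compared against a threshold to decide whether to alert. The sample message, attribute names, rule weights and threshold are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the patent): Reply-To domain differs from From,
# and the attachment hides an executable behind a double extension.
SAMPLE_MESSAGE = """\
From: accounts@bank-example.com
Reply-To: collect@other-example.net
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ...
"""

def meta_attributes(msg):
    # First analysis: attributes drawn from the message's delivery/meta information.
    dom = lambda h: parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
    reply_to, sender = dom("Reply-To"), dom("From")
    return {"reply_to_mismatch"} if reply_to and reply_to != sender else set()

def object_attributes(msg):
    # Second analysis: attributes of attached objects. This is a static look at the
    # attachment; dynamic analysis or emulation would add attributes the same way.
    attrs = set()
    for part in (p for p in msg.walk() if p.get_filename()):
        name = part.get_filename().lower()
        if name.endswith((".exe", ".scr", ".js")):
            attrs.add("executable_attachment")
        if name.count(".") >= 2:
            attrs.add("double_extension")
        if (part.get_payload(decode=True) or b"").startswith(b"MZ"):
            attrs.add("pe_header")
    return attrs

# Correlation rules: each attribute combination adds a threat index value
# (illustrative weights, not taken from the patent).
RULES = [
    (frozenset({"reply_to_mismatch"}), 10),
    (frozenset({"double_extension"}), 20),
    (frozenset({"executable_attachment"}), 30),
    (frozenset({"pe_header", "double_extension"}), 40),  # content contradicts the name
    (frozenset({"reply_to_mismatch", "executable_attachment"}), 25),
]
THRESHOLD = 70

def analyze(raw_message):
    """Return (attributes, threat index, alert flag) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    attrs = meta_attributes(msg) | object_attributes(msg)
    index = sum(value for combo, value in RULES if combo <= attrs)
    return attrs, index, index >= THRESHOLD
```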
23 Claims
1. A computerized method configured to analyze a message by a network device (independent claim; text given under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 23.
12. A system to detect malicious messages, comprising:
one or more processors; and
a storage module communicatively coupled to the one or more processors, the storage module including logic to determine context information comprising one or more combinations of attributes obtained by performing one or more analyses on information associated with the message, the logic comprises a meta analyzer to analyze meta information of the message to generate a first set of attributes and an object analyzer to analyze an object being part of the message to generate a second set of attributes, the second analysis being a different type of analysis than the first analysis, correlation logic to correlate attributes associated with the one or more analyses, including the first set of attributes and the second set of attributes, in accordance with one or more correlation rules so as to generate a threat index, the one or more correlation rules assigning a threat index value to a plurality of combinations of one or more of the first set of attributes and one or more of the second set of attributes; and
classification logic to determine whether the threat index identifies that the message is malicious, and generate an alert in response to determining that the threat index identifies the message is malicious, the alert being a displayed output.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22.