Malicious message analysis system

US 10,050,998 B1
Filed: 12/30/2015
Issued: 08/14/2018
Est. Priority Date: 12/30/2015
Status: Active Grant

First Claim

Patent Images

1. A computerized method configured to analyze a message by a network device, comprising:

determining context information comprising one or more combinations of attributes obtained by performing one or more analyses on information associated with the message, the one or more analyses comprises a first analysis of meta information of the message to generate a first set of attributes and at least a second analysis of an object that is part of the message to generate a second set of attributes, the second analysis being a different type of analysis than the first analysis;

correlating attributes associated with the one or more analyses, including the first set of attributes and the second set of attributes, in accordance with one or more correlation rules so as to generate a threat index, the one or more correlation rules assigning a threat index value to a plurality of combinations of one or more attributes of the first set of attributes and one or more attributes of the second set of attributes; and

generating an alert in response to determining that the threat index identifies the message is malicious, the alert being a displayed output.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized technique is provided to analyze a message for malware by determining context information from attributes of the message. The attributes are determined by performing one or more of a static analysis of meta information of the message (e.g., delivery protocol attributes) to generate a first result; a dynamic analysis of an object contained in the message to generate a second result; and, in some embodiments, an emulation of the object to generate a third result. The first result, second result, and third result are correlated in accordance with one or more correlation rules to generate a threat index for the message. The threat index is compared with a predetermined threshold to determine whether the message should be classified as malware and, if so, an alert is generated.

Citations

23 Claims

1. A computerized method configured to analyze a message by a network device, comprising:
- determining context information comprising one or more combinations of attributes obtained by performing one or more analyses on information associated with the message, the one or more analyses comprises a first analysis of meta information of the message to generate a first set of attributes and at least a second analysis of an object that is part of the message to generate a second set of attributes, the second analysis being a different type of analysis than the first analysis;
  
  correlating attributes associated with the one or more analyses, including the first set of attributes and the second set of attributes, in accordance with one or more correlation rules so as to generate a threat index, the one or more correlation rules assigning a threat index value to a plurality of combinations of one or more attributes of the first set of attributes and one or more attributes of the second set of attributes; and
  
  generating an alert in response to determining that the threat index identifies the message is malicious, the alert being a displayed output.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 23)
- - 2. The computerized method of claim 1, wherein the one of more analysis further comprises a dynamic analysis of an object that is part of the message, the dynamic analysis comprises processing the object within a virtual machine and monitoring for one or more behaviors of the virtual machine, wherein the one or more behaviors being the second set of attributes.
  - 3. The computerized method of claim 1, wherein the one of more analysis further comprises a static analysis being configured to inspect the object for anomalous characteristics comprising any one of selected formatting and patterns associated with malware, the anomalous characteristics being the second set of attributes.
  - 4. The computerized method of claim 2, wherein the correlating attributes associated with the one or more analyses in accordance with the one or more correlation rules comprises correlating attributes from at least the first set of attributes and at least one of the second set of attributes or a third set of attributes generated by performing a static analysis that inspects the object for anomalous characteristics comprising any one of selected formatting and patterns associated with malware.
  - 5. The computerized method of claim 1, wherein the first analysis includes a static analysis of the meta information that comprises an analysis of a header field to determine a source of the message.
  - 6. The computerized method of claim 5, wherein the analysis of the header field further comprises conducting a handshaking communication session to determine that the message is associated with a malicious attack by verifying that a sender of the message belongs to a prescribed domain identified as a domain of the sender in the message.
  - 7. The computerized method of claim 6, wherein the handshaking communication session is performed by conducting the handshaking communication session based on information within a FROM field of the message.
  - 8. The computerized method of claim 1, wherein the one or more correlation rules are directed to detection of the first set of attributes in combination with attributes from at least one or more of (i) static analysis of an object included with the message, (ii) dynamic analysis of the object, and (iii) emulation of the processing of the object.
  - 9. The computerized method of claim 1, wherein the threat index comprises an association of one or more weighting factors to place higher probative likelihood of maliciousness with respect to a combination of attributes including the first set of attributes and the second set of attributes associated with at least one of (i) static analysis of an object included with the message, (ii) dynamic analysis of the object, and (iii) emulation of the processing of the object.
  - 10. The computerized method of claim 1, wherein in further response to determining that the threat index identifies that the message is malicious, the method further comprises:
    - uploading the message to a threat intelligence network;
      
      determining if the context information may be used to generate a static signature;
      
      generating the static signature;
      
      uploading the static signature to the threat intelligence network; and
      
      deploying the static signature to one or more network devices other than the network device.
  - 11. The computerized method of claim 1, wherein the message comprises an electronic mail message.
  - 23. The computerized method of claim 1, wherein the alert includes at least one of an email message, a text message, or a display screen image.

12. A system to detect malicious messages, comprising:
- one or more processors; and
  
  a storage module communicatively coupled to the one or more processors, the storage module includinglogic to determine context information comprising one or more combinations of attributes obtained by performing one or more analyses on information associated with the message, the logic comprises a meta analyzer to analysis of meta information of the message to generate a first set of attributes and an object analyzer to analyze an object being part of the message to generate a second set of attributes, the second analysis being a different type of analysis than the first analysis,correlation logic to correlate attributes associated with the one or more analyses, including the first set of attributes and the second set of attributes, in accordance with one or more correlation rules so as to generate a threat index, the one or more correlation rules assigning a threat index value to a plurality of combinations of one or more of the first set of attributes and one or more of the second set of attributes; and
  
  classification logic to determine whether the threat index identifies that the message is malicious, andgenerate an alert in response to determining that the threat index identifies the message is malicious, the alert being a displayed output.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein the logic performing the one of more analysis comprises a dynamic analysis engine that is configured to process the object within a virtual machine and monitor for one or more behaviors of the virtual machine, wherein the one or more behaviors being the second set of attributes.
  - 14. The system of claim 12, wherein the logic performing the one of more analysis further comprises a static analysis engine that is configured to inspect the object for anomalous characteristics comprising selected formatting and patterns associated with malware, the anomalous characteristics being the second set of attributes.
  - 15. The system of claim 13, wherein the correlation logic to correlate attributes associated with the one or more analyses in accordance with the one or more correlation rules, the correlated attributes include at least the first set of attributes and at least one of the second set of attributes or a third set of attributes generated by performing a static analysis by the object analyzer that inspects the object for anomalous characteristics comprising any one of selected formatting and patterns associated with malware.
  - 16. The system of claim 12, wherein the meta analyzer analyzes a header field to determine a source of the message.
  - 17. The system of claim 16, wherein the meta analyzer further conducts a handshaking communication session to determine that the message is associated with a malicious attack by verifying that a sender of the message belongs to a prescribed domain identified as a domain of the sender in the message.
  - 18. The system of claim 17, wherein the handshaking communication session is performed by conducting the handshaking communication session based on information within a FROM field of the message.
  - 19. The system of claim 12, wherein the one or more correlation rules are directed to detection of the first set of attributes in combination with the second set of attributes from at least one or more of (i) static analysis of the object included with the message, (ii) dynamic analysis of the object, and (iii) emulation of the processing of the object.
  - 20. The system of claim 12, wherein the threat index comprises an association of one or more weighting factors to place higher probative likelihood of maliciousness with respect to a combination of attributes including the first set of attributes and the second set of attributes associated with at least one of (i) static analysis of the object included with the message, (ii) dynamic analysis of the object, and (iii) emulation of the processing of the object.
  - 21. The system of claim 12 further comprises logic to:
    - upload the message to a threat intelligence network;
      
      determine if the context information may be used to generate a static signature;
      
      generate the static signature;
      
      upload the static signature to the threat intelligence network; and
      
      deploy the static signature to one or more network devices other than the network device.
  - 22. The system of claim 14, wherein the message comprises an electronic mail message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Singh, Abhishek
Primary Examiner(s)
Avery, Jeremiah

Application Number

US14/985,266
Time in Patent Office

958 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

Malicious message analysis system

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Malicious message analysis system

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links