Malware and exploit campaign detection system and method

US 10,084,817 B2
Filed: 09/10/2014
Issued: 09/25/2018
Est. Priority Date: 09/11/2013
Status: Active Grant

First Claim

Patent Images

1. A malware and exploit campaign detection system, comprising:

a plurality of computer systems;

a capture stack that is configured to issue a uniform resource locator to each computer system to download a piece of malicious code;

a replay stack that is configured to test the piece of malicious code in a live environment and generate data about the replay of the piece of malicious code;

a proxy stack that is configured to perform testing of the piece of malicious code without accessing the uniform resource locator, wherein the testing includes a formulation of remote parameters of an original malicious website, pulling and reassembling the archive of the original malicious website, unpacking the archive, and launching a fully-functional copy of the original malicious website; and

a master hypervisor controller that controls the capture stack, the replay stack and the proxy stack.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A malware and exploit campaign detection system and method are provided that cannot be detected by the malware or exploit campaign. The system may provide threat feed data to the vendors that produce in-line network security and end point protection (anti virus) technologies. The system may also be used as a testing platform for 3^rdparty products. Due to the massive footprint of the system'"'"'s cloud infrastructure and disparate network connections and geo-location obfuscation techniques, NSS can locate and monitor malware across the globe and provide detailed threat analysis for each specific region, as they often support and host different malware/cybercrime campaigns.

98 Citations

View as Search Results

14 Claims

1. A malware and exploit campaign detection system, comprising:
- a plurality of computer systems;
  
  a capture stack that is configured to issue a uniform resource locator to each computer system to download a piece of malicious code;
  
  a replay stack that is configured to test the piece of malicious code in a live environment and generate data about the replay of the piece of malicious code;
  
  a proxy stack that is configured to perform testing of the piece of malicious code without accessing the uniform resource locator, wherein the testing includes a formulation of remote parameters of an original malicious website, pulling and reassembling the archive of the original malicious website, unpacking the archive, and launching a fully-functional copy of the original malicious website; and
  
  a master hypervisor controller that controls the capture stack, the replay stack and the proxy stack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the capture stack, the replay stack and the proxy stack run in parallel.
  - 3. The system of claim 1 further comprising a zero day module that identifies zero day attacks.
  - 4. The system of claim 1 further comprising Structured Query Language (SQL) servers configured to store data of the computer system.
  - 5. The system of claim 1 further comprising a transfer server.
  - 6. The system of claim 1, wherein the capture stack is configured to create a copy of the piece of malicious code and catalogs operating system changes caused by the piece of malicious code.
  - 7. The system of claim 1, wherein the capture stack is configured to capture communications with the plurality of computer systems.
  - 8. The system of claim 1, wherein each stack is one or more server computers.
  - 9. The system of claim 8, wherein each stack has a virtual machine.

10. A malware and exploit campaign detection method, method comprising:
- providing a plurality of computer systems;
  
  executing a capturing process, wherein the capturing process issues a uniform resource locator to each computer system to download a piece of malicious code;
  
  executing a replay process, wherein the replay process tests the piece of malicious code in a live environment and generates data about the replay process of the piece of malicious code;
  
  executing a proxying process, the proxying process performs testing of the piece of malicious code without accessing the uniform resource locator, wherein the proxying process includes a formulation of remote parameters of an original malicious website, pulling and reassembling the archive of the original malicious website, unpacking the archive, and launching a fully-functional copy of the original malicious website; and
  
  controlling, using a master hypervisor controller, the capture process, the replay process and the proxy process.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10 further comprising executing the capture process, the replay process and the proxy process in parallel.
  - 12. The method of claim 10 further comprising identifying, using a zero day module, zero day attacks.
  - 13. The method of claim 10, wherein executing the capturing process further comprises creating a copy of the piece of malicious code and cataloging operating system changes caused by the piece of malicious code.
  - 14. The method of claim 10, wherein executing the capturing process further comprises capturing communications with the plurality of computer systems.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NSS Labs, Inc.
Original Assignee
NSS Labs, Inc.
Inventors
Saher, Mohamed, Pathak, Jayendra
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Bucknor, Olanrewaju J.

Application Number

US14/482,696
Publication Number

US 20150074810A1
Time in Patent Office

1,476 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/0272   Virtual private networks

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1466   Active attacks involving in...

H04L 63/1491   using deception as counterm...

Malware and exploit campaign detection system and method

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

98 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Malware and exploit campaign detection system and method

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

98 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links