Correlation and consolidation of analytic data for holistic view of malware attack

US 10,122,746 B1
Filed: 05/01/2017
Issued: 11/06/2018
Est. Priority Date: 03/14/2013
Status: Active Grant

First Claim

Patent Images

1. An electronic device for detecting and providing a holistic view of a malware attack across a plurality of networked electronic devices, the electronic device comprising:

a processor; and

a storage device communicatively coupled to the processor, the storage device comprisescorrelation logic being processed by the processor, the correlation logic to detect relationships between one or more analysis attributes including at least (i) a first analysis attribute received from a first electronic device of the plurality of networked electronic devices remotely located from the electronic device, and (ii) a second analysis attribute received from a second electronic device of the plurality of networked electronic devices remotely located from the electronic device, wherein the first analysis attribute being data representative of a first anomalous behavior detected during processing of a first network content within a first virtual machine and the second analysis attribute being data representative of a second anomalous behavior,consolidation logic being processed by the processor, the consolidation logic to consolidate one or more input attributes associated with at least the first analysis attribute and the second analysis attribute in response to detected similarities between the first analysis attribute and the second analysis attribute, anddisplay logic being processed by the processor, the display logic to generate display information including the consolidated one or more input attributes.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In communication with security appliances, an electronic device for providing a holistic view of a malware attack is described. The electronic device features one or more processors and a storage device. The storage device includes aggregation logic, correlation logic, consolidation logic, and display logic: The aggregation logic is configured to receive input attributes and analysis attributes from each of the security appliances. The correlation logic attempts to find relationships between analysis attributes provided from each security appliance. The consolidation logic receives at least (i) a first analysis attribute from a first security appliance and (ii) a second analysis attribute from a second security appliance in response to the first analysis attribute corresponding to the second analysis attribute. The display logic generates display information including the consolidated input attributes.

Citations

20 Claims

1. An electronic device for detecting and providing a holistic view of a malware attack across a plurality of networked electronic devices, the electronic device comprising:
- a processor; and
  
  a storage device communicatively coupled to the processor, the storage device comprisescorrelation logic being processed by the processor, the correlation logic to detect relationships between one or more analysis attributes including at least (i) a first analysis attribute received from a first electronic device of the plurality of networked electronic devices remotely located from the electronic device, and (ii) a second analysis attribute received from a second electronic device of the plurality of networked electronic devices remotely located from the electronic device, wherein the first analysis attribute being data representative of a first anomalous behavior detected during processing of a first network content within a first virtual machine and the second analysis attribute being data representative of a second anomalous behavior,consolidation logic being processed by the processor, the consolidation logic to consolidate one or more input attributes associated with at least the first analysis attribute and the second analysis attribute in response to detected similarities between the first analysis attribute and the second analysis attribute, anddisplay logic being processed by the processor, the display logic to generate display information including the consolidated one or more input attributes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The electronic device of claim 1, wherein the correlation logic to detect the relationships between the one or more analysis attributes provided from each of the plurality of networked electronic devices by at least identifying that the first network content including the first analysis attribute received from the first electronic device is the same as or related to a second network content including the second analysis attribute received from the second electronic device.
  - 3. The electronic device of claim 1, wherein the first analysis attribute comprises at least one of (i) information directed to a portion of the first network content that is analyzed for malware within the first electronic device and (ii) at least the first anomalous behavior observed during malware detection analysis of the information.
  - 4. The electronic device of claim 2 wherein the first network content includes an electronic mail message that is analyzed for malware by the first electronic device and the second network content includes network traffic that is analyzed for malware by the second electronic device.
  - 5. The electronic device of claim 1, wherein the one or more input attributes associated with the first analysis attribute comprises at least one of (i) information identifying a destination of the first network content and (ii) information identifying a source of the first network content.
  - 6. The electronic device of claim 1, wherein the correlation logic to find the relationships between at least the first analysis attribute and the second analysis attribute by at least comparing similarities between an artifact being part of the network content and a behavior observed during analysis of the artifact.
  - 7. The electronic device of claim 6, wherein artifact including a Uniform Resource Locator (URL) or a document while the observed behavior includes a registry change or a file change.
  - 8. The electronic device of claim 6, wherein the display logic, when executed by the processor, generates the display information that includes one or more images representing that the first analysis attribute detected by the first electronic device originated from the second network content analyzed by the second electronic device.
  - 9. The electronic device of claim 1 being communicatively coupled to the first electronic device operating as a web-based security appliance that inspects ingress data traffic and provides at least the first attribute to the electronic device based on an analysis of the ingress data traffic.
  - 10. The electronic device of claim 9 being communicatively coupled to the second electronic device operating as a communication-based security appliance that analyzes an incoming communication message and provides at least the second attribute to the electronic device, the incoming communication message includes an electronic mail message or a text message.
  - 11. The electronic device of claim 9 being communicatively coupled to the second electronic device operating as a storage-based security appliance that analyzes a file and provides at least the second attribute associated with the file to the electronic device.

12. A method for providing a holistic view of a malware attack, comprising:
- receiving analytic data from each of a plurality of electronic devices, the analytic data comprises one or more input attributes being information used in routing of suspicious network content over a network and one or more analysis attributes being a portion of the suspicious network content;
  
  detecting relationships between one or more analysis attributes including at least (i) a first analysis attribute received from a first electronic device of the plurality of electronic devices and (ii) a second analysis attribute from a second electronic device of the plurality of electronic devices, wherein the first analysis attribute is data representative of a first anomalous behavior detected during processing of a first network content within a virtual machine of the first electronic device and the second analysis attribute being data representative of a second anomalous behavior detecting during processing of a second network content within a virtual machine of the second electronic device;
  
  consolidating the one or more input attributes associated with at least the first analysis attribute and the second analysis attribute in response to a detected relationship between the first analysis attribute and the second analysis attribute; and
  
  generating display information including the consolidated one or more input attributes.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method of claim 12, wherein the display information further includes the first analysis attribute and the second analysis attribute.
  - 14. The method of claim 12, wherein the first analysis attribute comprises at least one of (i) information directed to a portion of the first network content that is analyzed for malware within the first electronic device and (ii) one or more anomalous behaviors including the first anomalous behavior observed during malware detection analysis of the information.
  - 15. The method of claim 14 wherein the network content includes an electronic mail message that is analyzed for malware by the first electronic device.
  - 16. The method of claim 12, wherein the detecting of the relationship between the first analysis attribute and the second analysis attribute comprises (i) conducting a hash operation on the first analysis attribute to produce a first hash value being the data representative of the first anomalous behavior, (ii) conducting a hash operation on the second analysis attribute to produce a second hash value being the data representative of the second anomalous behavior, and (iii) determining whether the first hash value matches the second hash value.

17. A method for providing a holistic view of a malware attack, comprising:
- receiving analytic data from each of a plurality of electronic devices, the analytic data comprises at least analysis attributes from a first electronic device and analysis attributes from a second electronic device;
  
  comparing the analysis attributes from the first electronic device to the analysis attributes from the second electronic device, wherein the analysis attributes from the first electronic device is data representative of a first anomalous behavior detected during processing of a first network content within a virtual machine of the first electronic device and the second analysis attribute being data representative of a second anomalous behavior detecting during processing of a second network content within a virtual machine of the second electronic device;
  
  responsive to a first analysis attribute of the analysis attributes from the first electronic device matching a second analysis attribute of the analysis attributes from the second electronic device, consolidating one or more input attributes associated with the first analysis attribute and the second analysis attribute; and
  
  generating display information including the consolidated one or more input attributes.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein the first analysis attribute matches the second analysis attribute when a hash value produced from the first analysis attribute matches a hash value produced from the second analysis attribute.
  - 19. The method of claim 17, wherein the first analysis attribute matches the second analysis attribute when content associated with the first analysis attribute is identical to content associated with the second analysis attribute.
  - 20. The method of claim 17, wherein the first analysis attribute comprises at least one of (i) information directed to a portion of network content that is analyzed for malware within the first electronic device and (ii) one or more anomalous behaviors observed during malware detection analysis of the information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Manni, Jayaraman, Eun, Philip, Berrow, Michael M.
Primary Examiner(s)
Mehrmanesh, Amir

Application Number

US15/583,725
Time in Patent Office

554 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1483   service impersonation, e.g....

Correlation and consolidation of analytic data for holistic view of malware attack

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Correlation and consolidation of analytic data for holistic view of malware attack

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links