Correlation and consolidation of analytic data for holistic view of malware attack
First Claim
1. An electronic device for detecting and providing a holistic view of a malware attack across a plurality of networked electronic devices, the electronic device comprising:
a processor; and
a storage device communicatively coupled to the processor, the storage device comprises correlation logic being processed by the processor, the correlation logic to detect relationships between one or more analysis attributes including at least (i) a first analysis attribute received from a first electronic device of the plurality of networked electronic devices remotely located from the electronic device, and (ii) a second analysis attribute received from a second electronic device of the plurality of networked electronic devices remotely located from the electronic device, wherein the first analysis attribute being data representative of a first anomalous behavior detected during processing of a first network content within a first virtual machine and the second analysis attribute being data representative of a second anomalous behavior, consolidation logic being processed by the processor, the consolidation logic to consolidate one or more input attributes associated with at least the first analysis attribute and the second analysis attribute in response to detected similarities between the first analysis attribute and the second analysis attribute, and display logic being processed by the processor, the display logic to generate display information including the consolidated one or more input attributes.
Abstract
In communication with security appliances, an electronic device for providing a holistic view of a malware attack is described. The electronic device features one or more processors and a storage device. The storage device includes aggregation logic, correlation logic, consolidation logic, and display logic. The aggregation logic is configured to receive input attributes and analysis attributes from each of the security appliances. The correlation logic attempts to find relationships between the analysis attributes provided by the security appliances. The consolidation logic consolidates the input attributes associated with at least (i) a first analysis attribute from a first security appliance and (ii) a second analysis attribute from a second security appliance, in response to the first analysis attribute corresponding to the second analysis attribute. The display logic generates display information including the consolidated input attributes.
20 Claims
1. An electronic device for detecting and providing a holistic view of a malware attack across a plurality of networked electronic devices, the electronic device comprising:
a processor; and a storage device communicatively coupled to the processor, the storage device comprises correlation logic being processed by the processor, the correlation logic to detect relationships between one or more analysis attributes including at least (i) a first analysis attribute received from a first electronic device of the plurality of networked electronic devices remotely located from the electronic device, and (ii) a second analysis attribute received from a second electronic device of the plurality of networked electronic devices remotely located from the electronic device, wherein the first analysis attribute being data representative of a first anomalous behavior detected during processing of a first network content within a first virtual machine and the second analysis attribute being data representative of a second anomalous behavior, consolidation logic being processed by the processor, the consolidation logic to consolidate one or more input attributes associated with at least the first analysis attribute and the second analysis attribute in response to detected similarities between the first analysis attribute and the second analysis attribute, and display logic being processed by the processor, the display logic to generate display information including the consolidated one or more input attributes. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
12. A method for providing a holistic view of a malware attack, comprising:
receiving analytic data from each of a plurality of electronic devices, the analytic data comprises one or more input attributes being information used in routing of suspicious network content over a network and one or more analysis attributes being a portion of the suspicious network content; detecting relationships between one or more analysis attributes including at least (i) a first analysis attribute received from a first electronic device of the plurality of electronic devices and (ii) a second analysis attribute from a second electronic device of the plurality of electronic devices, wherein the first analysis attribute is data representative of a first anomalous behavior detected during processing of a first network content within a virtual machine of the first electronic device and the second analysis attribute is data representative of a second anomalous behavior detected during processing of a second network content within a virtual machine of the second electronic device; consolidating the one or more input attributes associated with at least the first analysis attribute and the second analysis attribute in response to a detected relationship between the first analysis attribute and the second analysis attribute; and generating display information including the consolidated one or more input attributes. - View Dependent Claims (13, 14, 15, 16)
17. A method for providing a holistic view of a malware attack, comprising:
receiving analytic data from each of a plurality of electronic devices, the analytic data comprises at least analysis attributes from a first electronic device and analysis attributes from a second electronic device; comparing the analysis attributes from the first electronic device to the analysis attributes from the second electronic device, wherein the analysis attributes from the first electronic device are data representative of a first anomalous behavior detected during processing of a first network content within a virtual machine of the first electronic device and the analysis attributes from the second electronic device are data representative of a second anomalous behavior detected during processing of a second network content within a virtual machine of the second electronic device; responsive to a first analysis attribute of the analysis attributes from the first electronic device matching a second analysis attribute of the analysis attributes from the second electronic device, consolidating one or more input attributes associated with the first analysis attribute and the second analysis attribute; and generating display information including the consolidated one or more input attributes. - View Dependent Claims (18, 19, 20)
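The aggregation, correlation, consolidation and display pipeline described in the abstract and in the method steps of claims 12 and 17, worked through as an added Python example. This is illustration code written for this page, not code from the patent or from any product it covers. The match rule (two reports from different appliances are related when their VM-observed behaviors overlap in at least two entries), the transitive grouping of related reports, the attribute names (`src`, `dst`, `url`, `seen_at`), the appliance identifiers and every sample report are assumptions constructed for the example; the claims fix none of them.

```python
"""Correlate and consolidate analytic data reported by several sandbox appliances.
Each report carries input attributes (routing information for the suspicious
content) and analysis attributes (anomalous behaviors seen while that content
ran inside the reporting appliance's VM). All names and data are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Behavior:
    """One analysis attribute: an anomalous behavior observed inside the appliance VM."""
    kind: str    # e.g. "outbound_connect", "process_spawn", "registry_write"
    target: str  # the object acted on: address, command line, registry key, path


@dataclass
class Report:
    """Analytic data from one appliance about one piece of suspicious content."""
    appliance: str                       # reporting appliance (assumed identifier)
    input_attrs: Dict[str, str]          # routing information: src, dst, url, seen_at (ISO 8601)
    analysis_attrs: FrozenSet[Behavior]  # anomalous behaviors observed in the VM


C2 = Behavior("outbound_connect", "203.0.113.5:443")
SPAWN = Behavior("process_spawn", "cmd.exe /c powershell -w hidden")
RUNKEY = Behavior("registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updsvc")
DROP = Behavior("file_drop", r"C:\Users\Public\updsvc.exe")

# Constructed sample reports: three appliances each see part of one campaign;
# the fourth report is unrelated activity on the first appliance.
REPORTS: List[Report] = [
    Report("appliance-east", {"src": "198.51.100.7", "dst": "10.0.1.20",
           "url": "http://cdn.example.test/invoice.doc", "seen_at": "2024-03-01T09:12:00Z"},
           frozenset({C2, SPAWN, RUNKEY})),
    Report("appliance-west", {"src": "198.51.100.7", "dst": "10.0.2.44",
           "url": "http://cdn.example.test/invoice.doc", "seen_at": "2024-03-01T09:15:00Z"},
           frozenset({C2, SPAWN, DROP})),
    Report("appliance-central", {"src": "198.51.100.9", "dst": "10.0.3.8",
           "url": "http://cdn.example.test/invoice2.doc", "seen_at": "2024-03-01T09:40:00Z"},
           frozenset({C2, DROP})),
    Report("appliance-east", {"src": "192.0.2.33", "dst": "10.0.1.21",
           "url": "http://other.example.test/game.exe", "seen_at": "2024-03-01T10:02:00Z"},
           frozenset({Behavior("outbound_connect", "192.0.2.200:8080"),
                      Behavior("process_spawn", "cmd.exe /c whoami")})),
]


def correlate(reports: List[Report], min_shared: int = 2) -> List[Tuple[int, int, FrozenSet[Behavior]]]:
    """Correlation logic: pairs of reports from *different* appliances whose analysis
    attributes overlap in at least `min_shared` behaviors (assumed match rule)."""
    related = []
    for i in range(len(reports)):
        for j in range(i + 1, len(reports)):
            a, b = reports[i], reports[j]
            if a.appliance == b.appliance:
                continue  # only cross-appliance relationships build the holistic view
            shared = a.analysis_attrs & b.analysis_attrs
            if len(shared) >= min_shared:
                related.append((i, j, shared))
    return related


def consolidate(reports: List[Report], min_shared: int = 2) -> List[Dict[str, object]]:
    """Consolidation logic: group transitively related reports (union-find) and
    merge their input attributes into one record per detected attack."""
    parent = list(range(len(reports)))

    def find(x: int) -> int:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for i, j, _ in correlate(reports, min_shared):
        parent[find(i)] = find(j)

    groups: Dict[int, List[Report]] = {}
    for idx, r in enumerate(reports):
        groups.setdefault(find(idx), []).append(r)

    views = []
    for members in groups.values():
        if len(members) < 2:
            continue  # no cross-appliance relationship: nothing to consolidate
        behaviors = [m.analysis_attrs for m in members]
        views.append({
            "appliances": sorted({m.appliance for m in members}),
            "sources": sorted({m.input_attrs["src"] for m in members}),
            "destinations": sorted({m.input_attrs["dst"] for m in members}),
            "urls": sorted({m.input_attrs["url"] for m in members}),
            "first_seen": min(m.input_attrs["seen_at"] for m in members),  # ISO strings sort chronologically
            "last_seen": max(m.input_attrs["seen_at"] for m in members),
            "common_behaviors": sorted((b.kind, b.target) for b in frozenset.intersection(*behaviors)),
            "all_behaviors": sorted((b.kind, b.target) for b in frozenset.union(*behaviors)),
        })
    return sorted(views, key=lambda v: v["first_seen"])


def render(views: List[Dict[str, object]]) -> str:
    """Display logic: one text block per consolidated attack."""
    lines = []
    for n, v in enumerate(views, 1):
        lines.append(f"Attack {n}: {len(v['appliances'])} appliances, {v['first_seen']} to {v['last_seen']}")
        for key in ("appliances", "sources", "destinations", "urls"):
            lines.append(f"  {key}: " + ", ".join(v[key]))
        lines.append("  common behaviors: " + "; ".join(f"{k} -> {t}" for k, t in v["common_behaviors"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(consolidate(REPORTS)))
```

With the sample reports, the east and west appliances are related directly (two shared behaviors) and the central appliance is pulled into the same group through its overlap with west, so the consolidated record lists all three appliances, both source addresses and the three destinations, while the unrelated fourth report stays out. Raising `min_shared` to 3 yields no relationships and therefore no consolidated view; the threshold, like the transitive grouping, is a design choice the claims leave open.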