Zero-day discovery system

US 10,133,863 B2
Filed: 06/24/2013
Issued: 11/20/2018
Est. Priority Date: 06/24/2013
Status: Active Grant

First Claim

Patent Images

1. A method for determining a zero-day attack by an electronic device, comprising:

determining a plurality of fortified software profiles for use in instantiating a plurality of virtual machines based on information associated with an exploit;

instantiating, by the electronic device, a first virtual machine of the plurality of virtual machines based on a first fortified software profile of the plurality of fortified software profiles and a second virtual machine of the plurality of virtual machines based on a second fortified software profile of the plurality of fortified software profiles that is different from the first fortified software profile, the first fortified software profile includes an operating system and an application and the second fortified software profile includes an update of the operating system or an update of the application;

processing content associated with the exploit on both the first virtual machine and the second virtual machine, the processing of the content being performed concurrently in which one or more of operations performed by the first virtual machine at least partially overlaps in time one or more operations performed by the second virtual machine;

determining, by the electronic device, undesired behaviors during the processing of the content associated with the exploit on both the first virtual machine and the second virtual machine;

weighting, by the electronic device, each of the undesired behaviors, determined during the processing of the content associated with the exploit, to obtain a weighted value; and

determining, by the electronic device, that the exploit is associated with the zero-day attack responsive to the weighted value exceeds a threshold value.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for determining a zero-day attack by an electronic device is described. According to one embodiment, the method comprises instantiating, by the electronic device, at least one virtual machine, the at least one virtual machine being based on a fortified software profile. The method further comprises executing content capable of behaving as an exploit on the at least one virtual machine, and determining that the exploit is associated with zero-day exploit when the exploit, upon execution of the content on the at least one virtual machine, performs an undesired behavior.

657 Citations

44 Claims

1. A method for determining a zero-day attack by an electronic device, comprising:
- determining a plurality of fortified software profiles for use in instantiating a plurality of virtual machines based on information associated with an exploit;
  
  instantiating, by the electronic device, a first virtual machine of the plurality of virtual machines based on a first fortified software profile of the plurality of fortified software profiles and a second virtual machine of the plurality of virtual machines based on a second fortified software profile of the plurality of fortified software profiles that is different from the first fortified software profile, the first fortified software profile includes an operating system and an application and the second fortified software profile includes an update of the operating system or an update of the application;
  
  processing content associated with the exploit on both the first virtual machine and the second virtual machine, the processing of the content being performed concurrently in which one or more of operations performed by the first virtual machine at least partially overlaps in time one or more operations performed by the second virtual machine;
  
  determining, by the electronic device, undesired behaviors during the processing of the content associated with the exploit on both the first virtual machine and the second virtual machine;
  
  weighting, by the electronic device, each of the undesired behaviors, determined during the processing of the content associated with the exploit, to obtain a weighted value; and
  
  determining, by the electronic device, that the exploit is associated with the zero-day attack responsive to the weighted value exceeds a threshold value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein prior to instantiating the first virtual machine based on the first fortified software profile, the method further comprisesinstantiating, by the electronic device, at least a third virtual machine based on a vulnerable software profile;
    - processing suspicious content on at least the third virtual machine;
      
      determining one or more exploits including the exploit if the suspicious content, upon execution within the third virtual machine, performs an undesired behavior.
  - 3. The method of claim 2, wherein the second fortified software profile identifying at least the application updated with one or more security patches to address known, detected exploits targeted for the application, the one or more security patches being more recent than one or more security patches for at least the application associated with the first fortified software profile.
  - 4. The method of claim 3, wherein the vulnerable software profile identifying the operating system or the application without security patches to address the known, detected exploits.
  - 5. The method of claim 3, wherein at least the second fortified software profile identifying a type of the operating system and a version number of the operating system.
  - 6. The method of claim 5, wherein at least the second fortified software profile further identifying one or more applications and a version number for each of the one or more applications.
  - 7. The method of claim 1, wherein the determining of the plurality of fortified software profiles comprises using attributes of the exploit by the electronic device to formulate software profile information that is used by logic within the electronic device for selecting the first fortified software profile and the second fortified software profile.
  - 8. The method of claim 1, wherein the update of the application in the second fortified software profile includes one or more security patches to address known, detected exploits targeted for the application.
  - 9. The method of claim 1, wherein the first fortified software profile includes a first version of the operating system or a first version of the application and the second fortified software profile identifying a most recent version of the operating system updated to address known, detected exploits targeted for the operating system or a most recent version of the application updated to address known, detected exploits targeted for the application.
  - 10. The method of claim 1, wherein the first virtual machine being based on the first fortified software profile associated with at least a first version of the operating system upgraded with one or more security patches directed to known exploits and the second virtual machine being based on the second fortified software profile associated with at least a second version of the operating system upgraded to address vulnerabilities exploited by the known exploits.
  - 11. The method of claim 1, wherein the first fortified software profile includes at least one of the operating system or the application to which a security patch has been applied to address a vulnerability to a malicious attack.
  - 12. The method of claim 1, wherein the weighting of each of the undesired behaviors is based on a likelihood of each of the undesired behaviors being associated with a system compromise.
  - 13. The method of claim 1, wherein the determining that the exploit is associated with the zero-day attack comprises detecting (i) the weighted value associated with undesired behaviors during the processing of the content associated with the exploit on the first virtual machine exceeds the threshold value and (ii) the weighted value associated with undesired behaviors during the processing of the content associated with the exploit on the second virtual machine exceeds the threshold value.
  - 14. The method of claim 1, wherein the weighting of each of the undesired behaviors is assigned based on a likelihood of the electronic device being compromised upon detecting the each of the undesired behaviors.

15. An electronic device, comprising:
- a communication interface logic adapted to receive incoming content; and
  
  one or more hardware processors in communication with the communication interface logic, the one or more hardware processors to(i) determine a plurality of fortified software profiles for use in instantiating one or more virtual machines based on information associated with an exploit,(ii) instantiate at least a first virtual machine of the one or more virtual machines based on a fortified software profile of the plurality of fortified software profiles and a second virtual machine of the one or more virtual machines based on a software profile different than the fortified software profile, wherein the software profile includes an operating system and one or more applications and the fortified software profile includes an update of the operating system or an update of the one or more applications;
  
  (iii) control execution of content associated with the exploit on the first virtual machine and the second virtual machine, the execution of the content associated with the exploit being performed concurrently in which one or more of operations performed by the first virtual machine at least partially overlaps in time one or more operations performed by the second virtual machine;
  
  (iv) determining undesired behaviors caused by the execution of the content associated with the exploit on both the first virtual machine and the second virtual machine;
  
  (v) weighting each of the undesired behaviors, determined during the execution of the content associated with the exploit, to obtain a weighted value; and
  
  (vi) determining that the exploit is associated with a zero-day attack responsive to the weighted value exceeds a threshold value.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 16. The electronic device of claim 15, wherein the one or more hardware processors further instantiating a third virtual machine based on a vulnerable software profile, processing suspicious content on the third virtual machine, determining a presence of the exploit if the suspicious content, upon execution within the third virtual machine, performs an undesired behavior, and providing the content associated with the exploit to the first virtual machine and the second virtual machine.
  - 17. The electronic device of claim 16, wherein the fortified software profile identifying at least one of (i) at least the one or more applications updated with one or more security patches to address known, detected exploits targeted for the one or more applications and (ii) a most recent version of the one or more applications updated to address known, detected exploits targeted for the one or more applications.
  - 18. The electronic device of claim 17, wherein the fortified software profile identifying a type of the operating system and a version number of the operating system.
  - 19. The electronic device of claim 18, wherein the fortified software profile further identifying the one or more applications and a version number for each of the one or more applications.
  - 20. The electronic device of claim 17, wherein the vulnerable software profile identifying the operating system or the one or more applications without security patches to address known, detected exploits.
  - 21. The electronic device of claim 15, wherein the incoming content is the content associated with the exploit.
  - 22. The electronic device of claim 15, wherein the fortified software profile identifying either (a) a most recent version of the operating system updated to address known exploits targeted for the operating system and a most recent version of the one or more applications updated to address known exploits targeted for the one or more applications or (b) the operating system updated with one or more security patches to address already known exploits targeted for the operating system and the one or more applications updated with one or more security patches to address already known exploits targeted for the one or more applications.
  - 23. The electronic device of claim 15, wherein the one or more hardware processors instantiating at least (1) the first virtual machine based on the fortified software profile associated with a first version of the operating system upgraded to address vulnerabilities exploited by previously known exploits and (2) the second virtual machine based on the software profile associated with a second version of the operating system upgraded to address vulnerabilities exploited by the previously known exploits.
  - 24. The electronic device of claim 15, wherein the one or more hardware processors instantiating at least (a) the first virtual machine based on the fortified software profile associated with a first version of the one or more applications updated to address a first group of known exploits targeted for the one or more applications and (b) the second virtual machine based on the software profile associated with a second version of the one or more applications that is updated to address a second group of known exploits targeted for the one or more applications, the first group of known exploits being a subset of the second group of known exploits.
  - 25. The electronic device of claim 15, wherein the one or more hardware processors further producing a security signature for subsequent detection of the exploit associated with the zero-day attack, the security signature includes at least one of a binary of the exploit and information associated with the undesired behaviors.
  - 26. The electronic device of claim 15, wherein the fortified software profile includes at least one of (i) the update of the operating system including the operating system to which a security patch has been applied to address a vulnerability of the operating system to a malicious attack or (ii) the update of the one or more applications including the one or more applications to which a security patch has been applied to address a vulnerability of the one or more applications to a malicious attack.
  - 27. The electronic device of claim 15, wherein the weighting of each of the undesired behaviors is based on a likelihood of each of the undesired behaviors being associated with a system compromise.
  - 28. The electronic device of claim 15, wherein the determining that the exploit is associated with the zero-day attack comprises detecting (i) the weighted value associated with undesired behaviors during the processing of the content associated with the exploit on the first virtual machine exceeds the threshold value and (ii) the weighted value associated with undesired behaviors during the processing of the content associated with the exploit on the second virtual machine exceeds the threshold value.
  - 29. The electronic device of claim 15, wherein the one or more hardware processors being further configured to assign the weighting of each of the undesired behaviors based on a likelihood of the electronic device being compromised upon detecting the each of the undesired behaviors.
  - 30. The electronic device of claim 15, wherein the update of the operating system or the update of the one or more applications comprises a software patch being applied to the operating system or the one or more applications forming the fortified software profile.

31. A non-transitory storage medium to contain software that, when executed by one or more processors within an electronic device, performs operations comprising:
- receiving content associated with an exploit propagating over a transmission medium being part of a network;
  
  determining both a first software profile for a first virtual machine based on the content associated with the exploit and a second software profile for a second virtual machine based on the content associated with the exploit, the first software profile includes an operating system and at least one application and the second software profile includes an update of the operating system or an update of the at least one application;
  
  instantiating, by the one or more processors, the first virtual machine based on the first software profile;
  
  instantiating, by the one or more processors, the second virtual machine based on the second software profile;
  
  processing the content associated with the exploit on both the first virtual machine and the second virtual machine, the processing of the content associated with the exploit being performed concurrently in which one or more of operations performed by the first virtual machine at least partially overlaps in time one or more operations performed by the second virtual machine;
  
  determining, by the one or more processors, undesired behaviors during the processing of the content associated with the exploit on both the first virtual machine and the second virtual machine;
  
  weighting, by the one or more processors, each of the undesired behaviors determined during the processing of the content associated with the exploit, to obtain a weighted value; and
  
  determining that the exploit is associated with a zero-day attack responsive to the weighted value exceeds a threshold value.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39)
- - 32. The non-transitory storage medium of claim 31, wherein the first software profile and the second software profile identifying the at least one application updated with one or more security patches to address known exploits targeted for the at least one application.
  - 33. The non-transitory storage medium of claim 32, wherein the first software profile identifying the at least one application and the second software profile identifying the at least one application updated with one or more security patches to address known exploits targeted for the at least one application.
  - 34. The non-transitory storage medium of claim 31, wherein the first software profile is a version of the operating system or a first version of the at least one application and the second software profile identifying a most recent version of the operating system updated to address known exploits targeted for the operating system or a most recent version of the at least one application updated to address known exploits targeted for the at least one application.
  - 35. The non-transitory storage medium of claim 31, wherein the second software profile identifying the at least one application updated with one or more security patches to address known exploits targeted for the at least one application, the one or more security patches being more recent than one or more security patches for the at least one application associated with the first software profile.
  - 36. The non-transitory storage medium of claim 31, wherein the second software profile includes at least one of (i) the update of the operating system including the operating system to which a security patch has been applied to address a vulnerability of the operating system to a malicious attack or (ii) the update of the at least one application including the at least one application to which a security patch has been applied to address a vulnerability of the at least one application to a malicious attack.
  - 37. The non-transitory storage medium of claim 31, wherein the weighting of each of the undesired behaviors is based on a likelihood of each of the undesired behaviors being associated with a system compromise.
  - 38. The non-transitory storage medium of claim 31, wherein the determining that the exploit is associated with the zero-day attack comprises detecting (i) the weighted value associated with undesired behaviors during the processing of the content associated with the exploit on the first virtual machine exceeds the threshold value and (ii) the weighted value associated with undesired behaviors during the processing of the content associated with the exploit on the second virtual machine exceeds the threshold value.
  - 39. The non-transitory storage medium of claim 31, wherein the weighting of each of the undesired behaviors is assigned based on a likelihood of the electronic device being compromised upon detecting the each of the undesired behaviors.

40. A method for determining a zero-day attack by an electronic device, comprising:
- determining a plurality of fortified software profiles for use in instantiating one or more virtual machines based on information associated with an exploit;
  
  instantiating, by the electronic device, a first virtual machine of the one or more virtual machines based on a first fortified software profile of the plurality of fortified software profiles that includes an update of an operating system and an update of at least one application and a second virtual machine of the one or more of virtual machines based on a second fortified software profile of the plurality of fortified software profiles that is different from the first fortified software profile and the second fortified software profile includes an update of the updated operating system of the first fortified software profile or an update of the updated application of the first fortified software profile;
  
  processing content associated with the exploit on both the first virtual machine and the second virtual machine, the processing of the content associated with the exploit being performed concurrently in which one or more of operations performed by the first virtual machine at least partially overlaps in time one or more operations performed by the second virtual machine;
  
  determining, by the electronic device, undesired behaviors during the processing of the content associated with the exploit on both the first virtual machine and the second virtual machineweighting, by the electronic device, each of the undesired behaviors determined during the processing of the content associated with the exploit, to obtain a weighted value; and
  
  determining, by the electronic device, that the exploit is associated with the zero-day attack responsive to the weighted value exceeds a threshold value.
- View Dependent Claims (41, 42, 43, 44)
- - 41. The method of claim 40, wherein the first fortified software profile includes at least one of (i) the update of the operating system including the operating system to which a security patch has been applied to address a vulnerability of the operating system to a malicious attack or (ii) the update of the at least one application including the at least one application to which a security patch has been applied to address a vulnerability of the at least one application to a malicious attack.
  - 42. The method of claim 40, wherein the weighting of each of the undesired behaviors is based on a likelihood of each of the undesired behaviors being associated with a system compromise.
  - 43. The method of claim 40, wherein the determining that the exploit is associated with the zero-day attack comprises detecting (i) the weighted value associated with undesired behaviors during the processing of the content associated with the exploit on the first virtual machine exceeds the threshold value and (ii) the weighted value associated with undesired behaviors during the processing of the content associated with the exploit on the second virtual machine exceeds the threshold value.
  - 44. The method of claim 40, wherein the weighting of each of the undesired behaviors is assigned based on a likelihood of the electronic device being compromised upon detecting the each of the undesired behaviors.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Bu, Zheng, Lin, Yichong
Primary Examiner(s)
Nguyen, Trong H

Application Number

US13/925,688
Publication Number

US 20140380473A1
Time in Patent Office

1,975 Days
Field of Search

726 22- 25
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

Zero-day discovery system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

657 Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Zero-day discovery system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

657 Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links