System and method for threat detection and identification

US 10,284,574 B1
Filed: 10/31/2014
Issued: 05/07/2019
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A digital device for detecting malware, comprising:

one or more processors; and

a memory coupled to the one or more processors, the memory comprises a controller that includesa heuristic module that, when executed by the one or more processors, identifies data associated with input data received by the digital device from one or more untrusted sources, the identified data associated with the input data includes at least one of (i) data within the input data or (ii) data derived from at least a portion of the input data,one or more software modules that, when executed by the one or more processors, (i) monitors information during processing of the identified data within a virtual machine, (ii) determines whether the monitored information occurring during the processing of the identified data within the virtual machine constitutes an unauthorized activity being a redirection in control flow through modification of information during processing of the identified data by the virtual machine, (iii) generates one or more unauthorized activity signatures based on the unauthorized activity, and (iv) transmits the one or more unauthorized activity signatures to a controller implemented at another digital device for use in identifying and blocking a malware attack without applying at least replaying transmission of at least a copy of the input data.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Exemplary systems and methods for malware attack detection and identification are provided. A malware detection and identification system a controller that features an analysis environment including a virtual machine. The analysis environment to (1) receive data by the virtual machine of the analysis environment and identify a portion of the data that have been received from one or more untrusted, (2) monitor state information associated with the identified portion of the data during execution by the virtual machine, (3) identify an outcome of the state information by tracking the state information during execution of the identified portion of the data by the virtual machine, and (4) determine whether the identified outcome comprises a redirection in control flow during execution by the virtual machine of the portion of the data, the redirection in the control flow constituting an unauthorized activity.

543 Citations

29 Claims

1. A digital device for detecting malware, comprising:
- one or more processors; and
  
  a memory coupled to the one or more processors, the memory comprises a controller that includesa heuristic module that, when executed by the one or more processors, identifies data associated with input data received by the digital device from one or more untrusted sources, the identified data associated with the input data includes at least one of (i) data within the input data or (ii) data derived from at least a portion of the input data,one or more software modules that, when executed by the one or more processors, (i) monitors information during processing of the identified data within a virtual machine, (ii) determines whether the monitored information occurring during the processing of the identified data within the virtual machine constitutes an unauthorized activity being a redirection in control flow through modification of information during processing of the identified data by the virtual machine, (iii) generates one or more unauthorized activity signatures based on the unauthorized activity, and (iv) transmits the one or more unauthorized activity signatures to a controller implemented at another digital device for use in identifying and blocking a malware attack without applying at least replaying transmission of at least a copy of the input data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The digital device of claim 1, wherein the controller, when executed by the one or more processors, is further configured to analyze the identified data with a heuristic to determine if the identified data is suspicious prior to the identified data being provided to the virtual machine.
  - 3. The digital device of claim 1, wherein the controller, when executed by the one or more processors, is further configured to generate the one or more unauthorized activity signatures based on whether the monitored information corresponds to the redirection in control flow.
  - 4. The digital device of claim 3 being communicatively coupled to a router and the controller to transmit the one or more unauthorized activity signatures to the router for use by the router in blocking a propagation of malware through network data being transmitted subsequent to the input data.
  - 5. The digital device of claim 4, wherein the one or more unauthorized activity signatures transmitted by the controller to the router comprises a binary code pattern.
  - 6. The digital device of claim 1, wherein the input data is network data and the information includes either (i) a return address, or (ii) a pointer, or (iii) a pointer offset.
  - 7. The digital device of claim 6, wherein the one or more unauthorized activity signatures is utilized to block a malware attack payload within network data received subsequent to the input data.
  - 8. The digital device of claim 6, wherein the one or more unauthorized activity signatures is utilized to block a class of malware attacks.
  - 9. The digital device of claim 6, wherein the determining whether the monitored information constitutes the unauthorized activity comprises determining if an outcome of the execution of at least the portion of the identified data and the response produced by the virtual machine causes redirection of control through an access to a memory location containing the network data.
  - 10. The digital device of claim 1, wherein the determining whether the monitored information constitutes the unauthorized activity comprises determining if an outcome of the execution of at least the portion of the identified data and the response produced by the virtual machine causes redirection of control through an attack that alters a jump target.
  - 11. The digital device of claim 10, wherein the attack that alters the jump target includes an attempt to overwrite a return address operating as the jump target.
  - 12. The digital device of claim 10, wherein the attack that alters the jump target includes an attempt to overwrite either (i) a function pointer operating as the jump target or (ii) a function pointer offset operating as the jump target.
  - 13. The digital device of claim 1, wherein the controller further comprises a heuristic module that identifies the data associated with input data received by the digital device as suspicious prior to analysis by the virtual machine.
  - 14. The digital device of claim 1, wherein the modification of the information during processing of the identified data includes altering jump targets including return addresses.
  - 15. The digital device of claim 1, wherein the modification of the information during processing of the identified data includes altering one or more function pointers.
  - 16. The digital device of claim 1, wherein the modification of the information during processing of the identified data includes altering one or more function pointer offsets.
  - 17. The digital device of claim 1, wherein the unauthorized activity includes unauthorized or illegal computer activity.
  - 18. The digital device of claim 1, wherein the unauthorized activity includes an activity associated with malware.
  - 19. The digital device of claim 1, wherein the one or more unauthorized activity signatures is utilized to block a malware attack payload within network data received subsequent to the input data.
  - 20. The digital device of claim 1, wherein the one or more unauthorized activity signatures is utilized to block a class of malware attacks.

21. A malware detection and identification method, comprising:
- identifying, by a digital device, data associated with input data from one or more untrusted sources, the identified data includes at least one of (i) data within the input data or (ii) data derived from at least a portion of the input data;
  
  processing the identified data associated with the input data within a virtual machine;
  
  monitoring information during the processing of the identified data within the virtual machine by tracking execution of at least a portion of the identified data and a response produced by the virtual machine based on execution of the portion of the identified data; and
  
  determining whether the monitored information that occurs during the processing of the identified data within the virtual machine constitutes an unauthorized activity that includes a redirection in control flow by altering a jump target during processing of the identified data by the virtual machine through modification of information during processing of the identified data by the virtual machine; and
  
  generating and transmitting one or more unauthorized activity signatures based on the unauthorized activity to a second digital device for use in identifying and blocking a malware attack without applying heuristics or replaying transmission of the input data.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. The method of claim 21, wherein the identifying of the data associated with input data comprises analyzing the data with a heuristic to determine if the data is suspicious prior to the data being provided to the virtual machine.
  - 23. The method of claim 21, wherein the one or more unauthorized activity signatures being based on whether the monitored information corresponds to the redirection in control flow.
  - 24. The method of claim 23, wherein the one or more unauthorized activity signatures is utilized to block a malware attack payload within network data received subsequent to the input data.
  - 25. The method of claim 21, wherein the altering of the jump target comprises an attempt to overwrite a return address operating as the jump target.
  - 26. The method of claim 21, wherein the altering of the jump target comprises an attempt to overwrite either (i) a function pointer operating as the jump target or (ii) a function pointer offset operating as the jump target.
  - 27. The method of claim 21 further comprising transmitting the one or more unauthorized activity signatures from the digital device to a router that blocks a propagation of a malware, at least one of the one or more unauthorized activity signatures comprises a binary code pattern.
  - 28. The method of claim 21, wherein the determining whether the monitored information constitutes the unauthorized activity that includes a redirection in control flow that corresponds to an activity associated with malware.
  - 29. The method of claim 21, wherein the one or more unauthorized activity signatures is utilized to block a malware attack payload within network data received subsequent to the input data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar, Lai, Wei-Lung, Manni, Jayaraman
Primary Examiner(s)
Hoffman, Brandon S

Application Number

US14/530,474
Time in Patent Office

1,649 Days
Field of Search

726 24, 726 25, 726 26, 726 30
US Class Current
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/561   Virus type analysis

G06F 2221/034   Test or assess a computer o...

G06F 9/00   Arrangements for program co...

G06F 9/455   Emulation; Interpretation; ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

System and method for threat detection and identification

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

543 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for threat detection and identification

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

543 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links