Susceptible environment detection system
Abstract
A computerized method for detecting malware is described. The method includes conducting a preliminary analysis of characteristics of an object to determine whether the object is suspicious. Responsive to determining the object is suspicious, context information from a plurality of information sources is received; the context information includes information gathered from prior analyses of the suspicious object. One or more software profiles are generated based on the context information, and the one or more software profiles are used to provision one or more virtual machines. Thereafter, the object is analyzed: it is processed by the one or more virtual machines and results from the processing are obtained. The results identify a susceptible software environment, including a susceptible software profile and one or more anomalous behaviors of the object detected during processing. The object is classified as malware and an alert is generated.
29 Claims
1. A computerized method, comprising:
- conducting a preliminary analysis of characteristics of an object to determine whether the object is suspicious;
- responsive to determining the object is suspicious, receiving context information associated with the suspicious object from a plurality of information sources, the context information with regard to the suspicious object including information that is gathered from prior analyses of objects sharing one or more characteristics associated with the suspicious object and is obtained from different information sources;
- generating one or more software profiles based on the context information, wherein the one or more software profiles are used to provision one or more virtual machines, and each of the one or more software profiles includes one or more applications, an operating system, and one or more software plug-ins;
- analyzing the suspicious object by at least processing the suspicious object by the one or more virtual machines and obtaining results from at least the processing of the suspicious object by the one or more virtual machines to identify at least one susceptible software environment including a susceptible software profile and one or more anomalous behaviors of the suspicious object detected during processing;
- classifying the suspicious object as malware based, at least in part, on the results obtained during processing of the suspicious object by the one or more virtual machines; and
- generating an alert comprising details determined at least in part from the results.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.

13. A system configured to analyze an object for malware, the system comprising:
- one or more processors; and
- a memory communicatively coupled to the one or more processors, the memory to store logic that, upon execution by the one or more processors:
  - requests context information for an object determined to be suspicious from a plurality of remote sources, the context information including information gathered from prior analyses of the suspicious object at different levels of analytics on the object, including a first analytic directed to an application level analysis and a second analytic directed to a network level analysis;
  - generates one or more software profiles based, at least in part, on the context information, where the one or more software profiles are used to provision one or more virtual machines, and each of the one or more software profiles includes one or more applications, an operating system, and one or more software plug-ins; and
  - updates the remote source with information directed to specific configurations or combinations of the one or more software profiles provisioned on the one or more virtual machines during which the object is detected to be malware.

Dependent claims: 14, 15, 16, 17, 18, 19, 20.

21. A non-transitory computer readable medium including software that, when executed by one or more processors, performs operations comprising:
- conducting a preliminary analysis of characteristics of an object to determine whether the object is suspicious;
- responsive to determining the object is suspicious, receiving context information associated with the suspicious object from a plurality of information sources, the context information with regard to the suspicious object including information that is gathered from prior analyses of objects sharing one or more characteristics associated with the suspicious object and is obtained from different information sources;
- generating one or more software profiles based on the context information, the one or more software profiles including one or more applications, an operating system, and one or more software plug-ins, and being used to provision one or more virtual machines;
- analyzing the suspicious object by at least processing the suspicious object by the one or more virtual machines and obtaining results from at least the processing of the suspicious object by the one or more virtual machines, to identify at least one susceptible software environment including a susceptible software profile and one or more anomalous behaviors of the suspicious object detected during processing;
- classifying the object as malware based, at least in part, on the results obtained during processing of the object by the one or more virtual machines; and
- generating an alert comprising details determined at least in part from the results.

Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29.
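The flow in the abstract and the independent claims above, modelled as an added example that is not the patent's own code and not taken from any product: a preliminary static analysis flags the object as suspicious, context from two constructed information sources ranks which software profiles (OS, application, plug-ins) to provision, the object is processed against each profile, the susceptible profiles and their anomalous behaviors drive the verdict and the alert, and, as in claim 13, the configurations under which the object was detected are written back to the sources. The `InfoSource` class, the `SUSPICIOUS_RULES`, the `CATALOG`, the sample object and the `detonate` stand-in for VM processing are all assumptions made for this illustration.

```python
# Toy model of the susceptible-environment detection flow in the claims.
# Added example, not the patent's own code: every source name, catalog entry,
# rule and sample object below is constructed for illustration.
from collections import Counter
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class SoftwareProfile:
    os: str                 # one OS, one application, a tuple of plug-ins
    application: str
    plugins: tuple


@dataclass(frozen=True)
class AnalysisRecord:
    characteristics: tuple  # ((key, value), ...) of the object analysed earlier
    profile: SoftwareProfile
    behaviors: tuple        # anomalous behaviors seen under that profile


class InfoSource:
    # Constructed stand-in for a remote source that is queried and updated.
    def __init__(self, name, records=()):
        self.name, self.records = name, list(records)

    def query(self, characteristics):
        wanted = set(characteristics.items())
        return [r for r in self.records if wanted & set(r.characteristics)]

    def update(self, record):
        self.records.append(record)


# Preliminary analysis: cheap static checks that mark an object suspicious.
SUSPICIOUS_RULES = {
    "extension_mismatch": lambda o: o["declared_ext"] != o["magic_type"],
    "embedded_script": lambda o: o.get("has_script", False),
    "low_sender_reputation": lambda o: o.get("sender_reputation", 1.0) < 0.3,
}
# Constructed catalog of software the sandbox can provision into a VM.
CATALOG = {"os": ["win10", "win7"],
           "application": {"pdf": ["reader_11", "reader_9"], "doc": ["office_2013"]},
           "plugins": [(), ("flash",), ("java",)]}


def preliminary_analysis(obj):
    return [name for name, rule in SUSPICIOUS_RULES.items() if rule(obj)]


def shared_characteristics(obj):
    """Characteristics other objects may share with this one (not its hash)."""
    return {"magic_type": obj["magic_type"], "sender_domain": obj["sender_domain"]}


def generate_profiles(obj, sources, max_profiles=3):
    """Gather context from every source, then rank catalog combinations:
    profiles under which similar objects misbehaved before come first,
    ties keep the catalog's default order."""
    chars = shared_characteristics(obj)
    context = [r for s in sources for r in s.query(chars)]
    seen = Counter(r.profile for r in context if r.behaviors)
    apps = CATALOG["application"][obj["magic_type"]]
    candidates = [SoftwareProfile(o, a, p)
                  for o, a, p in product(CATALOG["os"], apps, CATALOG["plugins"])]
    candidates.sort(key=lambda p: -seen[p])  # list.sort is stable
    return candidates[:max_profiles]


def detonate(obj, profile):
    """Constructed stand-in for processing the object in a VM provisioned with
    `profile`; the sample's `_sim_triggers` field only drives this simulation."""
    req = obj["_sim_triggers"]
    if profile.application == req["application"] and set(req["plugins"]) <= set(profile.plugins):
        return ("process_spawn:cmd.exe", "outbound_connect:198.51.100.7:443")
    return ()


def run_pipeline(obj, sources):
    hits = preliminary_analysis(obj)
    if not hits:
        return {"object": obj["name"], "verdict": "not_suspicious"}
    profiles = generate_profiles(obj, sources)
    results = [(p, detonate(obj, p)) for p in profiles]
    susceptible = [(p, b) for p, b in results if b]  # susceptible environments
    verdict = "malware" if susceptible else "benign"
    if susceptible:  # feed detecting configurations back to the sources (claim 13)
        chars = tuple(sorted(shared_characteristics(obj).items()))
        for p, b in susceptible:
            for s in sources:
                s.update(AnalysisRecord(chars, p, b))
    as_tuple = lambda p: (p.os, p.application, p.plugins)
    return {"object": obj["name"], "verdict": verdict, "preliminary_hits": hits,
            "profiles_tried": [as_tuple(p) for p in profiles],
            "susceptible_profiles": [as_tuple(p) for p, _ in susceptible],
            "behaviors": sorted({b for _, bs in susceptible for b in bs})}


# Constructed sample data: a network-level source already holds one record
# saying a file from the same sender misbehaved under win7/reader_9/flash.
PRIOR = AnalysisRecord((("sender_domain", "mail.example.net"),),
                       SoftwareProfile("win7", "reader_9", ("flash",)),
                       ("outbound_connect:198.51.100.7:443",))
SOURCES = [InfoSource("app_level_db"), InfoSource("network_level_db", [PRIOR])]
SAMPLE = {"name": "invoice.pdf", "declared_ext": "pdf", "magic_type": "pdf",
          "has_script": True, "sender_reputation": 0.1,
          "sender_domain": "mail.example.net",
          "_sim_triggers": {"application": "reader_9", "plugins": ("flash",)}}

if __name__ == "__main__":
    print(run_pipeline(SAMPLE, [InfoSource("empty")]))  # default profiles miss it
    print(run_pipeline(SAMPLE, SOURCES))                # context finds the profile
```

The two runs at the bottom show the point of the claimed context step: with an empty source the three default profiles (all win10/reader_11) never trigger and the sample is classed benign, whereas the single prior record from the network-level source moves win7/reader_9/flash to the front of the queue, the sample misbehaves there, that profile is reported as the susceptible software environment in the alert, and both sources now hold a record of it for the next object that shares the sender domain or file type.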
Specification