Susceptible environment detection system

US 10,445,502 B1
Filed: 11/17/2017
Issued: 10/15/2019
Est. Priority Date: 12/31/2015
Status: Active Grant

First Claim

Patent Images

1. A computerized method, comprising:

conducting a preliminary analysis of characteristics of an object to determine whether the object is suspicious;

responsive to determining the object is suspicious, receiving context information associated with the suspicious object from a plurality of information sources, the context information with regard to the suspicious object including information that is gathered from prior analyses of objects sharing one or more characteristics associated with the suspicious object and is obtained from different information sources;

generating one or more software profiles based on the context information, wherein the one or more software profiles being used to provision one or more virtual machines, and each of the one or more software profiles include one or more applications, an operating system, and one or more software plug-ins;

analyzing the suspicious object by at least processing the suspicious object by the one or more virtual machines and obtaining results from at least the processing of the suspicious object by the one or more virtual machines to identify at least one, susceptible software environment including a susceptible software profile and one or more anomalous behaviors of the suspicious object detected during processing;

classifying the suspicious object as malware based, at least part, on the results obtaining during processing of the suspicious object by the one or more virtual machines; and

generating an alert comprising details determined at least in part from the results.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized method for detecting malware is described. The method includes conducting a preliminary analysis of characteristics of an object to determine whether the object is suspicious. Responsive to determining the object is suspicious, context information from a plurality of information sources is received. The context information including information gathered from prior analyses of the suspicious object. One or more software profiles are generated based on the context information, where the one or more software profiles being used to provision one or more virtual machines. Thereafter, the object is analyzed where the object is processed by the one or more virtual machines and results from the processing are obtained. The results identify a susceptible software environment including a susceptible software profile and one or more anomalous behaviors of the object detected during processing. The object is classified and malware and an alert is generated.

595 Citations

29 Claims

1. A computerized method, comprising:
- conducting a preliminary analysis of characteristics of an object to determine whether the object is suspicious;
  
  responsive to determining the object is suspicious, receiving context information associated with the suspicious object from a plurality of information sources, the context information with regard to the suspicious object including information that is gathered from prior analyses of objects sharing one or more characteristics associated with the suspicious object and is obtained from different information sources;
  
  generating one or more software profiles based on the context information, wherein the one or more software profiles being used to provision one or more virtual machines, and each of the one or more software profiles include one or more applications, an operating system, and one or more software plug-ins;
  
  analyzing the suspicious object by at least processing the suspicious object by the one or more virtual machines and obtaining results from at least the processing of the suspicious object by the one or more virtual machines to identify at least one, susceptible software environment including a susceptible software profile and one or more anomalous behaviors of the suspicious object detected during processing;
  
  classifying the suspicious object as malware based, at least part, on the results obtaining during processing of the suspicious object by the one or more virtual machines; and
  
  generating an alert comprising details determined at least in part from the results.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computerized method of claim 1, wherein the conducting of the preliminary analysis comprises at least analyzing whether the characteristics of the object correspond to characteristics or anomalous features of an object indicative of maliciousness without execution of the object.
  - 3. The computerized method of claim 1, wherein the receiving of the context information comprises providing metadata associated with the suspicious object to information source logic storing the contextual information and receiving the contextual information based, at least in part, on the provided metadata.
  - 4. The computerized method of claim 3, wherein the context information includes a type of file extension utilized by the object.
  - 5. The computerized method of claim 3, wherein the context information includes a score assigned to a particular characteristics of the object, the score identifying a level of suspiciousness of the object.
  - 6. The computerized method of claim 3, wherein the contextual information comprises a consolidation of metadata.
  - 7. The computerized method of claim 1, wherein the context information includes a score assigned to a particular characteristics of the object, the score being used to determine a priority in the provision of the one or more virtual machines.
  - 8. The computerized method of claim 1, wherein the conducting of the preliminary analysis comprises extracting metadata associated with the object by extraction logic, the extraction logic including a plurality of extraction rules controlling operations of a hardware processor.
  - 9. The computerized method of claim 8, wherein the plurality of extraction rules are based on machine learning or experiential knowledge and are updated from a remote source.
  - 10. The computerized method of claim 9 further comprising:
    - updating the remote source with information directed to specific configurations or combinations of the one or more software profiles provisioned on the one or more virtual machines during which the object is detected to be malware.
  - 11. The computerized method of claim 1, wherein the plurality of information sources provide context information directed to different views of an analysis of the object.
  - 12. The computerized method of claim 11, wherein the context information associated with a first view is directed to an application level analysis while context information associated with a second view is directed to a network level analysis.

13. A system configured to analyze an object for malware, the system comprising:
- one or more processors; and
  
  a memory communicatively coupled to the one or more processors, the memory to store logic that, upon execution by the one or more processors,requests context information for an object determined to be suspicious from a plurality of remote sources, the context information including information gathered from prior analyses of the suspicious object at different levels of analytics on the object including a first analytic directed to an application level analysis and a second analytic directed to a network level analysis,generates one or more software profiles based, at least in part, on the context information, where the one or more software profiles being used to provision one or more virtual machines, and each of the one or more software profiles includes one or more applications, an operating system, and one or more software plug-ins,updates the remote source with information directed to specific configurations or combinations of the one or more software profiles provisioned on the one or more virtual machines during which the object is detected to be malware.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The system of claim 13, wherein the memory further includes logic that, that, during execution by the one or more processors, conducts an analysis of characteristics of the object by identifying at least characteristics of the object indicative of maliciousness without execution of the object.
  - 15. The system of claim 13, wherein the memory further includes logic that, that during execution by the one or more processors, requests the context information by at least providing metadata associated with the suspicious object to information source logic storing the contextual information and receiving the contextual information based, at least in part, on the provided metadata.
  - 16. The system of claim 15, wherein the context information includes a type of file extension utilized by the object.
  - 17. The system of claim 15, wherein the context information includes a score assigned to a particular characteristics of the object, the score identifying a level of suspiciousness of the object.
  - 18. The system of claim 15, the contextual information comprises a consolidation of metadata.
  - 19. The system of claim 13, wherein the context information includes a score assigned to a particular characteristics of the object, the score being used to determine a priority in the provision of the one or more virtual machines.
  - 20. The system of claim 13, wherein the memory further includes logic that, upon execution by the one or more processors, conducts the analysis of characteristics of the object by identifying at least characteristics of the object indicative of maliciousness without execution of the object.

21. A non-transitory computer readable medium including software that, when executed by one or more processor, performs operations comprising:
- conducting a preliminary analysis of characteristics of an object to determine whether the object is suspicious;
  
  responsive to determining the object is suspicious, receiving context information associated with the suspicious object from a plurality of information sources, the context information with regard to the suspicious object including information that is gathered from prior analyses of the objects sharing one or more characteristics associated with the suspicious object and is obtained from different information sources;
  
  generating one or more software profiles based on the context information, the one or more software profiles include one or more applications, an operating system, and one or more software plug-ins and are used to provision one or more virtual machines;
  
  analyzing the suspicious object by at least processing the suspicious object by the one or more virtual machines and obtaining results from at least the processing of the suspicious object by the one or more virtual machines, to identify at least one susceptible software environment including a susceptible software profile and one or more anomalous behaviors of the suspicious object detected during processing;
  
  classifying the object as malware based, at least part, on the results obtaining during processing of the object by the one or more virtual machines; and
  
  generating an alert comprising details determined at least in part from the results.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. The non-transitory computer readable medium of claim 21, wherein the conducting of the preliminary analysis comprises at least analyzing whether the characteristics of the object correspond to characteristics or anomalous features of an object indicative of maliciousness without execution of the object.
  - 23. The non-transitory computer readable medium of claim 21, wherein the receiving of the context information comprises providing metadata associated with the suspicious object to information source logic storing the contextual information and receiving the contextual information based, at least in part, on the provided metadata.
  - 24. The non-transitory computer readable medium of claim 23, wherein the context information includes a type of file extension utilized by the object.
  - 25. The non-transitory computer readable medium of claim 23, wherein the context information includes a score assigned to a particular characteristics of the object, the score identifying a level of suspiciousness of the object.
  - 26. The non-transitory computer readable medium of claim 23, wherein the contextual information comprises a consolidation of metadata.
  - 27. The non-transitory computer readable medium of claim 21, wherein the context information includes a score assigned to a particular characteristics of the object, the score being used to determine a priority in the provision of the one or more virtual machines.
  - 28. The non-transitory computer readable medium of claim 21, wherein the conducting of the preliminary analysis comprises extracting metadata associated with the object by extraction logic, the extraction logic including a plurality of extraction rules controlling operations of a hardware processor.
  - 29. The non-transitory computer readable medium of claim 28, wherein the plurality of extraction rules are based on machine learning or experiential knowledge and are updated from a remote source.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Desphande, Shivani, Khalid, Yasir
Primary Examiner(s)
Vaughan, Michael R

Application Number

US15/817,009
Time in Patent Office

697 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

Susceptible environment detection system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

595 Citations

29 Claims

Specification

Use Cases

Quick Links

Others

Susceptible environment detection system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

595 Citations

29 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others