Malware detection verification and enhancement by coordinating endpoint and malware detection systems

US 10,462,173 B1
Filed: 06/26/2017
Issued: 10/29/2019
Est. Priority Date: 06/30/2016
Status: Active Grant

First Claim

Patent Images

1. A system to determine maliciousness of an object, comprising:

a first endpoint, including at least one processor, configured with a first software profile, further configured to detect one or more features exhibited by an object during processing by the first endpoint and determine if the features detected are suspicious;

a malware detection system, including at least one processor, communicatively coupled directly or indirectly to the first endpoint over a network, the malware detection system configured to process a received object in a virtual machine of one or more virtual machines that operate within the malware detection system to detect one or more features in response to the first endpoint determining the features of the object are suspicious, the virtual machine being provisioned with the first software profile;

a security logic engine configured to (i) receive information associated with features detected, during processing of the object, by the first endpoint and by the virtual machine of the malware detection system, (ii) correlate the received information associated with the received features, (iii) generate a first determination of maliciousness of the object, and (iv) in response to the generation of the first determination of maliciousness of the object, issue an alert,wherein the security logic engine is further configured to direct the malware detection system to process the object within a second virtual machine of the one or more virtual machines that is provisioned with a second software profile, in response to receipt of information associated with features from a second endpoint with the second software profile.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computerized techniques to determine and verify maliciousness of an object are described. An endpoint device, during normal processing of an object, identifies the object as suspicious in response to detected features of the object and coordinates further analysis with a malware detection system. The malware detection system processes the object, collects features related to processing, and analyzes the features of the suspicious object to classify as malicious or benign. Correlation of the features captured by the endpoint device and the malware detection system may verify a classification by the malware detection system of maliciousness of the content. The malware detection system may communicate with the one or more endpoint devices to influence detection and reporting of behaviors by those device(s).

Citations

19 Claims

1. A system to determine maliciousness of an object, comprising:
- a first endpoint, including at least one processor, configured with a first software profile, further configured to detect one or more features exhibited by an object during processing by the first endpoint and determine if the features detected are suspicious;
  
  a malware detection system, including at least one processor, communicatively coupled directly or indirectly to the first endpoint over a network, the malware detection system configured to process a received object in a virtual machine of one or more virtual machines that operate within the malware detection system to detect one or more features in response to the first endpoint determining the features of the object are suspicious, the virtual machine being provisioned with the first software profile;
  
  a security logic engine configured to (i) receive information associated with features detected, during processing of the object, by the first endpoint and by the virtual machine of the malware detection system, (ii) correlate the received information associated with the received features, (iii) generate a first determination of maliciousness of the object, and (iv) in response to the generation of the first determination of maliciousness of the object, issue an alert,wherein the security logic engine is further configured to direct the malware detection system to process the object within a second virtual machine of the one or more virtual machines that is provisioned with a second software profile, in response to receipt of information associated with features from a second endpoint with the second software profile.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the malware detection system is further configured to:
    - determine the second software profile based on the object; and
      
      provision the virtual machine with the second software profile.
  - 3. The system of claim 2, wherein the security logic engine is further configured to:
    - receive information associated with the features detected by the second endpoint configured with the second software profile;
      
      combine the features detected by the second endpoint with the features detected by the first endpoint and the virtual machine of the malware detection system; and
      
      correlate and classify the combined features and generate a second determination of maliciousness of the object.
  - 4. The system of claim 3, wherein the security logic engine verifies the maliciousness of the object if the first determination of maliciousness and second determination of maliciousness correspond.
  - 5. The system of claim 1, wherein the malware detection system receives an identifier related to the object and obtains the object identified by the identifier from a network object store coupled to the malware detection system via a network connection.
  - 6. The system of claim 1, wherein the malware detection system receives the object to be processed by the malware detection system from the first endpoint.
  - 7. The system of claim 1, wherein the security logic engine determines the first software profile as vulnerable in response to the first determination of maliciousness of the object as malicious.
  - 8. The system of claim 1, wherein the security logic engine identifies a software profile for each of a plurality of endpoints on the network and in response to the first determination of maliciousness, identifies a subset of the plurality of endpoints as vulnerable to the object based on the software profile of each endpoint of the plurality of endpoints, and includes the information regarding the subset of the plurality of endpoints in the alert.
  - 9. The system of claim 1, wherein the second software profile is different than the first software profile.
  - 10. The system of claim 1, wherein the first endpoint comprises an agent configured to detect one or more features related to the object exhibited during processing of the object by the first endpoint.

11. A computerized method to determine maliciousness of an object, comprising:
- conducting an analysis of the object determined to be suspicious based on a first set of features associated with the object, by a first virtual machine of a malware detection system, in response to a first endpoint of a plurality of endpoints determining the object is suspicious, the analysis comprising (i) receiving the object by the malware detection system, and (ii) identifying a second set of features associated with the object during analysis by the malware detection system, the first virtual machine being provisioned with a first software profile;
  
  receiving information associated with the first set of features and information associated with the second set of features by a security logic engine;
  
  generating a first determination of maliciousness of the object, by correlating the received information associated with the first set of features and the second set of features with features of known malicious and benign objects and classifying the object in response to the correlation of the received information, by the security logic engine;
  
  generating a first alert to report the first determination of maliciousness; and
  
  conducting an analysis of the object by a second virtual machine of the malware detection system in response to the security logic engine identifying a threat vector associated with at least a second endpoint of the plurality of endpoints different than the first endpoint, the second virtual machine being provisioned with a second software profile different than the first software profile.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The computerized method of claim 11, wherein the second set of features comprise behaviors exhibited during processing of the object in the first virtual machine of the malware detection system.
  - 13. The computerized method of claim 11, wherein the security logic engine is a component of the malware detection system.
  - 14. The computerized method of claim 11, further comprising:
    - receiving, by the security logic engine, information associated with a third set of features, detected while processing the object by the second endpoint;
      
      generating a second determination of maliciousness, by the security logic engine, of the object by correlating the received information associated with the first, second, and third set of features with features of known malicious and benign objects and classifying the object based on the second determination of maliciousness; and
      
      generating a second alert to report the second determination of maliciousness.
  - 15. The computerized method of claim 11, wherein the second alert generated by the security logic engine further comprises information to prevent the processing of the object by each of the plurality of endpoints.
  - 16. The computerized method of claim 11, further comprises:
    - identifying the second software profile associated with the second endpoint, by the security logic engine;
      
      configuring the second virtual machine of the malware detection system with the second software profile;
      
      generating a second determination of maliciousness in response to correlating information associated with an identified third set of features with known malicious and benign objects; and
      
      determining, by the security logic engine, the second endpoint software profile is vulnerable to the object in response to the second determination of maliciousness.
  - 17. The computerized method of claim 16, wherein the security logic engine further comprises:
    - associating, by the security logic engine, each endpoint, communicatively coupled with the security logic engine, with a software profile; and
      
      determining, by the security logic engine the vulnerability of each endpoint of the plurality of endpoints in response to correlating between the vulnerable software profile and the software profiles of each endpoint.
  - 18. The computerized method of claim 11, further comprising receiving, by the security logic engine, information related to communication between one or more endpoints and the first endpoint having processed the object;
    - and determining, by the security logic engine, one or more endpoints of the plurality of endpoints are at risk of being affected by the object.
  - 19. The computerized method of claim 11, wherein prior to conducting the analysis of the object by the first virtual machine of the malware detection system, the method further comprising:
    - identifying the first set of features associated with the object during processing the object by the first endpoint of the plurality of endpoints; and
      
      determining, by the first endpoint, the object is suspicious based on the first set of features associated with the object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Aziz, Ashar, Ismael, Osman Abdoul
Primary Examiner(s)
Gergiso, Techane

Application Number

US15/633,226
Time in Patent Office

855 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

Malware detection verification and enhancement by coordinating endpoint and malware detection systems

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Malware detection verification and enhancement by coordinating endpoint and malware detection systems

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links