Multi-vector malware detection and analysis
Abstract
A computerized method to coordinate the detection capabilities of an email-based malware detection system with the detection capabilities of a network-based malware detection system and prevent multi-vector cyber-security attacks. The described system detects and analyzes suspicious objects via the email vector and monitors and analyzes associated objects via the network vector, collecting features of each object. The features of associated objects are analyzed, correlated and classified to determine if they are malicious.
21 Claims
1. A computer-implemented method for detecting a cross-vector cyber-attack initiated via an email, the method comprising:
receiving, by a network malware detection system (NMDS) from an email malware detection system (EMDS), (i) a suspicious object identifier associated with an object extracted from a suspicious email and (ii) one or more features of the object detected by the EMDS, the NMDS having at least one hardware processor;
monitoring network traffic, by the NMDS, for communications associated with the suspicious object identifier, and extracting a suspicious network object from the communications;
analyzing the suspicious network object by the NMDS to detect features of the suspicious network object;
correlating, by the NMDS, the detected features of the suspicious network object with the one or more features detected by the EMDS in order to determine a classification of the object extracted from the suspicious email; and
issuing, by a reporting engine, an alert to an administrator when the object extracted from the suspicious email is classified as malicious.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9)
10. A non-transitory computer-readable medium deployed within a network malware detection system (NMDS) including contents that, when executed by a processor, are configured to cause a detection of a multi-vector cyber-attack by performing operations comprising:
receive a suspicious object identifier and first features of a suspicious object, from an email malware detection system (EMDS) and monitor network communications to detect and extract one or more objects associated with the suspicious object identifier, wherein the EMDS analyzed a received email to detect the suspicious object and the first features of the suspicious object and associated the suspicious object identifier with the suspicious object;
analyze the one or more extracted objects associated with the suspicious object identifier in a virtual machine within a dynamic analysis logic of the NMDS to detect second features of the one or more extracted objects associated with the suspicious object identifier that are associated with malware; and
correlate the first features with the second features in order to determine a classification of the suspicious object by a classification engine of the NMDS.
(Dependent claims: 11)
12. A system for detecting a cross-vector cyber-attack received via an email, the system comprising:
an email malware detection system (EMDS), with one or more first hardware processors and logic adapted to analyze the email and detect a suspicious object and first features of the suspicious object, and in response, generate a suspicious object identifier; and
a network malware detection system (NMDS), the NMDS including logic adapted to receive the suspicious object identifier and the first features, monitor traffic on a private network for traffic associated with the suspicious object identifier and extract and analyze a network object in the traffic by the NMDS analysis logic for second features of the network object that are associated with malware;
wherein the NMDS comprises a classification engine to receive and correlate the first features and the second features in order to determine a classification of the suspicious object.
(Dependent claims: 13, 14, 15)
16. A computer-implemented method for detecting a cross-vector cyber-attack initiated via an email, the method comprising:
monitoring network traffic, by a network malware detection system (NMDS), for communications associated with the suspicious object identifier, and extracting a suspicious network object from the communications, wherein the suspicious object identifier corresponds to a suspicious object detected in the email received by an email malware detection system (EMDS) and is received by the NMDS with first features of the suspicious object from the EMDS, wherein the EMDS includes at least a second hardware processor and analyzes the email to detect the first features;
analyzing the suspicious network object by a dynamic analysis logic of the NMDS, the dynamic analysis logic configured to detect second features based on processing of the suspicious network object in a virtual machine, the second features being of the suspicious network object;
correlating the second features with the first features in order to determine, by a classification engine, a classification of the first object; and
issuing, by a reporting engine, an alert to an administrator when the first object is classified as malicious.
(Dependent claims: 17, 18, 19, 20, 21)
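The EMDS-to-NMDS hand-off and cross-vector correlation described in the claims, as an added Python simulation that is not part of the patent or of any product. It assumes the suspicious object identifier is a SHA-256 of the attachment bundled with the URL the EMDS found inside it, and the feature names, weights and thresholds are all made-up stand-ins for the detection logic the claims leave unspecified.

```python
"""Simulated cross-vector correlation of email (EMDS) and network (NMDS) features."""
import hashlib

# Constructed sample attachment and EMDS report (hypothetical values, not real malware).
ATTACHMENT = b"constructed sample attachment with a macro"
EMDS_REPORT = {
    "object_id": hashlib.sha256(ATTACHMENT).hexdigest(),  # suspicious object identifier
    "first_features": {"macro_autoopen", "embedded_url"},  # first features, from the EMDS
    "embedded_url": "http://example.invalid/stage2.bin",  # URL the EMDS found in the object
}

# Constructed network flow records as the NMDS might observe them after delivery.
TRAFFIC = [
    {"url": "http://example.invalid/stage2.bin", "body": b"MZ" + b"\x00" * 8, "beacon": True},
    {"url": "http://intranet.example/news", "body": b"<html>", "beacon": False},
]

# Assumed weights per feature; a real system would derive these from its analysis engines.
WEIGHTS = {"macro_autoopen": 2, "embedded_url": 1, "pe_download": 2, "c2_beacon": 3}

def monitor_traffic(report, traffic):
    """Extract the network objects whose communications match the email-supplied identifier."""
    return [r for r in traffic if r["url"] == report["embedded_url"]]

def analyze_network_object(record):
    """Second features: simplified detectors standing in for VM-based dynamic analysis."""
    feats = set()
    if record["body"].startswith(b"MZ"):
        feats.add("pe_download")  # the fetched object is a PE executable
    if record["beacon"]:
        feats.add("c2_beacon")  # the object phoned home after execution
    return feats

def correlate(first, second):
    """Weighted sum of features from both vectors plus a bonus when the email-stage
    and network-stage evidence form one consistent delivery chain."""
    score = sum(WEIGHTS.get(f, 1) for f in first | second)
    if "embedded_url" in first and "pe_download" in second:
        score += 2  # the URL in the email actually delivered an executable
    return score

def classify(report, traffic):
    """NMDS classification engine: correlate first and second features, decide on alerting."""
    second = set().union(*(analyze_network_object(o) for o in monitor_traffic(report, traffic)))
    score = correlate(report["first_features"], second)
    label = "malicious" if score >= 6 else "suspicious" if score >= 3 else "benign"
    return {"object_id": report["object_id"], "score": score,
            "classification": label, "alert": label == "malicious"}

if __name__ == "__main__":
    print(classify(EMDS_REPORT, TRAFFIC))  # alert raised for the constructed sample
```

With no matching traffic the email-only evidence leaves the object merely suspicious, which is the case the correlation step exists to resolve.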