Multi-vector malware detection and analysis

US 10,523,609 B1
Filed: 12/27/2016
Issued: 12/31/2019
Est. Priority Date: 12/27/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting a cross-vector cyber-attack initiated via an email, the method comprising:

receiving, by a network malware detection system (NMDS) from an email malware detection system (EMDS), (i) a suspicious object identifier associated with an object extracted from a suspicious email and (ii) one or more features of the object detected by the EMDS, the NMDS having at least one hardware processor;

monitoring network traffic, by the NMDS, for communications associated with the suspicious object identifier, and extracting a suspicious network object from the communications;

analyzing the suspicious network object by the NMDS to detect features of the suspicious network object;

correlating, by the NMDS, the detected features of the suspicious network object with the one or more features detected by the EMDS in order to determine a classification of the object extracted from the suspicious email; and

issuing, by a reporting engine, an alert to an administrator when the object extracted from the suspicious email is classified as malicious.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized method to coordinate the detection capabilities of an email-based malware detection system with the detection capabilities of a network-based malware detection system and prevent multi-vector cyber-security attacks. The described system detects and analyzes suspicious objects via the email vector and monitors and analyzes associated objects via the network vector, collecting features of each object. The features of associated objects are analyzed, correlated and classified to determine if they are malicious.

Citations

21 Claims

1. A computer-implemented method for detecting a cross-vector cyber-attack initiated via an email, the method comprising:
- receiving, by a network malware detection system (NMDS) from an email malware detection system (EMDS), (i) a suspicious object identifier associated with an object extracted from a suspicious email and (ii) one or more features of the object detected by the EMDS, the NMDS having at least one hardware processor;
  
  monitoring network traffic, by the NMDS, for communications associated with the suspicious object identifier, and extracting a suspicious network object from the communications;
  
  analyzing the suspicious network object by the NMDS to detect features of the suspicious network object;
  
  correlating, by the NMDS, the detected features of the suspicious network object with the one or more features detected by the EMDS in order to determine a classification of the object extracted from the suspicious email; and
  
  issuing, by a reporting engine, an alert to an administrator when the object extracted from the suspicious email is classified as malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the correlating step combines features detected by a static analysis logic of the NMDS.
  - 3. The method of claim 1, wherein the suspicious object identifier is received by the NMDS from the EMDS via a network link.
  - 4. The method of claim 1, wherein the suspicious object identifier is incorporated into the object by the EMDS and the object is activated, wherein activating the object generates network traffic.
  - 5. The method of claim 1, wherein the correlating results in a determination of a maliciousness score for the object extracted from the suspicious email.
  - 6. The method of claim 5, wherein the maliciousness score is used in classifying the object extracted from the suspicious email as benign or malicious.
  - 7. The method of claim 1, wherein the correlating results in a determination of a maliciousness score for each of a plurality of features of the object extracted from the suspicious email.
  - 8. The method of claim 7, wherein the maliciousness score of two or more features of the plurality of features are combined to determine an overall maliciousness score for the object extracted from the suspicious email.
  - 9. The method of claim 1, wherein meta-information originated by the EMDS is utilized in a classification of the object extracted from the suspicious email.

10. A non-transitory computer-readable medium deployed within a network malware detection system (NMDS) including contents that, when executed by a processor, are configured to cause a detection of a multi-vector cyber-attack by performing operations comprising:
- receive a suspicious object identifier and first features of a suspicious object, from an email malware detection system (EMDS) and monitor network communications to detect and extract one or more objects associated with the suspicious object identifier, wherein the EMDS analyzed a received email to detect the suspicious object and the first features of the suspicious object and associated the suspicious object identifier with the suspicious object;
  
  analyze the one or more extracted objects associated with the suspicious object identifier in a virtual machine within a dynamic analysis logic of the NMDS to detect second features of the one or more extracted objects associated with the suspicious object identifier that are associated with malware; and
  
  correlate the first features with the second features in order to determine a classification of the suspicious object by a classification engine of the NMDS.
- View Dependent Claims (11)
- - 11. The non-transitory computer-readable medium of claim 10 wherein, the EMDS provides the suspicious object identifier to the NMDS through respective communication interfaces to monitor network communications.

12. A system for detecting a cross-vector cyber-attack received via an email, the system comprising:
- an email malware detection system (EMDS), with one or more first hardware processors and logic adapted to analyze the email and detect a suspicious object and first features of the suspicious object, and in response, generate a suspicious object identifier; and
  
  a network malware detection system (NMDS), the NMDS including logic adapted to receive the suspicious object identifier and the first features, monitor traffic on a private network for traffic associated with the suspicious object identifier and extract and analyze a network object in the traffic by the NMDS analysis logic for second features of the network object that are associated with malware;
  
  wherein the NMDS comprises a classification engine to receive and correlate the first features and the second features in order to determine a classification of the suspicious object.
- View Dependent Claims (13, 14, 15)
- - 13. The system of claim 12, wherein the EMDS further comprises a coordination engine to generate a suspicious object identifier for each suspicious object of the email.
  - 14. The system of claim 12, wherein the suspicious object identifier is added to the first object and activation of the first object initiates network traffic.
  - 15. The system of claim 12, wherein the NMDS generates a malicious object identifier in response to classifying the object as malicious and provides the malicious object identifier to the EMDS.

16. A computer-implemented method for detecting a cross-vector cyber-attack initiated via an email, the method comprising:
- monitoring network traffic, by a network malware detection system (NMDS), for communications associated with the suspicious object identifier, and extracting a suspicious network object from the communications, wherein the suspicious object identifier corresponds to a suspicious object detected in the email received by an email malware detection system (EMDS) and is received by the NMDS with first features of the suspicious from the EMDS, wherein the EMDS includes at least a second hardware processor and analyzes the email to detect the first features;
  
  analyzing the suspicious network object by a dynamic analysis logic of the NMDS, the dynamic analysis logic configured to detect second features based on processing of suspicious network object in a virtual machine, the second features being of the suspicious network object;
  
  correlating the second features with the first features in order to determine, by a classification engine, a classification of the first object; and
  
  issuing, by reporting engine, an alert to an administrator when the first object is classified as malicious.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The method of claim 16, wherein the classification engine receives and combines third features detected by a static analysis logic of the NMDS with the second features to correlate with known features of malware in order to determine a classification of the first object.
  - 18. The method of claim 16, wherein associating each object with a suspicious object identifier comprises,modifying the first object with the suspicious object identifier;
    - anddelivering the email to the intended recipient with the modified first object.
  - 19. The method of claim 16, wherein the monitoring of the network traffic associated with the suspicious object identifier further comprises,detecting outbound network communications associated with the suspicious object identifier;
    - indicating to a scheduler the first object has been activated and scheduling dynamic analysis of the first object within the virtual machine; and
      
      removing the suspicious object identifier from the outbound network request and relaying the outbound network request to a designated destination.
  - 20. The method of claim 16, wherein the EMDS uses a heuristic or blacklist to determine whether the object is malicious.
  - 21. The method of claim 16, wherein the EMDS is communicatively coupled, via a public network, to the private network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Subramanian, Sakthi
Primary Examiner(s)
Lemma, Samson B

Application Number

US15/390,947
Time in Patent Office

1,099 Days
Field of Search

726 24
US Class Current
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/08   Annexed information, e.g. a...

H04L 51/212   using filtering or selectiv...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

Multi-vector malware detection and analysis

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-vector malware detection and analysis

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links