Alerting and tagging using a malware analysis platform for threat intelligence made actionable

US 10,530,789 B2
Filed: 05/03/2019
Issued: 01/07/2020
Est. Priority Date: 02/29/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis, wherein a log file for a sample comprises one or more lines based on results of the automated malware analysis for the sample;

processing the log files to extract artifacts associated with the log files;

receiving a configuration to enable an alert action based on a tag type for matching any of the plurality of samples, wherein the tag type is configured for the alert action for a tag based on a search criteria for one or more artifacts, and wherein the alert action is configured to match private samples and public samples;

determining whether the tag matches any of the plurality of samples based on the search criteria for one or more artifacts; and

performing an action based on whether the tag matches any of the plurality of samples including to trigger the alert action based on a determination that the tag matches a sample detected on a first monitored enterprise network, wherein the sample detected on the first monitored enterprise network is a public sample and the first monitored enterprise network is associated with another subscriber'"'"'s enterprise network.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for alerting and tagging using a malware analysis platform for threat intelligence made actionable are disclosed. In some embodiments, a system, process, and/or computer program product for alerting and tagging using a malware analysis platform for threat intelligence made actionable includes receiving a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis; processing the log files to extract artifacts associated with the log files; determining whether a tag matches any of the plurality of samples based on the artifacts; and performing an action based on whether the tag matches any of the plurality of samples.

28 Citations

20 Claims

1. A computer-implemented method, comprising:
- receiving a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis, wherein a log file for a sample comprises one or more lines based on results of the automated malware analysis for the sample;
  
  processing the log files to extract artifacts associated with the log files;
  
  receiving a configuration to enable an alert action based on a tag type for matching any of the plurality of samples, wherein the tag type is configured for the alert action for a tag based on a search criteria for one or more artifacts, and wherein the alert action is configured to match private samples and public samples;
  
  determining whether the tag matches any of the plurality of samples based on the search criteria for one or more artifacts; and
  
  performing an action based on whether the tag matches any of the plurality of samples including to trigger the alert action based on a determination that the tag matches a sample detected on a first monitored enterprise network, wherein the sample detected on the first monitored enterprise network is a public sample and the first monitored enterprise network is associated with another subscriber'"'"'s enterprise network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, further comprising:
    - performing a search to identify one or more samples that match the search criteria for one or more artifacts.
  - 3. The computer-implemented method of claim 1, further comprising:
    - receiving a configuration for a tag class to associate the tag with a known actor, targeted campaign, malware family, malicious behavior, or an exploit.
  - 4. The computer-implemented method of claim 1, wherein the tag is a private tag that is visible only to users associated with a subscriber for the first monitored enterprise network.
  - 5. The computer-implemented method of claim 1, wherein an extracted artifact is a high-risk artifact, and wherein the high-risk artifact is determined to be associated with malware based on the automated malware analysis.
  - 6. The computer-implemented method of claim 1, wherein performing automated malware analysis includes performing a dynamic analysis and/or a static analysis.
  - 7. The computer-implemented method of claim 1, further comprising:
    - generating another alert based on a determination that the tag matches a sample detected on a second monitored enterprise network, wherein the sample detected on the second monitored enterprise network is a private sample and the second monitored enterprise network is associated with the subscriber'"'"'s enterprise network.

8. A system, comprising:
- a processor configured to;
  
  receive a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis, wherein a log file for a sample comprises one or more lines based on results of the automated malware analysis for the sample;
  
  process the log files to extract artifacts associated with the log files;
  
  receive a configuration to enable an alert action based on a tag type for matching any of the plurality of samples, wherein the tag type is configured for the alert action for a tag based on a search criteria for one or more artifacts, and wherein the alert action is configured to match private samples and public samples;
  
  determine whether the tag matches any of the plurality of samples based on the search criteria for one or more artifacts; and
  
  perform an action based on whether the tag matches any of the plurality of samples including to trigger the alert action based on a determination that the tag matches a sample detected on a first monitored enterprise network, wherein the sample detected on the first monitored enterprise network is a public sample and the first monitored enterprise network is associated with another subscriber'"'"'s enterprise network; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system recited in claim 8, wherein the processor is further configured to:
    - perform a search to identify one or more samples that match the search criteria for one or more artifacts.
  - 10. The system recited in claim 8, wherein the processor is further configured to:
    - receive a configuration for a tag class to associate the tag with a known actor, targeted campaign, malware family, malicious behavior, or an exploit.
  - 11. The system recited in claim 8, wherein the tag is a private tag that is visible only to users associated with a subscriber for the first monitored enterprise network.
  - 12. The system recited in claim 8, wherein an extracted artifact is a high-risk artifact, and wherein the high-risk artifact is determined to be associated with malware based on the automated malware analysis.
  - 13. The system recited in claim 8, wherein performing automated malware analysis includes performing a dynamic analysis and/or a static analysis.
  - 14. The system recited in claim 8, wherein the processor is further configured to:
    - generate another alert based on determining that the tag matches a sample detected on a second monitored enterprise network, wherein the sample detected on the second monitored enterprise network is a private sample and the second monitored enterprise network is associated with the subscriber'"'"'s enterprise network.

15. A computer program product, the computer program product being embodied in a non-transitory tangible computer readable storage medium and comprising computer instructions for:
- receiving a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis, wherein a log file for a sample comprises one or more lines based on results of the automated malware analysis for the sample;
  
  processing the log files to extract artifacts associated with the log files;
  
  receiving a configuration to enable an alert action based on a tag type for matching any of the plurality of samples, wherein the tag type is configured for the alert action for a tag based on a search criteria for one or more artifacts, and wherein the alert action is configured to match private samples and public samples;
  
  determining whether the tag matches any of the plurality of samples based on the search criteria for one or more artifacts; and
  
  performing an action based on whether the tag matches any of the plurality of samples including to trigger the alert action based on a determination that the tag matches a sample detected on a first monitored enterprise network, wherein the sample detected on the first monitored enterprise network is a public sample and the first monitored enterprise network is associated with another subscriber'"'"'s enterprise network.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product recited in claim 15, and further comprising computer instructions for:
    - performing a search to identify one or more samples that match the search criteria for one or more artifacts.
  - 17. The computer program product recited in claim 15, and further comprising computer instructions for:
    - receiving a configuration for a tag class to associate the tag with a known actor, targeted campaign, malware family, malicious behavior, or an exploit.
  - 18. The computer program product recited in claim 15, wherein the tag is a private tag that is visible only to users associated with a subscriber for the first monitored enterprise network.
  - 19. The computer program product recited in claim 15, wherein the artifact is a high-risk artifact, and wherein the high-risk artifact is determined to be associated with malware based on the automated malware analysis.
  - 20. The computer program product recited in claim 15, and further comprising computer instructions for:
    - generating another alert based on a determination that the tag matches a sample detected on a second monitored enterprise network, wherein the sample detected on the second monitored enterprise network is a private sample and the second monitored enterprise network is associated with the subscriber'"'"'s enterprise network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Rostamabadi, Farshad, Rostami-Hesarsorkh, Shadi, Vasudevan, Sudarshan, Malik, Bilal
Primary Examiner(s)
Murphy, J. Brant

Application Number

US16/403,368
Publication Number

US 20190268357A1
Time in Patent Office

249 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Alerting and tagging using a malware analysis platform for threat intelligence made actionable

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Alerting and tagging using a malware analysis platform for threat intelligence made actionable

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links