Malicious message analysis system
First Claim
1. A computerized method configured to analyze a message by a network device, comprising:
- conducting a first analysis of an object included as part of the message to generate one or more attributes being a first set of attributes;
- determining whether the first set of attributes is determinative as to whether the message is associated with a malicious attack;
- generating an alert in response to determining from the first analysis that the message is associated with a malicious attack;
- conducting a second analysis of content recovered from a header or a body of the message to generate one or more delivery protocol attributes;
- correlating attributes associated with one or more analyses including at least the one or more delivery protocol attributes and the first set of attributes in accordance with one or more correlation rules in response to the first set of attributes not being determinative as to whether the message is associated with the malicious attack;
- generating a threat index based on the correlated attributes associated with the one or more analyses; and
- generating the alert in response to determining that the threat index identifies that the message is associated with a malicious attack.
5 Assignments
0 Petitions
Abstract
A computerized technique is provided to analyze a message for malware by determining context information from attributes of the message. The attributes are determined by performing one or more of a static analysis of meta information of the message (e.g., delivery protocol attributes) to generate a first result; a dynamic analysis of an object contained in the message to generate a second result; and, in some embodiments, an emulation of the object to generate a third result. The first result, second result, and third result are correlated in accordance with one or more correlation rules to generate a threat index for the message. The threat index is compared with a predetermined threshold to determine whether the message should be classified as malware and, if so, an alert is generated.
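The flow the abstract and claim 1 describe, as an added example that is not code from the patent or its assignee: a first analysis of the attached object, an early alert when that result is determinative on its own, and otherwise a correlation of object attributes with delivery protocol attributes from the header into a threat index that is compared with a threshold. The attribute names, the correlation rules and their weights, the threshold, the blocklist hash and the sample messages are all constructed for illustration; the object analysis is a static stand-in for the dynamic analysis and emulation the abstract mentions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed blocklist: the hash of a made-up byte string stands in for a
# known-malicious sample hash (hypothetical, not a real indicator).
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed-known-bad-sample").hexdigest()}

# Hypothetical correlation rules: (name, attributes that must all be present, weight).
# The threat index is the sum of the weights of every rule that fires.
CORRELATION_RULES = [
    ("macro_doc_from_unauthenticated_sender", {"has_macro", "auth_failed"}, 6),
    ("executable_with_sender_mismatch", {"is_executable", "from_mismatch"}, 7),
    ("macro_doc_with_sender_mismatch", {"has_macro", "from_mismatch"}, 4),
    ("missing_message_id", {"no_message_id"}, 1),
    ("auth_failed", {"auth_failed"}, 2),
]
THRESHOLD = 5  # constructed predetermined threshold


@dataclass
class Message:
    headers: Dict[str, str]
    body: str
    attachment: Optional[bytes] = None


def object_attributes(attachment: Optional[bytes]) -> Dict[str, bool]:
    """First analysis: attributes of the attached object (static checks only)."""
    attrs: Dict[str, bool] = {}
    if attachment is None:
        return attrs
    if attachment[:2] == b"MZ":  # PE header magic
        attrs["is_executable"] = True
    if b"vbaProject.bin" in attachment:  # OOXML macro storage name
        attrs["has_macro"] = True
    if hashlib.sha256(attachment).hexdigest() in KNOWN_BAD_HASHES:
        attrs["known_bad_hash"] = True
    return attrs


def is_determinative(attrs: Dict[str, bool]) -> bool:
    """A blocklist hit alone settles the verdict; no correlation is needed."""
    return "known_bad_hash" in attrs


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def delivery_attributes(headers: Dict[str, str]) -> Dict[str, bool]:
    """Second analysis: delivery protocol attributes recovered from the header."""
    h = {k.lower(): v for k, v in headers.items()}
    attrs: Dict[str, bool] = {}
    if "message-id" not in h:
        attrs["no_message_id"] = True
    if "fail" in h.get("authentication-results", "").lower():
        attrs["auth_failed"] = True
    frm, rp = h.get("from"), h.get("return-path")
    if frm and rp and _domain(frm) != _domain(rp):
        attrs["from_mismatch"] = True
    return attrs


def threat_index(attrs: Dict[str, bool], rules=CORRELATION_RULES) -> int:
    """Correlate attributes: every rule whose attribute set is present adds its weight."""
    present = set(attrs)
    return sum(weight for _, needed, weight in rules if needed <= present)


def analyze_message(msg: Message, threshold: int = THRESHOLD) -> Tuple[bool, str, Optional[int]]:
    """Returns (alert, reason, threat index) following the two-stage flow of claim 1."""
    obj = object_attributes(msg.attachment)
    if is_determinative(obj):
        return True, "first analysis determinative", None
    combined = {**obj, **delivery_attributes(msg.headers)}
    idx = threat_index(combined)
    return idx >= threshold, "threat index", idx


# Constructed sample messages.
BENIGN = Message(
    headers={"From": "alice@example.com", "Return-Path": "<alice@example.com>",
             "Message-ID": "<1@example.com>",
             "Authentication-Results": "mx.example.com; dkim=pass"},
    body="hi", attachment=b"%PDF-1.4 constructed document")
SUSPICIOUS = Message(
    headers={"From": "Payroll <payroll@example.com>",
             "Return-Path": "<bounce@mailer.example.net>",
             "Authentication-Results": "mx.example.com; spf=fail"},
    body="see attached", attachment=b"PK\x03\x04 ... word/vbaProject.bin ...")
KNOWN_BAD = Message(headers={"From": "x@example.com", "Message-ID": "<2@example.com>"},
                    body="", attachment=b"constructed-known-bad-sample")

if __name__ == "__main__":
    for name, m in [("benign", BENIGN), ("suspicious", SUSPICIOUS), ("known_bad", KNOWN_BAD)]:
        print(name, analyze_message(m))
```

The macro attachment in the suspicious sample fires the macro-plus-authentication-failure rule (6), the macro-plus-mismatch rule (4), the missing Message-ID rule (1) and the bare authentication-failure rule (2), so the index reaches 13 and exceeds the threshold even though no single attribute was determinative; the benign sample scores 0, and the blocklisted sample is alerted in the first stage without any correlation.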
746 Citations
36 Claims
1. A computerized method configured to analyze a message by a network device, comprising:
- conducting a first analysis of an object included as part of the message to generate one or more attributes being a first set of attributes;
- determining whether the first set of attributes is determinative as to whether the message is associated with a malicious attack;
- generating an alert in response to determining from the first analysis that the message is associated with a malicious attack;
- conducting a second analysis of content recovered from a header or a body of the message to generate one or more delivery protocol attributes;
- correlating attributes associated with one or more analyses including at least the one or more delivery protocol attributes and the first set of attributes in accordance with one or more correlation rules in response to the first set of attributes not being determinative as to whether the message is associated with the malicious attack;
- generating a threat index based on the correlated attributes associated with the one or more analyses; and
- generating the alert in response to determining that the threat index identifies that the message is associated with a malicious attack.
Dependent claims: 2 through 16.

17. A system to detect malicious messages, comprising:
- one or more processors; and
- a storage module communicatively coupled to the one or more processors, the storage module including logic to determine context information comprising one or more combinations of attributes by performing one or more analyses, the logic comprises (a) a meta analyzer to analyze meta information of the message to generate a first set of attributes and (b) one or more engines including (i) a static analysis engine or (ii) a dynamic analysis engine or (iii) an emulation engine to analyze an object attached to the message to produce a second set of attributes, correlation logic to correlate attributes associated with the second set of attributes, in accordance with one or more correlation rules so as to generate a first threat index, classification engine to determine whether the first threat index identifies that the message is malicious, and reporting engine to generate an alert in response to determining that the first threat index identifies that the message is malicious, wherein in response to the first threat index failing to identify the message is malicious, the correlation logic being further configured to correlate attributes associated with the one or more analyses, including the first set of attributes and the second set of attributes, in accordance with the one or more correlation rules so as to generate a second threat index, the classification engine to determine whether the second threat index identifies that the message is malicious, and the reporting engine to generate the alert in response to determining that the second threat index identifies that the message is malicious.
Dependent claims: 18 through 27.

28. A computerized method configured to analyze a message by a network device, comprising:
- determining context information comprising one or more combinations of attributes by performing one or more analyses, the one or more analyses comprises a first analysis of content recovered from a header of the message to generate a first set of attributes corresponding to one or more delivery protocol attributes;
- correlating attributes associated with the one or more analyses, including the first set of attributes, in accordance with one or more correlation rules;
- generating a first threat index based on the first set of attributes; and
- generating an alert in response to determining that the first threat index identifies that the message is associated with a malicious attack;
- generating another threat index based on a second set of attributes in response to determining that the first threat index fails to identify that the message is associated with a malicious attack; and
- generating an alert in response to determining that the second threat index identifies that the message is associated with a malicious attack.
Dependent claims: 29 through 36.
Specification