COMPOSITE ANALYSIS OF EXECUTABLE CONTENT ACROSS ENTERPRISE NETWORK
First Claim
1. A method for use in analyzing executable content within at least one network of an enterprise, the method comprising:
- receiving executable content at a central analysis server over at least one network of an enterprise;
- extracting, by a processor of the central analysis server, one or more characteristics from the executable content;
- identifying, by the processor, associations among the extracted characteristics; and
- storing the extracted characteristics and identified associations in a database accessible by the central analysis server.
Abstract
Identification, characterization and attribution of executable content within and across an enterprise infrastructure (e.g., hosts, subnets, routers, etc.) to provide situational awareness for cyber security for purposes of supporting proactive defense and response. Copies of executable content collected at one or more locations within an infrastructure (e.g., hosts, network edges, etc.) may be passed to a central analysis server whereby various characteristics of the executable content may be extracted or gleaned from the copies such as author marks (e.g., directory names), tool marks (e.g., compiler settings), behaviors (e.g., function extraction), patterns (e.g., byte sequences), text, and/or the like. The characteristics may be analyzed in various manners to build profiles of actors or organizations associated with (e.g., responsible for) executable content within the enterprise infrastructure.
20 Claims
1. A method for use in analyzing executable content within at least one network of an enterprise, the method comprising:
- receiving executable content at a central analysis server over at least one network of an enterprise;
- extracting, by a processor of the central analysis server, one or more characteristics from the executable content;
- identifying, by the processor, associations among the extracted characteristics; and
- storing the extracted characteristics and identified associations in a database accessible by the central analysis server.
Dependent claims 2 through 13 depend from claim 1 and are not reproduced on this page.
14. A system for analyzing executable content within at least one network of an enterprise, comprising:
- a plurality of collection agents disposed within one or more networks of an enterprise and executable by one or more processors of one or more devices within the one or more networks, wherein each collection agent is configured to detect a presence of executable content within the enterprise; and
- a central analysis server interconnected to the plurality of collection agents via the one or more networks, the central analysis server comprising:
  - a collection engine, executable by a processor of the central analysis engine, that is configured to capture and store executable content received from the plurality of collection agents;
  - an extraction engine, executable by the processor of the central analysis engine, that is configured to extract one or more characteristics from the executable content;
  - an analysis engine, executable by the processor of the central analysis engine, that is configured to identify associations among the extracted characteristics; and
  - a first database, accessible by the processor of the central analysis engine, that is configured to store the executable content and the extracted characteristics.
Dependent claims 15 through 20 depend from claim 14 and are not reproduced on this page.
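The abstract and claims 1 and 14 describe the same pipeline: collect copies of executable content, extract characteristics (author marks such as build-path directory names, tool marks such as compiler banners, byte-sequence patterns, text), identify associations among them, store everything in a database, and roll the associations up into actor profiles. The Python below is an added illustration of that pipeline and is not code from the patent or from any product it covers. It runs over three constructed byte blobs rather than real binaries; the file names, paths, compiler banners and URLs are invented, the regular expressions are stand-ins for a real PE/ELF parser, and treating the first 16 bytes of each blob as the "code section" is an assumption made so the n-gram step has something to hash.

```python
import hashlib
import re
import sqlite3
from collections import defaultdict

# Constructed stand-ins for collected executable content (not real binaries): a
# header, a few "code" bytes, then the artefact types the abstract lists. All
# names, paths, banners and URLs here are invented for this example.
SAMPLES = {
    "loader_a.exe": b"MZ\x90\x00\x03\x00\x00\x00\xe8\x00\x00\x00\x00\x5b\x81\xc3\x10\x00"
    b"C:\\Users\\jdoe\\src\\stage1\\Release\\loader.pdb\x00"
    b"Microsoft (R) Optimizing Compiler Version 19.29.30133\x00http://update.example.test/cfg\x00",
    "dropper_b.exe": b"MZ\x90\x00\x03\x00\x00\x00\xe8\x00\x00\x00\x00\x5b\x81\xc3\x10\x00"
    b"C:\\Users\\jdoe\\src\\stage2\\Release\\dropper.pdb\x00"
    b"Microsoft (R) Optimizing Compiler Version 19.29.30133\x00mutex_7f3a\x00",
    "tool_c.elf": b"\x7fELF\x02\x01\x01\x00\x55\x48\x89\xe5\x48\x83\xec\x10\x00"
    b"GCC: (GNU) 9.3.0\x00/home/build/proj/agent/src/main.c\x00http://other.example.test/beacon\x00",
}

GENERIC_DIRS = {"Users", "home", "root", "src", "obj", "Release", "Debug"}
PDB_PATH = re.compile(rb"[A-Za-z]:\\[^\x00]*?\.pdb")
POSIX_PATH = re.compile(rb"/(?:home|root|Users)/[^\x00 ]+")
COMPILER_BANNER = re.compile(rb"GCC: \([^)]*\) [\d.]+|Microsoft \(R\) Optimizing Compiler Version [\d.]+")
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
CODE_REGION_LEN, NGRAM = 16, 8  # assumption: first 16 bytes stand in for the code section

def extract_characteristics(blob: bytes) -> dict:
    """Pull author marks, tool marks, byte patterns and text out of one sample."""
    chars = defaultdict(set)
    for m in PDB_PATH.finditer(blob):  # author marks: directories of the build path
        dirs = m.group().decode().split("\\")[1:-1]  # drop drive letter and file name
        chars["author_mark"].update(d for d in dirs if d not in GENERIC_DIRS)
    for m in POSIX_PATH.finditer(blob):
        dirs = m.group().decode().split("/")[1:-1]
        chars["author_mark"].update(d for d in dirs if d not in GENERIC_DIRS)
    for m in COMPILER_BANNER.finditer(blob):  # tool marks: compiler/linker banners
        chars["tool_mark"].add(m.group().decode())
    for m in PRINTABLE.finditer(blob):  # text: printable runs, like `strings`
        chars["text"].add(m.group().decode())
    code = blob[:CODE_REGION_LEN]  # patterns: hashed byte n-grams of the code region
    for i in range(len(code) - NGRAM + 1):
        chars["pattern"].add(hashlib.sha256(code[i:i + NGRAM]).hexdigest()[:16])
    return dict(chars)

SCHEMA = """
CREATE TABLE sample (id INTEGER PRIMARY KEY, name TEXT, sha256 TEXT UNIQUE);
CREATE TABLE characteristic (id INTEGER PRIMARY KEY, kind TEXT, value TEXT, UNIQUE (kind, value));
CREATE TABLE sample_characteristic (sample_id INTEGER, characteristic_id INTEGER,
                                    PRIMARY KEY (sample_id, characteristic_id));
"""

def ingest(db, name, blob):
    """Store one sample and link it to every characteristic extracted from it."""
    sid = db.execute("INSERT INTO sample (name, sha256) VALUES (?, ?)",
                     (name, hashlib.sha256(blob).hexdigest())).lastrowid
    for kind, values in extract_characteristics(blob).items():
        for value in values:
            db.execute("INSERT OR IGNORE INTO characteristic (kind, value) VALUES (?, ?)", (kind, value))
            cid = db.execute("SELECT id FROM characteristic WHERE kind = ? AND value = ?",
                             (kind, value)).fetchone()[0]
            db.execute("INSERT INTO sample_characteristic VALUES (?, ?)", (sid, cid))
    return sid

def shared_characteristics(db, kinds=("author_mark", "tool_mark", "pattern")):
    """Associations: characteristics of the given kinds seen in two or more samples."""
    placeholders = ",".join("?" * len(kinds))
    rows = db.execute(f"""
        SELECT c.kind, c.value, GROUP_CONCAT(s.name, ',')
        FROM characteristic c
        JOIN sample_characteristic sc ON sc.characteristic_id = c.id
        JOIN sample s ON s.id = sc.sample_id
        WHERE c.kind IN ({placeholders})
        GROUP BY c.id HAVING COUNT(*) > 1
        ORDER BY c.kind, c.value""", kinds).fetchall()
    return [(kind, value, sorted(names.split(","))) for kind, value, names in rows]

def build_profiles(db):
    """Merge samples that share an author mark or tool mark into one actor profile."""
    groups = [{name} for (name,) in db.execute("SELECT name FROM sample ORDER BY id")]
    for _, _, members in shared_characteristics(db, ("author_mark", "tool_mark")):
        linked = [g for g in groups if g & set(members)]
        groups = [g for g in groups if g not in linked] + [set(members).union(*linked)]
    return sorted(sorted(g) for g in groups)

def analyze(samples=SAMPLES):
    """Run the collect -> extract -> associate -> store pipeline on an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for name, blob in samples.items():
        ingest(db, name, blob)
    return shared_characteristics(db), build_profiles(db)

if __name__ == "__main__":
    shared, profiles = analyze()
    for kind, value, members in shared:
        print(f"{kind:12} {value[:40]:40} shared by {', '.join(members)}")
    print("actor profiles:", profiles)
```

Two points a practitioner would check before trusting output like this. First, byte patterns are kept out of profile building on purpose: the hashed n-grams here include the file header, so every PE in the enterprise would share them, and a real extractor must parse section headers and suppress n-grams that occur across unrelated samples before a pattern match is allowed to link actors. Second, the author-mark filter (`GENERIC_DIRS`) is what stops "Users" or "Release" from tying every Windows build on the network together; the interesting association above is the user directory `jdoe` and the identical compiler banner, which is the kind of evidence the abstract has in mind when it speaks of profiling the actor responsible for the content.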
Specification