ADVANCED PERSISTENT THREAT (APT) DETECTION CENTER

US 20150096024A1
Filed: 09/30/2013
Published: 04/02/2015
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. A computerized method for discovering and identifying advanced persistent threats (APT) using an APT detection center, comprising:

receiving, by an APT server, an object to be classified;

extracting features describing behavior of the received object;

storing the received object along with the extracted features in an APT database;

comparing the extracted features with features of objects in the APT database using an APT classifier; and

flagging the received object as an APT object in the APT database in response to determining that the extracted features include one or more APT related features having a prescribed level of correlation with one or more features of known APT objects in the APT database.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized method is described in which one or more received objects are analyzed by an advanced persistent threat (APT) detection center to determine if the objects are APTs. The analysis may include the extraction of features describing and characterizing features of the received objects. The extracted features may be compared with features of known APT malware objects and known non-APT malware objects to determine a classification or probability of the received objects being APT malware. Upon determination that the received objects are APT malware, warning messages may be transmitted to a user of associated client devices. Classified objects may also be used to generate analytic data for the prediction and prevention of future APT attacks.

Citations

31 Claims

1. A computerized method for discovering and identifying advanced persistent threats (APT) using an APT detection center, comprising:
- receiving, by an APT server, an object to be classified;
  
  extracting features describing behavior of the received object;
  
  storing the received object along with the extracted features in an APT database;
  
  comparing the extracted features with features of objects in the APT database using an APT classifier; and
  
  flagging the received object as an APT object in the APT database in response to determining that the extracted features include one or more APT related features having a prescribed level of correlation with one or more features of known APT objects in the APT database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The computerized method of claim 1, wherein the comparing comprises correlating extracted features of the received object with the features of known APT, known malware, or known benign objects in the APT database and based on the correlation determining whether the received object is an APT object.
  - 3. The computerized method of claim 1, wherein extracted features are similar to one or more known APT objects in the APT database when a predefined number of extracted features match features of the known APT objects in the APT database.
  - 4. The computerized method of claim 1, wherein the received object is a file suspected to contain malware code.
  - 5. The computerized method of claim 2, wherein the extracted features are extracted before and after the malware code has been activated.
  - 6. The computerized method of claim 5, further comprising:
    - extracting a dropped object generated by the received object;
      
      extracting features describing behavior and characteristics of the dropped object; and
      
      associating the dropped object and the extracted features of the dropped object with the received object in the APT database.
  - 7. The computerized method of claim 1, further comprising:
    - normalizing the extracted features of the received object such that each value in the extracted features is converted to a discrete or continuous value.
  - 8. The computerized method of claim 1, further comprising:
    - transmitting a warning to a user of a client device that the received object is an APT object in response to determining that the extracted features of the received object are similar to features of one or more of the known APT objects in the APT database, wherein the received object is received from a client device operated by the user.
  - 9. The computerized method of claim 8, wherein the received object is received through an interface displayed on the client device and the warning is presented to the user through the interface.
  - 10. The computerized method of claim 1, wherein the extracted features include data describing the behavior and characteristics of the received object that is received from a source external to the APT server and the received object.
  - 11. The computerized method of claim 1, wherein comparing the extracted features with features of the known APT objects in the APT database utilizes statistical and machine learning techniques to determine whether the extracted features of the received object are similar to one or more of the known APT objects in the APT database.
  - 12. The computerized method of claim 1, further comprising:
    - analyzing the APT database to, based on stored APT objects, perform one or more of (1) creating attacker profiles, (2) determine the severity of an APT object, (3) discovering and identifying overall APT campaigns, (4) performing attribution of APT attacks and (5) predict future APT trends and attacks.
  - 13. The computerized method of claim 12, wherein the analysis of the APT database comprises:
    - comparing extracted features of a first APT object stored in the APT database to extracted features of a second APT object stored in the APT database; and
      
      associating the first and second APT objects with an attacker profile upon determining that multiple APT objects share a predefined number of extracted features.
  - 14. The computerized method of claim 13, further comprising:
    - comparing extracted features from a third APT object with one or more of the first and second APT objects associated with the attacker profile; and
      
      attributing the third APT object to an attacker associated with the attacker profile upon determining that the third APT object shares the predefined number of extracted features with multiple APT objects.
  - 15. The computerized method of claim 12, wherein the analysis of the APT database comprises:
    - detecting a number of APT objects in a specified time period;
      
      determining whether the number of APT objects detected during the specified time period is above a campaign threshold value; and
      
      signaling, in response to determining that the number of APT objects during the specified time period is above the campaign threshold value that an APT campaign is occurring during the specified time period.
  - 16. The computerized method of claim 15, wherein the detected APT objects are associated with a single attacker.
  - 17. The computerized method of claim 12, wherein the analysis of the APT database comprises:
    - ranking the severity of a first APT object, wherein the severity of the first APT object is based on one or more of the size of a target and damage caused by the first APT object.
  - 18. The computerized method of claim 17, furthering comprising:
    - comparing extracted features of the first APT object with extracted features of a second APT object; and
      
      assigning the severity of the first object to the second object upon determining that the first APT object shares one or more features with the second APT object.
  - 19. The computerized method of claim 12, wherein the analysis of the APT database comprises:
    - determining trends for APT attacks based on stored APT objects in the APT database; and
      
      signaling a user of a possible future attack based on the determined trends.
  - 20. The computerized method of claim 19, wherein the trends are determined relative to one or more of a time period and a target type.
  - 21. The computerized method of claim 1, wherein the APT related features include data that exhibit that an associated attacker has prior knowledge about a target of the received object.

22. A non-transitory storage medium including instructions discovering and identifying new advanced persistent threats (APT), when the instructions are executed by one or more hardware processors in an APT detection center, performs a plurality of operations, comprising:
- extracting features, including APT related features, describing behavior and characteristics of received object to be classified;
  
  storing the received object along with the extracted features in an APT database;
  
  comparing, by an APT classifier, the extracted features, including the APT features, with features of known APT objects also stored in the APT database; and
  
  flagging the received object as an APT object in the APT database in response to determining that the extracted features are similar to one or more features of known APT objects in the APT database.

23. An advanced persistent threats (APT) detection center system for identifying and discovering new APTs, comprising:
- one or more hardware processors;
  
  a memory including one or more software modules that, when executed by the one or more hardware processors;
  
  extract features, including APT related features, describing behavior of a received object to be classified;
  
  store the received object along with the extracted features in an APT database;
  
  compare, by an APT classifier, the extracted features, including the APT features, with features of known APT objects also stored in the APT database; and
  
  flag the received object as an APT object in the APT database in response to determining that the extracted features are similar to one or more features of known APT objects in the APT database.

24. A computerized method for discovering and identifying new advanced persistent threats (APT) using an APT detection center, comprising:
- determining one or more features associated with an object, each of the one or more features describing a behavior of the object that is monitored during virtual processing of the object;
  
  comparing the one or more features with features of objects in an APT database using an APT classifier; and
  
  identifying the object as an APT object in the APT database in response to determining that the one or more features have a prescribed level of correlation with one or more features of the objects in the APT database.
- View Dependent Claims (26, 27, 28, 29, 30, 31)
- - 26. The computerized method of claim 24, wherein the one or more objects is a file suspected to contain malware.
  - 27. The computerized method of claim 26, wherein the determining of the one or more features associated with the object comprisesreceiving the object to be classified;
    - extracting the one or more features from the object;
      
      storing the object along with the one or more features in the APT database.
  - 28. The computerized method of claim 27, further comprising:
    - extracting a dropped object generated by the object;
      
      extracting one or more features describing behavior and characteristics of the dropped object; and
      
      associating the dropped object and the one or more extracted features of the dropped object with the object in the APT database.
  - 29. The computerized method of claim 24, further comprising:
    - normalizing the one or more features of the object so that each value in the one or more features is converted to a discrete or continuous value.
  - 30. The computerized method of claim 24, further comprising:
    - transmitting a warning message to a client device that the object is an APT object in response to determining that the one or more features of the object have the prescribed level of correlation with one or more features of known APT objects in the APT database.
  - 31. The computerized method of claim 24, further comprising:
    - analyzing the APT database, based on stored APT objects, to perform one or more of (1) creating attacker profiles, (2) collecting evidence of an APT attack, (3) determining a level of severity of an APT object, (4) discovering and identifying overall APT campaigns, (5) performing attribution of the APT attack and (6) predict future APT trends.

25. The computerized method of claim 25, wherein identifying the object as the APT object when a predefined number of the one or more features has a prescribed level of correlation with features of a known APT object in the APT database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Haq, Thoufique, Zhai, Jinjian, Pidathala, Vinay K.

Granted Patent

US 9,628,507 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/205   involving negotiation or de...

ADVANCED PERSISTENT THREAT (APT) DETECTION CENTER

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

ADVANCED PERSISTENT THREAT (APT) DETECTION CENTER

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links