Systems, methods, and media protecting a digital data processing device from attack

US 9,143,518 B2
Filed: 02/22/2013
Issued: 09/22/2015
Est. Priority Date: 08/18/2005
Status: Active Grant

First Claim

Patent Images

1. A method for protecting a digital data processing device from attack, the method comprising:

within a virtual environment in at least one hardware processor;

receiving at least one attachment to a first electronic mail;

executing the at least one attachment to the first electronic mail;

determining whether anomalous behavior occurs; and

generating feedback based on the execution of the at least one attachment to the first electronic mail when anomalous behavior is determined to have occurred;

receiving at least one attachment to a second electronic mail; and

based on the feedback and the at least one attachment to the second electronic mail, performing filtering on the second electronic mail.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with some embodiments of the disclosed subject matter, systems, methods, and media for protecting a digital data processing device from attack are provided. For example, in some embodiments, a method for protecting a digital data processing device from attack is provided, that includes, within virtual environment: receiving at least one attachment to an electronic mail; and executing the at least one attachment; and based on the execution of the at least one attachment, determining whether anomalous behavior occurs.

Citations

57 Claims

1. A method for protecting a digital data processing device from attack, the method comprising:
- within a virtual environment in at least one hardware processor;
  
  receiving at least one attachment to a first electronic mail;
  
  executing the at least one attachment to the first electronic mail;
  
  determining whether anomalous behavior occurs; and
  
  generating feedback based on the execution of the at least one attachment to the first electronic mail when anomalous behavior is determined to have occurred;
  
  receiving at least one attachment to a second electronic mail; and
  
  based on the feedback and the at least one attachment to the second electronic mail, performing filtering on the second electronic mail.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the determining whether anomalous behavior occurs comprises using a model constructed from at least normal data of one or more digital data processing devices.
  - 3. The method of claim 1, wherein the determining whether anomalous behavior occurs comprises classifying behavior of the execution of the at least one attachment to the first electronic mail using a model built from at least normal data.
  - 4. The method of claim 1, wherein the determining whether anomalous behavior occurs comprises classifying behavior of the execution of the at least one attachment to the first electronic mail using a model built from registry data.
  - 5. The method of claim 4, wherein the registry data includes at least one of:
    - a name of a process that accessed a registry, a type of query sent to the registry, a registry key in the registry that was accessed, a response from the registry, and a value of the registry key that was accessed.
  - 6. The method of claim 1, further comprising identifying an attempt, during execution of the attachment, to detect that the attachment is being executed by the virtual environment and inhibiting the attachment from detecting that the attachment is being executed by the virtual environment.
  - 7. The method of claim 1, further comprising determining that the at least one attachment to the second electronic mail is identical to the at least one attachment to the first electronic mail, wherein the filtering on the second electronic mail is performed in response to the determination that the at least one attachment to the second electronic mail is identical to the at least one attachment to the first electronic mail.
  - 8. The method of claim 1, wherein the determining whether anomalous behavior occurs comprises using a model constructed from training data collected during use of one or more digital data processing devices.
  - 9. The method of claim 1, wherein the determining whether anomalous behavior occurs comprises using a model constructed from training data collected during normal use of one or more digital data processing devices.
  - 10. The method of claim 9, wherein the training data is normal data.
  - 11. The method of claim 10, wherein the normal data is clean data.
  - 12. The method of claim 1, wherein the determining whether anomalous behavior occurs comprises classifying behavior of the execution of the at least one attachment using an already-trained model for a host-based intrusion detection system.
  - 13. The method of claim 1, wherein the determining whether anomalous behavior occurs comprises classifying behavior of the execution of the at least one attachment using an already-trained model constructed from registry data.
  - 14. The method of claim 13, wherein the registry data includes at least one of:
    - a name of a process that accessed a registry, a type of query sent to the registry, a registry key in the registry that was accessed, a response from the registry, and a value of the registry key that was accessed.
  - 15. The method of claim 1, wherein the feedback is sent to a learning component.
  - 16. The method of claim 1, wherein filtering on the second electronic mail is performed based directly on the feedback.
  - 17. The method of claim 1, wherein filtering on the second electronic mail is performed using the feedback to determine whether to perform filtering.

18. A system for protecting a digital data processing device from attack, the system comprising:
- at least one hardware processor that;
  
  provides a virtual environment that;
  
  receives at least one attachment to a first electronic mail;
  
  executes the at least one attachment to the first electronic mail;
  
  determines whether anomalous behavior occurs; and
  
  generates feedback based on the execution of the at least one attachment to the first electronic mail when anomalous behavior is determined to have occurred;
  
  receives at least one attachment to a second electronic mail;
  
  based on the feedback and the at least one attachment to the second electronic mail, performs filtering on the second electronic mail.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 19. The system of claim 18, wherein the determining whether anomalous behavior occurs comprises using a model constructed from at least normal data of one or more digital processing devices.
  - 20. The system of claim 18, wherein the determining whether anomalous behavior occurs comprises classifying behavior of the execution of the at least one attachment to the first electronic mail using a model built from at least normal data.
  - 21. The system of claim 18, wherein the determining whether anomalous behavior occurs comprises classifying behavior of the execution of the at least one attachment to the first electronic mail using a model built from registry data.
  - 22. The system of claim 21, wherein the registry data includes at least one of:
    - a name of a process that accessed a registry, a type of query sent to the registry, a registry key in the registry that was accessed, a response from the registry, and a value of the registry key that was accessed.
  - 23. The system of claim 18, wherein the at least one hardware processor also identifies an attempt, during execution of the attachment, to detect that the attachment is being executed by the virtual environment and inhibits the attachment from detecting that the attachment is being executed by the virtual environment.
  - 24. The system of claim 18, wherein the at least one hardware processor also determines that the at least one attachment to the second electronic mail is identical to the at least one attachment to the first electronic mail, and wherein the filtering on the second electronic mail is performed in response to the determination that the at least one attachment to the second electronic mail is identical to the at least one attachment to the first electronic mail.
  - 25. The system of claim 18, wherein the determining whether anomalous behavior occurs comprises using a model constructed from training data collected during use of one or more digital data processing devices.
  - 26. The system of claim 18, wherein the determining whether anomalous behavior occurs comprises using a model constructed from training data collected during normal use of one or more digital data processing device.
  - 27. The system of claim 26, wherein the training data is normal data.
  - 28. The system of claim 27, wherein the normal data is clean data.
  - 29. The system of claim 18, wherein the determining whether anomalous behavior occurs comprises classifying behavior of the execution of the at least one attachment using an already-trained model for a host-based intrusion detection system.
  - 30. The system of claim 29, wherein the determining whether anomalous behavior occurs comprises classifying behavior of the execution of the at least one attachment using an already-trained model constructed from registry data.
  - 31. The system of claim 30, wherein the registry data includes at least one of:
    - a name of a process that accessed a registry, a type of query sent to the registry, a registry key in the registry that was accessed, a response from the registry, and a value of the registry key that was accessed.
  - 32. The system of claim 31, wherein the feedback is sent to a learning component.
  - 33. The system of claim 18, wherein filtering on the second electronic mail is performed based directly on the feedback.
  - 34. The system of claim 18, wherein filtering on the second electronic mail is performed using the feedback to determine whether to perform filtering.

35. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a computer, cause the computer to perform a method for protecting a digital data processing device from attack, the method comprising:
- within a virtual environment;
  
  receiving at least one attachment to a first electronic mail;
  
  executing the at least one attachment to the first electronic mail;
  
  determining whether anomalous behavior occurs; and
  
  generating feedback based on the execution of the at least one attachment to the first electronic mail when anomalous behavior is determined to have occurred; and
  
  receiving at least one attachment to a second electronic mail;
  
  andbased on the feedback and the at least one attachment to the second electronic mail, performing filtering on the second electronic mail.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 36. The non-transitory computer-readable medium of claim 35, wherein the determining whether anomalous behavior occurs comprises using a model constructed from normal data of one or more digital data processing devices.
  - 37. The non-transitory computer-readable medium of claim 35, wherein the determining whether anomalous behavior occurs comprises classifying behavior of the execution of the at least one attachment to the first electronic mail using a model built from at least normal data.
  - 38. The non-transitory computer-readable medium of claim 35, wherein the determining whether anomalous behavior occurs comprises classifying behavior of the execution of the at least one attachment to the first electronic mail using a model built from registry data.
  - 39. The non-transitory computer-readable medium of claim 38, wherein the registry data includes at least one of:
    - a name of a process that accessed a registry, a type of query sent to the registry, a registry key in the registry that was accessed, a response from the registry, and a value of the registry key that was accessed.
  - 40. The non-transitory computer-readable medium of claim 35, wherein the method further comprises identifying an attempt, during execution of the attachment, to detect that the attachment is being executed by the virtual environment and inhibiting the attachment from detecting that the attachment is being executed by the virtual environment.
  - 41. The non-transitory computer-readable medium of claim 35, wherein the method further comprises determining that the at least one attachment to the second electronic mail is identical to the at least one attachment to the first electronic mail, wherein the filtering on the second electronic mail is performed in response to the determination that the at least one attachment to the second electronic mail is identical to the at least one attachment to the first electronic mail.
  - 42. The non-transitory computer-readable medium of claim 35, wherein the determining whether anomalous behavior occurs comprises using a model constructed from training data collected during use of one or more digital data processing devices.
  - 43. The non-transitory computer-readable medium of claim 35, wherein the determining whether anomalous behavior occurs comprises using a model constructed from training data collected during normal use of one or more digital data processing devices.
  - 44. The non-transitory computer-readable medium of claim 43, wherein the training data is normal data.
  - 45. The non-transitory computer-readable medium of claim 44, wherein the normal data is clean data.
  - 46. The non-transitory computer-readable medium of claim 35, wherein the determining whether anomalous behavior occurs comprises classifying behavior of the execution of the at least one attachment using an already-trained model for a host-based intrusion detection system.
  - 47. The non-transitory computer-readable medium of claim 35, wherein the determining whether anomalous behavior occurs comprises classifying behavior of the execution of the at least one attachment using an already-trained model constructed from registry data.
  - 48. The non-transitory computer-readable medium of claim 47, wherein the registry data includes at least one of:
    - a name of a process that accessed a registry, a type of query sent to the registry, a registry key in the registry that was accessed, a response from the registry, and a value of the registry key that was accessed.
  - 49. The non-transitory computer-readable medium of claim 35, wherein the feedback is sent to a learning component.
  - 50. The non-transitory computer-readable medium of claim 35, wherein filtering on the second electronic mail is performed based directly on the feedback.
  - 51. The non-transitory computer-readable medium of claim 35, wherein filtering on the second electronic mail is performed using the feedback to determine whether to perform filtering.

52. A method for protecting a digital data processing device from attack, the method comprising:
- within a virtual environment in at least one hardware processor;
  
  receiving a first electronic mail including at least one hyperlink;
  
  executing the at least one hyperlink;
  
  determining whether anomalous behavior occurs by classifying behavior of the execution of the at least one hyperlink using a model built from at least normal data; and
  
  generating feedback based on the execution of the at least one hyperlink when anomalous behavior is determined to have occurred;
  
  receiving a second electronic mail including a second hyperlink;
  
  andbased on the feedback, performing filtering on the second electronic mail.

53. A system for protecting a digital data processing device from attack, the system comprising:
- at least one hardware processor that;
  
  provides a virtual environment;
  
  receives a first electronic mail including at least one hyperlink;
  
  executes the at least one hyperlink;
  
  determines whether anomalous behavior occurs by classifying behavior of the execution of the at least one hyperlink using a model built from at least normal data; and
  
  generates feedback based on the execution of the at least one hyperlink when anomalous behavior is determined to have occurred;
  
  receives a second electronic mail including a second hyperlink;
  
  andbased on the feedback, performs filtering on the second electronic mail.

54. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a computer, cause the computer to perform a method for protecting a digital data processing device from attack, the method comprising:
- within a virtual environment;
  
  receiving a first electronic mail including at least one hyperlink;
  
  executing the at least one hyperlink;
  
  determining whether anomalous behavior occurs by classifying behavior of the execution of the at least one hyperlink using a model built from at least normal data; and
  
  generating feedback based on the execution of the at least one hyperlink when anomalous behavior is determined to have occurred;
  
  receiving a second electronic mail including a second hyperlink;
  
  andbased on the feedback, performing filtering on the second electronic mail.

55. A method for protecting a digital data processing device from attack, the method comprising:
- within a virtual environment in at least one hardware processor;
  
  receiving a first electronic mail with a first payload;
  
  executing the first payload;
  
  determining whether anomalous behavior occurs; and
  
  generating feedback based on the execution of the first payload when anomalous behavior is determined to have occurred;
  
  receiving a second electronic mail with a second payload;
  
  determining that the second payload is identical to the first payload; and
  
  based on the feedback and in response to the determination that the second payload is identical to the first payload, filtering the second electronic mail.

56. A system for protecting a digital data processing device from attack, the system comprising:
- at least one hardware processor that;
  
  provides a virtual environment;
  
  receives a first electronic mail with a first payload;
  
  executes the first payload;
  
  determines whether anomalous behavior occurs; and
  
  generates feedback based on the execution of the first payload when anomalous behavior is determined to have occurred; and
  
  receives a second electronic mail with a second payload;
  
  determines that the second payload is identical to the first payload; and
  
  based on the feedback and in response to the determination that the second payload is identical to the first payload, filters the second electronic mail.

57. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a computer, cause the computer to perform a method for protecting a digital data processing device from attack, the method comprising:
- within a virtual environment;
  
  receiving a first electronic mail with a first payload;
  
  executing the first payload;
  
  determining whether anomalous behavior occurs; and
  
  generating feedback based on the execution of the first payload when anomalous behavior is determined to have occurred; and
  
  receiving a second electronic mail with a second payload;
  
  determining that the second payload is identical to the first payload; and
  
  based on the feedback and in response to the determination that the second payload is identical to the first payload, filtering the second electronic mail.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Original Assignee
Trustees Of Columbia University In The City Of New York (Columbia University)
Inventors
Sidiroglou, Stylianos, Keromytis, Angelos D., Stolfo, Salvatore J.
Primary Examiner(s)
Song, Hosuk

Application Number

US13/774,825
Publication Number

US 20130167233A1
Time in Patent Office

942 Days
Field of Search

726/1, 726 11- 15, 726 22- 24, 713/176, 713187-188
US Class Current

1/1
CPC Class Codes

H04L 51/08   Annexed information, e.g. a...

H04L 51/212   using filtering or selectiv...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1466   Active attacks involving in...

Systems, methods, and media protecting a digital data processing device from attack

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

57 Claims

Specification

Solutions

Use Cases

Quick Links

Systems, methods, and media protecting a digital data processing device from attack

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

57 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links