Dynamically remote tuning of a malware content detection system

US 9,223,972 B1
Filed: 03/31/2014
Issued: 12/29/2015
Est. Priority Date: 03/31/2014
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

a processor; and

a memory communicatively coupled to the processor, the memory comprises one or more detection modules each being software that is configurable to enable, disable or modify capabilities for that corresponding detection module, a first detection module of the one or more detection modules, when executed by the processor, conducts a first capability including an analysis of a received object to determine if the received object is associated with a malicious attack,wherein the analysis is altered upon receipt of a configuration file that is substantially lesser in size than the software forming the first detection module and includes information to alter one or more rules controlling the first capability.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, an apparatus comprises a processor and memory. Communicatively coupled to the processor, the memory comprises one or more detection modules each being software that is configurable to enable, disable or modify capabilities for that corresponding detection module. A first detection module the detection modules, when executed by the processor, conducts a first capability including an analysis of a received object to determine if the received object is associated with a malicious attack. The analysis may be altered upon receipt of a configuration file that is substantially lesser in size than the software forming the first detection module and includes information to alter one or more rules controlling the first capability.

Citations

22 Claims

1. An apparatus comprising:
- a processor; and
  
  a memory communicatively coupled to the processor, the memory comprises one or more detection modules each being software that is configurable to enable, disable or modify capabilities for that corresponding detection module, a first detection module of the one or more detection modules, when executed by the processor, conducts a first capability including an analysis of a received object to determine if the received object is associated with a malicious attack,wherein the analysis is altered upon receipt of a configuration file that is substantially lesser in size than the software forming the first detection module and includes information to alter one or more rules controlling the first capability.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The apparatus of claim 1, wherein the software associated with the one or more detection engines is fully parameterized by including parameters that control operability of the one or more rules, a first subset of the parameters is modifiable to alter the one or more rules associated with the first subset of the parameters so as to alter the analysis of the received object conducted by the first detection module.
  - 3. The apparatus of claim 2, wherein the first detection module is software that is configurable and includes a first plurality of rules for controlling one or more virtual machines and monitoring logic partially forming the first detection module, the first detection module, when executed by the processor, conducts the analysis of the received object by (i) the one or more virtual machines virtually processing the received object and (ii) the monitoring logic monitoring behaviors of the received object during virtual processing so as to detect one or more anomalous behaviors from the monitored behaviors,wherein the configuration file alters the first subset of the parameters to change the one or more rules of the first plurality of rules so as to change operability of the monitoring logic.
  - 4. The apparatus of claim 3, wherein the configuration file alters the first subset of the parameters so as to change at least one of a number or types of monitors that are active and in operations during the analysis of the received object by the first detection module.
  - 5. The apparatus of claim 3, wherein the configuration file alters the first subset of the parameters so as to change at least one of (i) a number or type of behaviors to be monitored by the monitoring logic or (ii) signature patterns associated with observed behaviors that are associated with the malicious attack to be monitored by the monitoring logic.
  - 6. The apparatus of claim 3 further comprising a classification module communicatively coupled to the first detection module, the classification module being software that, when executed by the processor, is configured to receive the results output from the first detection module that are based on the monitored behaviors for use in classifying the received object as either malware or benign.
  - 7. The apparatus of claim 2, wherein the configuration file alters the first subset of the parameters so as to change at least one of (1) a number or type of signatures for signature matching conducted during the analysis by the first detection module, (2) a number or type of characteristics to be monitored during the analysis by the first detection module, or (3) a maximum or minimum time for the analysis of the received object by the first detection module.
  - 8. The apparatus of claim 3 further comprising:
    - a second detection module being software that, when executed by the processor, is configured to detect whether the received object exhibits characteristics associated with a malicious attack and, upon detection, providing the received object to the first detection module, the second detection module being configurable by the configuration file to alter a second subset of the parameters associated with one or more rules of a second plurality of rules to change at least one of (1) a number of comparisons between content of the received object and signature patterns conducted by the second detection module to detect whether the received object exhibits characteristics associated with one or more malicious attacks, including the malicious attack, (2) types of signature patterns used for the comparisons, or (3) a number of reiterations of the comparisons conducted by the second detection module to detect whether the received object exhibits characteristics associated with the one or more malicious attacks.
  - 9. The apparatus of claim 8, wherein the second subset of the parameters are based on feedback information associated with at least one of (i) results output from the first detection module or (ii) results output from the second detection module.
  - 10. The apparatus of claim 1, wherein the configuration file alters at least one of (1) which Application Programming Interfaces (APIs) to hook during the analysis of the received object by the first detection module, or (2) a maximum or minimum time for the analysis.
  - 11. The apparatus of claim 1, wherein the configuration file alters (1) which functions calls to hook during the analysis of the received object by the first detection module, and (2) what data is to be returned to the first detection module in response to corresponding function calls during the analysis of the received object by the first detection module.
  - 12. The apparatus of claim 1, wherein the first detection module is software that is configurable and includes a second plurality of rules for controlling a comparison of content within the received object with a first set of signature patterns associated with known malware of a plurality of signature patterns preloaded into the first detection module,wherein the configuration file at least deactivates one or more of the first set of signature patterns or activates one or more of the plurality of signature patterns different than the first set of signature patterns to alter the analysis of the received object without reloading of the software associated with the first detection module.
  - 13. The apparatus of claim 1, wherein the configuration file is uploaded via a user interface communicatively coupled to the one or more detection modules.

14. An apparatus comprising:
- a processor;
  
  a memory communicatively coupled to the processor, wherein the memory comprises;
  
  a first detection engine configured to conduct an analysis of one or more objects that are part of incoming network traffic to identify an object that exhibits characteristics associated with a malicious attack and to output a first result including at least a portion of the analysis by the first detection engine;
  
  a second detection engine configured to further conduct an analysis of the object by (i) virtually processing the object in a virtual environment including one or more virtual machines, (ii) monitoring behaviors occurring during the virtual processing of the object by monitoring logic, and (iii) outputting a second result including at least a portion of the analysis by the second detection engine, the behaviors include anomalous behaviors occurring during virtual processing of the object;
  
  wherein the second detection engine is fully parameterized by including parameters that control operability of a first plurality of rules controlling operability of at least one of the one or more virtual machines or the monitoring logic, a first subset of the parameters is modifiable to alter one or more rules associated with the first plurality of rules to alter the analysis of the object conducted by the second detection engine, and wherein the analysis by the second detection engine is dynamically configurable by uploading a configuration file that is substantially lesser in size than the first detection engine and modifies the first subset of the parameters to alter the analysis in real time.
- View Dependent Claims (15, 16, 17)
- - 15. The apparatus of claim 14, wherein the first detection engine is fully parameterized by including parameters that control operability of the analysis of the one or more objects, a second subset of the parameters is modifiable to alter one or more rules associated with the second plurality of rules that alter the analysis of the one or more objects conducted by the first detection engine, andwherein the analysis by the first detection engine is dynamically configurable by uploading the configuration file that modifies the second subset of the parameters to alter the analysis of the one or more objects in real time.
  - 16. The apparatus of claim 15, wherein the configuration file alters the second subset of the parameters so as to change at least one of (1) a number or type of signatures for signature matching conducted during the analysis by the first detection engine, (2) a number or type of characteristics to be monitored during the analysis by the first detection engine, or (3) a maximum or minimum time for the analysis of the received object by the first detection engine.
  - 17. The apparatus of claim 14, wherein the configuration file alters the first subset of the parameters so as to change at least one of (1) a number or types of monitors forming the monitoring logic that are active and in operations during the analysis of the object by the second detection engine.

18. An apparatus comprising:
- a processor; and
  
  a memory communicatively coupled to the processor, the memory comprises one or more detection modules each being software that is configurable to enable, disable or modify capabilities for that corresponding detection module, a first detection module of the one or more detection modules, when executed by the processor, including a first capability to analyzing a flow to determine if an object associated with the flow is an exploit,wherein the first capability is altered upon receipt of a configuration file that is substantially lesser in size than the software forming the first detection module and includes information to alter one or more rules controlling the first capability.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The apparatus of claim 18, wherein the software associated with the one or more detection engines is fully parameterized by including parameters that control operability of the one or more rules, a first subset of the parameters is modifiable to alter the one or more rules associated with the first subset of the parameters so as to alter the first capability of the first detection module.
  - 20. The apparatus of claim 19, wherein the first detection module is software that is configurable and includes a first plurality of rules for controlling one or more virtual machines and monitoring logic partially forming the first detection module, the first detection module including the first capability of being configured to analyze the object associated with the flow by (i) the one or more virtual machines virtually processing the object and (ii) the monitoring logic monitoring behaviors of the object during virtual processing so as to detect one or more anomalous behaviors from the monitored behaviors,wherein the configuration file alters the first subset of the parameters to change the one or more rules of the first plurality of rules so as to change operability of the monitoring logic.
  - 21. The apparatus of claim 20, wherein the configuration file alters the first subset of the parameters so as to change at least one of a number or types of monitors at least partially forming the monitoring logic that are active and in operations during analysis of the object by the first detection module.
  - 22. The apparatus of claim 19, wherein the configuration file alters the first subset of the parameters so as to change at least one of (1) a number or type of signatures for signature matching conducted during analysis of the object associated with the flow by the first detection module, (2) a number or type of characteristics to be monitored during the analysis of the object associated with the flow by the first detection module, or (3) a maximum or minimum time for the analysis of the object associated with the flow by the first detection module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Vincent, Michael, Thioux, Emmanuel, Vashisht, Sai, Kindlund, Darien
Primary Examiner(s)
Shehni, Ghazal

Application Number

US14/231,216
Time in Patent Office

638 Days
Field of Search

726 22- 25
US Class Current

1/1
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

Dynamically remote tuning of a malware content detection system

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamically remote tuning of a malware content detection system

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links