Composite analysis of executable content across enterprise network
First Claim
1. A method for use in analyzing executable content within at least one network of an enterprise, the method comprising:
receiving multiple instances of executable content at a central analysis server over at least one network of an enterprise via at least one of a plurality of collection agents disposed within the at least one network, the at least one of the plurality of collection agents remote from and in operative communication with the central analysis server;
extracting, by a hardware processor of the central analysis server, one or more characteristics from each instance of the received executable content;
identifying, by the hardware processor, associations among the extracted characteristics;
determining, based on the associations among the extracted characteristics, that a first portion of executable content is associated with a non-trusted entity;
obtaining a hash value of the first portion of executable content and storing the hash value and the associated extracted characteristics to create a non-trusted entity profile;
storing the extracted characteristics, identified associations, and hash value in a database of the central analysis server, the database accessible by the plurality of collection agents such that each of the plurality of collection agents is operable to identify at least another portion of executable content associated with the non-trusted entity based on the hash value that has been recognized and presented in the database; and
receiving, by the central analysis server, an indication of notice from one of the plurality of collection agents indicative of a detection of the at least another portion of executable content associated with the non-trusted entity at the one of the plurality of collection agents, the indication comprising the hash value, location information but not a copy of the at least another portion of executable content to limit use of enterprise infrastructure resources and so as to update the non-trusted entity profile.
1 Assignment
0 Petitions
Abstract
Identification, characterization and attribution of executable content within and across an enterprise infrastructure (e.g., hosts, subnets, routers, etc.) to provide situational awareness for cyber security for purposes of supporting proactive defense and response. Copies of executable content collected at one or more locations within an infrastructure (e.g., hosts, network edges, etc.) may be passed to a central analysis server whereby various characteristics of the executable content may be extracted or gleaned from the copies such as author marks (e.g., directory names), tool marks (e.g., compiler settings), behaviors (e.g., function extraction), patterns (e.g., byte sequences), text, and/or the like. The characteristics may be analyzed in various manners to build profiles of actors or organizations associated with (e.g., responsible for) executable content within the enterprise infrastructure.
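As an added illustration of the flow in claim 1 and the abstract (example code written for this page, not code from the patent or any assignee product): a central server ingests copies of content collected by agents, extracts author marks, tool marks and byte patterns, attributes content to a non-trusted entity through a shared characteristic, and agents then report matching hashes with location only, never a copy. The sample content, the byte patterns, and the attribution rule (any content sharing a chosen characteristic value joins the profile) are assumptions for the example.

```python
import hashlib
import re

# Constructed sample executable content (not real binaries): each carries an
# author mark (build directory) and a tool mark (compiler string); A and B share one.
SAMPLE_A = b"MZ\x90\x00C:\\Users\\dev7\\proj\\build\\GCC: (GNU) 9.3.0\xde\xad\xbe\xef"
SAMPLE_B = b"MZ\x90\x00C:\\Users\\dev7\\proj2\\rel\\GCC: (GNU) 9.3.0\xca\xfe\xba\xbe"
SAMPLE_C = b"MZ\x90\x00C:\\Users\\alice\\src\\MSVC 19.29\x00\x01\x02\x03"
PATTERNS = {b"\xde\xad\xbe\xef", b"\xca\xfe\xba\xbe"}   # constructed byte patterns

def extract_characteristics(blob):
    """Author marks, tool marks and known byte patterns found in the content."""
    text = blob.decode("latin-1")
    return {"author": set(re.findall(r"C:\\Users\\([^\\]+)\\", text)),
            "tool": set(re.findall(r"GCC: \([^)]*\) [\d.]+|MSVC [\d.]+", text)),
            "pattern": {p.hex() for p in PATTERNS if p in blob}}

class CentralAnalysisServer:
    def __init__(self):
        self.db = {}        # hash -> characteristics; readable by every agent
        self.profiles = {}  # entity -> {"hashes": set, "sightings": list}

    def ingest(self, blob):            # copies collected by agents land here
        self.db[hashlib.sha256(blob).hexdigest()] = extract_characteristics(blob)

    def build_profile(self, entity, kind, value):
        """Assumed attribution rule (not from the patent): every hash whose
        `kind` characteristics contain `value` is associated with `entity`."""
        hashes = {h for h, c in self.db.items() if value in c[kind]}
        self.profiles[entity] = {"hashes": hashes, "sightings": []}
        return hashes

    def receive_notice(self, notice):
        """A notice carries hash and location only, never a copy of the content."""
        if "content" in notice:
            raise ValueError("notice must not carry a copy of the content")
        for prof in self.profiles.values():
            if notice["hash"] in prof["hashes"]:
                prof["sightings"].append((notice["agent"], notice["location"]))
                return True
        return False

def agent_scan(agent_id, local_files, server):
    """Collection agent: hash local content, match it against the profile
    hashes in the shared database, and report matches by hash and path only."""
    known = set().union(*(p["hashes"] for p in server.profiles.values()))
    hashes = {path: hashlib.sha256(blob).hexdigest() for path, blob in local_files.items()}
    return [{"agent": agent_id, "hash": h, "location": path}
            for path, h in hashes.items() if h in known]
```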
29 Citations
21 Claims
1. A method for use in analyzing executable content within at least one network of an enterprise, the method comprising:
receiving multiple instances of executable content at a central analysis server over at least one network of an enterprise via at least one of a plurality of collection agents disposed within the at least one network, the at least one of the plurality of collection agents remote from and in operative communication with the central analysis server;
extracting, by a hardware processor of the central analysis server, one or more characteristics from each instance of the received executable content;
identifying, by the hardware processor, associations among the extracted characteristics;
determining, based on the associations among the extracted characteristics, that a first portion of executable content is associated with a non-trusted entity;
obtaining a hash value of the first portion of executable content and storing the hash value and the associated extracted characteristics to create a non-trusted entity profile;
storing the extracted characteristics, identified associations, and hash value in a database of the central analysis server, the database accessible by the plurality of collection agents such that each of the plurality of collection agents is operable to identify at least another portion of executable content associated with the non-trusted entity based on the hash value that has been recognized and presented in the database; and
receiving, by the central analysis server, an indication of notice from one of the plurality of collection agents indicative of a detection of the at least another portion of executable content associated with the non-trusted entity at the one of the plurality of collection agents, the indication comprising the hash value, location information but not a copy of the at least another portion of executable content to limit use of enterprise infrastructure resources and so as to update the non-trusted entity profile.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. A system for analyzing executable content within at least one network of an enterprise, comprising:
a plurality of collection agents disposed within one or more networks of an enterprise and executable by one or more hardware processors of one or more devices within the one or more networks, wherein each collection agent is configured to detect a presence of multiple instances of executable content within the enterprise; and
a central analysis server remotely disposed from and in operative communication with the plurality of collection agents via the one or more networks, the central analysis server comprising:
a collection engine, executable by a hardware processor of the central analysis server, that is configured to capture and store the multiple instances of executable content received from the plurality of collection agents;
an extraction engine, executable by the hardware processor of the central analysis server, that is configured to extract one or more characteristics from each instance of the executable content;
an analysis engine, executable by the hardware processor of the central analysis server, that is configured to: identify associations among the extracted characteristics; determine, based on the associations among the extracted characteristics, that a first portion of executable content is associated with a non-trusted entity; obtain a hash value for the first portion of executable content; and store the hash value and the associated extracted characteristics to create a non-trusted entity profile; and
a first database that is configured to store the extracted characteristics, identified associations, and hash value, the first database being accessible by the hardware processor of the central analysis server and the plurality of collection agents such that each of the plurality of collection agents is operable to identify at least another portion of executable content associated with the non-trusted entity based on the hash value that has been recognized and presented in the database,
wherein each of the plurality of collection agents is operable to transmit to the central analysis server an indication of notice indicative of a detection of the non-trusted entity at the corresponding collection agent, the indication comprising the hash value, location information but not a copy of the at least another portion of executable content to limit use of enterprise infrastructure resources and so as to update the non-trusted entity profile.
Dependent claims: 14, 15, 16, 17, 18
19. A system for analyzing executable content within at least one network of an enterprise, comprising:
a plurality of collection agents disposed within one or more networks of an enterprise and executable by one or more hardware processors of one or more devices within the one or more networks, wherein each collection agent is configured to detect a presence of multiple instances of executable content within the enterprise; and
a central analysis server interconnected to the plurality of collection agents via the one or more networks, the central analysis server comprising:
a collection engine, executable by a hardware processor of the central analysis server, that is configured to capture and store the multiple instances of executable content received from the plurality of collection agents;
an extraction engine, executable by the hardware processor of the central analysis server, that is configured to extract one or more characteristics from each instance of the executable content, wherein the extracted characteristics include at least one of an author mark, a tool mark, a behavior, a pattern, and a text sequence;
an analysis engine, executable by the hardware processor of the central analysis server, that is configured to: identify associations among the extracted characteristics to determine that a first portion of executable content is associated with a non-trusted entity; obtain a hash value for the first portion of executable content; and store the hash value and the associated extracted characteristics to create a non-trusted entity profile; and
a first database that is configured to store the extracted characteristics, identified associations, and hash value, the first database being accessible by the hardware processor of the central analysis server and the plurality of collection agents such that each of the plurality of collection agents is operable to identify at least another portion of executable content associated with the non-trusted entity based on the hash value that has been recognized and presented in the database,
wherein each of the plurality of collection agents is operable to transmit to the central analysis server an indication of notice indicative of a detection of the non-trusted entity at the corresponding collection agent, the indication comprising the hash value, location information but not a copy of the at least another portion of executable content to limit use of enterprise infrastructure resources and so as to update the non-trusted entity profile, and
wherein the analysis engine is configured to identify associations among the extracted characteristics to identify a second portion of executable content being associated with the non-trusted entity, wherein the non-trusted entity profile is updateable in relation to the second portion of executable content, and wherein each of the plurality of collection agents is operable to identify at least another portion of executable content associated with the non-trusted entity at least partially based on the non-trusted entity profile.
Dependent claims: 20, 21
Specification