Composite analysis of executable content across enterprise network

US 9,300,682 B2
Filed: 08/09/2013
Issued: 03/29/2016
Est. Priority Date: 08/09/2013
Status: Active Grant

First Claim

Patent Images

1. A method for use in analyzing executable content within at least one network of an enterprise, the method comprising:

receiving multiple instances of executable content at a central analysis server over at least one network of an enterprise via at least one of a plurality of collection agents disposed within the at least one network, the at least one of the plurality of collection agents remote from and in operative communication with the central analysis server;

extracting, by a hardware processor of the central analysis server, one or more characteristics from each instance of the received executable content;

identifying, by the hardware processor, associations among the extracted characteristics;

determining, based on the associations among the extracted characteristics, that a first portion of executable content is associated with a non-trusted entity;

obtaining a hash value of the first portion of executable content and storing the hash value and the associated extracted characteristics to create a non-trusted entity profile;

storing the extracted characteristics, identified associations, and hash value in a database of the central analysis server, the database accessible by the plurality of collection agents such that each of the plurality of collection agents is operable to identify at least another portion of executable content associated with the non-trusted entity based on the hash value that has been recognized and presented in the database; and

receiving, by the central analysis server, an indication of notice from one of the plurality of collection agents indicative of a detection of the at least another portion of executable content associated with the non-trusted entity at the one of the plurality of collection agents, the indication comprising the hash value, location information but not a copy of the at least another portion of executable content to limit use of enterprise infrastructure resources and so as to update the non-trusted entity profile.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Identification, characterization and attribution of executable content within and across an enterprise infrastructure (e.g., hosts, subnets, routers, etc.) to provide situational awareness for cyber security for purposes of supporting proactive defense and response. Copies of executable content collected at one or more locations within an infrastructure (e.g., hosts, network edges, etc.) may be passed to a central analysis server whereby various characteristics of the executable content may be extracted or gleaned from the copies such as author marks (e.g., directory names), tool marks (e.g., compiler settings), behaviors (e.g., function extraction), patterns (e.g., byte sequences), text, and/or the like. The characteristics may be analyzed in various manners to build profiles of actors or organizations associated with (e.g., responsible for) executable content within the enterprise infrastructure.

29 Citations

View as Search Results

21 Claims

1. A method for use in analyzing executable content within at least one network of an enterprise, the method comprising:
- receiving multiple instances of executable content at a central analysis server over at least one network of an enterprise via at least one of a plurality of collection agents disposed within the at least one network, the at least one of the plurality of collection agents remote from and in operative communication with the central analysis server;
  
  extracting, by a hardware processor of the central analysis server, one or more characteristics from each instance of the received executable content;
  
  identifying, by the hardware processor, associations among the extracted characteristics;
  
  determining, based on the associations among the extracted characteristics, that a first portion of executable content is associated with a non-trusted entity;
  
  obtaining a hash value of the first portion of executable content and storing the hash value and the associated extracted characteristics to create a non-trusted entity profile;
  
  storing the extracted characteristics, identified associations, and hash value in a database of the central analysis server, the database accessible by the plurality of collection agents such that each of the plurality of collection agents is operable to identify at least another portion of executable content associated with the non-trusted entity based on the hash value that has been recognized and presented in the database; and
  
  receiving, by the central analysis server, an indication of notice from one of the plurality of collection agents indicative of a detection of the at least another portion of executable content associated with the non-trusted entity at the one of the plurality of collection agents, the indication comprising the hash value, location information but not a copy of the at least another portion of executable content to limit use of enterprise infrastructure resources and so as to update the non-trusted entity profile.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the identifying comprises detecting at least one common extracted characteristic shared by the first portion and a second portion of the received executable content.
  - 3. The method of claim 1, wherein the extracted characteristics are selected from the group consisting of:
    - an author mark, a tool mark, a behavior, a pattern, and a text sequence.
  - 4. The method of claim 1, further comprising:
    - updating the non-trusted entity profile based on at least one of the identified associations, wherein the non-trusted entity profile identifies at least one entity associated with the executable content linked to the at least one association, the at least one entity including the non-trusted entity.
  - 5. The method of claim 4, further comprising:
    - monitoring executable content associated with the non-trusted entity profile within the enterprise by detecting at least one common characteristic between extracted characteristics of the first portion of received executable content and the non-trusted entity profile.
  - 6. The method of claim 5, further comprising:
    - attributing the first piece of executable content to the non-trusted entity profile.
  - 7. The method of claim 1, further comprising:
    - tracking the hash value associated with the first portion of executable content as it is detected by the one of the plurality of collection agents by recording a location of the one of the plurality of collection agents that detected the hash value within the enterprise and storing the location of the one of the plurality of collection agents that detected the hash value in the database of the central analysis server.
  - 8. The method of claim 1, further comprising before the receiving:
    - detecting executable content within the at least one network of an enterprise with the at least one of a plurality of collection agents disposed within the at least one network of the enterprise;
      
      copying the executable content; and
      
      distributing the executable content copies to the central analysis server.
  - 9. The method of claim 8, further comprising:
    - tagging, by the collection agent, the executable content copies with location information that identifies a location of the collection agent within the enterprise.
  - 10. The method of claim 8, wherein the hash value uniquely identifies the first portion of executable content.
  - 11. The method of claim 8, wherein the collection agent resides at a network host.
  - 12. The method of claim 8, wherein the collection agent resides at a strategic point in the enterprise infrastructure, the strategic point being selected from the group consisting of:
    - a network edge, a major subnet division, and a router.

13. A system for analyzing executable content within at least one network of an enterprise, comprising:
- a plurality of collection agents disposed within one or more networks of an enterprise and executable by one or more hardware processors of one or more devices within the one or more networks, wherein each collection agent is configured to detect a presence of multiple instances of executable content within the enterprise; and
  
  a central analysis server remotely disposed from and in operative communication with the plurality of collection agents via the one or more networks, the central analysis server comprising;
  
  a collection engine, executable by a hardware processor of the central analysis server, that is configured to capture and store the multiple instances of executable content received from the plurality of collection agents;
  
  an extraction engine, executable by the hardware processor of the central analysis server, that is configured to extract one or more characteristics from each instance of the executable content;
  
  an analysis engine, executable by the hardware processor of the central analysis server, that is configured to;
  
  identify associations among the extracted characteristics;
  
  determine, based on the associations among the extracted characteristics, that a first portion of executable content is associated with a non-trusted entity;
  
  obtain a hash value for the first portion of executable content; and
  
  store the hash value and the associated extracted characteristics to create a non-trusted entity profile; and
  
  a first database that is configured to store the extracted characteristics, identified associations, and hash value, the first database being accessible by the hardware processor of the central analysis server and the plurality of collection agents such that each of the plurality of collection agents is operable to identify at least another portion of executable content associated with the non-trusted entity based on the hash value that has been recognized and presented in the database,wherein each of the plurality of collection agents is operable to transmit to the central analysis server an indication of notice indicative of a detection of the non-trusted entity at the corresponding collection agent, the indication comprising the hash value, location information but not a copy of the at least another portion of executable content to limit use of enterprise infrastructure resources and so as to update the non-trusted entity profile.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein at least one of the collection agents resides at a strategic point in the enterprise infrastructure, the strategic point being selected from the group consisting of:
    - a network edge, a major subnet division, and a router.
  - 15. The system of claim 13, wherein the analysis engine is configured to update the non-trusted entity profile based on the identified associations, wherein the non-trusted entity profile identifies at least one entity associated with the executable content linked to the at least one association, the at least one entity including the non-trusted entity.
  - 16. The system of claim 13 further comprising:
    - a second database, accessible by the hardware processor of the central analysis server, that is configured to store the non-trusted entity profile.
  - 17. The system of claim 13, wherein the extracted characteristics are selected from the group consisting of:
    - an author mark, a tool mark, a behavior, a pattern, and a text sequence.
  - 18. The system of claim 13, wherein the first database is configured to store information specifying a unique location associated with each piece of executable content.

19. A system for analyzing executable content within at least one network of an enterprise, comprising:
- a plurality of collection agents disposed within one or more networks of an enterprise and executable by one or more hardware processors of one or more devices within the one or more networks, wherein each collection agent is configured to detect a presence of multiple instances of executable content within the enterprise; and
  
  a central analysis server interconnected to the plurality of collection agents via the one or more networks, the central analysis server comprising;
  
  a collection engine, executable by a hardware processor of the central analysis server, that is configured to capture and store the multiple instances of executable content received from the plurality of collection agents;
  
  an extraction engine, executable by the hardware processor of the central analysis server, that is configured to extract one or more characteristics from each instance of the executable content, wherein the extracted characteristics include at least one of an author mark, a tool mark, a behavior, a pattern, and a text sequence;
  
  an analysis engine, executable by the hardware processor of the central analysis server, that is configured to;
  
  identify associations among the extracted characteristics to determine that a first portion of executable content is associated with a non-trusted entity;
  
  obtain a hash value for the first portion of executable content; and
  
  store the hash value and the associated extracted characteristics to create a non-trusted entity profile; and
  
  a first database that is configured to store the extracted characteristics, identified associations, and hash value, the first database being accessible by the hardware processor of the central analysis server and the plurality of collection agents such that each of the plurality of collection agents is operable to identify at least another portion of executable content associated with the non-trusted entity based on the hash value that has been recognized and presented in the database,wherein each of the plurality of collection agents is operable to transmit to the central analysis server an indication of notice indicative of a detection of the non-trusted entity at the corresponding collection agent, the indication comprising the hash value, location information but not a copy of the at least another portion of executable content to limit use of enterprise infrastructure resources and so as to update the non-trusted entity profile,and wherein the analysis engine is configured to identify associations among the extracted characteristics to identify a second portion of executable content being associated with the non-trusted entity, wherein the non-trusted entity profile is updateable in relation to the second portion of executable content, and wherein each of the plurality of collection agents is operable to identify at least another portion of executable content associated with the non-trusted entity at least partially based on the non-trusted entity profile.
- View Dependent Claims (20, 21)
- - 20. The system of claim 19, wherein the collection engine is configured to capture and store the second portion of executable content received from the plurality of collection agents, and wherein the extraction engine is configured to extract one or more characteristics from the second portion of executable content, and wherein the analysis engine is configured to identify associations among the extracted characteristics to determine the second portion of executable content is associated with the non-trusted entity, and wherein the extracted characteristics and identified associations of the second portion of executable content are stored with the non-trusted entity profile.
  - 21. The system of claim 20, wherein the received indication from the one of the plurality of collection agents is a message that includes the hash value associated with the at least another portion of executable content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Original Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Inventors
Burnham, James B., Hale, Robert W., Sewell, Timothy A.
Primary Examiner(s)
Chai, Longbit

Application Number

US13/963,674
Publication Number

US 20150047034A1
Time in Patent Office

963 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/1441 Countermeasures against mal...

Composite analysis of executable content across enterprise network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

29 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Composite analysis of executable content across enterprise network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others