System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits
Abstract
A threat detection system that integrates intrusion protection system (IPS) logic, virtual execution logic and reporting logic is shown. The IPS logic is configured to identify a first plurality of objects as suspicious objects and to output information associated with the suspicious objects. The virtual execution logic is configured to receive the suspicious objects and verify whether any of them is an exploit; it includes at least one virtual machine configured to virtually process content within the suspicious objects and monitor for anomalous behaviors during the virtual processing that are indicative of exploits. The reporting logic is configured to issue a report including the information associated with the suspicious objects from the IPS logic together with the results of the virtual processing of the content within those objects.
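The three stages the abstract describes (an IPS pre-filter that narrows the object stream to suspicious objects, a virtual-execution stage that verifies a subset of them by watching for anomalous behaviour, and reporting that sets verified exploits apart from IPS-only alerts) are modelled below as an added Python example. It is not the patent's or the applicant's code. The IPS rules, the anomalous-behaviour set, the sample objects, their byte contents, the behaviour traces and the `vm_capacity` budget are all constructed for the illustration; a real deployment would get the traces from the VM's monitor rather than from a dictionary.

```python
"""Two-stage detection model: IPS pre-filter -> VM verification -> tiered report.
Added illustration of the architecture in the abstract, not the patent's code.
Every rule, object, byte string and behaviour trace here is constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Event = Tuple[str, str]  # (event kind, target), e.g. ("process_create", "cmd.exe")

# Stage 1: static IPS rules applied to object bytes (constructed heuristics).
IPS_RULES = {
    "pdf_javascript": lambda o: o.kind == "pdf" and b"/JavaScript" in o.data,
    "office_macro": lambda o: o.kind == "doc" and b"vbaProject.bin" in o.data,
    "exe_in_archive": lambda o: o.kind == "zip" and b".exe" in o.data,
}

# Stage 2: behaviours the monitored VM treats as exploit-indicative (constructed).
# A "*" target matches any target of that event kind.
ANOMALOUS_BEHAVIORS = {
    ("process_create", "cmd.exe"),
    ("process_create", "powershell.exe"),
    ("registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("network_connect", "*"),
}


@dataclass
class SuspectObject:
    name: str
    kind: str
    data: bytes
    ips_hits: List[str] = field(default_factory=list)
    verified: Optional[bool] = None          # None: never run in the VM
    behaviors: List[Event] = field(default_factory=list)


def ips_filter(objects: List[SuspectObject]) -> List[SuspectObject]:
    """Claim 18's filtering step: keep only objects that trip an IPS rule."""
    suspicious = []
    for obj in objects:
        obj.ips_hits = [name for name, rule in IPS_RULES.items() if rule(obj)]
        if obj.ips_hits:
            suspicious.append(obj)
    return suspicious


def is_anomalous(event: Event) -> bool:
    kind, _target = event
    return event in ANOMALOUS_BEHAVIORS or (kind, "*") in ANOMALOUS_BEHAVIORS


def virtual_execution(obj: SuspectObject, trace: List[Event]) -> bool:
    """Stand-in for VM detonation: `trace` is what the monitor would have
    captured while the VM processed the object's content."""
    obj.behaviors = [e for e in trace if is_anomalous(e)]
    obj.verified = bool(obj.behaviors)
    return obj.verified


def generate_report(suspicious: List[SuspectObject]) -> List[str]:
    """Reporting logic: verified exploits first and visibly distinct; IPS-only
    alerts are still listed but de-emphasised, with the reason they are unverified."""
    verified = [o for o in suspicious if o.verified]
    unverified = [o for o in suspicious if not o.verified]
    lines = [f"[VERIFIED] {o.name}: ips={','.join(o.ips_hits)} behaviors={o.behaviors}"
             for o in verified]
    for o in unverified:
        reason = "not run in VM" if o.verified is None else "no anomalous behavior"
        lines.append(f"  (unverified) {o.name}: ips={','.join(o.ips_hits)} [{reason}]")
    return lines


def run_pipeline(objects, traces, vm_capacity):
    """Wire the stages together. vm_capacity (an assumption) models the finite
    sandbox budget that leaves some suspicious objects unverified."""
    suspicious = ips_filter(objects)
    for obj in suspicious[:vm_capacity]:
        virtual_execution(obj, traces.get(obj.name, []))
    return suspicious, generate_report(suspicious)


def demo():
    """Constructed input: four objects, three of which trip the IPS."""
    objects = [
        SuspectObject("invoice.pdf", "pdf", b"%PDF-1.7 /OpenAction << /S /JavaScript /JS (app.launchURL) >>"),
        SuspectObject("q3-report.doc", "doc", b"PK\x03\x04 word/vbaProject.bin"),
        SuspectObject("readme.txt", "txt", b"plain text, nothing to see"),
        SuspectObject("tools.zip", "zip", b"PK\x03\x04 setup.exe"),
    ]
    traces = {  # constructed traces the VM monitor would record per object
        "invoice.pdf": [("file_read", "invoice.pdf"),
                        ("process_create", "powershell.exe"),
                        ("network_connect", "203.0.113.7:443")],
        "q3-report.doc": [("file_read", "q3-report.doc"), ("file_write", "~$q3-report.doc")],
    }
    return run_pipeline(objects, traces, vm_capacity=2)


if __name__ == "__main__":
    _, report = demo()
    print("\n".join(report))
```

Running `demo()` yields one verified exploit (the PDF, whose trace shows a document viewer spawning PowerShell and beaconing out) listed first, then two unverified IPS hits that are kept in the report but marked with why they are unverified: the macro document ran in the VM without anomalous behaviour, and the archive never reached the VM because the budget was exhausted. That distinction between "verified", "ran clean" and "not yet run" is the practical value of the display differentiation the claims describe.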
713 Citations
45 Claims
1. A non-transitory computer readable storage medium having stored thereon instructions, the instructions being executable by one or more processors to perform operations including threat detection system, comprising:

an intrusion protection system (IPS) logic identifying, with an intrusion protection system (IPS), a first plurality of objects as suspicious objects and outputting information associated with the suspicious objects;

a virtual execution logic configured to receive the suspicious objects, with a virtual execution logic, and verify, with the virtual execution logic, whether any of the suspicious objects is an exploit, the virtual execution logic including at least one virtual machine configured to virtually process content within the suspicious objects and monitor for anomalous behaviors during the virtual processing that are indicative of exploits; and

reporting logic to issue a report including the information associated with the suspicious objects from the IPS logic and results of the virtual processing of the content within the suspicious objects, wherein the reporting logic further comprises display generation logic to receive information associated with exploits detected from virtual processing of a first subset of suspicious objects and generate a display highlighting the information associated with the exploits detected from the first subset of suspicious objects by modifying the information associated with the exploits detected from the first subset of suspicious objects to appear differently than information associated with non-verified exploits associated with a second subset of suspicious objects different than the first subset of suspicious objects.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 19, 20, 21, 22, 23, 24, 37, 38, 39

14. An electronic device comprising:

a processor; and

a memory coupled to the processor, the memory including (1) an intrusion protection system (IPS) logic to detect characteristics of a plurality of objects being indicative of an exploit, the plurality of objects include at least a first object and a second object, (2) one or more virtual machines configured to (i) virtually process content within the first object, (ii) monitor for anomalous behaviors during the virtual processing that are indicative of exploits, and (iii) verify whether the first object is an exploit, and (3) reporting logic to issue a report that differentiates between information associated with a potential exploit that is detected by the IPS logic and verified through virtual processing by the one or more virtual machines and information associated with a potential exploit that is detected by the IPS logic without verification by the one or more virtual machines, wherein the reporting logic includes display generation logic that, when executed by the processor and upon receipt of information associated with exploits detected, generates a display highlighting the information associated with the potential exploit verified through virtual processing by the one or more virtual machines to appear differently than information associated with non-verified exploits associated with a second subset of suspicious objects different than the first subset of suspicious objects.

Dependent claims: 15, 16, 17, 25, 26, 27, 28, 29, 30, 40, 42

18. A computerized method comprising:

receiving a first plurality of objects by intrusion protection system (IPS) logic;

filtering the first plurality of objects by the IPS logic to identify a second plurality of objects as suspicious objects, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects;

verifying, by a virtual execution logic, that a portion of the second plurality of objects are exploits, the virtual execution logic including at least one virtual machine configured to process content within the second plurality of objects and monitor for anomalous behaviors during the processing that are indicative of exploits; and

generating a display that prioritizes information associated with the verified portion of the second plurality of objects over information associated with one or more remaining objects of the second plurality of objects that correspond to a non-verified portion of the second plurality of objects by highlighting the information associated with the verified portion of the second plurality of objects to appear differently than information associated with the non-verified portions of the second plurality of objects.

Dependent claims: 31, 32, 33, 34, 35, 36, 41, 43, 44, 45
Specification