System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits

US 9,306,974 B1
Filed: 02/11/2015
Issued: 04/05/2016
Est. Priority Date: 12/26/2013
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable storage medium having stored thereon instructions, the instructions being executable by one or more processors to perform operations including threat detection system, comprising:

an intrusion protection system (IPS) logic identifying, with an intrusion protection system (IPS), a first plurality of objects as suspicious objects and outputting information associated with the suspicious objects;

a virtual execution logic configured to receive the suspicious objects, with a virtual execution logic, and verify, with the virtual execution logic, whether any of the suspicious objects is an exploit, the virtual execution logic including at least one virtual machine configured to virtually process content within the suspicious objects and monitor for anomalous behaviors during the virtual processing that are indicative of exploits; and

reporting logic to issue a report including the information associated with the suspicious objects from the IPS logic and results of the virtual processing of the content within the suspicious objects,wherein the reporting logic further comprises display generation logic to receive information associated with exploits detected from virtual processing of a first subset of suspicious objects and generate a display highlighting the information associated with the exploits detected from the first subset of suspicious objects by modifying the information associated with the exploits detected from the first subset of suspicious objects to appear differently than information associated with non-verified exploits associated with a second subset of suspicious objects different than the first subset of suspicious objects.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A threat detection system is integrated with intrusion protection system (IPS) logic, virtual execution logic and reporting logic is shown. The IPS logic is configured to identify a first plurality of objects as suspicious objects and outputting information associated with the suspicious objects. The virtual execution logic is configured to receive the suspicious objects and verify whether any of the suspicious objects is an exploit. The virtual execution logic includes at least one virtual machine configured to virtually process content within the suspicious objects and monitor for anomalous behaviors during the virtual processing that are indicative of exploits. The reporting logic is configured to issue a report including the information associated with the suspicious objects from the IPS logic and results of the virtual processing of the content within the suspicious objects.

713 Citations

45 Claims

1. A non-transitory computer readable storage medium having stored thereon instructions, the instructions being executable by one or more processors to perform operations including threat detection system, comprising:
- an intrusion protection system (IPS) logic identifying, with an intrusion protection system (IPS), a first plurality of objects as suspicious objects and outputting information associated with the suspicious objects;
  
  a virtual execution logic configured to receive the suspicious objects, with a virtual execution logic, and verify, with the virtual execution logic, whether any of the suspicious objects is an exploit, the virtual execution logic including at least one virtual machine configured to virtually process content within the suspicious objects and monitor for anomalous behaviors during the virtual processing that are indicative of exploits; and
  
  reporting logic to issue a report including the information associated with the suspicious objects from the IPS logic and results of the virtual processing of the content within the suspicious objects,wherein the reporting logic further comprises display generation logic to receive information associated with exploits detected from virtual processing of a first subset of suspicious objects and generate a display highlighting the information associated with the exploits detected from the first subset of suspicious objects by modifying the information associated with the exploits detected from the first subset of suspicious objects to appear differently than information associated with non-verified exploits associated with a second subset of suspicious objects different than the first subset of suspicious objects.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 19, 20, 21, 22, 23, 24, 37, 38, 39)
- - 2. The non-transitory computer readable storage medium of claim 1, wherein each of the first plurality of objects is a flow comprising a plurality of related packets that are either received, transmitted, or exchanged during a communication session.
  - 3. The non-transitory computer readable storage medium of claim 1, wherein the information associated with the suspicious objects comprises an identifier of an exploit associated with a first suspicious object of the suspicious objects.
  - 4. The non-transitory computer readable storage medium of claim 3, wherein the information associated with the suspicious objects comprises a recommended remediation technique for the exploit associated with the first suspicious object of the suspicious objects.
  - 5. The non-transitory computer readable storage medium of claim 1, wherein the information associated with the suspicious objects comprises a source address of an electronic device transmitting the network traffic.
  - 6. The non-transitory computer readable storage medium claim 1, wherein operations conducted by the virtual execution logic on at least one of the suspicious objects are conducted concurrently with operations conducted by the IPS logic on a second plurality of objects different than the first plurality of objects.
  - 7. The non-transitory computer readable storage medium of claim 1, wherein the display generation logic receives the information associated with exploits detected from virtual processing of the suspicious objects and generates the display highlighting the information associated with the exploits detected from virtual processing of the suspicious objects.
  - 8. The non-transitory computer readable storage medium of claim 1, wherein the virtual execution logic verifies the first subset of the suspicious objects as being exploits when the anomalous behaviors monitored during virtual processing of the suspicious objects are indicative of exploits while a remaining subset of the suspicious objects are not verified as being exploits.
  - 9. The non-transitory computer readable storage medium of claim 1, wherein the display generation logic receives information associated with exploits detected from virtual processing of the first subset of suspicious objects and generates the display highlighting the information associated with the exploits detected from the first subset of suspicious objects by displaying the information associated with the exploits detected from the first subset of suspicious objects at a particular location on a screen display different from a location for information associated with non-verified exploits associated with a second subset of suspicious objects different than the first subset of suspicious objects.
  - 10. The non-transitory computer readable storage medium of claim 1, wherein the modifying of the information associated with the exploits detected from the first subset of suspicious objects to appear differently from information associated with non-verified exploits associated with the second subset of suspicious objects comprises modifying at least one of a color, size or type of a font used to convey the information associated with the exploits detected from the first subset of suspicious objects to be different than a font used to convey information associated with non-verified exploits associated with the second subset of suspicious objects.
  - 11. The non-transitory computer readable storage medium of claim 1, wherein the IPS logic is communicatively coupled to and integrated within a digital device including the virtual execution logic.
  - 12. The non-transitory computer readable storage medium of claim 1, wherein the virtual execution logic further comprises a protocol sequence replayer for simulating transmission of the object to a destination electronic device.
  - 13. The non-transitory computer readable storage medium of claim 1, wherein the reporting logic to issue an alert to one or more security administrators to communicate urgency in handling one or more exploits detected by the IPS logic and verified by the virtual execution logic.
  - 19. The non-transitory computer readable storage medium of claim 1, wherein the highlighting includes altering an order of a listing of the suspicious objects.
  - 20. The non-transitory computer readable storage medium of claim 1, wherein the highlighting includes displaying the information associated with the exploits detected from the first subset of suspicious objects at a top of a listing of the suspicious objects.
  - 21. The non-transitory computer readable storage medium claim 1, wherein the highlighting includes modifying a font of a conveyance of the exploits detected from the first subset of suspicious objects.
  - 22. The non-transitory computer readable storage medium of claim 1, wherein the display is an interactive dashboard.
  - 23. The non-transitory computer readable storage medium of claim 1, wherein the generated display is displayed within a plurality of display windows.
  - 24. The non-transitory computer readable storage medium of claim 1, wherein the generated display is displayed on a plurality of screens.
  - 37. The non-transitory computer readable storage medium of claim 1, wherein the highlighting includes placing one or more images proximate to information associated with an exploit of the exploits detected from the first subset of suspicious objects.
  - 38. The non-transitory computer readable storage medium of claim 23, wherein the information associated with the exploits detected from the first subset of suspicious objects is displayed on a first display window of the plurality of display windows and the information associated with the non-verified exploits associated with the second subset of suspicious objects is displayed on a second display window of the plurality of display windows.
  - 39. The non-transitory computer readable storage medium of claim 24, wherein the information associated with the exploits detected from the first subset of suspicious objects is displayed on a first display screen of the plurality of display screens and the information associated with the non-verified exploits associated with the second subset of suspicious objects is displayed on a second display screen of the plurality of display screens.

14. An electronic device comprising:
- a processor; and
  
  a memory coupled to the processor, the memory including (1) an intrusion protection system (IPS) logic to detect characteristics of a plurality of objects being indicative of an exploit, the plurality of objects include at least a first object and a second object, (2) one or more virtual machines configured to (i) virtually process content within the first object, (ii) monitor for anomalous behaviors during the virtual processing that are indicative of exploits, and (iii) verify whether the first object is an exploit, and (3) reporting logic to issue a report that differentiates between information associated with a potential exploit that is detected by the IPS logic and verified through virtual processing by the one or more virtual machines and information associated with a potential exploit that is detected by the IPS logic without verification by the one or more virtual machines,wherein the reporting logic includes display generation logic that, when executed by the processor and upon receipt of information associated with exploits detected, generates a display highlighting the information associated with the potential exploit verified through virtual processing by the one or more virtual machines to appear differently than information associated with non-verified exploits associated with a second subset of suspicious objects different than the first subset of suspicious objects.
- View Dependent Claims (15, 16, 17, 25, 26, 27, 28, 29, 30, 40, 42)
- - 15. The electronic device of claim 14, wherein first object is a flow comprising a plurality of related packets that are either received, or transmitted, or exchanged during a communication session.
  - 16. The electronic device of claim 14, wherein the IPS logic, when executed by the processor, performs an exploit signature check, the exploit signature check compares the first object to one or more exploit signatures, wherein the first object is determined to include characteristics indicative of an exploit upon matching an exploit signature of the one or more exploit signatures.
  - 17. The electronic device of claim 14, wherein the display generation logic, when executed by the processor and upon receipt of information associated with exploits detected from virtual processing content within the first object, generates the display highlighting the information associated with the potential exploit verified through virtual processing by the one or more virtual machines by displaying the information at a particular location on a screen display different from a location for information associated with the potential exploit that is detected by the IPS logic without verification by the one or more virtual machines.
  - 25. The electronic device of claim 14, wherein the highlighting includes altering an order of a listing of the suspicious objects.
  - 26. The electronic device of claim 14, wherein the highlighting includes displaying the information associated with the potential exploit verified through virtual processing at a top of a listing of the suspicious objects.
  - 27. The electronic device claim 14, wherein the highlighting includes modifying a font of a conveyance of the potential exploit verified through virtual processing.
  - 28. The electronic device of claim 14, wherein the display is an interactive dashboard.
  - 29. The electronic device of claim 14, wherein the generated display is displayed within a plurality of display windows.
  - 30. The electronic device of claim 14, wherein the generated display is displayed on a plurality of screens.
  - 40. The electronic device of claim 14, wherein highlighting includes placing one or more images proximate to the information associated with the potential exploit.
  - 42. The electronic device of claim 30, wherein the information associated with the potential exploit is displayed on a first display screen of the plurality of display screens and the information associated with the non-verified exploits is displayed on a second display screen of the plurality of display screens.

18. A computerized method comprising:
- receiving a first plurality of objects by intrusion protection system (IPS) logic;
  
  filtering the first plurality of objects by the IPS logic to identify a second plurality of objects as suspicious objects, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects;
  
  verifying, by a virtual execution logic, that a portion of the second plurality of objects are exploits, the virtual execution logic including at least one virtual machine configured to process content within the second plurality of objects and monitor for anomalous behaviors during the processing that are indicative of exploits; and
  
  generating a display that prioritizes information associated with the verified portion of the second plurality of objects over information associated with one or more remaining objects of the second plurality of objects that correspond to a non-verified portion of the second plurality of objects by highlighting the information associated with the verified portion of the second plurality of objects to appear differently than information associated with the non-verified portions of the second plurality of objects.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 41, 43, 44, 45)
- - 31. The computerized method of claim 18, wherein the highlighting of the information associated with the verified portion of the second plurality of objects includes altering an order of a listing of the second plurality of objects.
  - 32. The computerized method of claim 18, wherein the highlighting of the information associated with the verified portion of the second plurality of objects includes displaying the information associated with the verified portion of the second plurality of objects at a top of a listing of the second plurality of objects.
  - 33. The computerized method of claim 18, wherein the highlighting of the information associated with the verified portion of the second plurality of objects includes modifying a font of a conveyance of the information associated with the verified portion of the second plurality of objects at a top of a listing of the second plurality of objects.
  - 34. The computerized method of claim 18, wherein the display is an interactive dashboard.
  - 35. The computerized method of claim 18, wherein the generated display is displayed within a plurality of display windows.
  - 36. The computerized method of claim 18, wherein the generated display is displayed on a plurality of screens.
  - 41. The electronic device of claim 31, wherein the information associated with the potential exploit is displayed on a first display window of the plurality of display windows and the information associated with the non-verified exploits is displayed on a second display window of the plurality of display windows.
  - 43. The computerized method of claim 18, wherein the highlighting of the information associated with the verified portion of the second plurality of objects includes placing one or more images proximate to the information associated with each object that is part of the verified portion of the second plurality of objects.
  - 44. The computerized method of claim 35, wherein the information associated with the verified portion of the second plurality of objects is displayed on a first display window of the plurality of display windows and the information associated with the non-verified portions of the second plurality of objects is displayed on a second display window of the plurality of display windows.
  - 45. The computerized method of claim 36, wherein the information associated with the verified portion of the second plurality of objects is displayed on a first display screen of the plurality of display screens and the information associated with the non-verified portions of the second plurality of screens is displayed on a second display screen of the plurality of display screens.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar, Amin, Muhammad, Ismael, Osman Abdoul, Bu, Zheng
Primary Examiner(s)
Sholeman, Abu

Application Number

US14/620,055
Time in Patent Office

419 Days
Field of Search

723/1, 723/22, 723/23, 723/24, 723/25, 723/26
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

G06F 9/45558   Hypervisor-specific managem...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

713 Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

713 Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links