System and method of detecting delivery of malware using cross-customer data

US 9,363,280 B1
Filed: 08/22/2014
Issued: 06/07/2016
Est. Priority Date: 08/22/2014
Status: Active Grant

First Claim

Patent Images

1. A computerized method for malware detection conducted by a management platform including processing circuitry and a data store, comprising:

receiving a set of indicators of compromise (IOCs) from a first source for storage in the data store, the set of IOCs identified as being caused by a known malware associated with a first message type;

receiving, for storage in the data store, one or more IOCs from a second source that is different from the first source where a cause of the one or more IOCs is unknown; and

responsive to a triggering event that includes a shift in volume of a given type of IOC at the second source that exceeds a prescribed threshold, conducting a predictive analysis by the processing circuitry of the one or more IOCs received from the second source to determine whether the received IOCs from the second source correspond to the set of IOCs received from the first source,wherein information associated with at least the set of IOCs is used to locate a malware associated with the first message type that is undetected at the second source and is the cause of the one or more IOCs at the second source.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a computerized method comprises receiving a set of indicators of compromise (IOCs) associated with a known malware of a first message type from a first source and receiving one or more IOCs (IOC(s)) from a second source that is different from the first source. Thereafter, a determination is made as to whether the received IOC(s) from the second source correspond to the set of IOCs received from the first source. If so, information associated with at least the set of IOCs is used to locate a malware of the first message type that is undetected at the second source.

659 Citations

48 Claims

1. A computerized method for malware detection conducted by a management platform including processing circuitry and a data store, comprising:
- receiving a set of indicators of compromise (IOCs) from a first source for storage in the data store, the set of IOCs identified as being caused by a known malware associated with a first message type;
  
  receiving, for storage in the data store, one or more IOCs from a second source that is different from the first source where a cause of the one or more IOCs is unknown; and
  
  responsive to a triggering event that includes a shift in volume of a given type of IOC at the second source that exceeds a prescribed threshold, conducting a predictive analysis by the processing circuitry of the one or more IOCs received from the second source to determine whether the received IOCs from the second source correspond to the set of IOCs received from the first source,wherein information associated with at least the set of IOCs is used to locate a malware associated with the first message type that is undetected at the second source and is the cause of the one or more IOCs at the second source.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computerized method of claim 1, wherein the set of IOCs caused by the known malware associated with the first message type includes a set of IOCs associated with an email message that has been previously detected at the first source as being malicious.
  - 3. The computerized method of claim 1, wherein the set of IOCs caused by the known malware associated with the first message type includes a set of IOCs associated with a text message that has been previously detected at the first source as being malicious.
  - 4. The computerized method of claim 1, wherein the triggering event associated with the shift in volume of a given type of IOC at the second source includes an increase in volume of the given type of IOC at the second source that exceeds the prescribed threshold.
  - 5. The computerized method of claim 1, wherein the conducting the predictive analysis of the one or more IOCs received from the second source to determine whether the one or more IOCs received from the second source correspond to the set of IOCs received from the first source comprises determining whether a prescribed number of the received IOCs are present in the set of IOCs associated with the known malware.
  - 6. The computerized method of claim 1, wherein the conducting the predictive analysis of the one or more IOCs received from the second source to determine whether the one or more IOCs received from the second source correspond to the set of IOCs received from the first source comprises determining whether the one or more IOCs received from the second source are present and in the same chronological order as the set of IOCs associated with the known malware.
  - 7. The computerized method of claim 1, wherein a degree of correspondence for determining whether the one or more IOCs received from the second source correspond to the set of IOCs received from the first source is dynamic.
  - 8. The computerized method of claim 1, wherein the determining whether the IOCs received from the second source correspond to the set of IOCs received from the first source further comprisesdetermining a threat level associated with the one or more IOCs, the threat level signifies a degree of confidence that the one or more IOCs are caused by a malicious electronic message;
    - selecting a particular type of response based on the determined threat level.
  - 9. The computerized method of claim 8, the threat level is determined based, at least in part, on whether the set of IOCs from the first source are detected or observed, where a determined correspondence between the one or more IOCs received from the second source and the set of IOCs that have been observed by the first source is assigned a higher threat level than a determined correspondence between the one or more IOCs received from the second source and the set of IOCs detected by the first source.
  - 10. The computerized method of claim 8, wherein the threat level is determined based, at least in part, on a timing of the one or more IOCs compared to a timing of the set of IOCs associated with the known malware that includes an identified malicious electronic message.
  - 11. The computerized method of claim 1, wherein the malware associated with the first message type that is undetected at the second source comprises a first malicious electronic message.
  - 12. The computerized method of claim 11, the information associated with at least the set of IOCs that is used to locate the first malicious electronic message comprises an arrival time of a second malicious electronic message detected at the first source.
  - 13. The computerized method of claim 11, the information associated with at least the set of IOCs that is used to locate the first malicious electronic message further comprises information associated with the one or more IOCs received from the second source that include one or more of (i) a geographical origin of the second source, (ii) a group membership of the second source, (iii) a company type of the second source, or (iv) a type of industry to which the second source belongs.
  - 14. The computerized method of claim 1, wherein the receiving of the set of IOCs from the first source and the receiving of the one or more IOCs from the second source comprises receiving the set of IOCs and the receiving of the one or more IOCs in transit over a network.
  - 15. The computerized method of claim 14, wherein the receiving of one or more IOCs is conducted automatically over a network.

16. A system comprising:
- processing circuitry;
  
  a first logic in communication with the processing circuitry, the first logic is configured to (i) receive a set of indicators of compromise (IOCs) that are detected to have been caused by a known malware associated with a first message type from a first source, (ii) receive one or more IOCs from a second source that is different from the first source where a cause of the one or more IOCs is unknown, and (iii) determine whether a triggering event has occurred that signifies at least a prescribed likelihood that the one or more IOCs from the second source are caused by a undetected malicious electronic message present at the second source; and
  
  a second logic in communication with the processing circuitry, the second logic is configured to (i) conduct a predictive analysis that evaluates whether the received IOCs from the second source correspond to the set of IOCs caused by the known malware associated with the first message type, and (ii) determine a threat level, which signifies a level of confidence that the received IOCs from the second source are caused by the undetected malicious electronic message.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 17. The system of claim 16, wherein the set of IOCs associated with the known malware includes a set of IOCs associated with an electronic mail message that has been previously detected at the first source as being malicious.
  - 18. The system of claim 16, wherein the set of IOCs associated with the known malware includes a set of IOCs associated with a text message that has been previously detected at the first source as being malicious.
  - 19. The system of claim 16, wherein the second logic determines whether the received IOCs from the second source correspond to the set of IOCs received from the first source occurs in response to the triggering event.
  - 20. The system of claim 19, wherein the triggering event includes an increase in volume of a given type of IOC within the received IOCs from the second source event that exceeds a prescribed threshold.
  - 21. The system of claim 16, wherein the second logic evaluates whether the received IOCs from the second source correspond to the set of IOCs received from the first source by determining whether a particular number of the received IOCs from the second source are present and in the same chronological order as in the set of IOCs associated with the known malware.
  - 22. The system of claim 21, wherein a degree of correspondence for evaluating whether the received IOCs from the second source correspond to the set of IOCs received from the first source is dynamic.
  - 23. The system of claim 21, wherein the second logic, after determining the threat level, selects a particular type of response based on the determined threat level.
  - 24. The system of claim 23, wherein the second logic determines the threat level based, at least in part, on whether the set of IOCs from the first source is detected or observed, where a determined correspondence between the received IOCs and the set of IOCs that have been observed by the first source is assigned a higher threat level than the determined correspondence between the received IOCs and the set of IOCs detected by the first source.
  - 25. The system of claim 16, wherein the second logic determines the threat level based, at least in part, on a timing of the received IOCs compared to a timing of the set of IOCs, the first message type includes an electronic message.

26. A system comprising:
- processing circuitry; and
  
  a memory coupled to the processing circuitry, the memory includes(1) logic that controls receipt of (a) a set of indicators of compromise (IOCs) from a first source and the set of IOCs are identified as being caused by a malicious electronic message of a first message type and (b) one or more IOCs from a second source that is different from the first source where a cause of the one or more IOCs is unknown,(2) logic that conducts a predictive analysis to determine whether the one or more IOCs from the second source are caused by an undetected malicious electronic message, the predictive analysis includes evaluating whether the one or more IOCs from the second source correspond to the set of IOCs associated with the malicious electronic message and determining a threat level, which signifies a level of confidence that the one or more IOCs from the second source are caused by the undetected malicious electronic message, and(3) logic that selects a particular type of response based on the determined threat level.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33)
- - 27. The system of claim 26, wherein the set of IOCs associated with the known malware includes a set of IOCs associated with an electronic mail message that has been previously detected at the first source as being associated with the malicious electronic message.
  - 28. The computerized method of claim 27, wherein the first source is a network device that includes message analysis logic and the second source is a network device operating as a web-based security appliance.
  - 29. The system of claim 26, wherein the logic that conducts the predictive analysis to determine whether the received one or more IOCs from the second source correspond to the set of IOCs associated with the malicious electronic message performs the predictive analysis in response to a triggering event.
  - 30. The system of claim 29, wherein the triggering event includes an increase in volume of a given type of IOC within the received IOCs from the second source event that exceeds a prescribed threshold.
  - 31. The system of claim 26, wherein the logic that conducts the predictive analysis evaluating whether the one or more IOCs from the second source correspond to the set of IOCs associated with the malicious electronic message by determining whether a particular number of the one or more IOCs from the second source are present and in the same chronological order as in the set of IOCs associated with the malicious electronic message.
  - 32. The system of claim 31, wherein the particular number for evaluating whether the one or more IOCs from the second source correspond to the set of IOCs received from the first source is dynamic.
  - 33. The system of claim 26, wherein the logic that conducts the predictive analysis evaluating whether the one or more IOCs from the second source correspond to the set of IOCs associated with the malicious electronic message by determining the threat level based, at least in part, on a timing of the one or more IOCs compared to a timing of the set of IOCs, the first message type includes an electronic message.

34. A computerized method for malware detection conducted by a network device including processing circuitry and a data store, comprising:
- receiving a set of indicators of compromise (IOCs) from a first source, the set of IOCs identified as being caused by a known malware associated with a first message type;
  
  receiving one or more IOCs from a second source that is different from the first source where a cause of the one or more IOCs is unknown; and
  
  conducting a predictive analysis of the one or more IOCs received from the second source to determine whether the received IOCs from the second source correspond to the set of IOCs received from the first source by (i) determining a threat level associated with the one or more IOCs, the threat level signifies a degree of confidence that the one or more IOCs are caused by a malicious electronic message, and (ii) selecting a particular type of response based on the determined threat level,wherein information associated with at least the set of IOCs is used to locate a malware associated with the first message type that is undetected at the second source and is the cause of the one or more IOCs at the second source.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 35. The computerized method of claim 34, wherein the set of IOCs includes a set of IOCs associated with an email message that has been previously detected at the first source as being malicious.
  - 36. The computerized method of claim 34, wherein the set of IOCs includes a set of IOCs associated with a text message that has been previously detected at the first source as being malicious.
  - 37. The computerized method of claim 34, wherein the conducting the predictive analysis of the one or more IOCs received from the second source to determine whether the received IOCs from the second source correspond to the set of IOCs received from the first source occurs in response to a triggering event.
  - 38. The computerized method of claim 37, wherein the triggering event includes an increase in volume of a given type of IOC at the second source that exceeds a prescribed threshold.
  - 39. The computerized method of claim 34, wherein the conducting the predictive analysis of the one or more IOCs received from the second source to determine whether the one or more IOCs received from the second source correspond to the set of IOCs received from the first source comprises determining whether a prescribed number of the received IOCs are present in the set of IOCs associated with the known malware.
  - 40. The computerized method of claim 34, wherein the conducting the predictive analysis of the one or more IOCs received from the second source to determine whether the one or more IOCs received from the second source correspond to the set of IOCs received from the first source comprises determining whether the one or more IOCs received from the second source are present and in the same chronological order as the set of IOCs associated with the known malware.
  - 41. The computerized method of claim 34, wherein a degree of correspondence for determining whether the one or more IOCs received from the second source correspond to the set of IOCs received from the first source is dynamic.
  - 42. The computerized method of claim 34, the threat level is determined based, at least in part, on whether the set of IOCs from the first source are detected or observed, where a determined correspondence between the one or more IOCs received from the second source and the set of IOCs that have been observed by the first source is assigned a higher threat level than a determined correspondence between the one or more IOCs received from the second source and the set of IOCs detected by the first source.
  - 43. The computerized method of claim 34, wherein the threat level is determined based, at least in part, on a timing of the one or more IOCs compared to a timing of the set of IOCs associated with the known malware that includes an identified malicious electronic message.
  - 44. The computerized method of claim 34, wherein the malware associated with the first message type that is undetected at the second source comprises a first malicious electronic message.
  - 45. The computerized method of claim 44, the information associated with at least the set of IOCs that is used to locate the first malicious electronic message comprises an arrival time of a second malicious electronic message detected at the first source.
  - 46. The computerized method of claim 34, wherein the first source is a network device that includes message analysis logic and the second source is a network device operating as a web-based security appliance.

47. A computerized method for malware detection conducted by a network device including processing circuitry and a data store, comprising:
- receiving a set of indicators of compromise (IOCs) from a first source, the set of IOCs identified as being caused by a known malware associated with a first message type;
  
  receiving one or more IOCs from a second source that is different from the first source where a cause of the one or more IOCs is unknown; and
  
  conducting a predictive analysis of the one or more IOCs received from the second source to determine whether the received IOCs from the second source correspond to the set of IOCs received from the first source,wherein information including an arrival time of a malicious electronic message detected at the first source is used to locate a second malicious electronic message of the first message type that is undetected at the second source and is the cause of the one or more IOCs at the second source.
- View Dependent Claims (48)
- - 48. The computerized method of claim 47, wherein the information associated with at least the set of IOCs that is used to locate the second malicious electronic message further comprises information associated with the one or more IOCs received from the second source that include one or more of (i) a geographical origin of the second source, (ii) a group membership of the second source, (iii) a company type of the second source, or (iv) a type of industry to which the second source belongs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Rivlin, Alexandr, Mehra, Divyesh, Uyeno, Henry, Pidathala, Vinay
Primary Examiner(s)
Song, Hosuk

Application Number

US14/466,898
Time in Patent Office

655 Days
Field of Search

713/187, 713/188, 726 22- 26
US Class Current

1/1
CPC Class Codes

G06F 9/45508   Runtime interpretation or e...

H04L 51/212   using filtering or selectiv...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

System and method of detecting delivery of malware using cross-customer data

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

659 Citations

48 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of detecting delivery of malware using cross-customer data

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

659 Citations

48 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links