System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object
First Claim
1. An apparatus for detecting one or more exploits, comprising:
- one or more hardware ports that provide connectivity between the apparatus and a transmission medium;
- network-traffic static analysis logic communicatively coupled to the one or more hardware ports, the network-traffic static analysis logic to conduct an analysis of a multi-flow object based on information from a plurality of related flows received via the one or more hardware ports by analyzing characteristics of the multi-flow object and determining if the characteristics of the multi-flow object are indicative of an exploit of the one or more exploits, wherein the analysis of the multi-flow object represents a static analysis of characteristics associated with the plurality of related flows and each flow of the plurality of related flows comprises one or more related messages communicated during a single communication session between a source network device and a destination network device; and
- a classification engine to receive results of the analysis of the multi-flow object and, based on the results of the analysis of the multi-flow object, determine whether the multi-flow object is the exploit.
Abstract
In an embodiment, a threat detection and prevention system comprises a network-traffic static analysis logic and a classification engine. The network-traffic static analysis logic is configured to conduct an analysis of a multi-flow object by analyzing characteristics of the multi-flow object and determining if the characteristics of the multi-flow object are associated with a malicious attack (for example, being indicative of an exploit). The classification engine is configured to receive results of the analysis of the multi-flow object and, based on the results of the analysis of the multi-flow object, determine whether the multi-flow object is associated with a malicious attack.
29 Claims
1. An apparatus for detecting one or more exploits, comprising:
- one or more hardware ports that provide connectivity between the apparatus and a transmission medium;
- network-traffic static analysis logic communicatively coupled to the one or more hardware ports, the network-traffic static analysis logic to conduct an analysis of a multi-flow object based on information from a plurality of related flows received via the one or more hardware ports by analyzing characteristics of the multi-flow object and determining if the characteristics of the multi-flow object are indicative of an exploit of the one or more exploits, wherein the analysis of the multi-flow object represents a static analysis of characteristics associated with the plurality of related flows and each flow of the plurality of related flows comprises one or more related messages communicated during a single communication session between a source network device and a destination network device; and
- a classification engine to receive results of the analysis of the multi-flow object and, based on the results of the analysis of the multi-flow object, determine whether the multi-flow object is the exploit.

Dependent claims: 2, 3, 4, 5, 6, 7.
8. An apparatus comprising:
- a processor; and
- a memory communicatively coupled to the processor, the memory comprising:
  - network-traffic static analysis logic, being a software module that, when executed by the processor, conducts an analysis of a multi-flow object by analyzing characteristics of the multi-flow object that include message ordering within a plurality of related flows associated with the multi-flow object and determining if the characteristics of the multi-flow object are associated with a malicious attack, wherein the multi-flow object includes an aggregation of a plurality of related flows and each flow of the plurality of related flows comprises one or more related messages communicated during a single communication session between a source network device and a destination network device; and
  - a classification engine, being a software module that, when executed by the processor, receives results of the analysis of the multi-flow object and, based on the results of the analysis of the multi-flow object, determines whether the multi-flow object is associated with the malicious attack.

Dependent claims: 9, 10, 11, 12, 13, 14, 15.
16. An electronic device, comprising:
- one or more hardware ports that provide connectivity between the apparatus and a transmission medium;
- network-traffic static analysis logic communicatively coupled to the one or more hardware ports, the network-traffic static analysis logic to conduct a first analysis of a multi-flow object based on information from a plurality of related flows received via the one or more hardware ports to determine if the multi-flow object has characteristics associated with a malicious attack, wherein the multi-flow object includes an aggregation of the plurality of related flows and each flow of the plurality of related flows comprises one or more related messages communicated during a single communication session between a source network device and a destination network device;
- a dynamic analysis engine including at least one virtual machine configured to process information within the multi-flow object determined by the first analysis as having characteristics associated with the malicious attack, the dynamic analysis engine further (i) monitoring behaviors of the multi-flow object during the virtual processing by the at least one virtual machine and (ii) generating results based on the monitored behaviors; and
- a classification engine to receive the results from the dynamic analysis engine and to generate a feedback signal that is provided to the network-traffic static analysis logic in response to a triggering event, the feedback signal prompting the network-traffic static analysis logic to perform a second analysis of the multi-flow object and provide results of the second analysis to the classification engine.

Dependent claims: 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29.