System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object

US 9,432,389 B1
Filed: 03/31/2014
Issued: 08/30/2016
Est. Priority Date: 03/31/2014
Status: Active Grant

First Claim

Patent Images

1. An apparatus for detecting one or more exploits, comprising:

one or more hardware ports that provide connectivity between the apparatus and a transmission medium;

network-traffic static analysis logic communicatively coupled to the one or more hardware ports, the network-traffic static analysis logic to conduct an analysis of a multi-flow object based on information from a plurality of related flows received via the one or more hardware ports by analyzing characteristics of the multi-flow object and determining if the characteristics of the multi-flow object are indicative of an exploit of the one of more exploits, wherein the analysis of the multi-flow object represents a static analysis of characteristics associated with the plurality of related flows and each flow of the plurality of related flows comprises one or more related messages communicated during a single communication session between a source network device and a destination network device; and

a classification engine to receive results of the analysis of the multi-flow object and, based on the results of the analysis of the multi-flow object, determine whether the multi-flow object is the exploit.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an embodiment, a threat detection and prevention system comprises a network-traffic static analysis logic and a classification engine. The network-traffic static analysis logic is configured to conduct an analysis of a multi-flow object by analyzing characteristics of the multi-flow object and determining if the characteristics of the multi-flow object is associated with a malicious attack such as being indicative of an exploit for example. The classification engine is configured to receive results of the analysis of the multi-flow object and, based on the results of the analysis of the multi-flow object, determine whether the multi-flow object is associated with a malicious attack.

Citations

29 Claims

1. An apparatus for detecting one or more exploits, comprising:
- one or more hardware ports that provide connectivity between the apparatus and a transmission medium;
  
  network-traffic static analysis logic communicatively coupled to the one or more hardware ports, the network-traffic static analysis logic to conduct an analysis of a multi-flow object based on information from a plurality of related flows received via the one or more hardware ports by analyzing characteristics of the multi-flow object and determining if the characteristics of the multi-flow object are indicative of an exploit of the one of more exploits, wherein the analysis of the multi-flow object represents a static analysis of characteristics associated with the plurality of related flows and each flow of the plurality of related flows comprises one or more related messages communicated during a single communication session between a source network device and a destination network device; and
  
  a classification engine to receive results of the analysis of the multi-flow object and, based on the results of the analysis of the multi-flow object, determine whether the multi-flow object is the exploit.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, wherein the characteristics comprises message ordering within a plurality of related flows associated with the multi-flow object, wherein each flow of the plurality of related flows comprises the one or more related messages that include a plurality of related messages communicated during the single communication session between the source network device being a single source network device and the destination network device being a single destination network device.
  - 3. The apparatus of claim 1, wherein the characteristics comprise one or more of (i) header types within HTTP-based messages associated with the multi-flow object;
    - (ii) parameter values for corresponding headers within the HTTP-based messages;
      
      or (iii) ordering of information associated with the HTTP-based messages associated with the multi-flow object.
  - 4. The apparatus of claim 1, wherein the analysis of the multi-flow object corresponds to an enhanced static analysis of characteristics associated with the multi-flow object that are different from characteristics analyzed by the network-traffic static analysis logic during a first static analysis of the multi-flow object prior to the enhanced static analysis.
  - 5. The apparatus of claim 1 further comprising:
    - a dynamic analysis engine including at least one virtual machine configured to conduct virtual processing of information within the multi-flow object, the dynamic analysis engine further (i) monitoring behaviors of the multi-flow object during the virtual processing by the at least one virtual machine and (ii) generating results based on the monitored behaviors,wherein the classification engine uses the results generated from the dynamic analysis engine and the results of the analysis of the multi-flow object by the network-traffic static analysis logic to determine whether the multi-flow object is the exploit.
  - 6. The apparatus of claim 5, wherein the analysis of the multi-flow object by the network-traffic static analysis logic is triggered by a feedback signal and feedback signal is triggered when the classification engine determines that the results from the dynamic analysis engine fail to identify the multi-flow object is the exploit.
  - 7. The apparatus of claim 1, wherein the multi-flow object includes at least a first data flow of the plurality of related data flows and a second data flow of the plurality of related data flows that is responsive to the first data flow, the first data flow including information associated with a HTTP GET request message and the second data flow including information associated with a HTTP GET response message.

8. An apparatus comprising:
- a processor; and
  
  a memory communicatively coupled to the processor, the memory comprisesa network-traffic static analysis logic being a software module that, when executed by the processor, conducts an analysis of a multi-flow object by analyzing characteristics of the multi-flow object that include message ordering within a plurality of related flows associated with the multi-flow object and determining if the characteristics of the multi-flow object are associated with a malicious attack, wherein the multi-flow object includes an aggregation of a plurality of related flows and each flow of the plurality of related flows comprises one or more related messages communicated during a single communication session between a source network device and a destination network device, and a classification engine being a software module that, when executed by the processor, receives results of the analysis of the multi-flow object and, based on the results of the analysis of the multi-flow object, determines whether the multi-flow object is associated with the malicious attack.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The apparatus of claim 8, wherein the characteristics comprise one or more of (i) header types within HTTP-based messages associated with the multi-flow object;
    - (ii) parameter values for corresponding headers within the HTTP-based messages;
      
      or (iii) ordering of information associated with the HTTP-based messages associated with the multi-flow object.
  - 10. The apparatus of claim 8, wherein the analysis of the multi-flow object by the network-traffic static analysis logic is triggered by communications from the classification engine.
  - 11. The apparatus of claim 8, wherein the analysis of the multi-flow object represents an enhanced static analysis of characteristics associated with a plurality of related flows of the multi-flow object that are different than characteristics analyzed and reported by the network-traffic static analysis logic to the classification engine prior to the enhanced static analysis, wherein each flow of the plurality of related flows comprises the one or more related messages being a plurality of related messages communicated during the single communication session between the source network device being a single source network device and the destination network device being a single destination network device.
  - 12. The apparatus of claim 8, wherein the memory further comprises:
    - a dynamic analysis engine being a software module that, when executed by the processor, causes at least one virtual machine to conduct virtual processing of information within the multi-flow object, the dynamic analysis engine further (i) monitoring behaviors of the multi-flow object during the virtual processing by the at least one virtual machine and (ii) generating results based on the monitored behaviors,wherein the classification engine uses the results generated from the dynamic analysis engine and the results of the analysis of the multi-flow object by the network-traffic static analysis logic to determine whether the multi-flow object is associated with the malicious attack.
  - 13. The apparatus of claim 12, wherein the analysis of the multi-flow object by the network-traffic static analysis logic is triggered by a feedback signal and the feedback signal is triggered when the classification engine determines that the results from the dynamic analysis engine fail to identify the multi-flow object is associated with the malicious attack.
  - 14. The apparatus of claim 8, wherein the analysis of the multi-flow object by the network-traffic static analysis logic is triggered by a feedback signal and the feedback signal is triggered when the classification engine fails to identify the multi-flow object is associated with the malicious attack.
  - 15. The apparatus of claim 8, wherein the multi-flow object includes at least a first data flow of the plurality of related data flows and a second data flow of the plurality of related data flows that is responsive to the first data flow, the first data flow including information associated with a HTTP GET request message and the second data flow including information associated with a HTTP GET response message responsive to the HTTP GET request message.

16. An electronic device, comprising:
- one or more hardware ports that provide connectivity between the apparatus and a transmission medium;
  
  network-traffic static analysis logic communicatively coupled to the one or more hardware ports, the network-traffic static analysis logic to conduct a first analysis of a multi-flow object based on information from a plurality of related flows received via the one or more hardware ports to determine if the multi-flow object has characteristics associated with a malicious attack, wherein the multi-flow object includes an aggregation of the plurality of related flows and each flow of the plurality of related flows comprises one or more related messages communicated during a single communication session between a source network device and a destination network device;
  
  a dynamic analysis engine including at least one virtual machine configured to process information within the multi-flow object determined by the first analysis as having characteristics associated with the malicious attack, the dynamic analysis engine further (i) monitoring behaviors of the multi-flow object during the virtual processing by the at least one virtual machine and (ii) generating results based on the monitored behaviors; and
  
  a classification engine to receive the results from the dynamic analysis engine and to generate a feedback signal that is provided to the network-traffic static analysis logic in response to a triggering event, the feedback signal prompting the network-traffic static analysis logic to perform a second analysis of the multi-flow object and provide results of the second analysis to the classification engine.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 17. The electronic device of claim 16, wherein each flow of the plurality of related flows comprises the one or more related messages that include a plurality of related messages communicated during the single communication session between the source network device being a single source network device and the destination network device being a single destination network device.
  - 18. The electronic device of claim 17, wherein the static analysis of the characteristics related to the communication protocols comprises analysis of one or more of (i) header types within the plurality of related messages being HTTP-based messages;
    - (ii) parameter values for corresponding headers within the HTTP-based messages;
      
      or (iii) ordering information associated with the HTTP-based messages.
  - 19. The electronic device of claim 16, wherein the first analysis analyzes characteristics of the multi-flow object different from characteristics of the multi-flow object analyzed during the second analysis.
  - 20. The electronic device of claim 19, wherein the first analysis comprises one of a heuristic analysis, a determinative analysis, or a signature matching.
  - 21. The electronic device of claim 19, wherein the first analysis conducts signature matching associated with a first subset of signatures and the second analysis conducts signature matching associated with a second subset of signatures that is mutually exclusive from the first subset of signatures.
  - 22. The electronic device of claim 19, wherein the results of the second analysis including one or more of (i) a score based on anomalous characteristics detected during the second analysis of the multi-flow object, (ii) the anomalous characteristics, or (iii) an updated score different than the score if (a) the first analysis of the multi-flow object produced a first score used by the classification engine to classify the multi-flow object as malicious or benign and (b) the second analysis is directed to the multi-flow object that includes additional information that was not analyzed during the first analysis.
  - 23. The electronic device of claim 19, wherein the network-traffic static analysis logic comprises:
    - a traffic pre-filter logic configured to (i) parse incoming network traffic, and (ii) aggregate information associated with the network traffic from a common Internet Protocol (IP) address for a period of time, the aggregated information being associated with the multi-flow object; and
      
      a correlation logic configured to conduct the first analysis of the multi-flow object and produce results of the first analysis of the multi-flow object.
  - 24. The electronic device of claim 19, wherein the classification engine comprises:
    - a score determination logic that computes a score that represents whether the multi-flow object is an exploit, the score being based on the results from the dynamic analysis engine and the results of the second analysis of the multi-flow object by the network-traffic static analysis logic.
  - 25. The electronic device of claim 24, wherein the classification engine further comprises prioritization logic that is configured to apply weighting to the results from the dynamic analysis engine and the results from the network-traffic static analysis logic.
  - 26. The electronic device of claim 24, wherein the prioritization logic applies a first weighting to the results from the network-traffic static analysis logic and a second weighting to the results from the dynamic analysis engine, the first weighting being different than the second weighting.
  - 27. The electronic device of claim 16, wherein the triggering event is a determination by the classification engine that the results from the dynamic analysis engine fail to identify the multi-flow object has characteristics associated with the malicious attack.
  - 28. The electronic device of claim 27, wherein the classification engine fails to identify the multi-flow object has characteristics associated with the malicious attack due to one or more factors including (1) a software detect that comprises (i) the at least one virtual machine using an application that failed to trigger one or more anomalous behaviors during the virtual processing of the multi-flow object, or (ii) the at least one virtual machine crashing, or (2) incomplete content analyzed including a failure by the at least one virtual machine to virtually process certain information within the multi-flow object due to time constraints in the virtual processing of the information within the multi-flow object.
  - 29. The electronic device of claim 16, wherein the multi-flow object includes at least a first data flow of the plurality of related data flows and a second data flow of the plurality of related data flows that is responsive to the first data flow, the first data flow including information associated with a HTTP GET request message and the second data flow including information associated with a HTTP GET response message responsive to the HTTP GET request message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Khalid, Yasir, Deshpande, Shivani, Amin, Muhammad
Primary Examiner(s)
Shehni, Ghazal

Application Number

US14/231,260
Time in Patent Office

883 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links