System and method of detecting delivery of malware based on indicators of compromise from different sources

US 9,609,007 B1
Filed: 06/06/2016
Issued: 03/28/2017
Est. Priority Date: 08/22/2014
Status: Active Grant

First Claim

Patent Images

1. An electronic device, comprising:

a communication interface;

a processor coupled to the communication interface; and

a memory coupled to the processor, the memory includesa first logic that, when executed by the processor, organizes (i) a set of indicators of compromise (IOCs) received from a first source via the communication interface, where the set of IOCs have been caused by a known malware associated with a first message type, and (ii) one or more IOCs received from a second source via the communication interface, the second source being different from the first source where a cause of the one or more IOCs is unknown, anda second logic that, when executed by the processor, (i) conducts a predictive analysis that evaluates whether the one or more IOCs have a prescribed degree of correlation with the set of IOCs caused by the known malware associated with the first message type, and (ii) determine a threat level, which signifies a degree of confidence that the one or more IOCs received from the second source are caused by the known malware.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a computerized method comprises receiving a set of indicators of compromise (IOCs) associated with a known malware of a first message type from a first source and receiving one or more IOCs (IOC(s)) from a second source that is different from the first source. Thereafter, a determination is made as to whether the received IOC(s) from the second source correspond to the set of IOCs received from the first source. If so, information associated with at least the set of IOCs is used to locate a malware of the first message type that is undetected at the second source.

Citations

35 Claims

1. An electronic device, comprising:
- a communication interface;
  
  a processor coupled to the communication interface; and
  
  a memory coupled to the processor, the memory includesa first logic that, when executed by the processor, organizes (i) a set of indicators of compromise (IOCs) received from a first source via the communication interface, where the set of IOCs have been caused by a known malware associated with a first message type, and (ii) one or more IOCs received from a second source via the communication interface, the second source being different from the first source where a cause of the one or more IOCs is unknown, anda second logic that, when executed by the processor, (i) conducts a predictive analysis that evaluates whether the one or more IOCs have a prescribed degree of correlation with the set of IOCs caused by the known malware associated with the first message type, and (ii) determine a threat level, which signifies a degree of confidence that the one or more IOCs received from the second source are caused by the known malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The electronic device of claim 1, wherein the set of IOCs caused by the known malware includes a plurality of IOCs associated with an electronic mail message that has been previously detected at the first source as being malicious.
  - 3. The electronic device of claim 1, wherein the set of IOCs caused by the known malware includes a plurality of IOCs associated with a text message that has been previously detected at the first source as being malicious.
  - 4. The electronic device of claim 1, wherein the communication interface is a wireless transceiver that establishes a communicative coupling to a network and receives the set of IOCs and the one or more IOCs via the network.
  - 5. The electronic device of claim 4, wherein the network is a public network.
  - 6. The electronic device of claim 1, wherein the second logic determines whether the one or more IOCs received from the second source have the prescribed degree of correlation to the set of IOCs received from the first source in response to a triggering event that signifies a prescribed likelihood that the one or more IOCs from the second source are caused by an undetected malicious electronic message present at the second source.
  - 7. The electronic device of claim 6, wherein the triggering event includes a shift in volume of a given type of IOC at the second source.
  - 8. The electronic device of claim 7, wherein the shift in volume of the given type of IOC at the second source includes an increase in volume of the given type of IOC at the second source that exceeds a prescribed threshold.
  - 9. The electronic device of claim 1, wherein the second logic, when executed by the processor, evaluates whether the one or more IOCs received from the second source correspond to the set of IOCs received from the first source by determining whether a particular number of the one or more IOCs received from the second source are present and in the same chronological order as in the set of IOCs associated with the known malware.
  - 10. The electronic device of claim 9, wherein the degree of correspondence for evaluating whether the one or more IOCs from the second source correspond to the set of IOCs received from the first source is dynamic.
  - 11. The electronic device of claim 1, wherein the conducting of the predictive analysis to determine whether the one or more IOCs received from the second source correspond to the set of IOCs received from the first source further comprisesdetermining the degree of correlation between the one or more IOCs and the set of IOCs identified as being caused by the known malware;
    - generating at least one alert in response to the degree of correlation exceeding a prescribed threshold.
  - 12. The electronic device of claim 11, wherein the second logic, after determining the threat level, selects a particular type of alert based on the determined threat level.
  - 13. The electronic device of claim 12, wherein the second logic, after determining the threat level, generates (i) a first type of alert being a transmission of a message to security personnel of the second source in response to a first threat level and (ii) a second type of alert being multiple transmissions of a message through different mediums that include at least any two of a group consisting of (a) an electronic message via the network, (b) a text message, and (c) an automated cellular telephone call.
  - 14. The electronic device of claim 1, wherein the second logic, when executed by the processor, determines the threat level based, at least in part, on a timing of the one or more IOCs compared to a timing of the set of IOCs, the first message type includes an electronic message.
  - 15. The electronic device of claim 1, wherein the communication interface is communicatively coupled to the first source and the second source via a network, the first source being a network device that includes message analysis logic and the second source being a network device operating as a web-based security appliance.

16. A computerized method for malware detection conducted by a network device including processing circuitry and a data store, comprising:
- receiving a plurality of indicators of compromise (IOCs) from a first source, the plurality of IOCs identified as being caused by a known malware associated with a first message type;
  
  receiving one or more IOCs from a second source that is different from the first source; and
  
  conducting a predictive analysis of the one or more IOCs received from the second source to determine whether the one or more IOCs from the second source correspond to the plurality of IOCs received from the first source, the predictive analysis includes (i) determining a threat level associated with the one or more IOCs, the threat level signifies a degree of confidence that the one or more IOCs are caused by a malicious electronic message, and (ii) selecting a particular type of response based on the determined threat level,wherein information associated with at least the plurality of IOCs is used to determine a presence of malware associated with the first message type at the second source that is currently undetected and is the cause of the one or more IOCs at the second source.
- View Dependent Claims (17, 18, 19)
- - 17. The computerized method of claim 16, wherein the plurality of IOCs includes a plurality of IOCs associated with either an email message or a text message that has been previously detected at the first source as being malicious.
  - 18. The computerized method of claim 16, wherein the conducting the predictive analysis of the one or more IOCs received from the second source occurs in response to a triggering event, the triggering event includes an increase in volume of a given type of IOC at the second source that exceeds a prescribed threshold.
  - 19. The computerized method of claim 16, wherein the conducting the predictive analysis of the one or more IOCs received from the second source comprises determining whether the one or more IOCs received from the second source are present and in the same chronological order as a corresponding set of IOCs of the plurality of IOCs associated with the known malware.

20. An electronic device, comprising:
- one or more hardware processors; and
  
  a memory coupled to the one or more hardware processors, the memory includesa first logic that, when executed by the one or more hardware processors, organizes (i) a set of indicators of compromise (IOCs) received from a first source, where the set of IOCs have been caused by a known malware associated with a first message type, and (ii) one or more IOCs received from a second source, the second source being different from the first source where a cause of the one or more IOCs is unknown, anda second logic that, when executed by the one or more hardware processors, (i) conducts an analysis that evaluates whether the one or more IOCs have a prescribed degree of correlation with the set of IOCs caused by the known malware associated with the first message type, and (ii) determine a threat level, which signifies a degree of confidence that the one or more IOCs received from the second source are caused by the known malware.

21. A non-transitory storage medium implemented with software for execution by one or more hardware processors, the non-transitory storage medium comprising:
- a first logic that, stored in the non-transitory storage medium and upon execution by the one or more hardware processors, organizes (i) a set of indicators of compromise (IOCs) received from a first source, where the set of IOCs have been caused by a known malware associated with a first message type, and (ii) one or more IOCs received from a second source, the second source being different from the first source where a cause of the one or more IOCs is unknown, anda second logic that, stored in the non-transitory storage medium and upon execution by the one or more hardware processors, (i) conducts an analysis that evaluates whether the one or more IOCs have a prescribed degree of correlation with the set of IOCs caused by the known malware associated with the first message type, and (ii) determine a threat level, which signifies a degree of confidence that the one or more IOCs received from the second source are caused by the known malware.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 22. The non-transitory storage medium of claim 21, wherein the set of IOCs caused by the known malware includes a plurality of IOCs associated with an electronic mail message that has been previously detected at the first source as being malicious.
  - 23. The non-transitory storage medium of claim 21, wherein the set of IOCs caused by the known malware includes a plurality of IOCs associated with a text message that has been previously detected at the first source as being malicious.
  - 24. The non-transitory storage medium of claim 21 being implemented within an electronic device that comprises a communication interface communicatively coupled to the one or more hardware processors, the communication interface includes a wireless transceiver that establishes a communicative coupling to a network and receives the set of IOCs and the one or more IOCs via the network.
  - 25. The non-transitory storage medium of claim 24 being implemented within the electronic device including the wireless transceiver communicatively coupled to the network being a public network.
  - 26. The non-transitory storage medium of claim 24 being implemented within the electronic device including the communication interface that is communicatively coupled to the first source and the second source via a network, the first source being a network device that includes message analysis logic and the second source being a network device operating as a web-based security appliance.
  - 27. The non-transitory storage medium of claim 21, wherein the second logic determines whether the one or more IOCs received from the second source have the prescribed degree of correlation to the set of IOCs received from the first source in response to a triggering event that signifies a prescribed likelihood that the one or more IOCs from the second source are caused by an undetected malicious electronic message present at the second source.
  - 28. The non-transitory storage medium of claim 27, wherein the triggering event includes a shift in volume of a given type of IOC at the second source.
  - 29. The non-transitory storage medium of claim 28, wherein the shift in volume of the given type of IOC at the second source includes an increase in volume of the given type of IOC at the second source that exceeds a threshold.
  - 30. The non-transitory storage medium of claim 21, wherein the second logic, when executed by the one or more hardware processors, evaluates whether the one or more IOCs received from the second source correspond to the set of IOCs received from the first source by determining whether a particular number of the one or more IOCs received from the second source are present and in the same chronological order as in the set of IOCs associated with the known malware.
  - 31. The non-transitory storage medium of claim 30, wherein the degree of correspondence for evaluating whether the one or more IOCs from the second source correspond to the set of IOCs received from the first source is dynamic.
  - 32. The non-transitory storage medium of claim 21, wherein the conducting of the analysis to determine whether the one or more IOCs received from the second source correspond to the set of IOCs received from the first source further comprisesdetermining the degree of correlation between the one or more IOCs and the set of IOCs identified as being caused by the known malware;
    - generating at least one alert in response to the degree of correlation exceeding a threshold.
  - 33. The non-transitory storage medium of claim 21, wherein the second logic, after determining the threat level, selects a particular type of alert based on the determined threat level.
  - 34. The non-transitory storage medium of claim 33, wherein the second logic, after determining the threat level, generates (i) a first type of alert being a transmission of a message to security personnel of the second source in response to a first threat level and (ii) a second type of alert being multiple transmissions of a message through different mediums that include at least any two of a group consisting of (a) an electronic message via the network, (b) a text message, and (c) an automated cellular telephone call.
  - 35. The non-transitory storage medium of claim 21, wherein the second logic, when executed by the processor, determines the threat level based, at least in part, on a timing of the one or more IOCs compared to a timing of the set of IOCs, the first message type includes an electronic message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Rivlin, Alexandr, Mehra, Divyesh, Uyeno, Henry, Pidathala, Vinay
Primary Examiner(s)
Song, Hosuk

Application Number

US15/174,827
Time in Patent Office

295 Days
Field of Search

713/187, 713/188, 726 22- 26
US Class Current

1/1
CPC Class Codes

G06F 9/45508   Runtime interpretation or e...

H04L 51/212   using filtering or selectiv...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

System and method of detecting delivery of malware based on indicators of compromise from different sources

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of detecting delivery of malware based on indicators of compromise from different sources

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links