Advanced persistent threat (APT) detection center
First Claim
1. A computerized method for discovering and identifying an advanced persistent threat (APT) object corresponding to an object that includes an APT being a type of malware that is directed at a particular target and seeks to surveil, extract or manipulate data to which the particular target would have access, comprising:
receiving an object to be classified by one or more virtual machines of an APT detection center, the APT detection center includes a server and the one or more virtual machines communicatively coupled to the server and configured for processing of the received object;
extracting features of the received object during processing of the received object by the one or more virtual machines, a first extracted feature of the extracted features includes information associated with an action performed during processing of the received object within the one or more virtual machines;
conducting, by the server, a first analysis by comparing the extracted features with features of known APT objects stored in an APT database accessible to the server;
responsive to determining that the extracted features satisfy a prescribed level of correlation with one or more features of known APT objects in the APT database, identifying the received object as an APT object in the APT database; and
responsive to determining that the extracted features fail to satisfy the prescribed level of correlation with the one or more features of the known APT objects in the APT database, conducting a second analysis by the server subsequent to the first analysis, the second analysis includes a comparison of features associated with known non-APT malware to determine whether the received object is known non-APT type malware, the second analysis being different from the first analysis.
Abstract
A computerized method is described in which one or more received objects are analyzed by an advanced persistent threat (APT) detection center to determine if the objects are APTs. The analysis may include the extraction of features describing and characterizing features of the received objects. The extracted features may be compared with features of known APT malware objects and known non-APT malware objects to determine a classification or probability of the received objects being APT malware. Upon determination that the received objects are APT malware, warning messages may be transmitted to a user of associated client devices. Classified objects may also be used to generate analytic data for the prediction and prevention of future APT attacks.
35 Claims
1. Independent claim, reproduced in full above under First Claim. Dependent claims 2 to 22 are not reproduced on this page.
23. A non-transitory storage medium including instructions, when executed by one or more hardware processors, discovering and identifying a new advanced persistent threat (APT) object corresponding to an object that includes an APT being a type of malware that is directed at a particular target and seeks to surveil, extract or manipulate data to which the particular target would have access by performing a plurality of operations, comprising:
extracting features of a received object to be classified, the extracted features comprise at least a first extracted feature that includes information associated with an action performed during processing of the object;
conducting a first analysis by comparing, by an APT classifier, the extracted features, including the first extracted feature, with features of known APT objects that are stored in an APT database; and
responsive to determining that the extracted features satisfy a prescribed level of correlation with one or more features of known APT objects, identifying the received object as an APT object in the APT database; and
responsive to determining that the extracted features fail to satisfy the prescribed level of correlation with the one or more features of the known APT objects, conducting a second analysis by determining whether the received object is known malware or benign, the second analysis being different from the first analysis.
24. An advanced persistent threats (APT) detection center system for identifying and discovering a new APT being a type of malware that is directed at a particular target and seeks to surveil, extract or manipulate data to which the particular target would have access, comprising:
one or more hardware processors;
a memory including one or more software modules that, when executed by the one or more hardware processors, extract features, including APT related features, of a received object to be classified, the extracted features comprise at least a first extracted feature that includes information associated with an action performed during processing of the object;
conduct a first analysis by comparing, by an APT classifier, the extracted features, including the first extracted feature, with features of known APT objects that are stored in an APT database;
responsive to determining that the extracted features satisfy a prescribed level of correlation with one or more features of known APT objects in the APT database, identify the received object as an APT object in the APT database; and
responsive to determining that the extracted features fail to satisfy the prescribed level of correlation with the one or more features of the known APT objects in the APT database, conduct a second analysis by determining whether the received object is known malware or benign, the second analysis being different from the first analysis.
25. A computerized method for discovering and identifying a new advanced persistent threat (APT) being a type of malware that is directed at a particular target and seeks to surveil, extract or manipulate data to which the particular target would have access, comprising:
determining one or more features associated with an object by one or more virtual machines of an APT detection center, the APT detection center includes a server and the one or more virtual machines that are configured for processing of the object, each of the one or more features describing a behavior of the object that is monitored during processing of the object;
conducting a first analysis by the APT detection center in comparing the one or more features with features of objects in an APT database using an APT classifier;
responsive to determining that the one or more features satisfy a prescribed level of correlation with features of a known APT object, identifying the object as an APT object in the APT database by the APT detection center; and
responsive to determining that the one or more features fail to satisfy the prescribed level of correlation with the features of the known APT object, conducting by the APT detection center a second analysis by determining whether the received object is known malware or benign, the second analysis being different from the first analysis.
(Dependent claims 26 to 35 are not reproduced on this page.)
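The two-stage classification the claims describe (first analysis against an APT database with a prescribed correlation level, then a second, different analysis against known non-APT malware), as an added illustration that is not the patent's own code. The correlation measure (Jaccard similarity over sandbox-observed behaviour strings), the thresholds and the feature databases are all constructed assumptions; the claims do not specify any of them.

```python
# Added example (not from the patent): a two-stage classifier modelled on the
# claimed method. Features are behaviour strings recorded while the object runs
# in a sandbox VM; the server correlates them against an APT database first and
# falls back to a known-malware comparison only when that correlation fails.

# Constructed feature sets standing in for the APT database and the non-APT
# malware database (assumption: real databases hold far richer feature records).
APT_DB = {
    "apt-sample-A": {"spawns_office_child_process", "reads_outlook_contacts",
                     "beacon_regular_interval", "staged_archive_in_temp",
                     "dns_to_dynamic_domain"},
}
NON_APT_MALWARE_DB = {
    "ransomware-sample-X": {"mass_file_encrypt", "deletes_volume_shadow_copies",
                            "drops_ransom_note", "kills_backup_services"},
    "adware-sample-Y": {"modifies_browser_homepage", "installs_browser_extension"},
}
APT_THRESHOLD = 0.6      # assumed "prescribed level of correlation" (first analysis)
MALWARE_THRESHOLD = 0.5  # assumed threshold for the second analysis


def correlation(extracted: frozenset, known: set) -> float:
    """Jaccard similarity between extracted features and one known object's features."""
    if not extracted and not known:
        return 0.0
    return len(extracted & known) / len(extracted | known)


def best_match(extracted: frozenset, db: dict):
    """Return (name, score) of the database entry most correlated with the object."""
    return max(((n, correlation(extracted, f)) for n, f in db.items()),
               key=lambda t: t[1], default=(None, 0.0))


def classify(extracted_features) -> dict:
    """Two-stage verdict: APT first, then known non-APT malware, else benign/unknown."""
    extracted = frozenset(extracted_features)
    # First analysis: compare only against known APT objects.
    name, score = best_match(extracted, APT_DB)
    if score >= APT_THRESHOLD:
        return {"verdict": "apt", "match": name, "score": round(score, 3)}
    # Second analysis (different database, different threshold): known non-APT
    # malware or, failing that, benign / unknown.
    name, score = best_match(extracted, NON_APT_MALWARE_DB)
    if score >= MALWARE_THRESHOLD:
        return {"verdict": "non-apt-malware", "match": name, "score": round(score, 3)}
    return {"verdict": "benign-or-unknown", "match": None, "score": round(score, 3)}
```

An object whose behaviour overlaps strongly with the APT entry never reaches the second analysis, while a ransomware-like object scores zero against the APT database and is only labelled by the second stage.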