Advanced persistent threat (APT) detection center

US 9,628,507 B2
Filed: 09/30/2013
Issued: 04/18/2017
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. A computerized method for discovering and identifying an advanced persistent threat (APT) object corresponding to an object that includes an APT being a type of malware that is directed at a particular target and seeks to surveil, extract or manipulate data to which the particular target would have access, comprising:

receiving an object to be classified by one or more virtual machines of an APT detection center, the APT detection center includes a server and the one or more virtual machines communicatively coupled to the server and configured for processing of the received object;

extracting features of the received object during processing of the received object by the one or more virtual machines, a first extracted feature of the extracted features includes information associated with an action performed during processing of the received object within the one or more virtual machines;

conducting, by the server, a first analysis by comparing the extracted features with features of known APT objects stored in an APT database accessible to the server;

responsive to determining that the extracted features satisfy a prescribed level of correlation with one or more features of known APT objects in the APT database, identifying the received object as an APT object in the APT database; and

responsive to determining that the extracted features fail to satisfy the prescribed level of correlation with the one or more features of the known APT objects in the APT database, conducting a second analysis by the server subsequent to the first analysis, the second analysis includes a comparison of features associated with known non-APT malware to determine whether the received object is known non-APT type malware, the second analysis being different from the first analysis.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized method is described in which one or more received objects are analyzed by an advanced persistent threat (APT) detection center to determine if the objects are APTs. The analysis may include the extraction of features describing and characterizing features of the received objects. The extracted features may be compared with features of known APT malware objects and known non-APT malware objects to determine a classification or probability of the received objects being APT malware. Upon determination that the received objects are APT malware, warning messages may be transmitted to a user of associated client devices. Classified objects may also be used to generate analytic data for the prediction and prevention of future APT attacks.

Citations

35 Claims

1. A computerized method for discovering and identifying an advanced persistent threat (APT) object corresponding to an object that includes an APT being a type of malware that is directed at a particular target and seeks to surveil, extract or manipulate data to which the particular target would have access, comprising:
- receiving an object to be classified by one or more virtual machines of an APT detection center, the APT detection center includes a server and the one or more virtual machines communicatively coupled to the server and configured for processing of the received object;
  
  extracting features of the received object during processing of the received object by the one or more virtual machines, a first extracted feature of the extracted features includes information associated with an action performed during processing of the received object within the one or more virtual machines;
  
  conducting, by the server, a first analysis by comparing the extracted features with features of known APT objects stored in an APT database accessible to the server;
  
  responsive to determining that the extracted features satisfy a prescribed level of correlation with one or more features of known APT objects in the APT database, identifying the received object as an APT object in the APT database; and
  
  responsive to determining that the extracted features fail to satisfy the prescribed level of correlation with the one or more features of the known APT objects in the APT database, conducting a second analysis by the server subsequent to the first analysis, the second analysis includes a comparison of features associated with known non-APT malware to determine whether the received object is known non-APT type malware, the second analysis being different from the first analysis.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The computerized method of claim 1, wherein the conducting of the first analysis comprises correlating the extracted features of the received object with the features of known APT objects and the conducting of the second analysis comprises correlating the extracted features of the received object with features of known malware that differs from the known APT objects.
  - 3. The computerized method of claim 1, wherein the extracted features of the received object satisfy a prescribed level of correlation when a predefined number of the extracted features match features of one or more known APT objects in the APT database.
  - 4. The computerized method of claim 1, wherein the received object is a file suspected to contain malware code.
  - 5. The computerized method of claim 4, wherein the extracted features are extracted before and after the malware code has been activated.
  - 6. The computerized method of claim 1, wherein the received object includes a dropped object, the dropped object being (i) generated during processing of an object within the one or more virtual machines and (ii) returned to the one or more virtual machines for processing and extracting of the features of the dropped object.
  - 7. The computerized method of claim 1, further comprising:
    - normalizing the extracted features of the received object such that each value in the extracted features is converted to a discrete or continuous value.
  - 8. The computerized method of claim 1, further comprising:
    - transmitting a warning to a user of a client device that the received object is an APT object in response to determining that the extracted features of the received object satisfy a prescribed level of correlation, wherein the received object is received from a client device operated by the user.
  - 9. The computerized method of claim 8, wherein the received object is received through an interface displayed on the client device and the warning is presented to the user through the interface.
  - 10. The computerized method of claim 1, wherein the extracted features include data describing the behavior and characteristics of the received object that is received from a source external to the server.
  - 11. The computerized method of claim 1, wherein the comparing of the extracted features with the features of the known APT objects in the APT database utilizes statistical and machine learning techniques to determine whether the extracted features of the received object satisfy the prescribed level of correlation to one or more of the known APT objects in the APT database.
  - 12. The computerized method of claim 1, further comprising:
    - analyzing the APT database to, based on stored APT objects, determine the severity of the APT object.
  - 13. The computerized method of claim 12, further comprisinganalyzing stored APT objects within the APT database to rank the APT objects according to severity, the ranking of the severity of a first APT object of the stored APT objects is based on one or more of the size of a target and damage caused by the first APT object.
  - 14. The computerized method of claim 13, furthering comprising:
    - comparing extracted features of the first APT object with extracted features of a second APT object; and
      
      assigning the severity of the first object to the second object upon determining that the first APT object shares one or more features with the second APT object.
  - 15. The computerized method of claim 12, wherein the analysis of the APT database comprises:
    - determining trends for APT attacks based on stored APT objects in the APT database; and
      
      signaling a user of a possible future attack based on the determined trends.
  - 16. The computerized method of claim 15, wherein the trends are determined relative to one or more of a time period and a target type.
  - 17. The computerized method of claim 1, further comprising analyzing stored APT objects within the APT database and generating an attacker profile bycomparing extracted features of a first APT object stored in the APT database to extracted features of a second APT object stored in the APT database;
    - andassociating the first APT object and the second APT object with an attacker profile upon determining that multiple APT objects share a predefined number of extracted features.
  - 18. The computerized method of claim 17, further comprising:
    - comparing extracted features from a third APT object with one or more of the first APT object and the second APT objectassociated with the attacker profile; and
      
      attributing the third APT object to an attacker associated with the attacker profile upon determining that the third APT object shares the predefined number of extracted features with multiple APT objects.
  - 19. The computerized method of claim 1 further comprising analyzing the APT database and identifying an APT campaign that comprises:
    - detecting a number of APT objects in the APT database that have occurred within a specified time period;
      
      determining whether the number of APT objects detected during the specified time period is above a campaign threshold value; and
      
      signaling that an APT campaign is occurring during the specified time period in response to determining that the number of APT objects during the specified time period is above the campaign threshold value.
  - 20. The computerized method of claim 19, wherein the detected APT objects are associated with a single attacker.
  - 21. The computerized method of claim 1, wherein the extracted features include data that exhibit that an associated attacker has prior knowledge about a target of the received object.
  - 22. The computerized method of claim 1, wherein the extracting features of the received object is performed by a virtual machine during the processing of the object.

23. A non-transitory storage medium including instructions, when executed by one or more hardware processors, discovering and identifying a new advanced persistent threat (APT) object corresponding to an object that includes an APT being a type of malware that is directed at a particular target and seeks to surveil, extract or manipulate data to which the particular target would have access by performing a plurality of operations, comprising:
- extracting features of received object to be classified, the extracted features comprise at least a first extracted feature that includes information associated with an action performed during processing of the object;
  
  conducting a first analysis by comparing, by an APT classifier, the extracted features, including the first extracted feature, with features of known APT objects al-se that are stored in an APT database; and
  
  responsive to determining that the extracted features satisfy a prescribed level of correlation with one or more features of known APT objects, identifying the received object as an APT object in the APT database; and
  
  responsive to determining that the extracted features fail to satisfy the prescribed level of correlation with the one or more features of the known APT objects, conducting a second analysis by determining whether the received object is known malware or benign, the second analysis being different from the first analysis.

24. An advanced persistent threats (APT) detection center system for identifying and discovering a new APT being a type of malware that is directed at a particular target and seeks to surveil, extract or manipulate data to which the particular target would have access, comprising:
- one or more hardware processors;
  
  a memory including one or more software modules that, when executed by the one or more hardware processors;
  
  extract features, including APT related features, of a received object to be classified, the extracted features comprise at least a first extracted feature that includes information associated with an action performed during processing of the object;
  
  conduct a first analysis by comparing, by an APT classifier, the extracted features, including the first extracted feature, with features of known APT objects that are stored in an APT database;
  
  responsive to determining that the extracted features satisfy-a prescribed level of correlation with one or more features of known APT objects in the APT database, identify the received object as an APT object in the APT database; and
  
  responsive to determining that the extracted features fail to satisfy the prescribed level of correlation with the one or more features of the known APT objects in the APT database, conduct a second analysis by determining whether the received object is known malware or benign, the second analysis being different from the first analysis.

25. A computerized method for discovering and identifying a new advanced persistent threat (APT) being a type of malware that is directed at a particular target and seeks to surveil, extract or manipulate data to which the particular target would have access, comprising:
- determining one or more features associated with an object by one or more virtual machines of an APT detection center, the APT detection center includes a server and the one or more virtual machines that are configured for processing of the object, each of the one or more features describing a behavior of the object that is monitored during processing of the object;
  
  conducting a first analysis by the APT detection center in comparing the one or more features with features of objects in an APT database using an APT classifier;
  
  responsive to determining that the one or more features satisfy a prescribed level of correlation with features of a known APT object, identifying the object as an APT object in the APT database by the APT detection center; and
  
  responsive to determining that the one or more features fail to satisfy the prescribed level of correlation with the features of the known APT object, conducting by the APT detection center a second analysis by determining whether the received object is known malware or benign, the second analysis being different from the first analysis.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 26. The computerized method of claim 25, wherein identifying the object as the APT object when a predefined number of the one or more features has the prescribed level of correlation with features of the known APT object in the APT database.
  - 27. The computerized method of claim 25, wherein the one or more objects is a file suspected to contain malware.
  - 28. The computerized method of claim 27, wherein the determining of the one or more features associated with the object comprisesreceiving the object to be classified;
    - extracting the one or more features from the object;
      
      storing the object along with the one or more features in the APT database.
  - 29. The computerized method of claim 28, further comprising:
    - extracting a dropped object generated by the object;
      
      extracting one or more features describing behavior and characteristics of the dropped object; and
      
      associating the dropped object and the one or more extracted features of the dropped object with the object in the APT database.
  - 30. The computerized method of claim 25, further comprising:
    - normalizing the one or more features of the object so that each value in the one or more features is converted to a discrete or continuous value.
  - 31. The computerized method of claim 25, further comprising:
    - transmitting a warning message to a client device that the object is an APT object in response to determining that the one or more features of the object have the prescribed level of correlation with one or more features of known APT objects in the APT database.
  - 32. The computerized method of claim 25, further comprising:
    - analyzing the APT database, based on stored APT objects, to perform a plurality of (1) creating attacker profiles, (2) collecting evidence of an APT attack, (3) determining a level of severity of an APT object, (4) discovering and identifying overall APT campaigns, (5) performing attribution of the APT attack, and (6) predict future APT trends.
  - 33. The computerized method of claim 25, further comprising:
    - analyzing the APT database, based on stored APT objects, to discover and identifying overall APT campaigns.
  - 34. The computerized method of claim 25, further comprising:
    - analyzing the APT database, based on stored APT objects, to perform an attribution of the APT attack.
  - 35. The computerized method of claim 25, further comprising:
    - analyzing the APT database, based on stored APT objects, to predict future APT trends.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Haq, Thoufique, Zhai, Jinjian, Pidathala, Vinay K.
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Gao, Shu Chun

Application Number

US14/042,483
Publication Number

US 20150096024A1
Time in Patent Office

1,296 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/205   involving negotiation or de...

Advanced persistent threat (APT) detection center

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Advanced persistent threat (APT) detection center

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links