Electronic device for aggregation, correlation and consolidation of analysis attributes

US 9,641,546 B1
Filed: 04/11/2016
Issued: 05/02/2017
Est. Priority Date: 03/14/2013
Status: Active Grant

First Claim

Patent Images

1. An electronic device for detecting a malware attack and controlling a display of information associated with a migration of suspicious network content during the malware attack, the electronic device comprising:

a processor;

a communication interface logic communicatively coupled to the processor; and

a storage device communicatively coupled to the processor, the storage device comprisesaggregation logic that, when processed by the processor, receives analytic data from each of a plurality of systems via the communication interface logic, the analytic data from each system of the plurality of systems comprises one or more input attributes being information used in routing of the suspicious network content over a network and one or more analysis attributes being (a) a portion of the suspicious network content or (b) at least one anomalous behavior observed during prior analysis of the portion of the suspicious network content,correlation logic that, when processed by the processor and responsive to receiving the analytic data from each of the plurality of systems, attempts to find relationships between the one or more analysis attributes provided from each system of the plurality of systems based on determined similarities between the one or more analysis attributes,consolidation logic that, when processed by the processor, consolidates input attributes of the one or more input attributes associated with at least (i) a first analysis attribute of the one or more analysis attributes from a first system of the plurality of systems and (ii) a second analysis attribute of the one or more analysis attributes from a second system of the plurality of systems in response to detected similarities between the first analysis attribute and the second analysis attribute, anddisplay logic that, when processed by the processor, generates display information including the consolidated input attributes.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In communication with security appliances, an electronic device for providing a holistic view of a malware attack is described. The electronic device features one or more processors and a storage device. The storage device includes aggregation logic, correlation logic, consolidation logic, and display logic: The aggregation logic is configured to receive input attributes and analysis attributes from each of the security appliances. The correlation logic attempts to find relationships between analysis attributes provided from each security appliance. The consolidation logic receives at least (i) a first analysis attribute from a first security appliance and (ii) a second analysis attribute from a second security appliance in response to the first analysis attribute corresponding to the second analysis attribute. The display logic generates display information including the consolidated input attributes.

702 Citations

18 Claims

1. An electronic device for detecting a malware attack and controlling a display of information associated with a migration of suspicious network content during the malware attack, the electronic device comprising:
- a processor;
  
  a communication interface logic communicatively coupled to the processor; and
  
  a storage device communicatively coupled to the processor, the storage device comprisesaggregation logic that, when processed by the processor, receives analytic data from each of a plurality of systems via the communication interface logic, the analytic data from each system of the plurality of systems comprises one or more input attributes being information used in routing of the suspicious network content over a network and one or more analysis attributes being (a) a portion of the suspicious network content or (b) at least one anomalous behavior observed during prior analysis of the portion of the suspicious network content,correlation logic that, when processed by the processor and responsive to receiving the analytic data from each of the plurality of systems, attempts to find relationships between the one or more analysis attributes provided from each system of the plurality of systems based on determined similarities between the one or more analysis attributes,consolidation logic that, when processed by the processor, consolidates input attributes of the one or more input attributes associated with at least (i) a first analysis attribute of the one or more analysis attributes from a first system of the plurality of systems and (ii) a second analysis attribute of the one or more analysis attributes from a second system of the plurality of systems in response to detected similarities between the first analysis attribute and the second analysis attribute, anddisplay logic that, when processed by the processor, generates display information including the consolidated input attributes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The electronic device of claim 1, wherein the correlation logic attempts to find relationships between the one or more analysis attributes by at least determining whether the first analysis attribute matches the second analysis attribute.
  - 3. The electronic device of claim 2, wherein the consolidation logic attempts to find relationships between the one or more analysis attributes provided from each system of the plurality of systems by at least identifying that a first network content including the first analysis attribute received from the first system is the same as or related to a second network content including the second analysis attribute received from the second system.
  - 4. The electronic device of claim 1, wherein the first analysis attribute comprises at least one of (i) information directed to a portion of the network content that is analyzed for malware within the first system and (ii) one or more anomalous behaviors observed during malware detection analysis of the information.
  - 5. The electronic device of claim 3, wherein the first network content includes an electronic mail (email) message that is analyzed for malware by the first system and the second network content includes network traffic that is analyzed for malware by the second system.
  - 6. The electronic device of claim 1, wherein the one or more input attributes associated with the first analysis attribute comprises at least one of (i) information identifying a destination of the first network content and (ii) information identifying a source of the first network content.
  - 7. The electronic device of claim 1, wherein the correlation logic attempts to find the relationships between the one or more analysis attributes by at least comparing similarities between an artifact being part of the one or more analysis attributes and anomalous behavior observed during analysis of the artifacts, the artifact including a Uniform Resource Locator (URL) or a document while the observed anomalous behavior includes a registry change or a file change.
  - 8. The electronic device of claim 3, wherein the display logic, when executed by the processor, generates the display information that includes one or more images representing that the first analysis attribute detected by the first system originated from the second network content analyzed by the second system.
  - 9. The electronic device of claim 1, wherein the first system comprises a web-based security appliance to inspect ingress data traffic and to provide at least the first attribute to based on an analysis of the ingress data traffic.
  - 10. The electronic device of claim 9, wherein the second system comprises a communication-based security appliance to analyze an incoming communication message and to provide at least the second attribute to the electronic device, the incoming communication message includes an electronic mail message or a text message.
  - 11. The electronic device of claim 9, wherein the second system comprises a storage-based security appliance to analyze a file and to provide at least the second attribute associated with the file to the electronic device.

12. In communication with a plurality of security appliances, an electronic device for providing a holistic view of a malware attack, the electronic device comprising:
- a processor;
  
  a storage device communicatively coupled to the processor, the storage device comprisesaggregation logic that, when processed by the processor, receives one or more input attributes being information used in routing of suspicious network content over a network and one or more analysis attributes from each of the plurality of security appliances, wherein the one or more analysis attributes being (a) a portion of the suspicious network content or (b) at least one anomalous behavior observed during analysis of the portion of the suspicious network content in the plurality of security appliances,correlation logic that, when processed by the processor, attempts to find relationships between the one or more analysis attributes provided from each security appliance of the plurality of security appliances,consolidation logic that, when processed by the processor, receives at least (i) a first analysis attribute from a first security appliance of the plurality of security appliances and (ii) a second analysis attribute of the one or more analysis attributes from a second security appliance of the plurality of security appliances in response to the first analysis attribute corresponding to the second analysis attribute, and consolidates input attributes of the one or more input attributes associated with the first analysis attribute and the second analysis attribute, anddisplay logic that, when processed by the processor, generates display information including the consolidated input attributes.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The electronic device of claim 12, wherein the correlation logic attempts to find relationships between the one or more analysis attributes by at least determining whether the first analysis attribute matches the second analysis attribute.
  - 14. The electronic device of claim 13, wherein the consolidation logic attempts to find relationships between the one or more analysis attributes provided from each security appliance of the plurality of security appliances by at least identifying that a first network content including the first analysis attribute received from the first security appliance is the same as or related to a second network content including the second analysis attribute received from the second security appliance.
  - 15. The electronic device of claim 14, wherein the first security appliance includes a first malware content detection system and the second security appliance includes a second malware content detection system.
  - 16. The electronic device of claim 12, wherein the first security appliance comprises a web-based security appliance to inspect ingress data traffic and to provide at least the first attribute to the electronic device based on a result of an inspection of the ingress data traffic by the web-based security appliance.
  - 17. The electronic device of claim 12, wherein the second security appliance comprises a communication-based security appliance to analyze an incoming communication message and to provide at least the second attribute to the electronic device, the incoming communication message includes an electronic mail message or a text message.
  - 18. The electronic device of claim 12, wherein the second security appliance comprises a storage-based security appliance to analyze a file to be stored in a file server and to provide at least the second attribute associated with the file to the electronic device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Manni, Jayaraman, Eun, Philip, Berrow, Michael M.
Primary Examiner(s)
Mehrmanesh, Amir

Application Number

US15/096,088
Time in Patent Office

386 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1483   service impersonation, e.g....

Electronic device for aggregation, correlation and consolidation of analysis attributes

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

702 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Electronic device for aggregation, correlation and consolidation of analysis attributes

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

702 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links