System and method for IPS and VM-based detection of suspicious objects
Abstract
A threat detection system that integrates intrusion protection system (IPS) logic with virtual execution logic is shown. The IPS logic is configured to receive a first plurality of objects and filter the first plurality of objects by identifying a second plurality of objects as suspicious objects. The second plurality of objects is a subset of the first plurality of objects and is lesser or equal in number to the first plurality of objects. The virtual execution logic is configured to automatically verify whether any of the suspicious objects is an exploit. The virtual execution logic comprises at least one virtual machine configured to virtually process content within the suspicious objects and monitor, during the virtual processing, for anomalous behaviors that are indicative of exploits.
23 Claims
1. A non-transitory computer readable storage medium having stored thereon instructions, the instructions being executable by one or more processors to perform operations including:
- receive, by an intrusion protection system (IPS) logic, a first plurality of objects and filter the first plurality of objects by identifying a second plurality of objects as suspicious objects, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects; and
- automatically verify, with a virtual execution logic, whether any of the suspicious objects includes an exploit using at least one virtual machine configured to (i) process content within the suspicious objects in a runtime environment and (ii) monitor, during the processing of the content, for behaviors that are indicative of exploits, wherein the at least one virtual machine is configured with a first software image based on results of an analysis performed by the IPS logic;
- receive, by a display generation logic, information associated with the suspicious objects, the information includes (i) information directed to each of a plurality of suspicious objects identified by the IPS logic and (ii) information directed to each of one or more suspected exploits detected during processing of the content within a first subset of the suspicious objects, the first subset of the suspicious objects being lesser in number than the second plurality of objects; and
- generate a display of the suspicious objects, the display being arranged to highlight the information associated with the one or more suspected exploits detected during processing of the content within the first subset of the suspicious objects.
15. An electronic device comprising:
- a processor; and
- a memory coupled to the processor, the memory including:
  (1) an intrusion protection system (IPS) logic to filter a first plurality of objects by identifying a second plurality of objects as suspicious objects, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects,
  (2) one or more virtual machines configured to (i) process content within the suspicious objects in a runtime environment, (ii) monitor, during the processing of the content, for behaviors that are indicative of exploits, and (iii) automatically verify whether any of the suspicious objects includes an exploit based on the monitoring of the processing of the content,
  (3) a display generation logic to (a) receive information associated with the suspicious objects, the information includes (i) information directed to each of a plurality of suspicious objects identified by the IPS logic and (ii) information directed to each of one or more suspected exploits detected during processing of the content within a first subset of the suspicious objects, the first subset of the suspicious objects being lesser in number than the second plurality of objects, and (b) generate a display of the suspicious objects, the display being arranged to highlight the information associated with the one or more suspected exploits detected during processing of the content within the first subset of the suspicious objects,
  wherein the one or more virtual machines is configured with a first software image based on the characteristics indicative of the exploit detected by the IPS logic.
21. A computerized method comprising:
- receiving, by intrusion protection system (IPS) logic, a first plurality of objects;
- filtering, by the IPS logic, the first plurality of objects to identify a second plurality of objects as suspicious objects, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects;
- automatically verifying, by a virtual execution logic, that a first subset of suspicious objects from the second plurality of objects includes an exploit, the virtual execution logic including at least one virtual machine configured to process content within the suspicious objects in a runtime environment and monitor, during the processing of the content, for behaviors that are indicative of exploits, wherein the at least one virtual machine is configured with a first software image based on results of an analysis performed by the IPS logic;
- receiving, by a display generation logic, information associated with the suspicious objects, the information includes (i) information directed to each of a plurality of suspicious objects identified by the IPS logic and (ii) information directed to each of one or more suspected exploits detected during processing of the content within the first subset of the suspicious objects, the first subset of the suspicious objects being lesser in number than the second plurality of objects; and
- generating, by the display generation logic, a display arranged to highlight the information associated with the one or more suspected exploits detected during processing of the content within the first subset of the suspicious objects.
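The three-stage pipeline the claims describe (IPS filter, VM verification with an image chosen from the IPS result, highlighted display) as an added example; this is illustrative code, not the patent's or any product's implementation, and the sample objects, IPS rules, image mapping and the stand-in behaviour monitor are all constructed here.

```python
# Added example (not the patent's own code): toy model of the claimed pipeline.
# Inputs, rules, VM images and the behaviour monitor are constructed for illustration.

SAMPLE_OBJECTS = [  # constructed inputs: the "first plurality of objects"
    {"id": "obj-1", "payload": "plain invoice text"},
    {"id": "obj-2", "payload": "/JavaScript app.alert('hello')"},    # IPS hit, benign in VM
    {"id": "obj-3", "payload": "Sub AutoOpen() Shell(\"cmd /c\")"},  # IPS hit, spawns process
    {"id": "obj-4", "payload": "<p>hello</p>"},
    {"id": "obj-5", "payload": "quarterly report"},
]
IPS_RULES = {"/JavaScript": "pdf_js", "AutoOpen": "office_macro"}     # signature -> characteristic
IMAGE_FOR = {"pdf_js": "win-acrobat", "office_macro": "win-office"}   # characteristic -> VM image
MONITOR = {"Shell(": "child_process_spawn", "CreateObject(": "com_object_load"}  # constructed


def ips_filter(objects):
    """Stage 1: IPS keeps only objects matching a rule and records why (the 'second plurality')."""
    suspicious = []
    for obj in objects:
        hits = [char for sig, char in IPS_RULES.items() if sig in obj["payload"]]
        if hits:
            suspicious.append({**obj, "characteristics": hits})
    return suspicious


def run_in_vm(image, obj):
    """Stand-in for virtual execution: the behaviours a monitor would observe in `image`."""
    return [b for sig, b in MONITOR.items() if sig in obj["payload"]]


def vm_verify(suspicious):
    """Stage 2: choose the VM image from the IPS result, process the object, keep only
    objects that exhibit exploit-indicative behaviour (the smaller 'first subset')."""
    verified = []
    for obj in suspicious:
        image = IMAGE_FOR[obj["characteristics"][0]]
        behaviors = run_in_vm(image, obj)
        if behaviors:
            verified.append({**obj, "image": image, "behaviors": behaviors})
    return verified


def generate_display(suspicious, verified):
    """Stage 3: one row per suspicious object; VM-verified exploits come first and are highlighted."""
    by_id = {v["id"]: v for v in verified}
    rows = [{"id": i, "highlight": True, "behaviors": v["behaviors"], "image": v["image"]}
            for i, v in by_id.items()]
    rows += [{"id": s["id"], "highlight": False, "behaviors": [], "image": None}
             for s in suspicious if s["id"] not in by_id]
    return rows


def run_pipeline(objects=SAMPLE_OBJECTS):
    suspicious = ips_filter(objects)
    verified = vm_verify(suspicious)
    return suspicious, verified, generate_display(suspicious, verified)
```

On the constructed input, five objects narrow to two IPS hits and then to one VM-verified exploit, which is the size ordering the claims state; obj-2 is the IPS false positive that the VM stage filters out.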