System and method for IPS and VM-based detection of suspicious objects

US 9,756,074 B2
Filed: 03/27/2014
Issued: 09/05/2017
Est. Priority Date: 12/26/2013
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable storage medium having stored thereon instructions, the instructions being executable by one or more processors to perform operations including:

receive, by an intrusion protection system (IPS) logic, a first plurality of objects and filter the first plurality of objects by identifying a second plurality of objects as suspicious objects, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects; and

automatically verify, with a virtual execution logic, whether any of the suspicious objects includes an exploit using at least one virtual machine configured to (i) process content within the suspicious objects in a runtime environment and (ii) monitor, during the processing of the content, for behaviors that are indicative of exploits, wherein the at least one virtual machine is configured with a first software image based on results of an analysis performed by the IPS logic;

receive, by a display generation logic, information associated with the suspicious objects, the information includes (i) information directed to each of a plurality of suspicious objects identified by the IPS logic and (ii) information directed to each of one or more suspected exploits detected during processing of the content within a first subset of the suspicious objects, the first subset of the suspicious objects being lesser in number than the second plurality of objects; and

generate a display of the suspicious objects, the display being arranged to highlight the information associated with the one or more suspected exploits detected during processing of the content within the first subset of the suspicious objects.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A threat detection system is integrated with intrusion protection system (IPS) logic and virtual execution logic is shown. The IPS logic is configured to receive a first plurality of objects and filter the first plurality of objects by identifying a second plurality of objects as suspicious objects. The second plurality of objects is a subset of the first plurality of objects and is lesser or equal in number to the first plurality of objects. The virtual execution logic is configured to automatically verify whether any of the suspicious objects is an exploit. The virtual execution logic comprises at least one virtual machine configured to virtually process content within the suspicious objects and monitor for anomalous behaviors during the virtual processing that are indicative of exploits.

Citations

23 Claims

1. A non-transitory computer readable storage medium having stored thereon instructions, the instructions being executable by one or more processors to perform operations including:
- receive, by an intrusion protection system (IPS) logic, a first plurality of objects and filter the first plurality of objects by identifying a second plurality of objects as suspicious objects, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects; and
  
  automatically verify, with a virtual execution logic, whether any of the suspicious objects includes an exploit using at least one virtual machine configured to (i) process content within the suspicious objects in a runtime environment and (ii) monitor, during the processing of the content, for behaviors that are indicative of exploits, wherein the at least one virtual machine is configured with a first software image based on results of an analysis performed by the IPS logic;
  
  receive, by a display generation logic, information associated with the suspicious objects, the information includes (i) information directed to each of a plurality of suspicious objects identified by the IPS logic and (ii) information directed to each of one or more suspected exploits detected during processing of the content within a first subset of the suspicious objects, the first subset of the suspicious objects being lesser in number than the second plurality of objects; and
  
  generate a display of the suspicious objects, the display being arranged to highlight the information associated with the one or more suspected exploits detected during processing of the content within the first subset of the suspicious objects.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The computer readable storage medium of claim 1, further comprising:
    - receive the first plurality of objects over a network and route the first plurality of objects to the IPS logic.
  - 3. The computer readable storage medium of claim 1, wherein at least one of the first plurality of objects includes a flow comprising a plurality of related packets that are either received, transmitted, or exchanged during a communication session.
  - 4. The computer readable storage medium of claim 3, wherein the IPS logic performs an exploit signature check, the exploit signature check compares each of the first plurality of objects to one or more exploit signatures, wherein an object of the first plurality of objects is identified as a suspicious object of the plurality of suspicious objects upon matching an exploit signature of the one or more exploit signatures.
  - 5. The computer readable storage medium of claim 4, wherein the IPS logic performs a vulnerability signature check by comparing each of the first plurality of objects to one or more vulnerability signatures, wherein an object of the first plurality of objects is identified as a suspicious object of the plurality of suspicious objects upon matching a vulnerability signature that characterizes a sequence of communications that indicate an attempt to attack a software vulnerability protected by the vulnerability signature.
  - 6. The computer readable storage medium of claim 1, wherein the behaviors of the one or more suspected exploits detected during processing of the content within the first subset of the suspicious objects relate to activities that adversely influence or attack operations of an electronic device.
  - 7. The computer readable storage medium of claim 6, wherein information directed to one or more suspected exploits detected during processing of the content within the first subset of the suspicious objects is highlighted to identify the first subset of the suspicious objects was determined to potentially be an exploit by both the IPS logic and the virtual execution logic.
  - 8. The computer readable storage medium of claim 1, wherein the virtual execution logic verifies the first subset of the suspicious objects as being the one or more suspected exploits when the behaviors monitored during the processing of the first subset of suspicious objects are indicative of exploits while a remaining subset of the suspicious objects are not verified as being exploits.
  - 9. The computer readable storage medium of claim 8, whereingeneration of the display highlighting the information associated with the one or more suspected exploits detected from the content within the first subset of suspicious objects is performed by displaying the information associated with the one or more suspected exploits detected from the content within the first subset of suspicious objects at a particular location on a screen display different from a location for information associated with non-verified exploits associated with the remaining subset of the suspicious objects.
  - 10. The computer readable storage medium of claim 8, whereingeneration of the display highlighting the information associated with the one or more suspected exploits detected from the content within the first subset of suspicious objects by modifying the information associated with the one or more suspected exploits detected from the content within the first subset of suspicious objects to appear differently than information associated with non-verified exploits associated with the remaining subset of suspicious objects.
  - 11. The computer readable storage medium of claim 10, wherein the modifying of the information associated with the one or more suspected exploits detected from the content within the first subset of suspicious objects to appear differently from information associated with non-verified exploits associated with the remaining subset of suspicious objects comprises modifying at least one of a color, size or type of a font used to convey the information associated with the one or more suspected exploits detected from the content within the first subset of suspicious objects to be different than a font used to convey information associated with non-verified exploits associated with the remaining subset of suspicious objects.
  - 12. The computer readable storage medium of claim 1, wherein the IPS logic is communicatively coupled to and integrated within the same electronic device as the virtual execution logic.
  - 13. The computer readable storage medium of claim 1, wherein the virtual execution logic simulates receipt of the object by a destination electronic device.
  - 14. The computer readable storage medium of claim 1, wherein the virtual execution logic further comprises a controller for simulating transmission of the object to a destination electronic device, the controller comprises a protocol sequence replayer.

15. An electronic device comprising:
- a processor; and
  
  a memory coupled to the processor, the memory including;
  
  (1) an intrusion protection system (IPS) logic to filter a first plurality of objects by identifying a second plurality of objects as suspicious objects, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number than the first plurality of objects,(2) one or more virtual machines configured to (i) process content within the suspicious objects in a runtime environment, (ii) monitor, during the processing of the content, for behaviors that are indicative of exploits, and (iii) automatically verify whether any of the suspicious objects includes an exploit based on the monitoring of the processing of the content,(3) a display generation logic to (a) receive information associated with the suspicious objects, the information includes (i) information directed to each of a plurality of suspicious objects identified by the IPS logic and (ii) information directed to each of one or more suspected exploits detected during processing of the content within a first subset of the suspicious objects, the first subset of the suspicious objects being lesser in number than the second plurality of objects and (b) generate a display of the suspicious objects, the display being arranged to highlight the information associated with the one or more suspected exploits detected during processing of the content within the first subset of the suspicious objects,wherein the one or more virtual machines is configured with a first software image based on the characteristics indicative of the exploit detected by IPS logic.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The electronic device of claim 15, wherein at least one of the first plurality of objects includes a flow comprising a plurality of related packets that are either received, or transmitted, or exchanged during a communication session.
  - 17. The electronic device of claim 16, wherein the IPS logic, when executed by the processor, performs an exploit signature check, the exploit signature check compares each of the first plurality of objects to one or more exploit signatures, wherein an object of the first plurality of objects is identified as a suspicious object of the plurality of suspicious objects upon matching an exploit signature of the one or more exploit signatures.
  - 18. The electronic device of claim 16, wherein the IPS logic, when executed by the processor, performs a vulnerability signature check by comparing each of the first plurality of objects to one or more vulnerability signatures, wherein an object of the first plurality of objects is identified as a suspicious object of the plurality of suspicious objects upon matching a vulnerability signature that characterizes a sequence of communications that indicate an attempt to attack a software vulnerability protected by the vulnerability signature.
  - 19. The electronic device of claim 16, wherein the one or more virtual machines being configured to operate in combination with a protocol sequence replayer that provides the related packets in accordance with a particular communication sequence indicative of the exploit.
  - 20. The electronic device of claim 15, wherein the display highlights information associated with a first exploit more prominently than information associated with a second exploit.

21. A computerized method comprising:
- receiving, by intrusion protection system (IPS) logic, a first plurality of objects;
  
  filtering, by IPS logic, the first plurality of objects to identify a second plurality of objects as suspicious objects, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects;
  
  automatically verifying, by a virtual execution logic, that a first subset of suspicious objects from the second plurality of objects includes an exploit, the virtual execution logic including at least one virtual machine configured to process content within the suspicious objects in a runtime environment and monitor, during the processing of the content, for behaviors that are indicative of exploits, wherein the at least one virtual machine is configured with a first software image based on results of an analysis performed by the IPS logic;
  
  receive, by a display generation logic, information associated with the suspicious objects, the information includes (i) information directed to each of a plurality of suspicious objects identified by the IPS logic and (ii) information directed to each of one or more suspected exploits detected during processing of the content within a first subset of the suspicious objects, the first subset of the suspicious objects being lesser in number than the second plurality of objects; and
  
  generating, by a display generation logic, a display arranged to highlight the information associated with the one or more suspected exploits detected during processing of the content within the first subset of the suspicious objects.
- View Dependent Claims (22, 23)
- - 22. The computerized method of claim 21, wherein the filtering of the first plurality of objects by the IPS logic comprises performing either an exploit signature check or a vulnerability signature check on each of the first plurality of objects.
  - 23. The computerized method of claim 21, wherein the information directed to one or more suspected exploits detected during processing of the content within the first subset of the suspicious objects is highlighted to identify the first subset of the suspicious objects was determined to potentially be an exploit by both the IPS logic and the virtual execution logic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Aziz, Ashar, Amin, Muhammad, Ismael, Osman Abdoul, Bu, Zheng
Primary Examiner(s)
SHOLEMAN, ABU S

Application Number

US14/228,073
Publication Number

US 20150186645A1
Time in Patent Office

1,258 Days
Field of Search

726 1, 726 22, 726 23, 726 27, 726 28, 726 29, 726 25
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

G06F 9/45558   Hypervisor-specific managem...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

System and method for IPS and VM-based detection of suspicious objects

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for IPS and VM-based detection of suspicious objects

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links