Susceptible environment detection system

US 9,824,216 B1
Filed: 12/31/2015
Issued: 11/21/2017
Est. Priority Date: 12/31/2015
Status: Active Grant

First Claim

Patent Images

1. A computerized method, comprising:

analyzing a plurality of information sources to determine context information with respect to an object, wherein at least a first information source of the plurality of information sources comprises configuration information determined from a client device;

generating one or more software profiles based on the context information, the one or more software profiles being used to provision one or more virtual machines of a dynamic analysis logic system;

generating one or more work orders corresponding to the one or more software profiles;

assigning a priority order to the one or more work orders;

scheduling each of the one or more virtual machines to conduct, in accordance with the assigned priority order, a dynamic analysis of the object;

performing the one or more dynamic analyses of the object by the one or more virtual machines that produce results, each result from a dynamic analysis of the one or more dynamic analyses identifies a susceptible software environment including a susceptible software profile and one or more anomalous behaviors of the object during processing;

classifying the object as malware based, at least part, on the results of the one or more dynamic analyses; and

generating an alert comprising details determined at least in part from the results of the one or more dynamic analyses.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized technique wherein a received object is analyzed using a plurality of information sources to determine context information, wherein one information source comprises configuration information determined from a client device. One or more software profiles are generated based on the context information in order to provision one or more virtual machines of a dynamic analysis logic system. One or more work orders are generated based on the one or more software profiles. A priority order is assigned to the one or more software profiles. A dynamic analysis is scheduled based on the work orders and the assigned priority order to determine one or more susceptible software environments, and an alert is generated comprising information to update one or more susceptible environments in real time.

727 Citations

20 Claims

1. A computerized method, comprising:
- analyzing a plurality of information sources to determine context information with respect to an object, wherein at least a first information source of the plurality of information sources comprises configuration information determined from a client device;
  
  generating one or more software profiles based on the context information, the one or more software profiles being used to provision one or more virtual machines of a dynamic analysis logic system;
  
  generating one or more work orders corresponding to the one or more software profiles;
  
  assigning a priority order to the one or more work orders;
  
  scheduling each of the one or more virtual machines to conduct, in accordance with the assigned priority order, a dynamic analysis of the object;
  
  performing the one or more dynamic analyses of the object by the one or more virtual machines that produce results, each result from a dynamic analysis of the one or more dynamic analyses identifies a susceptible software environment including a susceptible software profile and one or more anomalous behaviors of the object during processing;
  
  classifying the object as malware based, at least part, on the results of the one or more dynamic analyses; and
  
  generating an alert comprising details determined at least in part from the results of the one or more dynamic analyses.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computerized method of claim 1, wherein the details of the alert include i) information that identifies the malware, and ii) information regarding the susceptible software environment.
  - 3. The computerized method of claim 2, wherein the alert may be used to update the client device, the susceptible software environment of the client device, and a threat intelligence network in real time.
  - 4. The computerized method of claim 1, wherein the plurality of information sources comprise an object engine and at least one of an endpoint application and an application version update tracker.
  - 5. The computerized method of claim 4, wherein the application version update tracker is configured to inspect a network stream to determine information specific to updates with respect to the client device.
  - 6. The computerized method of claim 4, wherein the object engine is configured to observe characteristics of the object and compare the observed characteristics to characteristics stored on one or more cyber-security databases.
  - 7. The computerized method of claim 4, wherein the endpoint application is configured to report the configuration information.
  - 8. The computerized method of claim 7, wherein the configuration information comprises details regarding software loaded on the client device, wherein the software comprises any of various applications, operating systems, and plug-ins.
  - 9. The computerized method of claim 1, wherein the priority order may be updated prior to the dynamic analysis using at least one of system capacity, customer-defined rules, and scheduling rules.
  - 10. The computerized method of claim 4, wherein the plurality of information sources further comprise version information with respect to a computing environment that is input by one or more network administrators.

11. A system configured to analyze an object, comprising:
- one or more processors;
  
  a memory communicatively coupled to the one or more processors, the memory to store logic that, when executed by the one or more processors, togenerate one or more software profiles based on the context information, the one or more software profiles being used to provision one or more virtual machines of a dynamic analysis logic system;
  
  generate one or more work orders corresponding to the one or more software profiles;
  
  assign a priority order to the one or more work orders;
  
  schedule each of the one or more virtual machines to conduct, in accordance with the assigned priority order, a dynamic analysis of the object;
  
  perform the one or more dynamic analyses of the object by the one or more virtual machines that produce results, each result from a dynamic analysis of the one or more dynamic analyses identifies a susceptible software environment including a susceptible software profile and one or more anomalous behaviors of the object during processing;
  
  classify the object as malware based, at least part, on the results of the one or more dynamic analyses; and
  
  generate an alert comprising details determined at least in part from the results of the one or more dynamic analyses.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the details of the alert include i) information that identifies the malware, and ii) information regarding the susceptible software environment.
  - 13. The system of claim 12, wherein the alert may be used to update one or more client devices or the susceptible software environment in real time.
  - 14. The system of claim 11, wherein the logic comprises an object engine and at least one of an endpoint application and an application version update tracker.
  - 15. The system of claim 14, wherein the application version update tracker is configured to inspect a network stream to determine information specific to updates with respect to a client device.
  - 16. The system of claim 14, wherein the object engine is configured to observe characteristics of the object and compare the observed characteristics to characteristics stored on one or more cyber-security databases.
  - 17. The system of claim 14, wherein the endpoint application is configured to report configuration information determined from a client device.
  - 18. The system of claim 17, wherein the configuration information comprises details regarding software loaded on the client device, wherein the software comprises any of various applications, operating systems, and plug-ins.
  - 19. The system of claim 11, wherein a threat intelligence network is updated based on information regarding the one or more susceptible environments.
  - 20. The system of claim 11, wherein the priority order may be updated prior to the dynamic analysis using at least one of system capacity;
    - customer-defined rules; and
      
      scheduling rules provided from a remote management console.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Khalid, Yasir, Deshpande, Shivani
Primary Examiner(s)
Vaughan, Michael R

Application Number

US14/986,428
Time in Patent Office

691 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

Susceptible environment detection system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

727 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Susceptible environment detection system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

727 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links