Detection and classification of exploit kits

US 9,825,976 B1
Filed: 09/30/2015
Issued: 11/21/2017
Est. Priority Date: 09/30/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable storage medium having stored thereon instructions, the instructions being executable by one or more processors to perform operations including:

responsive to determining that a correlation between a representation of the first portion of received network traffic and a representation of a known exploit kit results in a level of similarity above a first prescribed score value, classifying the representation of the first portion of the received network traffic into an exploit kit family corresponding to the representation the known exploit kit; and

responsive to determining that the level of similarity resulting from the correlation between the representation of the first portion of the received network traffic and the representation of the known exploit kit is below the first prescribed score value and above a second prescribed score value,(i) analyzing, by an expert system logic executed by the one or more processors, the representation of the first portion of the received network traffic, and(ii) processing, within a virtual machine, at least a second portion of the received network traffic to determine whether processing of the received network traffic results in behavior indicative of an exploit kit.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A non-transitory computer readable storage medium having stored thereon instructions executable by a processor to perform operations including: responsive to determining that a correlation between a representation of the first portion of network traffic and a representation of a known exploit kit results in a score above a first prescribed score value, classifying the representation of the first portion of the received network traffic into an exploit kit family corresponding to the representation the known exploit kit; and responsive to determining that the score is below the first prescribed score value and above a second prescribed score value, (i) analyzing the representation of the first portion of the received network traffic, and (ii) processing, within a virtual machine, a second portion of the received network traffic to determine whether processing of the received network traffic results in behavior indicative of an exploit kit is shown.

Citations

20 Claims

1. A non-transitory computer readable storage medium having stored thereon instructions, the instructions being executable by one or more processors to perform operations including:
- responsive to determining that a correlation between a representation of the first portion of received network traffic and a representation of a known exploit kit results in a level of similarity above a first prescribed score value, classifying the representation of the first portion of the received network traffic into an exploit kit family corresponding to the representation the known exploit kit; and
  
  responsive to determining that the level of similarity resulting from the correlation between the representation of the first portion of the received network traffic and the representation of the known exploit kit is below the first prescribed score value and above a second prescribed score value,(i) analyzing, by an expert system logic executed by the one or more processors, the representation of the first portion of the received network traffic, and(ii) processing, within a virtual machine, at least a second portion of the received network traffic to determine whether processing of the received network traffic results in behavior indicative of an exploit kit.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 16)
- - 2. The computer readable storage medium of claim 1 having stored thereon further instructions that, when executed by one or more processors, perform operations further comprising:
    - correlating, by a correlation logic executed by the one or more processors, the representation of the first portion of the received network traffic with the representation of the known exploit kit.
  - 3. The computer readable storage medium of claim 2 having stored thereon further instructions that, when executed by one or more processors, perform operations further comprising:
    - prior to the correlating, removing one or more hardcoded parameters from the representation of the first portion of the received network traffic, wherein the representation of the first portion of the received network traffic is an Abstract Syntax Tree (AST).
  - 4. The computer readable storage medium of claim 1 having stored thereon further instructions that, when executed by one or more processors, perform operations further comprising:
    - generating a score representing a level of confidence that processing the representation of the first portion of received network traffic results in malicious, anomalous or unwanted behavior.
  - 5. The computer readable storage medium of claim 4 having stored thereon further instructions that, when executed by one or more processors, perform operations further comprising:
    - responsive to determining the score is above a third threshold, configuring the virtual machine in accordance with a context of the score.
  - 6. The computer readable storage medium of claim 1, wherein the analyzing by the expert system logic includes applying at least one of a heuristic algorithm, a probabilistic algorithm or a machine learning algorithm to the representation of the first portion of received network traffic.
  - 7. The computer readable storage medium of claim 1, wherein the analyzing by the expert system logic includes an analysis for a presence of one or more of a shell code pattern, a No-Operation (NOOP) sled or a function call known to be vulnerable.
  - 8. The computer readable storage medium of claim 1, wherein the analyzing by the expert system logic includes an n-gram analysis on a name of a file that is included in the received network traffic.
  - 9. The computer readable storage medium of claim 1, wherein the first portion of the received network traffic includes less than an entirety of a representation of the received network traffic.
  - 10. The computer readable storage medium of claim 1, wherein processing in the virtual machine includes performance of one or more simulated human interactions.
  - 16. The computer readable storage medium of claim 1, wherein the analyzing by the expert system logic includes applying at least one of a heuristic algorithm, a probabilistic algorithm or a machine learning algorithm to the representation of the first portion of received network traffic.

11. An apparatus for exploit kit detection and classification, the apparatus comprising:
- one or more processors;
  
  a storage device communicatively coupled to the one or more processors;
  
  a correlation logic for (i) correlating an abstract syntax tree (AST) representation of network traffic to one or more ASTs representing known exploit kits and (ii) determining whether a level of similarity exists (a) above a first threshold or (b) below the first threshold and above a second threshold;
  
  an AST analysis logic for applying at least one of a heuristic algorithm, a probabilistic algorithm or a machine learning algorithm to the AST representation of the network traffic when the level of similarity is below the first threshold and above the second threshold;
  
  a dynamic analysis logic including one or more virtual machines for processing the AST representation of the network traffic, and a score determination logic for determining a score indicating a likelihood of the network including an exploit kit,wherein the score is based on one or more of the analysis of the AST analysis logic or the processing of the AST representation of the network traffic in the one or more virtual machines.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The apparatus of claim 11 further comprising:
    - an AST generating and filtering logic for extracting JavaScript from the received network traffic, generating the AST representation of the network traffic from the extracted JavaScript and filtering the AST representation of the network traffic.
  - 13. The apparatus of claim 12, wherein the filtering includes removing one or more hardcoded parameters from the AST representation of the network traffic.
  - 14. The apparatus of claim 11 further comprising:
    - a classification logic for classifying the AST representation of the network traffic into an exploit kit family when the level of similarity is above the first threshold.
  - 15. The apparatus of claim 11, wherein responsive to determining the score is above a third threshold, configuring the virtual machine in accordance with a context of the score.

17. A method for exploit kit detection comprising:
- correlating an abstract syntax tree (AST) representation of network traffic to a AST representation of a known exploit kit;
  
  responsive to determining a first level of similarity exists below a first threshold and above a second threshold, applying at least one of a heuristic algorithm, a probabilistic algorithm or a machine learning algorithm to the AST representation of the network traffic; and
  
  processing the AST representation of the network traffic in a virtual machine to determine a likelihood that the network traffic includes an exploit kit,wherein the determination of the likelihood is based on results of one or more of (i) the application of at least one of the heuristic algorithm, the probabilistic algorithm or the machine learning algorithm, or (ii) the processing in the virtual machine.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17 further comprising:
    - responsive to determining that a second level of similarity exists above a first threshold, classifying the AST representation of the network traffic into an exploit kit family corresponding to the AST representation the known exploit kit.
  - 19. The method of claim 17 further comprising:
    - responsive to determining the application at least one of the heuristic algorithm, the probabilistic algorithm or the machine learning algorithm to the AST representation of the network traffic indicate the network traffic is above a predetermined level of suspiciousness, configuring the virtual machine in accordance with a context of the score.
  - 20. The method of claim 19, wherein the context may include results of a n-gram analysis performed on the name of a file included within the network traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Gomez, Joshua Lewis, Singh, Abhishek
Primary Examiner(s)
Shaw, Brian F

Application Number

US14/871,830
Time in Patent Office

783 Days
Field of Search

726 22, 726 26, 717156
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06N 20/00   Machine learning

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Detection and classification of exploit kits

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection and classification of exploit kits

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links