Detection and classification of exploit kits
Abstract
A non-transitory computer readable storage medium having stored thereon instructions executable by a processor to perform operations including: responsive to determining that a correlation between a representation of the first portion of network traffic and a representation of a known exploit kit results in a score above a first prescribed score value, classifying the representation of the first portion of the received network traffic into an exploit kit family corresponding to the representation of the known exploit kit; and responsive to determining that the score is below the first prescribed score value and above a second prescribed score value, (i) analyzing the representation of the first portion of the received network traffic, and (ii) processing, within a virtual machine, a second portion of the received network traffic to determine whether processing of the received network traffic results in behavior indicative of an exploit kit.
20 Claims
1. A non-transitory computer readable storage medium having stored thereon instructions, the instructions being executable by one or more processors to perform operations including:
responsive to determining that a correlation between a representation of the first portion of received network traffic and a representation of a known exploit kit results in a level of similarity above a first prescribed score value, classifying the representation of the first portion of the received network traffic into an exploit kit family corresponding to the representation of the known exploit kit; and responsive to determining that the level of similarity resulting from the correlation between the representation of the first portion of the received network traffic and the representation of the known exploit kit is below the first prescribed score value and above a second prescribed score value, (i) analyzing, by an expert system logic executed by the one or more processors, the representation of the first portion of the received network traffic, and (ii) processing, within a virtual machine, at least a second portion of the received network traffic to determine whether processing of the received network traffic results in behavior indicative of an exploit kit. (Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 16)
11. An apparatus for exploit kit detection and classification, the apparatus comprising:
one or more processors; a storage device communicatively coupled to the one or more processors; a correlation logic for (i) correlating an abstract syntax tree (AST) representation of network traffic to one or more ASTs representing known exploit kits and (ii) determining whether a level of similarity exists (a) above a first threshold or (b) below the first threshold and above a second threshold; an AST analysis logic for applying at least one of a heuristic algorithm, a probabilistic algorithm or a machine learning algorithm to the AST representation of the network traffic when the level of similarity is below the first threshold and above the second threshold; a dynamic analysis logic including one or more virtual machines for processing the AST representation of the network traffic; and a score determination logic for determining a score indicating a likelihood of the network traffic including an exploit kit, wherein the score is based on one or more of the analysis of the AST analysis logic or the processing of the AST representation of the network traffic in the one or more virtual machines. (Dependent claims: 12, 13, 14, 15)
17. A method for exploit kit detection comprising:
correlating an abstract syntax tree (AST) representation of network traffic to an AST representation of a known exploit kit; responsive to determining a first level of similarity exists below a first threshold and above a second threshold, applying at least one of a heuristic algorithm, a probabilistic algorithm or a machine learning algorithm to the AST representation of the network traffic; and processing the AST representation of the network traffic in a virtual machine to determine a likelihood that the network traffic includes an exploit kit, wherein the determination of the likelihood is based on results of one or more of (i) the application of at least one of the heuristic algorithm, the probabilistic algorithm or the machine learning algorithm, or (ii) the processing in the virtual machine. (Dependent claims: 18, 19, 20)
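As an added illustration of the two-threshold triage that claims 1, 11 and 17 describe (example code, not code from the patent or its assignee), the Python below fingerprints a script's AST, correlates it against known-family fingerprints, sends matches above the first threshold straight to a family, and sends matches between the two thresholds to a heuristic check combined with a caller-supplied sandbox score. Python's own `ast` module stands in for the JavaScript AST of web traffic; the threshold values, the single heuristic rule, the scoring weights and the `sandbox` callable interface are all assumptions, and the samples are constructed placeholders rather than real exploit-kit code.

```python
import ast
from collections import Counter

# Threshold values are assumptions; the claims only require a first (higher)
# and a second (lower) prescribed score value.
FAMILY_MATCH = 0.75   # at or above: classify straight into the matching family
REVIEW_BAND = 0.35    # from here up to FAMILY_MATCH: expert analysis plus VM run

def fingerprint(source: str) -> Counter:
    """Structural fingerprint: multiset of (parent, child) node-type pairs.
    Python's ast stands in for the JavaScript AST of real web traffic."""
    pairs = Counter()
    for node in ast.walk(ast.parse(source)):
        for child in ast.iter_child_nodes(node):
            pairs[(type(node).__name__, type(child).__name__)] += 1
    return pairs

def similarity(a: Counter, b: Counter) -> float:
    """Weighted Jaccard similarity of two fingerprints, in [0.0, 1.0]."""
    keys = set(a) | set(b)
    union = sum(max(a[k], b[k]) for k in keys)
    return sum(min(a[k], b[k]) for k in keys) / union if union else 0.0

def heuristic_score(source: str) -> float:
    """Expert-system stand-in: share of calls that go to dynamic-evaluation
    builtins, a common obfuscation indicator (one rule of a larger rule set)."""
    calls = [n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.Call)]
    dyn = [c for c in calls if isinstance(c.func, ast.Name)
           and c.func.id in {"eval", "exec", "compile"}]
    return len(dyn) / len(calls) if calls else 0.0

def triage(source: str, families: dict, sandbox) -> dict:
    """families: {name: fingerprint}. sandbox: caller-supplied callable that
    runs the sample in an isolated VM and returns a behaviour score in [0, 1]
    (assumed interface; this example does not start a VM itself)."""
    fp = fingerprint(source)
    family, sim = max(((n, similarity(fp, f)) for n, f in families.items()),
                      key=lambda pair: pair[1])
    if sim >= FAMILY_MATCH:        # above the first prescribed score value
        return {"verdict": "exploit_kit", "family": family, "similarity": sim}
    if sim >= REVIEW_BAND:         # between the second and the first value
        score = 0.5 * heuristic_score(source) + 0.5 * sandbox(source)
        return {"verdict": "exploit_kit" if score >= 0.5 else "suspicious",
                "family": None, "similarity": sim, "score": score}
    return {"verdict": "benign", "family": None, "similarity": sim}
# Constructed placeholder samples (not real exploit-kit code): a "known kit"
# shape of string transform followed by dynamic evaluation, and a variant of it.
KNOWN_KIT = "p = 'abc'\ndef k(x):\n    return x[::-1]\ns = k(p)\nexec(s)\n"
VARIANT = "q = 'xyz'\nt = q[::-1]\nexec(t)\n"
FAMILIES = {"kit_a": fingerprint(KNOWN_KIT)}
```

Renaming identifiers in a sample does not change its fingerprint, which is why a structural comparison survives the trivial variable renaming that string signatures miss; the variant here differs in shape and so lands in the review band instead.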