Cyber attack early warning system

US 9,825,989 B1
Filed: 09/30/2015
Issued: 11/21/2017
Est. Priority Date: 09/30/2015
Status: Active Grant

First Claim

Patent Images

1. A computerized method, comprising:

receiving data associated with an attack alert, the attack alert indicating detection of a malware attack from a remote source;

classifying the received data to produce a classified result, the classified result is to identify at least a type of the malware attack;

analyzing the classified result using an attack-specific engine that is configured to analyze the classified result according to the identified malware attack and generate an attack-specific result, the analyzing of the classified result comprises comparing, by each of a plurality of attack cores, features included in the classified results to features associated with a known type of malware attack, wherein each attack core of the plurality of attack cores is configured as a plug-in;

computing an attack value based on the attack-specific result and an analysis of potential attack targets, wherein the attack value is compared to a threshold value to determine whether or not to generate an early warning alert; and

generating the early warning alert when the attack value matches or exceeds the threshold value.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An early warning system and method for generating an alert regarding a potential attack on a client device is provided for based on real-time analysis. The early warning system and method generally comprise receiving data associated with an attack alert, wherein the attack alert corresponds to an electrical signal that indicates detection of a malware attack from a remote source. The received data is analyzed using an attack-specific engine that is configured to generate an attack-specific result. An attack value is computed based on the attack-specific result and a consideration of potential attack targets, wherein the attack value is compared to a threshold value so as to determine whether or not to generate an early warning alert. An early warning alert is generated when the attack value matches or exceeds the threshold value.

Citations

20 Claims

1. A computerized method, comprising:
- receiving data associated with an attack alert, the attack alert indicating detection of a malware attack from a remote source;
  
  classifying the received data to produce a classified result, the classified result is to identify at least a type of the malware attack;
  
  analyzing the classified result using an attack-specific engine that is configured to analyze the classified result according to the identified malware attack and generate an attack-specific result, the analyzing of the classified result comprises comparing, by each of a plurality of attack cores, features included in the classified results to features associated with a known type of malware attack, wherein each attack core of the plurality of attack cores is configured as a plug-in;
  
  computing an attack value based on the attack-specific result and an analysis of potential attack targets, wherein the attack value is compared to a threshold value to determine whether or not to generate an early warning alert; and
  
  generating the early warning alert when the attack value matches or exceeds the threshold value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computerized method of claim 1, wherein the classified result includes metadata associated with one or more objects associated with the malware attack.
  - 3. The computerized method of claim 1, wherein the features of the attack alert comprise at least one of various analysis logs from at least one of (i) one or more virtual machines, (ii) the metadata associated with the malware attack, or (iii) communication logs from a malicious content detection system.
  - 4. The computerized method of claim 1, wherein the attack-specific engine is configured to analyze a variety of time-dependent and time-independent features.
  - 5. The computerized method of claim 1, wherein the correlation engine is configured to receive the attack-specific result from the attack-specific engine prior to generating the early warning alert.
  - 6. The computerized method of claim 1, wherein the attack-specific engine comprises a plurality of cores that are configured to analyze the content of the attack alert and apply a plurality of analysis mechanisms that are specific to a malware attack type.
  - 7. The computerized method of claim 1, wherein generating an early warning alert comprises at least one of communicating an email message, text message, or a display a screen image.
  - 8. The computerized method of claim 1, wherein the early warning alert is communicated to security administrators to indicate the urgency in handling one or more predicted attacks.
  - 9. The computerized method of claim 4, where the time-dependent features comprise at least one of the number of request-response sessions over a predetermined period of time, the time of day of the malware attack, the duration of the malware attack, the month, year, or the execution time of the malware attack.
  - 10. The computerized method of claim 4, where the time-independent features comprise at least one of the geographic location of the malware attack target, industry, or the role or title of a specific party.
  - 11. The computerized method of claim 5, wherein the correlation engine is configured to determine the attack value and compare the attack value with the threshold value.
  - 12. The computerized method of claim 6, wherein the analysis mechanisms comprise at least one of probabilistic logic, heuristic logic, or deterministic logic.

13. A system comprising:
- one or more processors;
  
  a storage module communicatively coupled to the one or more processors, the storage module includingan input engine to receive data associated with an attack alert that indicates detection of a malware attack from a remote source, and classify the received data to produce a classified result, the classified result is to identify at least a type of the malware attack,an attack-specific engine, communicatively coupled to the input engine, to analyze the classified result according to the identified malware attack and to generate an attack-specific result, the attack-specific engine comprises (i) a plurality of attack cores and (ii) routing logic configured to route the classified result to at least one of the plurality of attack cores, each of the plurality of attack cores being configured as a plug-in that compares features included in the classified results with features associated with a known malware attack,a correlation engine communicatively coupled to the attack-specific engine, the correlation engine to compute an attack value based on the attack-specific result and a consideration of potential attack targets, wherein the attack value is compared to a threshold value to determine whether or not to generate an early warning alert, andreporting engine communicatively coupled to the correlation engine, the reporting engine to generate an early warning alert when the attack value matches or exceeds the threshold value.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The system of claim 13, wherein each corresponding attack core of the plurality of attack cores compares the features included in the classified results with specific features associated with a specific type of malware attack.
  - 15. The system of claim 13, wherein the attack-specific engine is configured to analyze the features included in the classified results to a variety of time-dependent and time-independent features.
  - 16. The system of claim 13, wherein the time-dependent features include at least one of (i) a time of day of a detected malware attack or (ii) a duration of the malware attack while the time-independent features include at least one of (i) a geographic location of a target of the malware attack or (ii) an industry attacked by the malware attack.
  - 17. The system of claim 13, wherein the attack-specific engine comprises a plurality of cores that are configured to analyze the content of the attack alert and apply a plurality of analysis mechanisms specific to the type of malware attack.
  - 18. The system of claim 13, wherein the early warning alert comprises at least one of an email message, text message, or a display screen image.
  - 19. The system of claim 13, wherein the early warning alert is communicated to security administrators to indicate the urgency in handling one or more predicted malware attacks.
  - 20. The system of claim 15, wherein the time-dependent features compriseat least one of the number of request-response sessions over a predetermined period of time, the time of day of the malware attack, the duration of the attack, the month, year, or the execution time of the malware attack;
    - andwherein the time-independent features comprise at least one of the geographic location of the malware attack target, industry, or the role or title of a specific party.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Mehra, Divyesh, Singh, Abhishek
Primary Examiner(s)
Kim, Tae

Application Number

US14/872,003
Time in Patent Office

783 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/147   for predicting network beha...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Cyber attack early warning system

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Cyber attack early warning system

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links