System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits
First Claim
1. A non-transitory computer readable storage medium having stored thereon instructions, the instructions being executable by one or more processors of a threat detection system to perform operations comprising:
filtering, by an intrusion protection system (IPS), received objects by identifying a first plurality of received objects as suspicious objects;
determining a first subset of the suspicious objects that includes one or more verified malicious objects by monitoring processing of the suspicious objects within a virtual machine for behaviors indicative of the one or more verified malicious objects; and
providing a report to one or more endpoint devices for display on a display device, the report includes a display of information associated with the one or more verified malicious objects in a first window and a display of information associated with a second subset of the suspicious objects including one or more non-verified malicious objects in a second window, different than the first window.
Abstract
According to one embodiment, a threat detection system comprising an intrusion protection system (IPS) logic, a virtual execution logic and a reporting logic is described. The IPS logic is configured to receive a first plurality of objects and analyze the first plurality of objects to identify a second plurality of objects as potential exploits, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects. The virtual execution logic includes at least one virtual machine configured to process content within each of the second plurality of objects and to monitor for anomalous behaviors during the processing that are indicative of exploits, so as to classify a first subset of the second plurality of objects as including one or more verified exploits. The reporting logic is configured to provide a display of exploit information associated with the one or more verified exploits, separate from the information for objects the IPS flagged but the virtual machine did not verify.
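The two-stage pipeline the abstract describes, written out as an added example that is not code from the patent or its assignee: an IPS-style signature pass narrows the received objects to a suspicious subset, a stand-in for virtual-machine execution replays each suspicious object's behaviour trace against anomaly rules, and the report partitions the suspicious set into a verified window and a non-verified window. The object names, IPS signatures, anomaly rules and behaviour traces are all constructed for the example; real systems would take the traces from VM instrumentation rather than from a field on the object.

```python
from dataclasses import dataclass, field


@dataclass
class ReceivedObject:
    name: str
    mime: str
    payload: bytes
    # Constructed behaviour trace standing in for what VM instrumentation
    # would record while the object's content is processed.
    trace: list = field(default_factory=list)


# Stage 1: IPS-style signatures. A hit only marks an object "suspicious";
# a signature match alone never verifies maliciousness (constructed rules).
IPS_SIGNATURES = {
    "pdf_embedded_javascript": lambda o: o.mime == "application/pdf"
    and b"/JavaScript" in o.payload,
    "office_vba_project": lambda o: o.mime == "application/msword"
    and b"vbaProject" in o.payload,
    "pe_executable": lambda o: o.payload.startswith(b"MZ"),
}


def ips_filter(objects):
    """Return [(object, [signature names])] for objects hitting any signature.

    The result is a subset of the input, so len(result) <= len(objects)."""
    suspicious = []
    for obj in objects:
        hits = [sig for sig, rule in IPS_SIGNATURES.items() if rule(obj)]
        if hits:
            suspicious.append((obj, hits))
    return suspicious


# Stage 2: behaviours that, when observed during processing inside the VM,
# verify the object as malicious (constructed, illustrative rules).
DOCUMENT_READERS = {"acrord32.exe", "winword.exe"}


def is_anomalous(event):
    kind = event.get("event")
    if kind == "process_create":
        # A document reader spawning a child process is not normal rendering.
        return event.get("parent", "").lower() in DOCUMENT_READERS
    if kind == "registry_set":
        # Writing an autostart entry is persistence, not document handling.
        return "\\currentversion\\run\\" in event.get("key", "").lower()
    if kind == "file_write":
        path = event.get("path", "").lower()
        return path.endswith((".exe", ".dll")) and "\\temp\\" in path
    return False


def virtual_execution(suspicious):
    """Split the suspicious set into verified and non-verified objects."""
    verified, non_verified = [], []
    for obj, hits in suspicious:
        anomalies = [e for e in obj.trace if is_anomalous(e)]
        if anomalies:
            verified.append({"name": obj.name, "ips_hits": hits,
                             "behaviors": anomalies})
        else:
            non_verified.append({"name": obj.name, "ips_hits": hits})
    return verified, non_verified


def build_report(objects):
    """Report with one entry per display window, as in the claims."""
    suspicious = ips_filter(objects)
    verified, non_verified = virtual_execution(suspicious)
    return {
        "received": len(objects),
        "suspicious": len(suspicious),
        "verified_window": verified,
        "non_verified_window": non_verified,
    }


# Constructed sample input: one clean file, one IPS false positive, two real hits.
SAMPLE_OBJECTS = [
    ReceivedObject("notes.txt", "text/plain", b"meeting at 10"),
    ReceivedObject("brochure.pdf", "application/pdf",
                   b"%PDF-1.7 /OpenAction << /S /JavaScript /JS (app.alert(1)) >>",
                   [{"event": "file_read", "path": "C:\\Users\\u\\brochure.pdf"}]),
    ReceivedObject("invoice.doc", "application/msword",
                   b"\xd0\xcf\x11\xe0 ... vbaProject.bin ...",
                   [{"event": "process_create", "parent": "WINWORD.EXE",
                     "image": "powershell.exe"}]),
    ReceivedObject("update.exe", "application/octet-stream", b"MZ\x90\x00",
                   [{"event": "registry_set",
                     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}]),
]

if __name__ == "__main__":
    report = build_report(SAMPLE_OBJECTS)
    print("received:", report["received"], "suspicious:", report["suspicious"])
    print("verified window:", [v["name"] for v in report["verified_window"]])
    print("non-verified window:", [n["name"] for n in report["non_verified_window"]])
```

The point the two windows make is operational: the PDF with embedded JavaScript is exactly the kind of object an IPS flags that turns out to do nothing harmful when rendered, and keeping it out of the verified window is what stops analysts from treating signature hits as confirmed incidents. The invariant worth checking in any such pipeline is that verified plus non-verified always equals the suspicious set, so nothing the IPS flagged silently disappears from the report.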
32 Claims
1. (Recited above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
14. An electronic device comprising:
one or more processors; and
a memory coupled to the one or more processors, the memory including instructions, the instructions being executable by the one or more processors to perform operations comprising:
filter received objects by identifying a first plurality of received objects as suspicious objects with an intrusion protection system (IPS);
determine a first subset of the suspicious objects includes one or more verified malicious objects by monitoring processing within a virtual machine of the first plurality of the received objects for behaviors indicative of the one or more verified malicious objects; and
provide a report to one or more endpoint devices for display on a display device, the report includes a display of information associated with the one or more verified malicious objects in a first window and a display of information associated with a second subset of the suspicious objects including one or more non-verified malicious objects in a second window, different than the first window.
Dependent claims: 15, 16, 17, 18, 19, 20
21. A computerized method comprising:
filtering received objects by identifying a first plurality of the received objects as suspicious objects with an intrusion protection system (IPS);
determining a first subset of the suspicious objects includes one or more verified malicious objects by monitoring processing within a virtual machine of the suspicious objects for behaviors indicative of the one or more verified malicious objects; and
providing a report to one or more endpoint devices for display on a display device, the report includes a display of information associated with the one or more verified malicious objects in a first window and a display of information associated with a second subset of the suspicious objects including one or more non-verified malicious objects in a second window, different than the first window.
Dependent claims: 22, 23, 24, 25, 26, 29
27. A computerized method comprising:
filtering, during a first analysis, received objects to identify a first plurality of the received objects as suspicious objects;
determining, during a second analysis, a first subset of the suspicious objects that includes one or more verified malicious objects by monitoring processing of the suspicious objects for behaviors indicative of the one or more verified malicious objects; and
providing a report to one or more endpoint devices for display on a display device, the report includes a display of information associated with the one or more verified malicious objects in a first window and a display of information associated with a second subset of the suspicious objects including one or more non-verified malicious objects in a second window, different than the first window.
Dependent claims: 28
30. A threat detection system, comprising:
one or more processors; and
a storage device communicatively coupled to the one or more processors and having stored thereon logic configured to be executed by the one or more processors, the logic including:
an intrusion protection system (IPS) logic, upon execution by the one or more processors, configured to receive a first plurality of objects and analyze the first plurality of objects to identify a second plurality of objects as potentially malicious, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects,
a virtual execution logic, upon execution by the one or more processors, including at least one virtual machine configured to process content within each of the second plurality of objects and monitor for anomalous behaviors during the processing that are indicative of maliciousness to determine that a first subset of the second plurality of objects includes one or more verified malicious objects, and
a reporting logic, upon execution by the one or more processors, configured to provide a display of information associated with the one or more verified malicious objects, wherein the reporting logic comprises display generation logic that generates a display of information associated with the one or more verified malicious objects in a first window and a display of information associated with a second subset of the second plurality of objects including one or more non-verified malicious objects in a second window, different than the first window.
Dependent claims: 31, 32