System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits

US 10,476,909 B1
Filed: 10/19/2016
Issued: 11/12/2019
Est. Priority Date: 12/26/2013
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable storage medium having stored thereon instructions, the instructions being executable by one or more processors of a threat detection system to perform operations comprising:

filtering, by an intrusion protection system (IPS), received objects by identifying a first plurality of received objects as suspicious objects;

determining a first subset of the suspicious objects that includes one or more verified malicious objects by monitoring processing of the suspicious objects within a virtual machine for behaviors indicative of the one or more verified malicious objects; and

providing a report to one or more endpoint devices for display on a display device, the report includes a display of information associated with the one or more verified malicious objects in a first window and a display of information associated with a second subset of the suspicious objects including one or more non-verified malicious objects in a second window, different than the first window.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a threat detection system comprising an intrusion protection system (IPS) logic, a virtual execution logic and a reporting logic is shown. The IPS logic is configured to receive a first plurality of objects and analyze the first plurality of objects to identify a second plurality of objects as potential exploits, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects. The virtual execution logic including at least one virtual machine configured to process content within each of the second plurality of objects and monitor for anomalous behaviors during the processing that are indicative of exploits to classify that a first subset of the second plurality of objects includes one or more verified exploits. The reporting logic configured to provide a display of exploit information associated with the one or more verified exploits.

758 Citations

32 Claims

1. A non-transitory computer readable storage medium having stored thereon instructions, the instructions being executable by one or more processors of a threat detection system to perform operations comprising:
- filtering, by an intrusion protection system (IPS), received objects by identifying a first plurality of received objects as suspicious objects;
  
  determining a first subset of the suspicious objects that includes one or more verified malicious objects by monitoring processing of the suspicious objects within a virtual machine for behaviors indicative of the one or more verified malicious objects; and
  
  providing a report to one or more endpoint devices for display on a display device, the report includes a display of information associated with the one or more verified malicious objects in a first window and a display of information associated with a second subset of the suspicious objects including one or more non-verified malicious objects in a second window, different than the first window.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The non-transitory computer readable storage medium of claim 1, wherein the report includes a listing of a first object comprising a first malicious object being highlighted compared to a second object of the suspicious objects.
  - 3. The non-transitory computer readable storage medium of claim 1, wherein the report includes a name of at least one of the one or more verified malicious objects.
  - 4. The non-transitory computer readable storage medium of claim 1, wherein the report includes a signature pattern associated with at least one of the one or more verified malicious objects.
  - 5. The non-transitory computer readable storage medium of claim 1, wherein the report includes addressing information of a source device of at least one of the one or more verified malicious objects.
  - 6. The non-transitory computer readable storage medium of claim 5, wherein the addressing information of the source device includes a geographic location of a source of a first suspicious object of the suspicious objects corresponding to at least one of the one or more verified malicious objects.
  - 7. The non-transitory computer readable storage medium of claim 5, wherein the addressing information of the source device includes addressing information of an intermediary device that received a first suspicious object of the suspicious objects corresponding to at least one of the one or more verified malicious objects.
  - 8. The non-transitory computer readable storage medium of claim 1, wherein a field included in the report, when selected, provides information associated with detected attacks within a network associated with a selected malicious object.
  - 9. The non-transitory computer readable storage medium of claim 1, wherein a field included in the report, when selected, provides information directed to a recommended remediation technique for a selected malicious object.
  - 10. The non-transitory computer readable storage medium of claim 1, wherein the report includes a listing of a severity level of at least one of the one or more verified malicious objects.
  - 11. The non-transitory computer readable storage medium of claim 1, wherein the report includes a listing of a software type detected to be vulnerable to at least one of the one or more verified malicious objects.
  - 12. The non-transitory computer readable storage medium of claim 1, wherein the display of information associated with the one or more verified malicious objects includes one or more highlighted objects, wherein highlighting of the one or more highlighted objects is in accordance with a prescribed threat level assigned to each object of the one or more highlighted objects.
  - 13. The non-transitory computer readable storage medium of claim 1, wherein at least one of the first subset of the suspicious objects that includes a first verified malicious object of the one or more verified malicious objects is an exploit.

14. An electronic device comprising:
- one or more processors; and
  
  a memory coupled to the one or more processors, the memory including instructions, the instructions being executable by the one or more processors to perform operations, comprising;
  
  filter received objects by identifying a first plurality of received objects as suspicious objects with an intrusion protection system (IPS);
  
  determine a first subset of the suspicious objects includes one or more verified malicious objects by monitoring processing within a virtual machine of the first plurality of the received objects for behaviors indicative of the one or more verified malicious objects; and
  
  provide a report to one or more endpoint devices for display on a display device, the report includes a display of information associated with the one or more verified malicious objects in a first window and a display of information associated with a second subset of the suspicious objects including one or more non-verified malicious objects in a second window, different than the first window.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The electronic device of claim 14, wherein the report includes addressing information of a source device of the one or more verified malicious objects.
  - 16. The electronic device of claim 15, wherein the addressing information of the source device includes a geographic location of a source of a first malicious object of the one or more verified malicious objects.
  - 17. The electronic device of claim 15, wherein the addressing information of the source device includes addressing information of an intermediary device that received a suspicious object corresponding to a first malicious object of the one or more verified malicious objects.
  - 18. The electronic device of claim 14, wherein the report includes a listing of a software type detected to be vulnerable to a first malicious object of the one or more verified malicious objects.
  - 19. The electronic device of claim 14, wherein the display of information associated with the one or more verified malicious objects includes one or more highlighted objects, wherein highlighting of the one or more highlighted objects is in accordance with a prescribed threat level assigned to each object of the one or more highlighted objects.
  - 20. The electronic device of claim 14, wherein at least one of the first subset of the suspicious objects that includes a first verified malicious object of the one or more verified malicious objects is an exploit.

21. A computerized method comprising:
- filtering received objects by identifying a first plurality of the received objects as suspicious objects with an intrusion protection system (IPS);
  
  determining a first subset of the suspicious objects includes one or more verified malicious objects by monitoring processing within a virtual machine of the suspicious objects for behaviors indicative of the one or more verified malicious objects; and
  
  providing a report to one or more endpoint devices for display on a display device, the report includes a display of information associated with the one or more verified malicious objects in a first window and a display of information associated with a second subset of the suspicious objects including one or more non-verified malicious object in a second window, different than the first window.
- View Dependent Claims (22, 23, 24, 25, 26, 29)
- - 22. The computerized method of claim 21, wherein the report includes addressing information of a source device of a selected malicious object.
  - 23. The computerized method of claim 22, wherein the addressing information of the source device includes a geographic location of a source of the selected malicious object.
  - 24. The computerized method of claim 22, wherein the addressing information of the source device includes addressing information of an intermediary device that received the selected malicious object.
  - 25. The computerized method of claim 21, wherein the report includes information that identifies one or more highlighted objects of the first subset of the suspicious objects, wherein highlighting of the one or more highlighted objects is in accordance with a prescribed threat level assigned to each object of the first subset of the suspicious objects.
  - 26. The computerized method of claim 21, wherein at least one of the first subset of the suspicious objects that includes a first verified malicious object of the one or more verified malicious objects is an exploit.
  - 29. The computerized method of claim 24, wherein at least one of the first subset of the suspicious objects that includes a first verified malicious object of the one or more verified malicious objects is an exploit.

27. A computerized method comprising:
- filtering, during a first analysis, received objects to identify a first plurality of the received objects as suspicious objects;
  
  determining, during a second analysis, a first subset of the suspicious objects that includes one or more verified malicious objects by monitoring processing of the suspicious objects for behaviors indicative of the one or more verified malicious objects; and
  
  providing a report to one or more endpoint devices for display on a display device, the report includes a display of information associated with the one or more verified malicious objects in a first window and a display of information associated with a second subset of the suspicious objects including one or more non-verified malicious objects in a second window, different than the first window.
- View Dependent Claims (28)
- - 28. The computerized method of claim 27, wherein the report includes a listing of one or more highlighted objects, wherein highlighting of the one or more highlighted objects is conducted in accordance with a prescribed threat level assigned to each object of the first subset of the suspicious objects.

30. A threat detection system, comprising:
- one or more processors; and
  
  a storage device communicatively coupled to the one or more processors and having stored thereon logic configured to be executed by the one or more processors, the logic including;
  
  an intrusion protection system (IPS) logic, upon execution by the one or more processors, configured to receive a first plurality of objects and analyze the first plurality of objects to identify a second plurality of objects as potentially malicious, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects,a virtual execution logic, upon execution by the one or more processors, including at least one virtual machine configured to process content within each of the second plurality of objects and monitor for anomalous behaviors during the processing that are indicative of maliciousness to determine that a first subset of the second plurality of objects includes one or more verified malicious objects, anda reporting logic, upon execution by the one or more processors, configured to provide a display of information associated with the one or more verified malicious objects, wherein the reporting logic comprises display generation logic that generates a display of information associated with the one or more verified malicious objects in a first window and a display of information associated with a second subset of the second plurality of objects including one or more non-verified malicious objects in a second window, different than the first window.
- View Dependent Claims (31, 32)
- - 31. The threat detection system of claim 30, wherein the display of the information associated with the one or more verified malicious objects includes an interactive dashboard having:
    - (1) a first display area illustrating (i) a name of a first verified malicious object of the one or more verified malicious objects, (ii) a time associated with detection of the first verified malicious object, and (iii) a pattern used to detect or verify the first verified malicious object, and (2) a second display area providing access to additional information regarding a selected verified malicious object.
  - 32. The threat detection system of claim 30, wherein at least one of the one or more verified malicious objects is an exploit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar, Amin, Muhammad, Ismael, Osman Abdoul, Bu, Zheng
Primary Examiner(s)
Plecha, Thaddeus J

Application Number

US15/298,159
Time in Patent Office

1,119 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/56   Computer malware detection ...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

G06F 9/45558   Hypervisor-specific managem...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

758 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

758 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links