Detection and classification of exploit kits

Description

FIELD

Embodiments of the disclosure relate to the field of cyber security. More specifically, embodiments of the disclosure relate to a system for detecting anomalous, or more specifically, unwanted or malicious behavior associated with network traffic.

GENERAL BACKGROUND

Over the last decade, malicious software has become a pervasive problem for Internet users as many networked resources include vulnerabilities that are subject to attack. For example, payloads downloaded while browsing the Internet may exploit these vulnerabilities by allowing a third-party to gain access to one or more areas within the network not typically accessible. For example, a third-party may exploit a software vulnerability to gain unauthorized access to email accounts and/or data files.

For instance, content (e.g., payloads within network traffic) received by a network device while loading an Internet web page may include an exploit kit, which may be understood as a self-contained framework designed to exploit known vulnerabilities and/or download and install additional malicious, anomalous or unwanted objects. Exploit kits, as well as the additional objects that may be downloaded, may attempt to acquire sensitive information, adversely influence, or attack normal operations of the network device or the entire enterprise network by taking advantage of a vulnerability in computer software.

For example, the user of a network device, e.g., a laptop, may activate (e.g., click on) a link while browsing the Internet. The link may open up a new window, or tab within the web browsing application, and redirect the user to an unwanted web page instead of loading the web page expected by the user. The redirect may perform additional actions that may include downloading and installing malicious, anomalous and unwanted payloads.

In current malware detection systems, exploit kit detection is based on a correlation of signatures of known exploit kits. However, in order to generate a signature for an exploit kit, the exploit kit necessarily must have been activated such that malicious, anomalous or unwanted behavior affected one or more network devices or the operation of the network itself. Therefore, current malware detection systems are unable to proactively detect exploit kits and prevent the download and activation thereof.

In some situations, a redirect, a hidden link on a web page or content that automatically downloads upon activation of a link, may enable a third-party to access one or more storage areas of the network device (e.g., contact list or password storage). As another example, through a redirect, a hidden link or automatically downloaded content, a third-party may gain access to the network to which the network device is connected (e.g., an enterprise network) through the network device without proper permissions. Stated generally, exploit kits and additional payloads downloaded in association with an exploit kit may affect the network device, an enterprise network to which the network device is connected, and/or other network devices connected to the enterprise network in a negative or anomalous manner.

Based on the shortcomings set forth above, current signature-based malware detection systems do not proactively detect exploit kits effectively in order to prevent the download thereof and/or the download of additional malicious, anomalous or unwanted payloads.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the invention are illustrated by way of example and not by way of limitation in the figures of the accompanying drawings, in which like references indicate similar elements and in which:

FIG. 1 is an exemplary block diagram of an exploit kit detection system 110.

FIG. 2 is an exemplary logic diagram of the exploit kit detection system 110 of FIG. 1.

FIG. 3A is the first portion of a flowchart illustrating an exemplary method for detecting and/or classifying an exploit kit with the exploit kit detection system 110 of FIG. 1.

FIG. 3B is the second portion of the flowchart of FIG. 3A illustrating an exemplary method for detecting and/or classifying an exploit kit with the exploit kit detection system 110 of FIG. 1.

DETAILED DESCRIPTION

Various embodiments of the disclosure relate to a detection system that improves detection of exploit kits, particularly, exploit kits for which a signature has not previously been generated. Herein, an exploit kit may lead to infection of an endpoint device with malware, wherein “malware” may collectively refer to exploits that initiate malicious, anomalous or unwanted behaviors.

In one embodiment of the disclosure, the exploit kit detection system comprises one or more of an Abstract Syntax Tree (AST) generating and filtering logic, a correlation logic, a classification logic, an expert system and a dynamic analysis logic. The exploit kit detection system may capture network traffic addressed to one or more endpoint devices within a network (e.g., an enterprise network), parse HyperText Markup Language (HTML) source code within the network traffic, extract the JavaScript™ included within the HTML source code, generate an AST from the extracted JavaScript™ and filter the AST (e.g., the AST provides a standard form for the HTTP source code that is susceptible to analysis). The exploit kit detection system then correlates the filtered AST with ASTs of known exploit kits to determine whether a level of similarity (e.g., a score value based on a performed correlation, wherein the level of similarity may be represented as a percentage, which may be equal to or less than 100%) above a first threshold exists. When a correlation above the first threshold exists, the filtered AST is determined to be within a family of an exploit kit. Herein, it is advantageous to classify an AST that has at least a predetermined level of similarity (e.g., a percentage) with an AST of a known exploit kit as exploit kits may morph quickly. Therefore, as an exploit kit morphs, minor changes to the exploit kit do not prevent the exploit kit detection system from detecting and classifying the morphed exploit kit even though an exact AST has not yet been identified and stored for the exploit kit. Exploit kits that change, or morph, may be referred to as “polymorphic exploit kits.” The minor variations associated with a polymorphic exploit kit have previously made detection of versions of a polymorphic exploit kit for which a signature was not created very difficult. However, correlating the filtered AST with ASTs of known exploit kits enables the exploit kit detection system to account for the minor variations.

Additionally, the detected exploit kit may be used in future correlations with received network traffic. Therefore, the exploit kit detection system is able evolve automatically without the involvement of a network administrator.

Other embodiments may extract additional and/or alternative portions of the received network traffic. For example, an embedded object may be extracted from the HTML source code or from another portion of the received network traffic and analyzed with the exploit kit detection system. Another example may include the extraction of Flash components (e.g., graphics, text, animation, applications, etc.) from the HTML source code and analysis of the Flash components with the exploit detection kit system. Other HTML plug-ins may similarly be extracted, wherein a plug-in may be an application or applet design to extend the functionality of a web browser. Additionally, HTML is merely one example of one markup language used to create web pages. Therefore, alternative markup languages, such as eXtensible HyperText Markup Language (XHTML) may be extracted in place of, or in combination with, the HTML. Other programming languages, scripting languages and markup languages may be used (e.g., XML, Perl, Tcl, Python, PHP: Hypertext Preprocessor (PHP), etc.).

When the correlations do not reveal a level of similarity above the first threshold, the exploit kit detection system determines whether there is a level of similarity above a second threshold being lower than the first threshold. This second threshold signifies that the filtered AST includes some resemblance to a known exploit kit but the system does not have enough confidence to determine the network traffic includes an exploit kit without further analysis. Subsequently, the filtered AST is provided to an expert system which applies heuristic, probabilistic and/or machine learning algorithms to the filtered AST during analysis to further determine a likelihood of the filtered AST including an exploit kit and, if applicable, obtaining a context for dynamic processing. The context may include, but is not limited or restricted to, results of an n-gram analysis performed on the name of a file included within the received network traffic. Examples of heuristics that may aid in the determination of a score, as discussed below, include but are not limited or restricted to, the presence, or lack thereof, of: a redirection from a secured website (“HTTPS”) to an unsecured website (“HTTP”) or vice versa; a number of images above a predefined threshold; and/or POST requests for personal information.

When the expert system determines that a score for the filtered AST is above a third predefined threshold, the HTML source code associated with the filtered AST, the score and the context are provided to the dynamic analysis logic. When the expert system determines the score for the filtered AST is not above a third predefined threshold, the HTML source code associated with the filtered AST is provided to the dynamic analysis logic. The HTML source code is then processed within one or more VMs and monitoring logic monitors the processing for malicious, anomalous or unwanted behaviors. Such behaviors are recorded and upon completion of the processing (e.g., expiration of a predefined time or a certain number of actions have been performed), a score is determined that indicates whether the dynamic processing discovered an exploit kit. A user of an endpoint that was to receive the network traffic and/or a network administer may be alerted to the results of the processing via alert generated by a reporting logic. Such an alert may include various types of messages, which may include text messages and/or email messages, video or audio stream, or other types of information over a wired or wireless communication path. Additionally, when an exploit kit is determined to have been detected, a representation of the filtered AST may be stored for inclusion in future analyses of received network traffic.

As used herein, the transmission of data may take the form of transmission of electrical signals and/or electromagnetic radiation (e.g., radio waves, microwaves, ultraviolet (UV) waves, etc.).

I. Terminology

In the following description, certain terminology is used to describe features of the invention. For example, in certain situations, both terms “logic” and “engine” are representative of hardware, firmware and/or software that is configured to perform one or more functions. As hardware, logic (or engine) may include circuitry having data processing or storage functionality. Examples of such circuitry may include, but are not limited or restricted to a microprocessor, one or more processor cores, a programmable gate array, a microcontroller, a controller, an application specific integrated circuit, wireless receiver, transmitter and/or transceiver circuitry, semiconductor memory, or combinatorial logic.

Logic (or engine) may be software in the form of one or more software modules, such as executable code in the form of an executable application, an application programming interface (API), a subroutine, a function, a procedure, an applet, a servlet, a routine, source code, object code, a shared library/dynamic link library, or one or more instructions. These software modules may be stored in any type of a suitable non-transitory storage medium, or transitory storage medium (e.g., electrical, optical, acoustical or other form of propagated signals such as carrier waves, infrared signals, or digital signals). Examples of non-transitory storage medium may include, but are not limited or restricted to a programmable circuit; a semiconductor memory; non-persistent storage such as volatile memory (e.g., any type of random access memory “RAM”); persistent storage such as non-volatile memory (e.g., read-only memory “ROM”, power-backed RAM, flash memory, phase-change memory, etc.), a solid-state drive, hard disk drive, an optical disc drive, or a portable memory device. As firmware, the executable code is stored in persistent storage.

According to one embodiment, the term “malware” may be construed broadly as any code or activity that initiates a malicious attack and/or operations associated with anomalous or unwanted behavior. For instance, malware may correspond to a type of malicious computer code that executes an exploit to take advantage of a vulnerability, for example, to harm or co-opt operation of a network device or misappropriate, modify or delete data. In the alternative, malware may correspond to an exploit, namely information (e.g., executable code, data, command(s), etc.) that attempts to take advantage of a vulnerability in software and/or an action by a person gaining unauthorized access to one or more areas of a network device to cause the network device to experience undesirable or anomalous behaviors. The undesirable or anomalous behaviors may include a communication-based anomaly or an execution-based anomaly, which, for example, could (1) alter the functionality of an network device executing application software in an atypical manner (a file is opened by a first process where the file is configured to be opened by a second process and not the first process); (2) alter the functionality of the network device executing that application software without any malicious intent; and/or (3) provide unwanted functionality which may be generally acceptable in another context. Additionally, malware may be code that initiates unwanted behavior which may be, as one example, uploading a contact list from an endpoint device to cloud storage without receiving permission from the user.

The term “exploit kit” should be construed as a self-contained framework designed to exploit known vulnerabilities and/or download and install additional malicious, anomalous or unwanted objects. In particular, an exploit kit may comprise a plurality of scripts (e.g., written in PHP) that target specific vulnerabilities. These vulnerabilities are typically security holes in software applications such as Internet browsers (e.g., Internet Explorer, Google Chrome, Mozilla Firefox, etc.) or other software applications (e.g., Adobe PDF Reader, Adobe Flash Player, etc.). In some embodiments, an exploit kit will be downloaded onto an endpoint device after visiting a website. For example, upon activating a link (e.g., selecting to download data or merely clicking on an advertisement), the user may be redirected to various websites, which may also redirect the user to multiple servers. Upon encountering a compromised server, the exploit kit will be downloaded and run automatically such that malicious, anomalous or unwanted behavior results. For example, a plurality of popups may be generated, the user may be redirected again to various websites, or callbacks may be made to a server in an attempt to download payloads. Alternatively, an exploit kit may be downloaded with received network traffic, even from an uncompromised server, and attempt to create a communication line with a foreign server in order to download a payload. This action typically happens without the knowledge of the user and occurs automatically after the initial user interaction of visiting a particular website or activating a link. Exploit kits pose serious security threats as additional payloads downloaded as a result of the callback may attempt to steal sensitive information (e.g., credential information, financial information, etc.) or merely result in anomalous or unwanted behavior.

The term “processing” may include launching an application wherein launching should be interpreted as placing the application in an open state and simulating operations within the application. Processing may also include performing simulations of actions typical of human interactions with the application. For example, the application, “Google Chrome” may be processed such that the application is opened and actions such as visiting a website, scrolling the website page, and activating a link from the website are performed (e.g., the performance of simulated human interactions).

The term “network device” should be construed as any electronic device with the capability of connecting to a network, downloading and installing applications. Such a network may be a public network such as the Internet or a private network such as a wireless data telecommunication network, wide area network, a type of local area network (LAN), or a combination of networks. Examples of a network device may include, but are not limited or restricted to, a laptop, a mobile phone, a tablet, etc. Herein, the terms “network device,” “endpoint device,” and “mobile device” will be used interchangeably. The terms “mobile application” and “application” should be interpreted as software developed to run specifically on a mobile network device.

The term “malicious” may represent a probability (or level of confidence) that the object is associated with a malicious attack or known vulnerability. For instance, the probability may be based, at least in part, on (i) pattern matches; (ii) analyzed deviations in messaging practices or formats (e.g., out of order commands) set forth in applicable communication protocols (e.g., HTTP, TCP, etc.) and/or proprietary document specifications (e.g., Adobe® PDF document specification); (iii) analyzed header or payload parameters to determine compliance, (iv) attempts to communicate with external servers during dynamic processing, (v) attempts to access memory allocated to the application during dynamic processing, and/or other factors that may evidence unwanted or malicious activity.

Lastly, the terms “or” and “and/or” as used herein are to be interpreted as inclusive or meaning any one or any combination. Therefore, “A, B or C” or “A, B and/or C” mean “any of the following: A; B; C; A and B; A and C; B and C; A, B and C.” An exception to this definition will occur only when a combination of elements, functions, steps or acts are in some way inherently mutually exclusive.

The invention may be utilized for detecting exploit kits encountered as a result of browsing the Internet. As this invention is susceptible to embodiments of many different forms, it is intended that the present disclosure includes illustrative embodiments and general principles of the invention and is not intended to limit the invention to the specific embodiments shown and described.

II. General Architecture of an Exploit Kit Detection System

Referring to FIG. 1, an exemplary block diagram of an exploit kit detection system 110 deployed within the network 100 is shown. In one embodiment, the network 100 may be an enterprise network that includes the exploit kit detection system 110, a router 150, an optional firewall 151, a network switch 152, and one or endpoint devices 153. The network 100 may include a public network such as the Internet, a private network (e.g., a local area network “LAN”, wireless LAN, etc.), or a combination thereof. The router 150 serves to receive data, e.g., packets, transmitted via a wireless medium (e.g., a Wireless Local Area Network (WLAN) utilizing the Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard) and/or a wired medium from the cloud computing services 160 and the endpoint devices 153. As is known in the art, the router 150 may provide access to the Internet for devices connected to the network 110.

In one embodiment, the network switch 152 may capture network traffic, make a copy of the network traffic, pass the network traffic to the appropriate endpoint device(s) 153 and pass the copy of the network traffic to the exploit kit detection system 110. In a second embodiment, the network switch 152 may capture the network traffic and pass the network traffic to the exploit kit detection system 110 for processing prior to passing the network traffic to the appropriate endpoint device(s) 153. In such an embodiment, the network traffic will only be passed to the appropriate endpoint device(s) 153 if the analysis of the network traffic does not indicate that the network traffic is associated with a malicious attack, anomalous or unwanted behavior, or, in particular, an exploit kit.

The exploit kit detection system 110 includes a communication interface 111, a storage device 112, an AST generating and filtering logic 113, a correlation logic 114, a classification logic 115, an expert system 116, a dynamic analysis logic 120 and a reporting logic 130.

As shown, the exploit detection kit 110 is communicatively coupled with the cloud computing services 160, the Internet and one or more endpoint devices 153 via the communication interface 111, which directs at least a portion of the network traffic to the AST generating and filtering logic 113. The AST generating and filtering logic 113 receives at least a portion of the received network traffic from the communication interface 111 and extracts the Javascript™ within HTML source code within the network traffic. The received network traffic may be in, for example, one or more packet capture files (PCAP files). Subsequently, the AST generating and filtering logic 113 generates an AST from the Javascript™. Finally, the AST generating and filtering logic 113 filters the AST, which may include, but is not limited or restricted to, removing hardcoded parameters or variables from the AST, determining and removing portions of the AST that are not accessible (e.g., dead code, typically construed as software code that does not affect the results of running the software code) and/or determining and removing infinite loops within the AST.

In one embodiment, the AST generating and filtering logic 113 may comprise a compiler. In a second embodiment, the AST generating and filtering logic 113 may comprise one or more software libraries (e.g., open source libraries).

The correlation logic 114 receives the filtered AST from the AST generating and filtering logic 113 and correlates the filtered AST with one or more entries in a database (e.g., the storage device 112 or a database stored within the cloud computing services 160). Each entry in the database represents an AST of a known exploit kit. The result of a correlation of the filtered AST and an entry in the database reveals a score indicating a prescribed score (e.g., a percentage, a numerical value, a weighted numerical value) that represents how similar the filtered AST is to the AST of the known exploit kit represented by the databasebase entry. In one embodiment, each database entry takes the form of a hash value (e.g., a MD5 hash value, a secure hash algorithm (SHA) hash value, etc.). In such an embodiment, the correlation logic 114 computes a hash value representing the filtered AST and performs the correlation of hash values. In other embodiments, other representations may be used in place of hash values. Additionally, the correlations between the filtered AST and the entries in the database may be of the entire filtered AST or may be of one or more portions of the filtered AST.

The correlation logic 114 subsequently analyzes the results of the correlations performed by the correlation logic to determine whether a correlation of the filtered AST and an entry within the database reveals a level of similarity above a first predetermined threshold (e.g., 60%, 70%, 80%, etc.). When there is a level of similarity above the first predetermined threshold, the correlation logic 114 passes information associated with the correlation to the classification logic 115. The passed information may include the filtered AST, the entry within the database having a level of similarity above the first predetermined threshold with the filtered AST, and/or the score of the correlation. The classification logic 115 then acts to classify the filtered AST as part of the exploit kit family of the known exploit kit represented by the database entry.

Herein, the use of the correlation logic 114 to compare the filtered AST with ASTs of known exploit kits enables the exploit kit detection system 110 to proactively detect exploit kits. An exploit kit may change at a rapid pace such that a detected exploit kit may morph within a matter of days or weeks such that a strict use of signature matching will not be sufficient to detected the morphed version. Therefore, determining whether the filtered AST correlates with an AST of a known exploit kit to produce a level of similarity above a first predetermined threshold enables the exploit kit detection system 110 to, as discussed above, account for changes from a first version of the exploit kit to a second version. When the exploit kit morphs, it may maintain the same malicious, anomalous or unwanted effects. Therefore, the classification logic 115 classifies the santizied AST as a member of the exploit kit family of the exploit kit represented by the database entry. Furthermore, the classification logic 115 may create a new entry to be added to the database representing the exploit kit detected in the filtered AST. Therefore, the exploit kit detection system 110 continuously evolves as it detects variations in exploit kits.

When the correlation logic 114 determines that no correlation between the filtered AST and a database entry is above the first predetermined threshold, the correlation logic determines whether a correlation of the filtered AST and an entry within the database reveals a level of similarity above a second predetermined threshold being lower than the first predetermined threshold (e.g., 30%, 40%, 50%, etc.). When a level of similarity above the second predetermined threshold is present, information associated with the correlation, as discussed above, is passed to the expert system 116.

The expert system 116 utilizes at least one of heuristic, probabilistic and/or machine learning algorithms to analyze the filtered AST for characteristics and/or attributes indicative of an exploit kit. Based on the results of the analysis, the score determination logic 118 of the expert system 116 determines a score indicative of the likelihood the filtered AST includes an exploit kit. For example, the AST analysis logic 113 may analyze the filtered AST for shell code patterns, No-Operation (NOOP) sleds, function calls known to be vulnerable, and/or perform an n-gram analysis on names of files received with the network traffic wherein the n-gram analysis results are correlated with known malicious class names (e.g., stored in the storage device 112).

Upon determination by the expert system that the AST is suspicious (e.g., a score for the AST generated by the expert system 116 signifying the likelihood the filtered AST includes an exploit kit is above a third predefined threshold), the HTML source code of the network traffic, the score and the context of the analysis are passed to the dynamic analysis logic 120 via the scheduler 119. The scheduler 119 may configure one or more of VM 124₁-VM 124_M(M≧1) with selected software profiles. For instance, the context of the analysis may be used to determine which software images (e.g., application(s)) and/or operating systems to be fetched from the storage device 123 for configuring operability of the VM 124₁-VM 124_M.

Upon receiving information from the expert system 116, the dynamic analysis logic 120 performs processing within one or more VMs (e.g., virtual processing) on the HTML source code represented by the filtered AST. Herein, the dynamic processing may occur within one or more virtual machine instances (VMs), which may be provisioned with a guest image associated with a prescribed software profile. Each guest image may include a software application and/or an operating system (OS). Each guest image may further include one or more monitors, namely software components that are configured to observe and capture run-time behavior of an object under analysis during processing within the virtual machine. During the dynamic processing, the network traffic is analyzed. In one embodiment, the monitoring logic 131 may record, inter alia, (i) the location from where the traffic originated (e.g., a trusted or an untrusted website), (ii) the location to where the traffic is being transmitted, and/or (iii) actions taken by received network traffic (e.g., attempts to access particular storage locations, install malware, open anomalous files, attempts to open additional Internet connections (e.g., TCP/IP connections), etc.

In one embodiment, the HTML source code is virtually processed in one or more of VM 124₁-VM 124_M. The monitoring logic 121 monitors the processing such that any malicious, anomalous or unwanted behaviors, and any resulting actions, are recorded. In particular, the monitoring logic 121 may monitor processing of the HTML source code for anomalous traffic to be transmitted outside of the network 100, e.g., callbacks to foreign and/or unknown servers. Callbacks to unknown servers may indicate, for example, an attempt by the HTML source code to download additional payloads which may include malware or software code that results in anomalous or unwanted behavior. Of course, additional malicious, anomalous or unwanted behaviors may be recorded by the monitoring logic 121. In one embodiment, the storage device 123 or the storage device 112 may include predefined definitions and/or rules that indicate malicious, anomalous or unwanted behaviors the monitoring logic 121 is to record. These predefined definitions and/or rules may be continuously updated via software updates received via the cloud computing services 160 and/or via a network administrator (for example, using the Internet to transmit such).

Upon completion of the dynamic processing by the one or more VMs, the score determination logic 125 of the dynamic processing logic 120 determines a score for the HTML source code that indicates a level of suspiciousness for the HTML source code, which is attributed to the filtered AST. The determination of the risk level of the network traffic may be based on, inter alia, (i) the location from where the traffic originated (e.g., a known website compared to an unknown website), (ii) the location to where the traffic is being transmitted, and/or (iii) actions taken by received network traffic during processing (e.g., executable code contained in the network traffic attempts to execute a callback).

When the score indicates that the filtered AST is above a predetermined threshold level (e.g., a particular numerical score or within a predefined category such as “malicious”), the filtered AST, and optionally the dynamic results of the dynamic processing and the analysis of the expert system 116, may be provided to a network administrator. In such a situation, when the network traffic represented by the filtered AST has not yet been provided to the endpoint device(s) 153, the network traffic will not be provided to the endpoint device(s) 153. In the situation in which the network traffic has been provided, an alert may be generated by the reporting logic 190 and transmitted to the endpoint device(s) 153 alerting the user of the inclusion of software the processing of which will result in malicious, anomalous or unwanted behaviors, and in particular, if the network traffic includes an exploit kit.

Furthermore, when the score of the filtered AST indicates the network traffic includes an exploit kit, the filtered AST along with, optionally, the results of the dynamic processing and/or the analysis performed by the expert system 116 may be passed to the classification logic 115 for the generation of a database entry detailing the exploit kit. Herein, the classification logic 115 may define a new exploit kit family or add the filtered AST to the exploit kit bearing the greatest similarity to the filtered AST.

When the score determined by the score determination logic 125 does not rise above a predetermined threshold (i.e., the HTML source code does not include an exploit kit or include software the processing of which results in malicious, anomalous or unwanted behaviors), the network traffic is passed to the endpoint device(s) 153, if it had not previously been done.

The reporting logic 130 is adapted to receive information from the dynamic analysis logic 120, the expert system 116 and the classification logic 115 and generate alerts that identify to a user of an endpoint device, network administrator or an expert network analyst the likelihood of inclusion of an exploit kit within received network traffic and, if applicable, the exploit kit family to which the detected exploit kit belongs. Other additional information regarding the exploit kit family may optionally be included in the alerts. For example, typical behaviors associated with the exploit kit family may be included.

Referring to FIG. 2, an exemplary embodiment of a logical representation of the exploit kit detection system 110 of FIG. 1 is shown. The exploit kit detection system 110 includes one or more processors 200 that are coupled to communication interface logic 210 via a first transmission medium. Communication interface logic 210 enables communications with network devices via the Internet, the cloud computing services 160 and the one or more endpoint devices 153. According to one embodiment of the disclosure, communication interface logic 210 may be implemented as a physical interface including one or more ports for wired connectors. Additionally, or in the alternative, communication interface logic 210 may be implemented with one or more radio units for supporting wireless communications with other electronic devices.

Processor(s) 200 is further coupled to persistent storage 230 via a second transmission medium. According to one embodiment of the disclosure, persistent storage 230 may include (a) the AST generating and filtering logic 113; (b) the correlation logic 114; (c) the classification logic 115; (d) the expert system 116 including the AST analysis logic 117 and the score determination logic 118; and (e) the dynamic analysis logic 120 including the monitoring logic 121, one or more VMs 124₁-124_Mand the VMM 122. Of course, when implemented as hardware, one or more of these logic units could be implemented separately from each other.

Referring to FIGS. 3A and 3B, an exemplary method for detecting and classifying an exploit kit included in received network traffic using the exploit kit detection system 110 of FIG. 1 is shown. Each block illustrated in FIGS. 3A and 3B represents an operation performed in the method 300 of detecting and classifying an exploit kit included in received network traffic. Referring to FIG. 3A, network traffic is received by network 100 and captured by the network switch 152. For example, the network traffic may be captured and sent to the exploit kit detection system 110 for processing prior to passing the network traffic to the endpoint devices 153. Upon receipt of the network traffic, the AST generating and filtering logic 113 parses the network traffic (e.g., HTML source code) and extracts the JavaScript™ (block 301). At block 302, the AST generating and filtering logic 113 generates an AST from the HTML source code. Additionally, the AST generating and filtering logic 113 filters the AST. As was discussed above, in one embodiment, filtering the AST code may refer to removing the hard-coded values within the AST.

At block 303, the correlation logic 114 correlates a representation of the filtered AST with one or more entries within a database, wherein the each entry of the database represents a representation of an AST of a known exploit kit. At block 304, a determination is made as to whether the correlation of block 303 resulted in a level of similarity above a first predetermined threshold between the representation of the filtered AST and an entry in the database. When a level of similarity above the first threshold occurred (yes at block 304), the filtered AST is classified as being part of the exploit kit family to which the exploit kit represented by the entry in database belongs.

When a level of similarity above the first threshold did not occur (no at block 304), a determination is made as to whether the correlation of block 303 resulted in a level of similarity above a second predetermined threshold between the representation of the filtered AST and an entry in the database. When a level of similarity above the second threshold did not occur (no at block 306), the filtered AST is determined to not include an exploit kit and the method 300 ends (block 307). When a level of similarity above the second threshold occurred (yes at block 306), the expert system analyzes the AST (block 308 in FIG. 3B).

Referring now to FIG. 3B, as discussed above, the expert system analyses the AST by through the application of heuristic, probabilistic and machine learning algorithms (block 308). Upon completion of the analysis by the expert system (block 308), a determination is made as to whether the score of the AST exceeds a third predefined threshold (block 309). As discussed above, the third predefined threshold may indicate a level of suspiciousness of the AST. If the score of the AST analysis by the expert system exceeds the third predefined threshold (yes at block 309), the score, the context of the analysis and the HTML source code from the received network traffic are transmitted to the dynamic analysis logic (block 310). If the score of the AST analysis by the expert system does not exceed the predefined score (no at block 309), the HTML source code from the received network traffic are transmitted to the dynamic analysis logic (block 311).

At block 312, the dynamic analysis logic processes the HTML source code in one or more VMs to determine whether the web content received and transmitted during processing of the HTML source code is malicious, anomalous or unwanted. For example, the monitoring logic within the dynamic analysis logic may monitor outgoing network traffic generated by the HTML source code looking for requests to automatically download additional payloads. In some instances, these payloads may be malicious software that is downloaded and installed into the system. Therefore, determining that HTML source code will attempt to download additional payloads on an endpoint device is advantageous and may assist in determining whether the HTML source code includes an exploit kit.

In the foregoing description, the invention is described with reference to specific exemplary embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention as set forth in the appended claims.

Claims

1. A non-transitory computer readable storage medium having stored thereon instructions, the instructions being executable by one or more processors to perform operations including: responsive to determining that a correlation between a representation of the first portion of received network traffic and a representation of a known exploit kit results in a level of similarity above a first prescribed score value, classifying the representation of the first portion of the received network traffic into an exploit kit family corresponding to the representation the known exploit kit; andresponsive to determining that the level of similarity resulting from the correlation between the representation of the first portion of the received network traffic and the representation of the known exploit kit is below the first prescribed score value and above a second prescribed score value, (i) analyzing, by an expert system logic executed by the one or more processors, the representation of the first portion of the received network traffic, and(ii) processing, within a virtual machine, at least a second portion of the received network traffic to determine whether processing of the received network traffic results in behavior indicative of an exploit kit.
2. The computer readable storage medium of claim 1 having stored thereon further instructions that, when executed by one or more processors, perform operations further comprising: correlating, by a correlation logic executed by the one or more processors, the representation of the first portion of the received network traffic with the representation of the known exploit kit.
3. The computer readable storage medium of claim 2 having stored thereon further instructions that, when executed by one or more processors, perform operations further comprising: prior to the correlating, removing one or more hardcoded parameters from the representation of the first portion of the received network traffic, wherein the representation of the first portion of the received network traffic is an Abstract Syntax Tree (AST).
4. The computer readable storage medium of claim 1 having stored thereon further instructions that, when executed by one or more processors, perform operations further comprising: generating a score representing a level of confidence that processing the representation of the first portion of received network traffic results in malicious, anomalous or unwanted behavior.
5. The computer readable storage medium of claim 4 having stored thereon further instructions that, when executed by one or more processors, perform operations further comprising: responsive to determining the score is above a third threshold, configuring the virtual machine in accordance with a context of the score.
6. The computer readable storage medium of claim 1, wherein the analyzing by the expert system logic includes applying at least one of a heuristic algorithm, a probabilistic algorithm or a machine learning algorithm to the representation of the first portion of received network traffic.
7. The computer readable storage medium of claim 1, wherein the analyzing by the expert system logic includes an analysis for a presence of one or more of a shell code pattern, a No-Operation (NOOP) sled or a function call known to be vulnerable.
8. The computer readable storage medium of claim 1, wherein the analyzing by the expert system logic includes an n-gram analysis on a name of a file that is included in the received network traffic.
9. The computer readable storage medium of claim 1, wherein the first portion of the received network traffic includes less than an entirety of a representation of the received network traffic.
10. The computer readable storage medium of claim 1, wherein processing in the virtual machine includes performance of one or more simulated human interactions.
11. An apparatus for exploit kit detection and classification, the apparatus comprising: one or more processors;a storage device communicatively coupled to the one or more processors;a correlation logic for (i) correlating an abstract syntax tree (AST) representation of network traffic to one or more ASTs representing known exploit kits and (ii) determining whether a level of similarity exists (a) above a first threshold or (b) below the first threshold and above a second threshold;an AST analysis logic for applying at least one of a heuristic algorithm, a probabilistic algorithm or a machine learning algorithm to the AST representation of the network traffic when the level of similarity is below the first threshold and above the second threshold;a dynamic analysis logic including one or more virtual machines for processing the AST representation of the network traffic, and a score determination logic for determining a score indicating a likelihood of the network including an exploit kit,wherein the score is based on one or more of the analysis of the AST analysis logic or the processing of the AST representation of the network traffic in the one or more virtual machines.
12. The apparatus of claim 11 further comprising: an AST generating and filtering logic for extracting JavaScript from the received network traffic, generating the AST representation of the network traffic from the extracted JavaScript and filtering the AST representation of the network traffic.
13. The apparatus of claim 12, wherein the filtering includes removing one or more hardcoded parameters from the AST representation of the network traffic.
14. The apparatus of claim 11 further comprising: a classification logic for classifying the AST representation of the network traffic into an exploit kit family when the level of similarity is above the first threshold.
15. The apparatus of claim 11, wherein responsive to determining the score is above a third threshold, configuring the virtual machine in accordance with a context of the score.
16. The computer readable storage medium of claim 1, wherein the analyzing by the expert system logic includes applying at least one of a heuristic algorithm, a probabilistic algorithm or a machine learning algorithm to the representation of the first portion of received network traffic.
17. A method for exploit kit detection comprising: correlating an abstract syntax tree (AST) representation of network traffic to a AST representation of a known exploit kit;responsive to determining a first level of similarity exists below a first threshold and above a second threshold, applying at least one of a heuristic algorithm, a probabilistic algorithm or a machine learning algorithm to the AST representation of the network traffic; andprocessing the AST representation of the network traffic in a virtual machine to determine a likelihood that the network traffic includes an exploit kit,wherein the determination of the likelihood is based on results of one or more of (i) the application of at least one of the heuristic algorithm, the probabilistic algorithm or the machine learning algorithm, or (ii) the processing in the virtual machine.
18. The method of claim 17 further comprising: responsive to determining that a second level of similarity exists above a first threshold, classifying the AST representation of the network traffic into an exploit kit family corresponding to the AST representation the known exploit kit.
19. The method of claim 17 further comprising: responsive to determining the application at least one of the heuristic algorithm, the probabilistic algorithm or the machine learning algorithm to the AST representation of the network traffic indicate the network traffic is above a predetermined level of suspiciousness, configuring the virtual machine in accordance with a context of the score.
20. The method of claim 19, wherein the context may include results of a n-gram analysis performed on the name of a file included within the network traffic.

US Referenced Citations (572)

Number	Name	Date	Kind
4292580	Ott et al.	Sep 1981	A
5175732	Hendel et al.	Dec 1992	A
5440723	Arnold et al.	Aug 1995	A
5490249	Miller	Feb 1996	A
5657473	Killean et al.	Aug 1997	A
5842002	Schnurer et al.	Nov 1998	A
5978917	Chi	Nov 1999	A
6088803	Tso et al.	Jul 2000	A
6094677	Capek et al.	Jul 2000	A
6108799	Boulay et al.	Aug 2000	A
6269330	Cidon et al.	Jul 2001	B1
6272641	Ji	Aug 2001	B1
6279113	Vaidya	Aug 2001	B1
6298445	Shostack et al.	Oct 2001	B1
6357008	Nachenberg	Mar 2002	B1
6424627	S.o slashed.rhaug et al.	Jul 2002	B1
6442696	Wray et al.	Aug 2002	B1
6484315	Ziese	Nov 2002	B1
6487666	Shanklin et al.	Nov 2002	B1
6493756	O'Brien et al.	Dec 2002	B1
6550012	Villa et al.	Apr 2003	B1
6775657	Baker	Aug 2004	B1
6831893	Ben Nun et al.	Dec 2004	B1
6832367	Choi et al.	Dec 2004	B1
6895550	Kanchirayappa et al.	May 2005	B2
6898632	Gordy et al.	May 2005	B2
6907396	Muttik et al.	Jun 2005	B1
6941348	Petry et al.	Sep 2005	B2
6971097	Wallman	Nov 2005	B1
6981279	Arnold et al.	Dec 2005	B1
7007107	Ivchenko et al.	Feb 2006	B1
7028179	Anderson et al.	Apr 2006	B2
7043757	Hoefelmeyer et al.	May 2006	B2
7069316	Gryaznov	Jun 2006	B1
7080407	Zhao et al.	Jul 2006	B1
7080408	Pak et al.	Jul 2006	B1
7093002	Wolff et al.	Aug 2006	B2
7093239	van der Made	Aug 2006	B1
7096498	Judge	Aug 2006	B2
7100201	Izatt	Aug 2006	B2
7107617	Hursey et al.	Sep 2006	B2
7159149	Spiegel et al.	Jan 2007	B2
7213260	Judge	May 2007	B2
7231667	Jordan	Jun 2007	B2
7240364	Branscomb et al.	Jul 2007	B1
7240368	Roesch et al.	Jul 2007	B1
7243371	Kasper et al.	Jul 2007	B1
7249175	Donaldson	Jul 2007	B1
7287278	Liang	Oct 2007	B2
7308716	Danford et al.	Dec 2007	B2
7328453	Merkle, Jr. et al.	Feb 2008	B2
7346486	Ivancic et al.	Mar 2008	B2
7356736	Natvig	Apr 2008	B2
7386888	Liang et al.	Jun 2008	B2
7392542	Bucher	Jun 2008	B2
7418729	Szor	Aug 2008	B2
7428300	Drew et al.	Sep 2008	B1
7441272	Durham et al.	Oct 2008	B2
7448084	Apap et al.	Nov 2008	B1
7458098	Judge et al.	Nov 2008	B2
7464404	Carpenter et al.	Dec 2008	B2
7464407	Nakae et al.	Dec 2008	B2
7467408	O'Toole, Jr.	Dec 2008	B1
7478428	Thomlinson	Jan 2009	B1
7480773	Reed	Jan 2009	B1
7487543	Arnold et al.	Feb 2009	B2
7496960	Chen et al.	Feb 2009	B1
7496961	Zimmer et al.	Feb 2009	B2
7519990	Xie	Apr 2009	B1
7523493	Liang et al.	Apr 2009	B2
7530104	Thrower et al.	May 2009	B1
7540025	Tzadikario	May 2009	B2
7546638	Anderson et al.	Jun 2009	B2
7565550	Liang et al.	Jul 2009	B2
7568233	Szor et al.	Jul 2009	B1
7584455	Ball	Sep 2009	B2
7603715	Costa et al.	Oct 2009	B2
7607171	Marsden et al.	Oct 2009	B1
7639714	Stolfo et al.	Dec 2009	B2
7644441	Schmid et al.	Jan 2010	B2
7657419	van der Made	Feb 2010	B2
7676841	Sobchuk et al.	Mar 2010	B2
7698548	Shelest et al.	Apr 2010	B2
7707633	Danford et al.	Apr 2010	B2
7712136	Sprosts et al.	May 2010	B2
7730011	Deninger et al.	Jun 2010	B1
7739740	Nachenberg et al.	Jun 2010	B1
7779463	Stolfo et al.	Aug 2010	B2
7784097	Stolfo et al.	Aug 2010	B1
7832008	Kraemer	Nov 2010	B1
7836502	Zhao et al.	Nov 2010	B1
7849506	Dansey et al.	Dec 2010	B1
7854007	Sprosts et al.	Dec 2010	B2
7869073	Oshima	Jan 2011	B2
7877803	Enstone et al.	Jan 2011	B2
7904959	Sidiroglou et al.	Mar 2011	B2
7908660	Bahl	Mar 2011	B2
7930738	Petersen	Apr 2011	B1
7937387	Frazier et al.	May 2011	B2
7937761	Bennett	May 2011	B1
7949849	Lowe et al.	May 2011	B2
7996556	Raghavan et al.	Aug 2011	B2
7996836	McCorkendale et al.	Aug 2011	B1
7996904	Chiueh et al.	Aug 2011	B1
7996905	Arnold et al.	Aug 2011	B2
8006305	Aziz	Aug 2011	B2
8010667	Zhang et al.	Aug 2011	B2
8020206	Hubbard et al.	Sep 2011	B2
8028338	Schneider et al.	Sep 2011	B1
8042184	Batenin	Oct 2011	B1
8045094	Teragawa	Oct 2011	B2
8045458	Alperovitch et al.	Oct 2011	B2
8069484	McMillan et al.	Nov 2011	B2
8087086	Lai et al.	Dec 2011	B1
8171553	Aziz et al.	May 2012	B2
8176049	Deninger et al.	May 2012	B2
8176480	Spertus	May 2012	B1
8201246	Wu et al.	Jun 2012	B1
8204984	Aziz et al.	Jun 2012	B1
8214905	Doukhvalov et al.	Jul 2012	B1
8220055	Kennedy	Jul 2012	B1
8225288	Miller et al.	Jul 2012	B2
8225373	Kraemer	Jul 2012	B2
8233882	Rogel	Jul 2012	B2
8234640	Fitzgerald et al.	Jul 2012	B1
8234709	Viljoen et al.	Jul 2012	B2
8239944	Nachenberg et al.	Aug 2012	B1
8260914	Ranjan	Sep 2012	B1
8266091	Gubin et al.	Sep 2012	B1
8286251	Eker et al.	Oct 2012	B2
8291499	Aziz et al.	Oct 2012	B2
8307435	Mann et al.	Nov 2012	B1
8307443	Wang et al.	Nov 2012	B2
8312545	Tuvell et al.	Nov 2012	B2
8321936	Green et al.	Nov 2012	B1
8321941	Tuvell et al.	Nov 2012	B2
8332571	Edwards, Sr.	Dec 2012	B1
8365286	Poston	Jan 2013	B2
8365297	Parshin et al.	Jan 2013	B1
8370938	Daswani et al.	Feb 2013	B1
8370939	Zaitsev et al.	Feb 2013	B2
8375444	Aziz et al.	Feb 2013	B2
8381299	Stolfo et al.	Feb 2013	B2
8402529	Green et al.	Mar 2013	B1
8464340	Ahn et al.	Jun 2013	B2
8479174	Chiriac	Jul 2013	B2
8479276	Vaystikh et al.	Jul 2013	B1
8479291	Bodke	Jul 2013	B1
8499283	Mony	Jul 2013	B2
8510827	Leake et al.	Aug 2013	B1
8510828	Guo et al.	Aug 2013	B1
8510842	Amit et al.	Aug 2013	B2
8516478	Edwards et al.	Aug 2013	B1
8516590	Ranadive et al.	Aug 2013	B1
8516593	Aziz	Aug 2013	B2
8522348	Chen et al.	Aug 2013	B2
8528086	Aziz	Sep 2013	B1
8533824	Hutton et al.	Sep 2013	B2
8539582	Aziz et al.	Sep 2013	B1
8549638	Aziz	Oct 2013	B2
8555391	Demir et al.	Oct 2013	B1
8561177	Aziz et al.	Oct 2013	B1
8566476	Shiffer et al.	Oct 2013	B2
8566946	Aziz et al.	Oct 2013	B1
8584094	Dadhia et al.	Nov 2013	B2
8584234	Sobel et al.	Nov 2013	B1
8584239	Aziz et al.	Nov 2013	B2
8595834	Xie et al.	Nov 2013	B2
8627476	Satish et al.	Jan 2014	B1
8635696	Aziz	Jan 2014	B1
8650170	Tonn	Feb 2014	B2
8650637	Beresnevichiene et al.	Feb 2014	B2
8682054	Xue et al.	Mar 2014	B2
8682812	Ranjan	Mar 2014	B1
8689333	Aziz	Apr 2014	B2
8695096	Zhang	Apr 2014	B1
8713631	Pavlyushchik	Apr 2014	B1
8713681	Silberman et al.	Apr 2014	B2
8726392	McCorkendale et al.	May 2014	B1
8739280	Chess et al.	May 2014	B2
8776229	Aziz	Jul 2014	B1
8782792	Bodke	Jul 2014	B1
8789172	Stolfo et al.	Jul 2014	B2
8789178	Kejriwal et al.	Jul 2014	B2
8793278	Frazier et al.	Jul 2014	B2
8793787	Ismael et al.	Jul 2014	B2
8805947	Kuzkin et al.	Aug 2014	B1
8806647	Daswani et al.	Aug 2014	B1
8832829	Manni et al.	Sep 2014	B2
8850570	Ramzan	Sep 2014	B1
8850571	Staniford et al.	Sep 2014	B2
8881234	Narasimhan et al.	Nov 2014	B2
8881271	Butler, II	Nov 2014	B2
8881282	Aziz et al.	Nov 2014	B1
8898788	Aziz et al.	Nov 2014	B1
8935779	Manni et al.	Jan 2015	B2
8949257	Shiffer et al.	Feb 2015	B2
8984638	Aziz et al.	Mar 2015	B1
8990939	Staniford et al.	Mar 2015	B2
8990944	Singh et al.	Mar 2015	B1
8997219	Staniford et al.	Mar 2015	B2
9009822	Ismael et al.	Apr 2015	B1
9009823	Ismael et al.	Apr 2015	B1
9027135	Aziz	May 2015	B1
9071638	Aziz et al.	Jun 2015	B1
9104867	Thioux et al.	Aug 2015	B1
9106630	Frazier et al.	Aug 2015	B2
9106694	Aziz et al.	Aug 2015	B2
9118715	Staniford et al.	Aug 2015	B2
9159035	Ismael et al.	Oct 2015	B1
9171160	Vincent et al.	Oct 2015	B2
9176843	Ismael et al.	Nov 2015	B1
9189627	Islam	Nov 2015	B1
9195829	Goradia et al.	Nov 2015	B1
9197664	Aziz et al.	Nov 2015	B1
9223972	Vincent et al.	Dec 2015	B1
9225740	Ismael et al.	Dec 2015	B1
9241010	Bennett et al.	Jan 2016	B1
9251343	Vincent et al.	Feb 2016	B1
9262635	Paithane et al.	Feb 2016	B2
9268936	Butler	Feb 2016	B2
9275229	LeMasters	Mar 2016	B2
9282109	Aziz et al.	Mar 2016	B1
9294501	Mesdaq et al.	Mar 2016	B2
9300686	Pidathala et al.	Mar 2016	B2
9306960	Aziz	Apr 2016	B1
9306974	Aziz et al.	Apr 2016	B1
9311479	Manni et al.	Apr 2016	B1
9413781	Cunningham et al.	Aug 2016	B2
20010005889	Albrecht	Jun 2001	A1
20010047326	Broadbent et al.	Nov 2001	A1
20020018903	Kokubo et al.	Feb 2002	A1
20020038430	Edwards et al.	Mar 2002	A1
20020091819	Melchione et al.	Jul 2002	A1
20020095607	Lin-Hendel	Jul 2002	A1
20020116627	Tarbotton et al.	Aug 2002	A1
20020144156	Copeland	Oct 2002	A1
20020162015	Tang	Oct 2002	A1
20020166063	Lachman et al.	Nov 2002	A1
20020169952	DiSanto et al.	Nov 2002	A1
20020184528	Shevenell et al.	Dec 2002	A1
20020188887	Largman et al.	Dec 2002	A1
20020194490	Halperin et al.	Dec 2002	A1
20030021728	Sharpe et al.	Jan 2003	A1
20030074578	Ford et al.	Apr 2003	A1
20030084318	Schertz	May 2003	A1
20030101381	Mateev et al.	May 2003	A1
20030115483	Liang	Jun 2003	A1
20030188190	Aaron et al.	Oct 2003	A1
20030191957	Hypponen et al.	Oct 2003	A1
20030200460	Morota et al.	Oct 2003	A1
20030212902	van der Made	Nov 2003	A1
20030229801	Kouznetsov et al.	Dec 2003	A1
20030237000	Denton et al.	Dec 2003	A1
20040003323	Bennett et al.	Jan 2004	A1
20040006473	Mills et al.	Jan 2004	A1
20040015712	Szor	Jan 2004	A1
20040019832	Arnold et al.	Jan 2004	A1
20040047356	Bauer	Mar 2004	A1
20040083408	Spiegel et al.	Apr 2004	A1
20040088581	Brawn et al.	May 2004	A1
20040093513	Cantrell et al.	May 2004	A1
20040111531	Staniford et al.	Jun 2004	A1
20040117478	Triulzi et al.	Jun 2004	A1
20040117624	Brandt et al.	Jun 2004	A1
20040128355	Chao et al.	Jul 2004	A1
20040165588	Pandya	Aug 2004	A1
20040236963	Danford et al.	Nov 2004	A1
20040243349	Greifeneder et al.	Dec 2004	A1
20040249911	Alkhatib et al.	Dec 2004	A1
20040255161	Cavanaugh	Dec 2004	A1
20040268147	Wiederin et al.	Dec 2004	A1
20050005159	Oliphant	Jan 2005	A1
20050021740	Bar et al.	Jan 2005	A1
20050033960	Vialen et al.	Feb 2005	A1
20050033989	Poletto et al.	Feb 2005	A1
20050050148	Mohammadioun et al.	Mar 2005	A1
20050086523	Zimmer et al.	Apr 2005	A1
20050091513	Mitomo et al.	Apr 2005	A1
20050091533	Omote et al.	Apr 2005	A1
20050091652	Ross et al.	Apr 2005	A1
20050108562	Khazan et al.	May 2005	A1
20050114663	Cornell et al.	May 2005	A1
20050125195	Brendel	Jun 2005	A1
20050149726	Joshi et al.	Jul 2005	A1
20050157662	Bingham et al.	Jul 2005	A1
20050183143	Anderholm et al.	Aug 2005	A1
20050201297	Peikari	Sep 2005	A1
20050210533	Copeland et al.	Sep 2005	A1
20050238005	Chen et al.	Oct 2005	A1
20050240781	Gassoway	Oct 2005	A1
20050262562	Gassoway	Nov 2005	A1
20050265331	Stolfo	Dec 2005	A1
20050283839	Cowburn	Dec 2005	A1
20060010495	Cohen et al.	Jan 2006	A1
20060015416	Hoffman et al.	Jan 2006	A1
20060015715	Anderson	Jan 2006	A1
20060015747	Van de Ven	Jan 2006	A1
20060021029	Brickell et al.	Jan 2006	A1
20060021054	Costa et al.	Jan 2006	A1
20060031476	Mathes et al.	Feb 2006	A1
20060047665	Neil	Mar 2006	A1
20060070130	Costea et al.	Mar 2006	A1
20060075496	Carpenter et al.	Apr 2006	A1
20060095968	Portolani et al.	May 2006	A1
20060101516	Sudaharan et al.	May 2006	A1
20060101517	Banzhof et al.	May 2006	A1
20060117385	Mester et al.	Jun 2006	A1
20060123477	Raghavan et al.	Jun 2006	A1
20060143709	Brooks et al.	Jun 2006	A1
20060150249	Gassen et al.	Jul 2006	A1
20060161983	Cothrell et al.	Jul 2006	A1
20060161987	Levy-Yurista	Jul 2006	A1
20060161989	Reshef et al.	Jul 2006	A1
20060164199	Gilde et al.	Jul 2006	A1
20060173992	Weber et al.	Aug 2006	A1
20060179147	Tran et al.	Aug 2006	A1
20060184632	Marino et al.	Aug 2006	A1
20060191010	Benjamin	Aug 2006	A1
20060221956	Narayan et al.	Oct 2006	A1
20060236393	Kramer et al.	Oct 2006	A1
20060242709	Seinfeld et al.	Oct 2006	A1
20060248519	Jaeger et al.	Nov 2006	A1
20060248582	Panjwani et al.	Nov 2006	A1
20060251104	Koga	Nov 2006	A1
20060288417	Bookbinder et al.	Dec 2006	A1
20070006288	Mayfield et al.	Jan 2007	A1
20070006313	Porras et al.	Jan 2007	A1
20070011174	Takaragi et al.	Jan 2007	A1
20070016951	Piccard et al.	Jan 2007	A1
20070019286	Kikuchi	Jan 2007	A1
20070033645	Jones	Feb 2007	A1
20070038943	FitzGerald et al.	Feb 2007	A1
20070064689	Shin et al.	Mar 2007	A1
20070074169	Chess et al.	Mar 2007	A1
20070094730	Bhikkaji et al.	Apr 2007	A1
20070101435	Konanka et al.	May 2007	A1
20070128855	Cho et al.	Jun 2007	A1
20070142030	Sinha et al.	Jun 2007	A1
20070143827	Nicodemus et al.	Jun 2007	A1
20070156895	Vuong	Jul 2007	A1
20070157180	Tillmann et al.	Jul 2007	A1
20070157306	Elrod et al.	Jul 2007	A1
20070168988	Eisner et al.	Jul 2007	A1
20070171824	Ruello et al.	Jul 2007	A1
20070174915	Gribble et al.	Jul 2007	A1
20070192500	Lum	Aug 2007	A1
20070192858	Lum	Aug 2007	A1
20070198275	Malden et al.	Aug 2007	A1
20070208822	Wang et al.	Sep 2007	A1
20070220607	Sprosts et al.	Sep 2007	A1
20070240218	Tuvell et al.	Oct 2007	A1
20070240219	Tuvell et al.	Oct 2007	A1
20070240220	Tuvell et al.	Oct 2007	A1
20070240222	Tuvell et al.	Oct 2007	A1
20070250930	Aziz et al.	Oct 2007	A1
20070256132	Oliphant	Nov 2007	A2
20070271446	Nakamura	Nov 2007	A1
20080005782	Aziz	Jan 2008	A1
20080018122	Zierler et al.	Jan 2008	A1
20080028463	Dagon et al.	Jan 2008	A1
20080040710	Chiriac	Feb 2008	A1
20080046781	Childs et al.	Feb 2008	A1
20080066179	Liu	Mar 2008	A1
20080072326	Danford et al.	Mar 2008	A1
20080077793	Tan et al.	Mar 2008	A1
20080080518	Hoeflin et al.	Apr 2008	A1
20080086720	Lekel	Apr 2008	A1
20080098476	Syversen	Apr 2008	A1
20080120722	Sima et al.	May 2008	A1
20080134178	Fitzgerald et al.	Jun 2008	A1
20080134334	Kim et al.	Jun 2008	A1
20080141376	Clausen et al.	Jun 2008	A1
20080184367	McMillan et al.	Jul 2008	A1
20080184373	Traut et al.	Jul 2008	A1
20080189787	Arnold et al.	Aug 2008	A1
20080201778	Guo et al.	Aug 2008	A1
20080209557	Herley et al.	Aug 2008	A1
20080215742	Goldszmidt et al.	Sep 2008	A1
20080222729	Chen et al.	Sep 2008	A1
20080263665	Ma et al.	Oct 2008	A1
20080295172	Bohacek	Nov 2008	A1
20080301810	Lehane et al.	Dec 2008	A1
20080307524	Singh et al.	Dec 2008	A1
20080313738	Enderby	Dec 2008	A1
20080320594	Jiang	Dec 2008	A1
20090003317	Kasralikar et al.	Jan 2009	A1
20090007100	Field et al.	Jan 2009	A1
20090013408	Schipka	Jan 2009	A1
20090031423	Liu et al.	Jan 2009	A1
20090036111	Danford et al.	Feb 2009	A1
20090037835	Goldman	Feb 2009	A1
20090044024	Oberheide et al.	Feb 2009	A1
20090044274	Budko et al.	Feb 2009	A1
20090064332	Porras et al.	Mar 2009	A1
20090077666	Chen et al.	Mar 2009	A1
20090083369	Marmor	Mar 2009	A1
20090083855	Apap et al.	Mar 2009	A1
20090089879	Wang et al.	Apr 2009	A1
20090094697	Provos et al.	Apr 2009	A1
20090113425	Ports et al.	Apr 2009	A1
20090125976	Wassermann et al.	May 2009	A1
20090126015	Monastyrsky et al.	May 2009	A1
20090126016	Sobko et al.	May 2009	A1
20090133125	Choi et al.	May 2009	A1
20090144823	Lamastra et al.	Jun 2009	A1
20090158430	Borders	Jun 2009	A1
20090172815	Gu et al.	Jul 2009	A1
20090187992	Poston	Jul 2009	A1
20090193293	Stolfo et al.	Jul 2009	A1
20090198651	Shiffer et al.	Aug 2009	A1
20090198670	Shiffer et al.	Aug 2009	A1
20090198689	Frazier et al.	Aug 2009	A1
20090199274	Frazier et al.	Aug 2009	A1
20090199296	Xie et al.	Aug 2009	A1
20090228233	Anderson et al.	Sep 2009	A1
20090241187	Troyansky	Sep 2009	A1
20090241190	Todd et al.	Sep 2009	A1
20090265692	Godefroid et al.	Oct 2009	A1
20090271867	Zhang	Oct 2009	A1
20090300415	Zhang et al.	Dec 2009	A1
20090300761	Park et al.	Dec 2009	A1
20090328185	Berg et al.	Dec 2009	A1
20090328221	Blumfield et al.	Dec 2009	A1
20100005146	Drako et al.	Jan 2010	A1
20100011205	McKenna	Jan 2010	A1
20100017546	Poo et al.	Jan 2010	A1
20100030996	Butler, II	Feb 2010	A1
20100031353	Thomas	Feb 2010	A1
20100037314	Perdisci et al.	Feb 2010	A1
20100043073	Kuwamura	Feb 2010	A1
20100054278	Stolfo et al.	Mar 2010	A1
20100058474	Hicks	Mar 2010	A1
20100064044	Nonoyama	Mar 2010	A1
20100077481	Polyakov et al.	Mar 2010	A1
20100083376	Pereira et al.	Apr 2010	A1
20100115621	Staniford et al.	May 2010	A1
20100132038	Zaitsev	May 2010	A1
20100154056	Smith et al.	Jun 2010	A1
20100180344	Malyshev et al.	Jul 2010	A1
20100192223	Ismael et al.	Jul 2010	A1
20100220863	Dupaquis et al.	Sep 2010	A1
20100235831	Dittmer	Sep 2010	A1
20100251104	Massand	Sep 2010	A1
20100281102	Chinta et al.	Nov 2010	A1
20100281541	Stolfo et al.	Nov 2010	A1
20100281542	Stolfo et al.	Nov 2010	A1
20100287260	Peterson et al.	Nov 2010	A1
20100299754	Amit et al.	Nov 2010	A1
20100306173	Frank	Dec 2010	A1
20110004737	Greenebaum	Jan 2011	A1
20110025504	Lyon et al.	Feb 2011	A1
20110041179	St Hlberg	Feb 2011	A1
20110047594	Mahaffey et al.	Feb 2011	A1
20110047620	Mahaffey et al.	Feb 2011	A1
20110055907	Narasimhan et al.	Mar 2011	A1
20110078794	Manni et al.	Mar 2011	A1
20110093951	Aziz	Apr 2011	A1
20110099620	Stavrou et al.	Apr 2011	A1
20110099633	Aziz	Apr 2011	A1
20110099635	Silberman et al.	Apr 2011	A1
20110113231	Kaminsky	May 2011	A1
20110145918	Jung et al.	Jun 2011	A1
20110145920	Mahaffey et al.	Jun 2011	A1
20110145934	Abramovici et al.	Jun 2011	A1
20110167493	Song et al.	Jul 2011	A1
20110167494	Bowen et al.	Jul 2011	A1
20110173213	Frazier et al.	Jul 2011	A1
20110173460	Ito et al.	Jul 2011	A1
20110219449	St. Neitzel et al.	Sep 2011	A1
20110219450	McDougal et al.	Sep 2011	A1
20110225624	Sawhney et al.	Sep 2011	A1
20110225655	Niemela et al.	Sep 2011	A1
20110247072	Staniford et al.	Oct 2011	A1
20110265182	Peinado et al.	Oct 2011	A1
20110289582	Kejriwal et al.	Nov 2011	A1
20110302587	Nishikawa et al.	Dec 2011	A1
20110307954	Melnik et al.	Dec 2011	A1
20110307955	Kaplan et al.	Dec 2011	A1
20110307956	Yermakov et al.	Dec 2011	A1
20110314546	Aziz et al.	Dec 2011	A1
20120023593	Puder et al.	Jan 2012	A1
20120054869	Yen et al.	Mar 2012	A1
20120066698	Yanoo	Mar 2012	A1
20120079596	Thomas et al.	Mar 2012	A1
20120084859	Radinsky et al.	Apr 2012	A1
20120096553	Srivastava et al.	Apr 2012	A1
20120110667	Zubrilin et al.	May 2012	A1
20120117652	Manni et al.	May 2012	A1
20120121154	Xue et al.	May 2012	A1
20120124426	Maybee et al.	May 2012	A1
20120174186	Aziz et al.	Jul 2012	A1
20120174196	Bhogavilli et al.	Jul 2012	A1
20120174218	McCoy et al.	Jul 2012	A1
20120198279	Schroeder	Aug 2012	A1
20120210423	Friedrichs et al.	Aug 2012	A1
20120222121	Staniford et al.	Aug 2012	A1
20120255015	Sahita et al.	Oct 2012	A1
20120255017	Sallam	Oct 2012	A1
20120260342	Dube et al.	Oct 2012	A1
20120266244	Green	Oct 2012	A1
20120278886	Luna	Nov 2012	A1
20120297489	Dequevy	Nov 2012	A1
20120330801	McDougal et al.	Dec 2012	A1
20120331553	Aziz et al.	Dec 2012	A1
20130014259	Gribble et al.	Jan 2013	A1
20130036472	Aziz	Feb 2013	A1
20130047257	Aziz	Feb 2013	A1
20130074185	McDougal et al.	Mar 2013	A1
20130086684	Mohler	Apr 2013	A1
20130097699	Balupari et al.	Apr 2013	A1
20130097706	Titonis et al.	Apr 2013	A1
20130111587	Goel et al.	May 2013	A1
20130117852	Stute	May 2013	A1
20130117855	Kim et al.	May 2013	A1
20130139264	Brinkley et al.	May 2013	A1
20130160125	Likhachev et al.	Jun 2013	A1
20130160127	Jeong et al.	Jun 2013	A1
20130160130	Mendelev et al.	Jun 2013	A1
20130160131	Madou et al.	Jun 2013	A1
20130167236	Sick	Jun 2013	A1
20130174214	Duncan	Jul 2013	A1
20130185789	Hagiwara et al.	Jul 2013	A1
20130185795	Winn et al.	Jul 2013	A1
20130185798	Saunders et al.	Jul 2013	A1
20130191915	Antonakakis et al.	Jul 2013	A1
20130196649	Paddon et al.	Aug 2013	A1
20130227691	Aziz et al.	Aug 2013	A1
20130246370	Bartram et al.	Sep 2013	A1
20130247186	LeMasters	Sep 2013	A1
20130263260	Mahaffey et al.	Oct 2013	A1
20130291109	Staniford et al.	Oct 2013	A1
20130298243	Kumar et al.	Nov 2013	A1
20130318038	Shiffer et al.	Nov 2013	A1
20130318073	Shiffer et al.	Nov 2013	A1
20130325791	Shiffer et al.	Dec 2013	A1
20130325792	Shiffer et al.	Dec 2013	A1
20130325871	Shiffer et al.	Dec 2013	A1
20130325872	Shiffer et al.	Dec 2013	A1
20140032875	Butler	Jan 2014	A1
20140053260	Gupta et al.	Feb 2014	A1
20140053261	Gupta et al.	Feb 2014	A1
20140130158	Wang	May 2014	A1
20140137180	Lukacs et al.	May 2014	A1
20140169762	Ryu	Jun 2014	A1
20140179360	Jackson et al.	Jun 2014	A1
20140181131	Ross	Jun 2014	A1
20140189687	Jung et al.	Jul 2014	A1
20140189866	Shiffer et al.	Jul 2014	A1
20140189882	Jung et al.	Jul 2014	A1
20140237600	Silberman et al.	Aug 2014	A1
20140280245	Wilson	Sep 2014	A1
20140283037	Sikorski et al.	Sep 2014	A1
20140283063	Thompson et al.	Sep 2014	A1
20140328204	Klotsche et al.	Nov 2014	A1
20140337836	Ismael	Nov 2014	A1
20140344926	Cunningham et al.	Nov 2014	A1
20140351935	Shao et al.	Nov 2014	A1
20140380473	Bu et al.	Dec 2014	A1
20140380474	Paithane et al.	Dec 2014	A1
20150007312	Pidathala et al.	Jan 2015	A1
20150096022	Vincent et al.	Apr 2015	A1
20150096023	Mesdaq et al.	Apr 2015	A1
20150096024	Haq et al.	Apr 2015	A1
20150096025	Ismael	Apr 2015	A1
20150180886	Staniford et al.	Jun 2015	A1
20150186645	Aziz et al.	Jul 2015	A1
20150220735	Paithane et al.	Aug 2015	A1
20150363598	Xu	Dec 2015	A1
20150372980	Eyada	Dec 2015	A1
20160044000	Cunningham	Feb 2016	A1
20160127393	Aziz et al.	May 2016	A1

Foreign Referenced Citations (11)

Number	Date	Country
2439806	Jan 2008	GB
2490431	Oct 2012	GB
0223805	Mar 2002	WO
0206928	Nov 2003	WO
2007117636	Oct 2007	WO
2008041950	Apr 2008	WO
2011084431	Jul 2011	WO
2011112348	Sep 2011	WO
2012075336	Jun 2012	WO
2012145066	Oct 2012	WO
2013067505	May 2013	WO

Non-Patent Literature Citations (75)

Entry
“Mining Specification of Malicious Behavior”—Jha et al, UCSB, Sep. 2007 https://www.cs.ucsb.edu/.about.chris/research/doc/esec07.sub.--mining.pdf- . cited by examiner.
“Network Security: NetDetector—Network Intrusion Forensic System (NIFS) Whitepaper”, (“NetDetector Whitepaper”), (2003).
“Packet”, Microsoft Computer Dictionary, Microsoft Press, (Mar. 2002), 1 page.
“When Virtual is Better Than Real”, IEEEXplore Digital Library, available at, http://ieeexplore.ieee.org/xpl/articleDetails.isp?reload=true&arnumbe- r=990073, (Dec. 7, 2013).
Abdullah, et al., Visualizing Network Data for Intrusion Detection, 2005 IEEE Workshop on Information Assurance and Security, pp. 100-108.
Adetoye, Adedayo , et al., “Network Intrusion Detection & Response System”, (“Adetoye”), (Sep. 2003).
AltaVista Advanced Search Results. “attack vector identifier”. Http://www.altavista.com/web/results?Itag=ody&pg=aq&aqmode=aqa=Event+Orch- estrator . . . , (Accessed on Sep. 15, 2009).
AltaVista Advanced Search Results. “Event Orchestrator”. Http://www.altavista.com/web/results?Itag=ody&pg=aq&aqmode=aqa=Event+Orch- esrator . . . , (Accessed on Sep. 3, 2009).
Apostolopoulos, George; hassapis, Constantinos; “V-eM: A cluster of Virtual Machines for Robust, Detailed, and High-Performance Network Emulation”, 14th IEEE International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems, Sep. 11-14, 2006, pp. 117-126.
Aura, Tuomas, “Scanning electronic documents for personally identifiable information”, Proceedings of the 5th ACM workshop on Privacy in electronic society. ACM, 2006.
Baecher, “The Nepenthes Platform: An Efficient Approach to collect Malware”, Springer-verlag Berlin Heidelberg, (2006), pp. 165-184.
Baldi, Mario; Risso, Fulvio; “A Framework for Rapid Development and Portable Execution of Packet-Handling Applications”, 5th IEEE International Symposium Processing and Information Technology, Dec. 21, 2005, pp. 233-238.
Bayer, et al., “Dynamic Analysis of Malicious Code”, J Comput Virol, Springer-Verlag, France., (2006), pp. 67-77.
Boubalos, Chris , “extracting syslog data out of raw pcap dumps, seclists.org, Honeypots mailing list archives”, available at http://seclists.org/honeypots/2003/q2/319 (“Boubalos”), (Jun. 5, 2003).
Chaudet, C. , et al., “Optimal Positioning of Active and Passive Monitoring Devices”, International Conference on Emerging Networking Experiments and Technologies, Proceedings of the 2005 ACM Conference on Emerging Network Experiment and Technology, CoNEXT '05, Toulousse, France, (Oct. 2005), pp. 71-82.
Chen, P. M. and Noble, B. D., “When Virtual is Better Than Real, Department of Electrical Engineering and Computer Science”, University of Michigan (“Chen”) (2001).
Cisco “Intrusion Prevention for the Cisco ASA 5500-x Series” Data Sheet (2012).
Cisco, Configuring the Catalyst Switched Port Analyzer (SPAN) (“Cisco”), (1992).
Clark, John, Sylvian Leblanc,and Scott Knight. “Risks associated with usb hardware trojan devices used by insiders.” Systems Conference (SysCon), 2011 IEEE International. IEEE, 2011.
Cohen, M.I. , “PyFlag—An advanced network forensic framework”, Digital investigation 5, Elsevier, (2008), pp. S112-S120.
Costa, M. , et al., “Vigilante: End-to-End Containment of Internet Worms”, SOSP '05, Association for Computing Machinery, Inc., Brighton U.K., (Oct. 23-26, 2005).
Crandall, J.R. , et al., “Minos:Control Data Attack Prevention Orthogonal to Memory Model”, 37th International Symposium on Microarchitecture, Portland, Oregon, (Dec. 2004).
Deutsch, P. , “Zlib compressed data format specification version 3.3” RFC 1950, (1996).
Distler, “Malware Analysis: An Introduction”, SANS Institute InfoSec Reading Room, SANS Institute, (2007).
Dunlap, George W. , et al., “ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay”, Proceeding of the 5th Symposium on Operating Systems Design and Implementation, USENIX Association, (“Dunlap”), (Dec. 9, 2002).
Excerpt regarding First Printing Date for Merike Kaeo, Designing Network Security (“Kaeo”), (2005).
Filiol, Eric , et al., “Combinatorial Optimisation of Worm Propagation on an Unknown Network”, International Journal of Computer Science 2.2 (2007).
FireEye Malware Analysis & Exchange Network, Malware Protection System, FireEye Inc., 2010.
FireEye Malware Analysis, Modern Malware Forensics, FireEye Inc., 2010.
FireEye v.6.0 Security Target, pp. 1-35, Version 1.1, FireEye Inc., May 2011.
Gibler, Clint, et al. AndroidLeaks: automatically detecting potential privacy leaks in android applications on a large scale. Springer Berlin Heidelberg, 2012.
Goel, et al., Reconstructing System State for Intrusion Analysis, Apr. 2008 SIGOPS Operating Systems Review, vol. 42 Issue 3, pp. 21-28.
Gregg Keizer: “Microsoft's HoneyMonkeys Show Patching Windows Works”, Aug. 8, 2005, XP055143386, Retrieved from the Internet: URL:http://www.informationweek.com/microsofts-honeymonkeys-show-patching-windows-works/d/d-id/1035069? [retrieved on Jun. 1, 2016].
Heng Yin et al, Panorama: Capturing System-Wide Information Flow for Malware Detection and Analysis, Research Showcase © CMU, Carnegie Mellon University, 2007.
Hjelmvik, Erik , “Passive Network Security Analysis with NetworkMiner”, (IN)Secure, Issue 18, (Oct. 2008), pp. 1-100.
Idika et al., A-Survey-of-Malware-Detection-Techniques, Feb. 2, 2007, Department of Computer Science, Purdue University.
IEEE Xplore Digital Library Sear Results for “detection of unknown computer worms”. Http//ieeexplore.ieee.org/searchresult.jsp?SortField=Score&SortOrder=desc- &ResultC . . . , (Accessed on Aug. 28, 2009).
Isohara, Takamasa, Keisuke Takemori, and Ayumu Kubota. “Kernel-based behavior analysis for android malware detection.” Computational intelligence and Security (CIS), 2011 Seventh International Conference on. IEEE, 2011.
Kaeo, Merike , “Designing Network Security”, (“Kaeo”), (Nov. 2003).
Kevin A Roundy et al: “Hybrid Analysis and Control of Malware”, Sep. 15, 2010, Recent Advances in Intrusion Detection, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 317-338, XP019150454 ISBN:978-3-642-15511-6.
Kim, H., et al., “Autograph: Toward Automated, Distributed Worm Signature Detection”, Proceedings of the 13th Usenix Security Symposium (Security 2004), San Diego, (Aug. 2004), pp. 271-286.
King, Samuel T., et al., “Operating System Support for Virtual Machines”, (“King”) (2003).
Krasnyansky, Max , et al., Universal TUN/TAP driver, available at https://www.kernel.org/doc/Documentation/networking/tuntap.txt (2002) (“Krasnyansky”).
Kreibich, C. , et al., “Honeycomb-Creating Intrusion Detection Signatures Using Honeypots”, 2nd Workshop on Hot Topics in Networks (HotNets-11), Boston, USA, (2003).
Kristoff, J. , “Botnets, Detection and Mitigation: DNS-Based Techniques”, NU Security Day, (2005), 23 pages.
Leading Colleges Select FireEye to Stop Malware-Related Data Breaches, FireEye Inc., 2009.
Li et al., A VMM-Based System Call Interposition Framework for Program Monitoring, Dec. 2010, IEEE 16th International Conference on Parallel and Distributed Systems, pp. 706-711.
Liljenstam, Michael , et al., “Simulating Realistic Network Traffic for Worm Warning System Design and Testing”, Institute for Security Technology studies, Dartmouth College (“Liljenstam”), (Oct. 27, 2003).
Lindorfer, Martina, Clemens Kolbitsch, and Paolo Milani Comparetti. “Detecting environment-sensitive malware.” Recent Advances in Intrusion Detection. Springer Berlin Heidelberg, 2011.
Lok Kwong et al: “DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis”, Aug. 10, 2012, XP055158513, Retrieved from the Internet: URL:https://www.usenix.org/system/files/conference/usenixsecurity12/sec12--final107.pdf [retrieved on Dec. 15, 2014].
Marchette, David J., “Computer Intrusion Detection and Network Monitoring: A Statistical Viewpoint”, (“Marchette”), (2001).
Margolis, P.E. , “Random House Webster's ‘Computer & Internet Dictionary 3rd Edition’”, ISBN 0375703519, (Dec. 1998).
Moore, D. , et al., “Internet Quarantine: Requirements for Containing Self-Propagating Code”, INFOCOM, vol. 3, (Mar. 30-Apr. 3, 2003), pp. 1901-1910.
Morales, Jose A., et al., ““Analyzing and exploiting network behaviors of malware.””, Security and Privacy in Communication Networks. Springer Berlin Heidelberg, 2010. 20-34.
Mori, Detecting Unknown Computer Viruses, 2004, Springer-Verlag Berlin Heidelberg.
Natvig, Kurt , “SANDBOXII: Internet”, Virus Bulletin Conference, (“Natvig”), (Sep. 2002).
NetBIOS Working Group. Protocol Standard for a NetBIOS Service on a TCP/UDP transport: Concepts and Methods. STD 19, RFC 1001, Mar. 1987.
Newsome, J. , et al., “Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software”, In Proceedings of the 12th Annual Network and Distributed System Security, Symposium (NDSS '05), (Feb. 2005).
Newsome, J. , et al., “Polygraph: Automatically Generating Signatures for Polymorphic Worms”, In Proceedings of the IEEE Symposium on Security and Privacy, (May 2005).
Nojiri, D. , et al., “Cooperation Response Strategies for Large Scale Attack Mitigation”, DARPA Information Survivability Conference and Exposition, vol. 1, (Apr. 22-24, 2003), pp. 293-302.
Oberheide et al., CloudAV.sub.—N-Version Antivirus in the Network Cloud, 17th USENIX Security Symposium USENIX Security '08 Jul. 28-Aug. 1, 2008 San Jose, CA.
Reiner Sailer, Enriquillo Valdez, Trent Jaeger, Roonald Perez, Leendert van Doom, John Linwood Griffin, Stefan Berger., sHype: Secure Hypervisor Appraoch to Trusted Virtualized Systems (Feb. 2, 2005) (“Sailer”).
Silicon Defense, “Worm Containment in the Internal Network”, (Mar. 2003), pp. 1-25.
Singh, S. , et al., “Automated Worm Fingerprinting”, Proceedings of the ACM/USENIX Symposium on Operating System Design and Implementation, San Francisco, California, (Dec. 2004).
Spitzner, Lance , “Honeypots: Tracking Hackers”, (“Spizner”), (Sep. 17, 2002).
The Sniffers's Guide to Raw Traffic available at: yuba.stanford.edu/.about.casado/pcap/section1.html, (Jan. 6, 2014).
Thomas H. Ptacek, and Timothy N. Newsham , “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”, Secure Networks, (“Ptacek”), (Jan. 1998).
U.S. Pat. No. 8,171,553 filed Apr. 20, 2006, Inter Parties Review Decision dated Jul. 10, 2015.
U.S. Pat. No. 8,291,499 filed Mar. 16, 2012, Inter Parties Review Decision dated Jul. 10, 2015.
Venezia, Paul , “NetDetector Captures Intrusions”, InfoWorld Issue 27, (“Venezia”), (Jul. 14, 2003).
Wahid et al., Characterising the Evolution in Scanning Activity of Suspicious Hosts, Oct. 2009, Third International Conference on Network and System Security, pp. 344-350.
Whyte, et al., “DNS-Based Detection of Scanning Works in an Enterprise Network”, Proceedings of the 12th Annual Network and Distributed System Security Symposium, (Feb. 2005), 15 pages.
Williamson, Matthew M., “Throttling Viruses: Restricting Propagation to Defeat Malicious Mobile Code”, ACSAC Conference, Las Vegas, NV, USA, (Dec. 2002), pp. 1-9.
Yuhei Kawakoya et al: “Memory behavior-based automatic malware unpacking in stealth debugging environment”, Malicious and Unwanted Software (Malware), 2010 5th International Conference on, IEEE, Piscataway, NJ, USA, Oct. 19, 2010, pp. 39-46, XP031833827, ISBN:978-1-4244-8-9353-1.
Zhang et al., The Effects of Threading, Infection Time, and Multiple-Attacker Collaboration on Malware Propagation, Sep. 2009, IEEE 28th International Symposium on Reliable Distributed Systems, pp. 73-82.

Detection and classification of exploit kits

Information

Patent Number

Date Filed

Date Issued

Inventors

Original Assignees

Examiners

Agents

CPC

Field of Search

US

CPC

International Classifications

Term Extension

Abstract

Description

Claims

US Referenced Citations (572)

Foreign Referenced Citations (11)

Non-Patent Literature Citations (75)