Patent Grant
10200384
The present invention relates generally to network security and more particularly to detecting malicious software operating in computers and other digital devices.
Malicious software, or malware for short, may include any program or file that is harmful by design to a computer. Malware includes computer viruses, worms, Trojan horses, adware, spyware, and any programming that gathers information about a computer or its user or otherwise operates without permission. The owners of the computers are often unaware that these programs have been added to their computers and are often similarly unaware of their function.
Malicious network content is a type of malware distributed over a network via websites, e.g., servers operating on a network according to an HTTP standard or other well-known standard. Malicious network content distributed in this manner may be actively downloaded and installed on a computer, without the approval or knowledge of its user, simply by the computer accessing the web site hosting the malicious network content (the “malicious web site”). Malicious network content may be embedded within objects associated with web pages hosted by the malicious web site. Malicious network content may also enter a computer on receipt or opening of email. For example, email may contain an attachment, such as a PDF document, with embedded malicious executable programs. Furthermore, malicious content may exist in files contained in a computer memory or storage device, having infected those files through any of a variety of attack vectors.
Various processes and devices have been employed to prevent the problems associated with malicious content. For example, computers often run antivirus scanning software that scans a particular computer for viruses and other forms of malware. The scanning typically involves automatic detection of a match between content stored on the computer (or attached media) and a library or database of signatures of known malware. The scanning may be initiated manually or based on a schedule specified by a user or system administrator associated with the particular computer. Unfortunately, by the time malware is detected by the scanning software, some damage on the computer or loss of privacy may have already occurred, and the malware may have propagated from the infected computer to other computers. Additionally, it may take days or weeks for new signatures to be manually created, the scanning signature library updated and received for use by the scanning software, and the new signatures employed in new scans.
Moreover, anti-virus scanning utilities may have limited effectiveness to protect against all exploits by polymorphic malware. Polymorphic malware has the capability to mutate to defeat the signature match process while keeping its original malicious capabilities intact. Signatures generated to identify one form of a polymorphic virus may not match against a mutated form. Thus polymorphic malware is often referred to as a family of virus rather than a single virus, and improved anti-virus techniques to identify such malware families is desirable.
Another type of malware detection solution employs virtual environments to replay content within a sandbox established by virtual machines (VMs) that simulates or mimics a target operating environment. Such solutions monitor the behavior of content during execution to detect anomalies and other activity that may signal the presence of malware. One such system sold by FireEye, Inc., the assignee of the present patent application, employs a two-phase malware detection approach to detect malware contained in network traffic monitored in real-time. In a first or “static” phase, a heuristic is applied to network traffic to identify and filter packets that appear suspicious in that they exhibit characteristics associated with malware. In a second or “dynamic” phase, the suspicious packets (and typically only the suspicious packets) are replayed within one or more virtual machines. For example, if a user is trying to download a file over a network, the file is extracted from the network traffic and analyzed in the virtual machine using an instance of a browser to load the suspicious packets. The results of the analysis constitute monitored behaviors of the suspicious packets, which may indicate that the file should be declared malicious. The two-phase malware detection solution may detect numerous types of malware and, even malware missed by other commercially available approaches. Through its verification technique, the two-phase malware detection solution may also achieve a significant reduction of false positives relative to such other commercially available approaches. Otherwise, dealing with a large number of false positives in malware detection may needlessly slow or interfere with download of network content or receipt of email, for example. This two-phase approach has even proven successful against many types of polymorphic malware and other forms of advanced persistent threats.
In some instances, malware may take the form of a “bot,” a contraction for software robot. Commonly, in this context, a bot is configured to control activities of a digital device (e.g., a computer) without authorization by the digital device's user. Bot-related activities include bot propagation to attack other computers on a network. Bots commonly propagate by scanning nodes (e.g., computers or other digital devices) available on a network to search for a vulnerable target. When a vulnerable computer is found, the bot may install a copy of itself, and then continue to seek other computers on a network to infect.
A bot may, without the knowledge or authority of the infected computer's user, establish a command and control (CnC) communication channel to send outbound communications to its master (e.g., a hacker or herder) or a designated surrogate and to receive instructions back. Often the CnC communications are sent over the Internet, and so comply with the Hypertext Transfer Protocol (HTTP) protocol. Bots may receive CnC communication from a centralized bot server or another infected computer (peer to peer). The outbound communications over the CnC channel are often referred to as “callbacks,” and may signify that bots are installed and ready to act. Inbound CnC communications may contain instructions directing the bot to cause the infected computers (i.e., zombies) to participate in organized attacks against one or more computers on a network. For example, bot-infected computers may be directed to ping another computer on a network, such as a bank or government agency, in a denial-of-service attack, often referred to as a distributed denial-of-service attack (DDoS). In other examples, upon receiving instructions, a bot may (a) direct an infected computer to transmit spam across a network; (b) transmit information regarding or stored on the infected host computer; (c) act as a keylogger and record keystrokes on the infected host computer, or (d) search for personal information (such as email addresses contained in an email or a contacts file). This information may be transmitted to one or more other infected computers to the bot's master.
Further enhancement to malware detection effectiveness while avoiding false positives is desirable of course, particularly as malware developers continue to create new forms of exploits, including more sophisticated bots and botnets, having potentially serious consequences.
Techniques may automatically detect bots or botnets running in a computer or other digital device by detecting command and control communications, called “call-backs,” from malicious code that has previously gained entry into the digital device. Callbacks are detected using a distributed approach employing one or more local analyzers and a central analyzer. The local analyzers capture packets of outbound communications, generate signatures from header information, and analyze the captured packets using various techniques. The techniques may include packet header signature matching against verified callback signatures and deep packet inspection (e.g., dark domain analysis and dark IP address analysis). The central analyzer receives signatures and associated packet header information from the local analyzers, checks for signature matches in a global signature cache, and may, in some embodiments, perform further analysis, for example, host reputation analysis with respect to the packet headers. The central analyzer employs machine learning to generate callback probability scores associated with each packet header whose information is received. The scores may indicate callback status, i.e., whether the packet headers are associated with callbacks and thus malicious. The central analyzer may then update the global signature cache with that status, and generally coordinates among the local analyzers, including sharing verified callback signatures with them.
In an illustrative embodiment, a local analyzer performs the following steps: A) forming a first signature based on a preferably partially masked header of a captured network packet for use as an index into a local signature cache and into a local event/anomaly database, where each captured packet may represent an event; B) performing a deep packet inspection of the captured network header; C) subscribing to a service provided by a central analyzer located remotely from the local cache and (for example, coupled thereto by a network) for determining, based on a global signature cache lookup and at least in part on results (called anomalies) from the deep packet inspection performed by the local analyzer on the captured network packet, whether the first signature corresponds to a malware callback; and D) responsive to a message received from the central analyzer, storing results of the central analyzer's determination in the local signature cache if the current signature corresponds to a malware callback and updating the local event/anomaly database.
In an illustrative embodiment, a central analyzer performs the following steps: A) receiving a first signature representative of a captured network packet from a local analyzer, B) using the received first signature as an index to find a match in a global signature cache and to update a global event/anomaly database, where each captured packet may represent an event and where anomalies are identified by analysis performed by the local cache with respect to the captured network packet; C) absent a match, performing further analysis, in at least some embodiments including, for example, a reputation analysis, e.g., using online resources; D) determining, based at least in part on the anomalies and the results of the analysis, if any, by the central analyzer, whether the first signature corresponds to a malware callback; E) storing match information and/or results of the determination in the global signature cache if the current signature corresponds to a malware callback and updating the global event/anomaly database; and F) sending a message to the local analyzer with the match information and/or results of the determination.
Detecting callbacks as described herein as a keystone of malicious attack and exploit analysis may permit embodiments of the invention to detect disparate forms of malware, and even families of polymorphic virus that use the same communication mechanisms to obtain instructions and other communications in furtherance of their nefarious purposes.
The invention will be more fully understood with reference to the following detailed description in conjunction with the drawings, of which:
Generally speaking, a bot is a type of (or part of) an active infiltration attack, often installing or operating in a two-step process. The first step is the initial infection, which may be a typically small package of malicious code (malware) whose function is to compromise the infected device. The second step involves that malware obtaining instructions as to malicious activity it is to perform, including possibly downloading additional malware, e.g., over the Internet or sending messages or data from the infected computer. This second step often involves establishing a CnC channel over which it may send a message providing its status or requesting CnC communications (instructions). This is called a “callback,” and the exchange of such communications may be referred to as callback activity.
The CnC may use an undocumented entry point, or subvert and use a documented entry point to request instructions over a CnC channel, which are often transmitted over the same or other channels. Often the CnC channel is established via a non-standard port provided by the operating system of the infected device. In so doing, the bot bypasses normal security and authentication mechanisms, and thereby achieves unauthorized egress from the computer. A hallmark of bots is the manner by which they utilize egress points for callbacks is designed to remain undetected to the digital device's user and system/network administrators.
To achieve detection of callback activity, embodiments of the invention provide a distributed callback detection and analysis system, which may include one or more local analysers and a central analyser, often cloud based. The local analysers may each perform (a) a signature match, comparing a signature generated from a current HTTP header against those generated from HTTP headers previously determined to be associated with callback activity; and (b) deep packet inspection of received HTTP packets (i.e., packets containing HTTP messages), including, for example, one or more of protocol compliance analysis, dark domain analysis and dark IP address analysis. If the signatures match, the current HTTP header is associated with callback activity and an alert may be generated. If the signatures do not match but the deep packet analysis finds suspicious anomalies (e.g., protocol non-compliance or unconventional syntax or content, or destination is a dark domain or dark IP address), the current HTTP header and related communication information is provided to the central analyser. The central analyser may perform additional evaluation, such as a reputation analysis, for example, using on-line resources. Afterwards, a threat heuristic analysis may be performed, combining all the results from the local and central analyser to reach a probabilistic determination of whether the suspicious content should be declared malicious.
In some embodiments, the local analyser operates to sniff network traffic for HTTP packets, extract HTTP headers therefrom, form signatures of preferably select HTTP header fields, and perform a look-up of those header signatures to determine whether those headers have been analysed previously for potential indicators of an attack. If the signatures were previously associated with an attack, an alert may be immediately issued. The local analyzer may also perform a deep packet inspection. This may entail evaluating information contained within fields of the headers for protocol anomalies, suspicious header content, suspicious domain identifiers (dark domain analysis), and/or suspicious destination IP addresses (dark IP address analysis). Based on this evaluation, the local analyzer may decide whether the header information indicates malware (e.g., a bot) is present. Upon finding suspicious anomalies, the local analyser reports the suspect (e.g., the header signatures and, in some embodiments, metadata related to the communication) to a central analyser to whose services it subscribes for further evaluation and centeralized coordination with other local appliances. The central analyser may perform additional evaluation, such as a reputation analysis, for example, using on-line resources. Afterwards, a threat heuristic analysis may be performed, combining all the results from the local and central analyser to reach a probabilistic determination of whether the suspicious content should be declared malicious. To that end, the threat heuristic analysis may employ machine learning or training to perform threat analytics, for example, by compare the current analysis results with those from labelled malware and labelled non-malware samples. The threat heuristics analysis yields a threat probability for the current results. If the threat probability exceeds a pre-determined threshold, an alert may be issued.
Throughout this specification, reference is made to HTTP. HTTP is an application layer protocol widely used for data communications for the World Wide Web. The Request for Comment (RFC) 2616: Hypertext Transfer Protocol—HTTP/1.1 specification sets out the semantics and other requirements for HTTP communications. HTTP resources are identified and located on a network by Uniform Resource Locators (URLs). Employing a client-server computing model, HTTP provides data communication for example between one or more web browsers running on computers or other electronic devices constituting the clients, and an application running on a computer or other electronic device hosting a website constituting the server. HTTP is a request-response protocol. For example, a user clicks on a link on their web browser, which sends a request over the Internet to web server hosting the website identified in the request. The server may then send back a response containing the contents of that site, including perhaps text and images for display by the user's browser.
The HTTP specification defines fields of HTTP headers, which are components of HTTP messages used in both requests and responses, and define the operating parameters of an HTTP communication or transaction. The header fields are transmitted after the request or response line, which is the first line of a message. As noted, the HTTP semantics are well defined, for example: Header fields are colon-separated, name-value pairs in clear-text string format. Each field is terminated by a carriage return (CR) and line feed (LF) character sequence. The end of the header fields is indicated by an empty field, resulting in the transmission of two consecutive CR-LF pairs. Variations from the specified semantics constitute anomalies. Also, the HTTP specification allows users to define their own fields and content, though often practice and convention dictate how those fields are used and what content may be expected. Variations from those conventions may also be deemed anomalies. Finally, sometimes malware authors will insert content into the fields, such as malware names or other tell tail malware descriptors or indicators, which serve as strong evidence of malicious activity. These too will be deemed anomalies for purposes of this specification.
For communication, an HTTP header is added to an HTTP message, and placed in a TCP/UDP message (sometimes more than one TCP/UDP message per HTTP message), which, in turn, is encapsulated (as payload) in an IP Datagram, which is encapsulated (as payload) in a Layer 2 Frame, which is sent as a signal over the transmission medium as a string of binary numbers. Each Layer 2 Frame has, in order, a Layer 2 header, an IP header, a TCP or UDP header, a HTTP header, HTTP data, etc., and finally a Layer 2 footer. Taking this explanation one step further, the IP layer includes in its header the information necessary for the packet to find its way to its final destination. More specifically, for computer-to-computer communication across networks, a source device forms packets for transmission by placing the IP address of the destination computer in the IP header of each packet involved in a communication session. The data packets are encapsulated as noted above and placed on the network and routed across the network to the destination having the specified IP address. In this specification, reference will be made to “packets,” which shall be used in its broadest sense to include, without limitation, messages, datagrams, frames and, of course, packets, unless the context requires otherwise. Accordingly, packet capture techniques may yield the HTTP header, IP address of the destination of an IP packet as well as domain identifiers from the URL of HTTP headers included in the IP packets.
The outbound communications monitored by the local analyzers 102, 104, 106 may contain network packets, which are normally expected to be in conformance with the HTTP protocol or other suitable protocol. While HTTP will be used as an example of a suitable protocol through the specification, the invention may be practiced with any standard protocol, preferably an application-level protocol for data communication. The network packets may be sent over networks 112, 114, 116 by computers 132, 134, 136 to one or more other computers 132, 134, 136 situated, for example, on the trusted side of the respective firewalls 120, 122, 124. The network packets may also be sent by computers 132, 134, 136 over networks 112, 114, 116 and network 118 to one or more computers, such as server 138, situated on the untrusted side of the firewall 120, 122, 124, and possibly at geographically distant location. Each local analyzer may be deployed at a respective IT facility 142, 144, 146 of an enterprise A, B, C. Each of the networks 112, 114, 116 may be proprietary networks, such as a LAN or WAN, and the network 118 may be a public network, such as the Internet. The networks 112, 114, 116, 180 may constitute, in various alternative embodiments, separate networks or sub-networks of a common network, for example. In a yet another alternative embodiment, the local analyzers 102, 104, 106 may be coupled with the central analyzer 110 via a dedicated communication link rather than a LAN or WAN.
While three local analyzers 102, 104, 106 coupled for operation with a single central analyzer 110 are shown in this figure for purposes of illustration and may be considered collectively as forming a local/global analyzer cell, the invention can be practiced with any number of local analyzers in a group within a single cell, where the number of analyzers is selected to be able sufficiently to monitor outbound communications under prevailing traffic conditions, with the group of local analyzers within the local/global analyzer cell being associated with the single central analyzer 110. Moreover, the local/global analyzer cell may be replicated throughout an enterprise or across multiple related or unrelated enterprises, so as to provide a scalable deployment. Moreover, in one embodiment, the central analyzer 110 of one local/global analyzer cell may be connected to a central analyzer 150 of a second local/global analyzer cell, and so forth so as to distribute results of its analysis to one or more other local/global analyzer cells to enhance filtering and detection of callbacks across two or more local/global analyzer cells.
One embodiment of the invention takes advantage of “software as a service” (“SaaS”) principles of business, in which the central analyzer 140 may be a cloud-based server providing services to one or more service subscribers. In this environment, the local analyzers 102, 104, 106 may be considered clients that avail themselves of the services of the central analyzer 110 configured as a server and located, for example, within the Internet. In some embodiments, the services of a central analyzer 110 may be provided by an IT service provider on behalf of a number of customers that subscribe to its services, each of which having at least one local analyzer 102, 104, 106 either located on the customer's premised or coupled to the customer's trusted network and provisioned for providing local analysis. Alternatively, the central analyzer 110 and each of the local analyzers 102, 104, 106 may be deployed as an appliance (i.e., a dedicated electronic device serving to detect malware) integrated as part of a local or enterprise-wide network, as a firewall or other network device adapted to provided malware detection as described herein, or as a network endpoint adapted to provide malware detection as described herein, and systems may deploy any one or a combination of the foregoing implementations.
The first stage filtering logic 164 has a local signature matching logic 174, an alert generation logic 175, and a deep packet inspection logic 176. The local signature matching logic 174 receives a stream of captured packet headers and, for each, generates a signature from information contained in the header. The signature may be hash of at least portions of the information contained in the header. In other embodiments, the signature may be an identifier associated with the header, and may or may not be based on the information depending on the embodiment. Then, the local signature matching logic 174 accesses a repository (not shown in this figure), such as a cache, of signatures of previously evaluated and confirmed malware to determine whether the current header signature matches any of those for malware previously evaluated. If a match is found, the alert generation logic 175 issues an alert. The deep packet inspection logic 176 analyses the packet headers of captured packets for anomalies or other evidence indicating the packets may constitute malware. The deep packet inspection 176 may include protocol anomaly matching, as described elsewhere herein. In some embodiments, if the deep packet inspection logic 176 does not detect any anomalies (or, in some embodiments, only de minimus or minor ones), the packet may be dropped from further analysis. If the local signature matching logic 174 finds no match but the deep packet inspection 176 finds anomalies, the current packet header is deemed a malware “suspect” or “suspect packet.” As such, the current packet header is provided, along with its corresponding header signature, for further analysis by the second stage filtering logic 168 of the central analyzer 166.
In some embodiments, the local signature matching logic 174 may process captured packets prior to the deep packet inspection logic 176 examining the captured packets, in which case the deep packet inspection logic 176 need only examine packets whose signatures did not have a match. In other embodiments, the deep packet inspection logic 176 may examine captured packets before the local signature matching logic 174 performs its cache lookup, in which case the deep packet inspection's cache lookup need only be performed with respect packet headers having anomalies. This may prove beneficial from a time and resource conservation perspective. Of course, they may also operate in a parallel or overlapping fashion in some embodiments.
The second stage filtering logic 168 includes a global signature matching logic 184 and a host reputation evaluation logic 186. As used herein, “global” signifies that the central analyzer's logic processes data obtained from all local analyzers 162-1, 162-2, . . . 162-N associated with the central analyzer 166. That association between the local analyzers 162-1, 162-2, . . . 162-N and the central analyzer 166 may be established on a business basis, where the users of the local analyzers 162-1, 162-2, . . . 162-N subscribe to and, in some cases, may pay a fee for the services (SaaS) of the central analyzer 166. The global signature matching logic 184 operates in a similar fashion to the local signature matching logic 174 as described above, except, in this case, the repository or cache (not shown in this drawing) includes a potentially more current list or even a more comprehensive list of globally identified malicious packet header signatures. In some embodiments, the global cache may have a more comprehensive list of malicious packet header signatures because the local cache may have retired entries after a certain length of time or the global cache may receive signatures from other local analyzers (not shown) that are not subscribers to the central analyzer 166 or from other central analyzers (not shown), which have not yet been shared with the local analyzers 162-1, 162-2, . . . 162-N. If the global signature matching logic 184 finds a match, it may, depending on the embodiment, take the following steps: (a) forward the current packet header and signature to the post processing logic 170 for further analysis, e.g., for forensics purposes; (b) initiate an alert, and forward a malware warning to all local analyzers 162-1, 162-2, . . . 162-N so that the local analyzers may update their local cache; and/or (c) proceed with evaluation by the reputation evaluation logic 186. If the global signature matching logic 184 does not find a match, the packet header is provided to the reputation evaluation logic 186. In alternative embodiments, the reputation evaluation logic 186 may process the packet header before the global cache look-up, or in parallel therewith.
The reputation evaluation logic 186 may evaluate the reputation of the host by performing an on-line or “live” investigation of the reputation of the destination of the URL or IP address of the destination of the packet. For example, if the URL is associated with a reputable business, that would be regarded as low risk. However, if the URL is associated with a dubious web site, possible a malicious web site, the reputation evaluation logic 186 would mark the packet as having a suspicious attribute or anomaly (for example, in an event/anomaly database). The packets so marked may be referred to as “suspicious suspect packets.”
The post processing logic 170 includes a threat heuristics engine or logic 188, a global signature generation and distribution logic 192, and alert generation logic 194. The threat heuristics logic 188 receives the results (attributes) from a second stage filtering logic 168, and the packet header signature and related information (e.g., anomalies, metadata) from the analytics performed by the first stage filtering logic 164.
The threat heuristics logic 188 performs a threat heuristic analysis to verify whether the captured headers contain bootkits. The threat heuristics logic 188 is configured to calculate a probability that the packet is associated with a callback and thus malicious. To that end, the threat heuristics analysis may advantageously employ principles of machine learning. Machine learning refers to a process or system that can learn from data, i.e., be trained to distinguish between “good” and “bad”, or in this case, between malicious and non-malicious, and classify samples under test accordingly. The core of machine learning deals with representation and generalization, that is, representation of data instances (e.g., the anomalies and other analytical results, which can be collectively called “attributes”), and functions performed on those instances (e.g., weighting and probability formulas). Generalization is the property that the process or system uses to apply what it learns on a learning set of known (or “labeled”) data instances to unknown (or “unlabeled”) examples. To do this, the process or system must extract learning from the labeled set that allows it to make useful predictions in new and unlabeled cases.
For machine learning, the DCDA system 160 may operate in a training mode and in an operational mode. In a training mode, the DCDA system 160 employs a threat heuristics training logic 172 to subject known samples (labeled samples) of callback communications and known samples of clean or non-malicious communications to analysis to calibrate the threat heuristics logic 188 for probability scoring of callbacks and non-callback activities. To accomplish this, the threat heuristics training logic 172 may submit malicious and clean samples to one of the local analyzers 162-1, 162-2, . . . 162-N and a central analyzer 166. In some embodiments, the threat heuristics training logic 172 may employ a special forensics system (e.g., with a single local analyzer and a central analyzer as respective back-end and front-end components on the same controller, e.g., controller 600 of
In an operating mode, the threat heuristics analysis logic 188 combines all attributes with respect to a current packet under test (unlabeled, of course) to form a current pattern containing potential indicators of callback activity. Then, the threat heuristics analysis logic 188 compares that pattern and/or, in some embodiments, each and every one of the attributes contained therein, with those obtained during the training mode. Where attributes are separately analyzed, the threat heuristics analysis logic 188 may assign weights based on experience during training to attributes that are deemed more closely associated with malware. It then assigns a probability score to each of the possible patterns, and/or, in some embodiments, to each of the attributes within each pattern as to its likelihood of appearing in a malicious and/or clean sample based on the learned probability scoring. This may involve determining how closely a pattern of attributes in an unlabeled sample compares to a labeled sample, using a proximity calculation based on the probability of encountering each attribute in a malware or non-malware pattern. The end result may be a composite probability score for the current packet under test. The score is indicative of whether the current packet under test is associated with a callback and thus malware. If the score exceeds a pre-determined (e.g., learned or administrator set) threshold, for example, the current packet is deemed malicious. Accuracy in prediction of malware will depend on the selection and number of relevant attributes, the selection of weights to be assigned to each, the comparison process used, and the quality of training.
The global signature generation and distribution logic 192 receives the results from the threat heuristics logic 188, that is, depending on the embodiment, a probability score (e.g., from 1 to 10, where 10 is the highest probability) indicating whether the current packet header is associated with or contains malware or a declaration that the packet header is or is not (i.e., a binary determination) associated with or contains malware. The global signature generation and distribution logic 192 provides an update to the local analyzers 162-1, 162-2, . . . 162-N including the score and/or determination from the threat heuristics logic 170. The local analyzer may then update their event/anomaly databases and caches with this information. If their caches already have the signature, it is now marked as being associated with malware. The alert generation logic 194 may issue a notice, report, warning, or other alert to a security administrator in the event that the threat heuristics logic 188 concludes the probability score is above a pre-determined, and, in some embodiments, user or administrator set threshold or declares the current packet is associated with or contains malware.
Processor 202 is further coupled to persistent storage 230 via transmission medium 225. According to one embodiment, persistent storage 230 may include classification logic 240, which in turn may include packet capture engine 250, signature generator 252, caching control logic 254, traffic header analyzer 256 for deep packet header inspection, host analyzer 258 for domain based host analysis and IP based host analysis. The persistent storage 230 may also include a TLD blacklist repository 264, an event/anomaly database 266, an IP blacklist repository 268, and a local cache 270. Of course, when implemented as hardware, the local classifier 240 would be implemented separately from persistent memory 230.
Packet capture engine 250 may be implemented using known packet capture or “PCAP” techniques, for example, in a packet capture engine or packet replay tool (not shown). The packet capture engine 250 may capture packets travelling over a network, such as network 112, 114, 116 of
Signature generator 252 may be configured to received packet headers from the PCAP engine 250, strip off parameter values contained in the headers, generate a hash (e.g., using Md5sum) of the remaining fields of the headers (sometimes referred to as a partially-masked PCAP), and store the resulting hash value along with the packet header in the event/anomaly database 206 as its corresponding signature. The parameter values stripped off by the signature generator 252 may contain personal or proprietary information of a nature that would render sharing of such information with geographically remote systems (possibly situated outside an enterprise and even in another country) undesirable. In other words, the signature generator 252 extracts select fields of characters for use in forming the signature for the full packet header and discards the remaining characters as unneeded surplus for these purposes.
It may prove helpful to consider an example of signature generation from an HTTP header:
POST/images/greenherbalteagirlholdingcup250.php?v95=5&tq=gJ4WKIYVhX HTTP/1.0
Connection: close
Host: greenherbalteaonline.com
Accept: */*
User-Agent: mozilla/2.0
data=14590234234GGDGD2A98JK==
The masked header (after removing parameter values from the URI and the stub data) might read as follows:
POST/images/greenherbalteagirlholdingcup250.php?v95=*&tq=* HTTP/1.0
Connection: close
Host: greenherbalteaonline.com
Accept: */*
User-Agent: mozilla/2.0
The hash of this masked header may be used to identify the above-given communication for future references. An md5sum hash of the second header as shown above yields 1a7724e7a428b 1d865bb01847a8178d5.
The caching control logic 254 uses each header signature from the signature generator 254 as an index into the cache 270 of the persistent memory 230 to determine if an entry stored therein matches the header signature. The cache 270 is updated from time to time with results of the second stage filtering process, as will be discussed in detail below, so as to contain information regarding previously detected callbacks, accessible in the cache by header signatures. The cache 270 may contain the header signatures of verified callbacks, together with the associated “raw”, partially-masked PCAP and, depending on the embodiment, other information regarding the callbacks, such as the indicators detected by the local analyzer 200 and/or central analyzer 110 (
Traffic header analyzer 256 is configured to use the partially-masked PCAPs from the packet capture engine 250 to detect anomalies in packet header fields that may indicate callback communications. The traffic header analyzer 256 may implement any of a variety of anomalies detection techniques involving packet header scanning, including for example: (a) identifying non-standard patterns (e.g., field contents) relative to the applicable protocol (e.g., HTTP), (b) identifying invalid header sequencing for the applicable protocol (e.g., HTTP), (c) comparing header structures with a whitelist and/or blacklist of prevalent, legitimate and/or illegitimate header structures for the applicable protocol (e.g., HTTP). For example, the fields of a header may be out of order or sequence, e.g., the host header, which should follow GET but may appear later, or particular fields may be omitted, due to mistake or carelessness by a programmer, who may be a malware author.
Host analyzer 258 employs domain analysis logic 261 to check the destination host domains identified in packet headers received from the packet capture engine 250 against a Top Level Domain (TLD) blacklist and/or a TLD whitelist stored in a respective TLD blacklist repository 264 and TLD whitelist repository 266 of persistent memory 230. The TLD blacklist repository stores blacklisted TLDs (top level domain) that are known or believed to be associated with malicious servers and/or with dynamic DNS services often used by bot “herders.” For example, certain country designations of the TLDs may be associated at any particular time with a high incidence of malware authorship, possibly due to nation-state sponsored or condoned cyber-threat activities, and therefore encountering those TLDs may render the packets containing those TLDs suspicious/suspects for purposes of this invention.
The results from the analysis performed by the host analyzer 258 may correspond to any of several difficult outcomes. Matches of the destination host domains with the stored, blacklisted TLDs may result in the corresponding packet header signatures being designated as a highly suspicious callback suspect and sent to the central analyzer 110 (
Host analyzer 258 may also employ an IP analysis logic 262 to check the destination host IP addresses contained in the full packet headers received from the packet capture engine 250 against an blacklist stored in a respective IP blacklist repository 268 of persistent memory 230. The IP blacklist repository stores IP addresses associated with (assigned to) known or suspected malicious servers or other electronic devices, e.g., IP addresses corresponding to verified sources of malicious attacks. Matches with the stored, blacklisted IP addresses result in the corresponding packet header signatures being designated as highly suspicious callback suspects and sent to the central analyzer 110 (
Instead of relying solely on local analysis, based on locally gathered and stored information, regarding malware and their callbacks, the distributed detection and analysis system 100 (
Finally, persistent logic 430 includes a threat heuristic training logic 456 and a threat heuristics logic or engine 454. The operation of the foregoing components of the central analyzer 400 may be appreciated from the description of
Proceeding with the central analysis portion 504, in step 524, logic checks whether results corresponding to the event are in the global cache. If they are, that is, if a cache hit, in step 526, logic sends an update to the local cache to reflect the cache hit in the global cache, for example, indicating or marking a header signature as malicious. In step 528, logic modifies the events/anomaly database to reflect the cache hit in the global cache and issues an alert indicating that the suspect is malware. On the other hand, if step 524 finds that the corresponding results are not in the global cache, in step 532 logic invokes a live analysis engine, which assess the reputation of the header URL and or IP address based on on-line resources, such as by visiting the web site corresponding to the URL or other Web-based resources. In step 533, logic combines the results from analysis in the local and central analyzers. In step 534, logic updates the global cache with the results all of the heuristics analysis. Also, in some embodiments, if step 524 finds that the corresponding results are not in the global cache, in step 236, logic queues the event for a re-analysis by the central analyzer portion 504 after a period of time or when workloads are lower. By that time, it is possible that the global cache may have been updated with new results from the threat heuristics analysis.
Embodiments of the distributed callback detection system may be deployed as a stand-alone system or integrated into malware detection systems that examine and analyze other additional characteristics or attributes of the content that may indicate the presence of malware, such as, for example, malware signature scanning utilities or the afore-mentioned two-phase malware detection solutions. For example, the callback detection mechanisms described herein can be added to appliances and other systems for detecting malware, either by adding a virtual machine execution capability to such systems or by adding a local analyzer or a central analyzer functionality.
The controller 600 may also have a communication network interface 640, an input/output (I/O) interface 650, and a user interface 660. The communication network interface 640 may be coupled with a communication network 672 via a communication medium 670. The communications network interface 640 may communicate with other digital devices (not shown) via the communications medium 670. The communication interface 640 may include a network tap 840 (
The I/O interface 650 may include any device that can receive input from or provide output to a user. The I/O interface 650 may include, but is not limited to, a flash drive, a compact disc (CD) drive, a digital versatile disc (DVD) drive, or other type of I/O peripheral (not separately shown). The user interface 660 may include, but is not limited to a keyboard, mouse, touchscreen, keypad, biosensor, display monitor or other human-machine interface (not separately shown) to allow a user to control the controller 600. The display monitor may include a screen on which is provided a command line interface or graphical user interface.
In various embodiments of the invention, a number of different controllers (for example, each of a type as illustrated and described for controller 600 may be used to implement the invention.
The communication network 720 may include a public computer network such as the Internet, in which case a firewall 725 may be interposed between the communication network 720 and the client device 730. Alternatively, the communication network may be a private computer network such as a wireless telecommunication network, wide area network, or local area network, or a combination of networks.
The malicious network content detection system 725 is shown as coupled with the network 720 by a network interface 735, including a network tap 740 (e.g., a data/packet capturing device). The network tap 740 may include a digital network tap configured to monitor network data and provide a copy of the network data to the malicious network content detection system 725. The network tap 740 may copy any portion of the network data, for example, any number of packets from the network data. In embodiments where the malicious content detection system 750 is implemented as an dedicated appliance or a dedicated computer system, the network tap 740 may include an assembly integrated into the appliance or computer system that includes network ports, network interface card and related logic (not shown) for connecting to the communication network 728 to non-disruptively “tap” traffic thereon and provide a copy of the traffic to the heuristic module 750. In other embodiments, the network tap 740 can be integrated into a firewall (for example, using a SPAN port), router, switch or other network device (not shown) or can be a standalone component, such as an appropriate commercially available network tap. In virtual environments, a virtual tap (vTAP) can be used to copy traffic from virtual networks.
The malicious network content detection system 725 may include a heuristic module 760, a heuristics database 762, a scheduler 770, a virtual machine pool 780, an analysis engine 782 and a reporting module 784. The heuristic module 760 receives the copy of the network data from the network tap 740 and applies heuristics to the data to determine if the network data might contain suspicious network content. The heuristics applied by the heuristic module 760 may be based on data and/or rules stored in the heuristics database 762. The heuristic module 760 may examine the image of the captured content without executing or opening the captured content. For example, the heuristic module 760 may examine the metadata or attributes of the captured content and/or the code image (e.g., a binary image of an executable) to determine whether a certain portion of the captured content matches a predetermined pattern or signature that is associated with a particular type of malicious content. In one example, the heuristic module 760 flags network data as suspicious after applying a heuristic analysis.
When a characteristic of the packet, such as a sequence of characters or keyword, is identified that meets the conditions of a heuristic, a suspicious characteristic of the network content is identified. The identified characteristic may be stored for reference and analysis. In some embodiments, the entire packet may be inspected (e.g., using deep packet inspection techniques, as described hereinabove) and multiple characteristics may be identified before proceeding to the next step. In some embodiments, the characteristic may be determined as a result of an analysis across multiple packets comprising the network content. A score related to a probability that the suspicious characteristic identified indicates malicious network content is determined. The heuristic module 760 may also provide a priority level for the packet and/or the features present in the packet. The scheduler 770 may then load and configure a virtual machine from the virtual machine pool 780 in an order related to the priority level, and dispatch the virtual machine to the analysis engine 782 to process the suspicious network content.
The heuristic module 760 may provide the packet containing the suspicious network content to the scheduler 770, along with a list of the features present in the packet and the malicious probability scores associated with each of those features. Alternatively, the heuristic module 760 may provide a pointer to the packet containing the suspicious network content to the scheduler 770 such that the scheduler 770 may access the packet via a memory shared with the heuristic module 760. In another embodiment, the heuristic module 760 may provide identification information regarding the packet to the scheduler 770 such that the scheduler 770, replayer 705, or virtual machine may query the heuristic module 760 for data regarding the packet as needed.
The scheduler 770 may identify the client device 730 and retrieve a virtual machine associated with the client device 730. A virtual machine may itself be executable software that is configured to mimic the performance of a device (e.g., the client device 730). The virtual machine may be retrieved from the virtual machine pool 780. Furthermore, the scheduler 770 may identify, for example, a Web browser running on the client device 730, and retrieve a virtual machine associated with the web browser.
The scheduler 770 may retrieve and configure the virtual machine to mimic the pertinent performance characteristics of the client device 730. The scheduler 770 may determine the features of the client device 730 that are affected by the network data by receiving and analyzing the network data from the network tap 740. Such features of the client device 730 may include ports that are to receive the network data, select device drivers that are to respond to the network data, and any other devices coupled to or contained within the client device 730 that can respond to the network data. In other embodiments, the heuristic module 760 may determine the features of the client device 730 that are affected by the network data by receiving and analyzing the network data from the network tap 740. The heuristic module 750 may then transmit the features of the client device to the scheduler 770.
The virtual machine pool 780 may be configured to store one or more virtual machines. The virtual machine pool 780 may include software and/or a storage medium capable of storing software. In one example, the virtual machine pool 780 stores a single virtual machine that can be configured by the scheduler 770 to mimic the performance of any client device 730 on the communication network 720. The virtual machine pool 780 may store any number of distinct virtual machines that can be configured to simulate the performance of a wide variety of client devices 730.
The analysis engine 782 simulates the receipt and/or display of the network content from the server device 710 after the network content is received by the client device 110 to analyze the effects of the network content upon the client device 730. The analysis engine 782 may identify the effects of malware or malicious network content by analyzing the simulation of the effects of the network content upon the client device 730 that is carried out on the virtual machine. There may be multiple analysis engines 750 to simulate multiple streams of network content. The analysis engine 782 may be configured to monitor the virtual machine for indications that the suspicious network content is in fact malicious network content. Such indications may include unusual network transmissions, unusual changes in performance, and the like. This detection process is referred to as a dynamic malicious content detection. The analysis engine 782 may flag the suspicious network content as malicious network content according to the observed behavior of the virtual machine.
In alternative embodiments of the invention, the heuristics module 760 or the analysis engine 782 may implement the local analyzer 200 of
The reporting module 784 may issue alerts indicating the presence of malware, and using pointers and other reference information, identify the packets of the network content containing the malware, for example, using the signatures described hereinabove. Additionally, the server device 710 may be added to a list of malicious network content providers, and future network transmissions originating from the server device 710 may be blocked from reaching their intended destinations, e.g., by firewall 725.
The computer network system 700 may also include a further communication network 790, which couples the malicious content detection system (MCDS) 750 with one or more other MCDS, of which MCDS 792 and MCDS 794 are shown, and a management system 796, which may be implemented as a Web server having a Web interface. The communication network 790 may, in some embodiments, be coupled for communication with or part of network 720. The management system 796 is responsible for managing the MCDS 750, 792, 794 and providing updates to their operation systems and software programs. Also, the management system 796 may cause malware signatures generated by any of the MCDS 750, 792, 794 to be shared with one or more of the other MCDS 750, 792, 794, for example, on a subscription basis. Moreover, the malicious content detection system as described in the foregoing embodiments may be incorporated into one or more of the MCDS 750, 792, 794, or into all of them, depending on the deployment. Also, the management system 796 or another dedicated computer station may incorporate the malicious content detection system in deployments where such detection is to be conducted at a centralized resource.
As described above, the detection or analysis performed by the heuristic module 760 may be referred to as static detection or static analysis, which may generate a first score (e.g., a static detection score) according to a first scoring scheme or algorithm. The detection or analysis performed by the analysis engine 782 is referred to as dynamic detection or dynamic analysis, which may generate a second score (e.g., a dynamic detection score) according to a second scoring scheme or algorithm. The first and second scores may be combined, according to a predetermined algorithm, to derive a final score indicating the probability that a malicious content suspect is indeed malicious or should be declared or considered with high probability of malicious.
Furthermore, detection systems 750 and 792-794 may deployed in a variety of distributed configurations, depending on the embodiment. For example, detection system 750 may be deployed as a detection appliance at a client site to detect any suspicious content, for example, at a local area network (LAN) of the client. In addition, any of MCDS 792 and MCDS 794 may also be deployed as dedicated data analysis systems. Systems 750 and 792-794 may be configured and managed by a management system 796 over network 790, which may be a LAN, a wide area network (WAN) such as the Internet, or a combination of both. Management system 796 may be implemented as a Web server having a Web interface to allow an administrator of a client (e.g., corporation entity) to log in to manage detection systems 750 and 792-794. For example, an administrator may able to activate or deactivate certain functionalities of malicious content detection systems 750 and 792-794 or alternatively, to distribute software updates such as malicious content definition files (e.g., malicious signatures or patterns) or rules, etc. Furthermore, a user can submit via a Web interface suspicious content to be analyzed, for example, by dedicated data analysis systems 792-794. As described above, malicious content detection includes static detection and dynamic detection. Such static and dynamic detections can be distributed amongst different systems over a network. For example, static detection may be performed by detection system 750 at a client site, while dynamic detection of the same content can be offloaded to the cloud, for example, by any of detection systems 792-794. Other configurations may exist.
The embodiments discussed herein are illustrative. As these embodiments are described with reference to illustrations, various modifications or adaptations of the methods and/or specific structures described may become apparent to those skilled in the art. For example, aspects of the embodiments may be performed by executable software, such as a program or operating system. For example, embodiments of the local analyzer may be implemented in an operating system. Of course, the operating system may incorporate other aspects instead of or in addition to that just described, as will be appreciated in light of the description contained in this specification. Similarly, a utility or other computer program executed on a server or other computer system may also implement the local analyzer or other aspects. Noteworthy, these embodiments need not employ a virtual environment, but rather test for callback activity during normal execution of the operating system, utility or program within a computer system.
It should be understood that the operations performed by the above-described illustrative embodiments are purely exemplary and imply no particular order unless explicitly required. Further, the operations may be used in any sequence when appropriate and may be partially used. Embodiments may employ various computer-implemented operations involving data stored in computer systems. These operations include physical manipulation of physical quantities. Usually, though not necessarily, these quantities take the form of electrical, magnetic, or optical signals capable of being stored, transferred, combined, compared, and otherwise manipulated.
Any of the operations described herein are useful machine operations. The present invention also relates to a device or an apparatus for performing these operations. The apparatus may be specially constructed for the required purpose, or the apparatus may be a general-purpose computer selectively activated or configured by a computer program stored in the computer. In particular, various general-purpose machines may be used with computer programs written in accordance with the teachings herein, or it may be more convenient to construct a more specialized apparatus to perform the required operations, or multiple apparatus each performing a portion of the operations. Where apparatus or components of apparatus are described herein as being coupled or connected to other apparatus or other components, the connection may be direct or indirect, unless the context requires otherwise.
The present invention may be embodied as computer readable code on a computer readable medium. The computer readable medium is any data storage device that can store data, which can be thereafter read by a computer system. Examples of the computer readable medium include hard drives, flash drives, read-only memory, random-access memory, CD-ROMs, CD-Rs, CD-RWs, magnetic tapes, and other optical and non-optical data storage devices. The computer readable medium can also be distributed over a network-coupled computer system so that the computer readable code is stored and executed in a distributed fashion. The computer readable medium can also be distributed using a switching fabric, such as used in compute farms.
The terms “logic”, “module”, “engine” and “unit” are representative of hardware, firmware or software that is configured to perform one or more functions. As hardware, these components may include circuitry such as processing circuitry (e.g., a microprocessor, one or more processor cores, a programmable gate array, a microcontroller, an application specific integrated circuit, etc.), receiver, transmitter and/or transceiver circuitry, semiconductor memory, combinatorial logic, or other types of electronic components. When implemented in software, the logic, modules, engines, and units may be in the form of one or more software modules, such as executable code in the form of an executable application, an operating system, an application programming interface (API), a subroutine, a function, a procedure, an applet, a servlet, a routine, source code, object code, a script, a shared library/dynamic load library, or one or more instructions. These software modules may be stored in any type of a suitable non-transitory storage medium, or transitory storage medium (e.g., electrical, optical, acoustical or other form of propagated signals such as carrier waves, infrared signals, or digital signals). Examples of non-transitory storage medium may include, but are not limited or restricted to a programmable circuit; a semiconductor memory; non-persistent storage such as volatile memory (e.g., any type of random access memory “RAM”); persistent storage such as non-volatile memory (e.g., read-only memory “ROM”, power-backed RAM, flash memory, phase-change memory, etc.), a solid-state drive, hard disk drive, an optical disc drive, or a portable memory device. As firmware, the executable code is stored in persistent storage. Software is operational when executed by processing circuitry. Execution may be in the form of direct execution, emulation, or interpretation.
Lastly, the terms “or” and “and/or” as used herein are to be interpreted as inclusive or meaning any one or any combination. Therefore, “A, B or C” or “A, B and/or C” mean “any of the following: A; B; C; A and B; A and C; B and C; A, B and C.” An exception to this definition will occur only when a combination of elements, functions, steps or acts are in some way inherently mutually exclusive.
It will be appreciated by those of ordinary skill in the art that modifications to and variations of the above-described embodiments of a system and method of detecting callbacks and associated malware may be made without departing from the inventive concepts disclosed herein. Accordingly, the specification and drawings are to be regarded as illustrative rather than restrictive, and the invention should not be viewed as limited except as by the scope and spirit of the appended claims. It will be recognized that the terms “comprising,” “including,” and “having,” as used herein, are specifically intended to be read as open-ended terms of art.
This application is a continuation of U.S. patent application Ser. No. 13/830,573 filed Mar. 14, 2013, now U.S. Pat. No. 9,430,646 issued Aug. 30, 2016 and entitled “Distributed Systems And Methods For Automatically Detecting Unknown Bots And Botnets”, the entire contents of which is incorporated herein by reference.
| Number | Name | Date | Kind |
|---|---|---|---|
| 4292580 | Ott et al. | Sep 1981 | A |
| 5175732 | Hendel et al. | Dec 1992 | A |
| 5440723 | Arnold et al. | Aug 1995 | A |
| 5490249 | Miller | Feb 1996 | A |
| 5657473 | Killean et al. | Aug 1997 | A |
| 5842002 | Schnurer et al. | Nov 1998 | A |
| 5978917 | Chi | Nov 1999 | A |
| 6088803 | Tso et al. | Jul 2000 | A |
| 6094677 | Capek et al. | Jul 2000 | A |
| 6108799 | Boulay et al. | Aug 2000 | A |
| 6118382 | Hibbs et al. | Sep 2000 | A |
| 6269330 | Cidon et al. | Jul 2001 | B1 |
| 6272641 | Ji | Aug 2001 | B1 |
| 6279113 | Vaidya | Aug 2001 | B1 |
| 6298445 | Shostack et al. | Oct 2001 | B1 |
| 6357008 | Nachenberg | Mar 2002 | B1 |
| 6417774 | Hibbs et al. | Jul 2002 | B1 |
| 6424627 | Sørhaug et al. | Jul 2002 | B1 |
| 6442696 | Wray et al. | Aug 2002 | B1 |
| 6484315 | Ziese | Nov 2002 | B1 |
| 6487666 | Shanklin et al. | Nov 2002 | B1 |
| 6493756 | O'Brien et al. | Dec 2002 | B1 |
| 6550012 | Villa et al. | Apr 2003 | B1 |
| 6700497 | Hibbs et al. | Mar 2004 | B2 |
| 6775657 | Baker | Aug 2004 | B1 |
| 6831893 | Ben Nun et al. | Dec 2004 | B1 |
| 6832367 | Choi et al. | Dec 2004 | B1 |
| 6895550 | Kanchirayappa et al. | May 2005 | B2 |
| 6898632 | Gordy et al. | May 2005 | B2 |
| 6907396 | Muttik et al. | Jun 2005 | B1 |
| 6941348 | Petry et al. | Sep 2005 | B2 |
| 6971097 | Wallman | Nov 2005 | B1 |
| 6981279 | Arnold et al. | Dec 2005 | B1 |
| 6995665 | Appelt et al. | Feb 2006 | B2 |
| 7007107 | Ivchenko et al. | Feb 2006 | B1 |
| 7028179 | Anderson et al. | Apr 2006 | B2 |
| 7043757 | Hoefelmeyer et al. | May 2006 | B2 |
| 7069316 | Gryaznov | Jun 2006 | B1 |
| 7080407 | Zhao et al. | Jul 2006 | B1 |
| 7080408 | Pak et al. | Jul 2006 | B1 |
| 7093002 | Wolff et al. | Aug 2006 | B2 |
| 7093239 | van der Made | Aug 2006 | B1 |
| 7096498 | Judge | Aug 2006 | B2 |
| 7100201 | Izatt | Aug 2006 | B2 |
| 7107617 | Hursey et al. | Sep 2006 | B2 |
| 7159149 | Spiegel et al. | Jan 2007 | B2 |
| 7213260 | Judge | May 2007 | B2 |
| 7231667 | Jordan | Jun 2007 | B2 |
| 7240364 | Branscomb et al. | Jul 2007 | B1 |
| 7240368 | Roesch et al. | Jul 2007 | B1 |
| 7243371 | Kasper et al. | Jul 2007 | B1 |
| 7249175 | Donaldson | Jul 2007 | B1 |
| 7287278 | Liang | Oct 2007 | B2 |
| 7308716 | Danford et al. | Dec 2007 | B2 |
| 7328453 | Merkle, Jr. et al. | Feb 2008 | B2 |
| 7346486 | Ivancic et al. | Mar 2008 | B2 |
| 7356736 | Natvig | Apr 2008 | B2 |
| 7386888 | Liang et al. | Jun 2008 | B2 |
| 7392542 | Bucher | Jun 2008 | B2 |
| 7418729 | Szor | Aug 2008 | B2 |
| 7428300 | Drew et al. | Sep 2008 | B1 |
| 7441272 | Durham et al. | Oct 2008 | B2 |
| 7448084 | Apap et al. | Nov 2008 | B1 |
| 7458098 | Judge et al. | Nov 2008 | B2 |
| 7464404 | Carpenter et al. | Dec 2008 | B2 |
| 7464407 | Nakae et al. | Dec 2008 | B2 |
| 7467408 | O'Toole, Jr. | Dec 2008 | B1 |
| 7478428 | Thomlinson | Jan 2009 | B1 |
| 7480773 | Reed | Jan 2009 | B1 |
| 7487543 | Arnold et al. | Feb 2009 | B2 |
| 7496960 | Chen et al. | Feb 2009 | B1 |
| 7496961 | Zimmer et al. | Feb 2009 | B2 |
| 7516488 | Kienzle et al. | Apr 2009 | B1 |
| 7519990 | Xie | Apr 2009 | B1 |
| 7523493 | Liang et al. | Apr 2009 | B2 |
| 7530104 | Thrower et al. | May 2009 | B1 |
| 7540025 | Tzadikario | May 2009 | B2 |
| 7546638 | Anderson et al. | Jun 2009 | B2 |
| 7565550 | Liang et al. | Jul 2009 | B2 |
| 7568233 | Szor et al. | Jul 2009 | B1 |
| 7584455 | Ball | Sep 2009 | B2 |
| 7603715 | Costa et al. | Oct 2009 | B2 |
| 7607171 | Marsden et al. | Oct 2009 | B1 |
| 7639714 | Stolfo et al. | Dec 2009 | B2 |
| 7644441 | Schmid et al. | Jan 2010 | B2 |
| 7657419 | van der Made | Feb 2010 | B2 |
| 7676841 | Sobchuk et al. | Mar 2010 | B2 |
| 7698548 | Shelest et al. | Apr 2010 | B2 |
| 7707633 | Danford et al. | Apr 2010 | B2 |
| 7712136 | Sprosts et al. | May 2010 | B2 |
| 7730011 | Deninger et al. | Jun 2010 | B1 |
| 7739740 | Nachenberg et al. | Jun 2010 | B1 |
| 7779463 | Stolfo et al. | Aug 2010 | B2 |
| 7784097 | Stolfo et al. | Aug 2010 | B1 |
| 7832008 | Kraemer | Nov 2010 | B1 |
| 7836502 | Zhao et al. | Nov 2010 | B1 |
| 7849506 | Dansey et al. | Dec 2010 | B1 |
| 7854007 | Sprosts et al. | Dec 2010 | B2 |
| 7869073 | Oshima | Jan 2011 | B2 |
| 7877803 | Enstone et al. | Jan 2011 | B2 |
| 7904959 | Sidiroglou et al. | Mar 2011 | B2 |
| 7908660 | Bahl | Mar 2011 | B2 |
| 7930738 | Petersen | Apr 2011 | B1 |
| 7937761 | Bennett | May 2011 | B1 |
| 7949849 | Lowe et al. | May 2011 | B2 |
| 7996556 | Raghavan et al. | Aug 2011 | B2 |
| 7996836 | McCorkendale et al. | Aug 2011 | B1 |
| 7996904 | Chiueh et al. | Aug 2011 | B1 |
| 7996905 | Arnold et al. | Aug 2011 | B2 |
| 8006305 | Aziz | Aug 2011 | B2 |
| 8010667 | Zhang et al. | Aug 2011 | B2 |
| 8020206 | Hubbard et al. | Sep 2011 | B2 |
| 8028338 | Schneider et al. | Sep 2011 | B1 |
| 8042184 | Batenin | Oct 2011 | B1 |
| 8045094 | Teragawa | Oct 2011 | B2 |
| 8045458 | Alperovitch et al. | Oct 2011 | B2 |
| 8069484 | McMillan et al. | Nov 2011 | B2 |
| 8087086 | Lai et al. | Dec 2011 | B1 |
| 8171553 | Aziz et al. | May 2012 | B2 |
| 8176049 | Deninger et al. | May 2012 | B2 |
| 8176480 | Spertus | May 2012 | B1 |
| 8201246 | Wu et al. | Jun 2012 | B1 |
| 8204984 | Aziz et al. | Jun 2012 | B1 |
| 8214905 | Doukhvalov et al. | Jul 2012 | B1 |
| 8220055 | Kennedy | Jul 2012 | B1 |
| 8225288 | Miller et al. | Jul 2012 | B2 |
| 8225373 | Kraemer | Jul 2012 | B2 |
| 8233882 | Rogel | Jul 2012 | B2 |
| 8234640 | Fitzgerald et al. | Jul 2012 | B1 |
| 8234709 | Viljoen et al. | Jul 2012 | B2 |
| 8239944 | Nachenberg et al. | Aug 2012 | B1 |
| 8260914 | Ranjan | Sep 2012 | B1 |
| 8266091 | Gubin et al. | Sep 2012 | B1 |
| 8286251 | Eker et al. | Oct 2012 | B2 |
| 8291499 | Aziz et al. | Oct 2012 | B2 |
| 8307435 | Mann et al. | Nov 2012 | B1 |
| 8307443 | Wang et al. | Nov 2012 | B2 |
| 8312545 | Tuvell et al. | Nov 2012 | B2 |
| 8321936 | Green et al. | Nov 2012 | B1 |
| 8321941 | Tuvell et al. | Nov 2012 | B2 |
| 8332571 | Edwards, Sr. | Dec 2012 | B1 |
| 8365286 | Poston | Jan 2013 | B2 |
| 8365297 | Parshin et al. | Jan 2013 | B1 |
| 8370938 | Daswani et al. | Feb 2013 | B1 |
| 8370939 | Zaitsev et al. | Feb 2013 | B2 |
| 8375444 | Aziz et al. | Feb 2013 | B2 |
| 8381299 | Stolfo et al. | Feb 2013 | B2 |
| 8402529 | Green et al. | Mar 2013 | B1 |
| 8464340 | Ahn et al. | Jun 2013 | B2 |
| 8479174 | Chiriac | Jul 2013 | B2 |
| 8479276 | Vaystikh et al. | Jul 2013 | B1 |
| 8479291 | Bodke | Jul 2013 | B1 |
| 8499357 | Juvekar | Jul 2013 | B1 |
| 8510827 | Leake et al. | Aug 2013 | B1 |
| 8510828 | Guo et al. | Aug 2013 | B1 |
| 8510842 | Amit et al. | Aug 2013 | B2 |
| 8516478 | Edwards et al. | Aug 2013 | B1 |
| 8516590 | Ranadive et al. | Aug 2013 | B1 |
| 8516593 | Aziz | Aug 2013 | B2 |
| 8522348 | Chen et al. | Aug 2013 | B2 |
| 8528086 | Aziz | Sep 2013 | B1 |
| 8533824 | Hutton et al. | Sep 2013 | B2 |
| 8539582 | Aziz et al. | Sep 2013 | B1 |
| 8549638 | Aziz | Oct 2013 | B2 |
| 8555388 | Wang et al. | Oct 2013 | B1 |
| 8555391 | Demir et al. | Oct 2013 | B1 |
| 8561177 | Aziz et al. | Oct 2013 | B1 |
| 8566946 | Aziz et al. | Oct 2013 | B1 |
| 8584094 | Dadhia et al. | Nov 2013 | B2 |
| 8584234 | Sobel et al. | Nov 2013 | B1 |
| 8584239 | Aziz et al. | Nov 2013 | B2 |
| 8595834 | Xie et al. | Nov 2013 | B2 |
| 8627476 | Satish et al. | Jan 2014 | B1 |
| 8635696 | Aziz | Jan 2014 | B1 |
| 8682054 | Xue et al. | Mar 2014 | B2 |
| 8682812 | Ranjan | Mar 2014 | B1 |
| 8689333 | Aziz | Apr 2014 | B2 |
| 8695096 | Zhang | Apr 2014 | B1 |
| 8713631 | Pavlyushchik | Apr 2014 | B1 |
| 8713681 | Silberman et al. | Apr 2014 | B2 |
| 8726379 | Stiansen | May 2014 | B1 |
| 8726392 | McCorkendale et al. | May 2014 | B1 |
| 8739280 | Chess et al. | May 2014 | B2 |
| 8776229 | Aziz | Jul 2014 | B1 |
| 8782792 | Bodke | Jul 2014 | B1 |
| 8789172 | Stolfo et al. | Jul 2014 | B2 |
| 8789178 | Kejriwal et al. | Jul 2014 | B2 |
| 8793787 | Ismael et al. | Jul 2014 | B2 |
| 8805947 | Kuzkin et al. | Aug 2014 | B1 |
| 8806647 | Daswani et al. | Aug 2014 | B1 |
| 8832829 | Manni et al. | Sep 2014 | B2 |
| 8850570 | Ramzan | Sep 2014 | B1 |
| 8850571 | Staniford et al. | Sep 2014 | B2 |
| 8881234 | Narasimhan et al. | Nov 2014 | B2 |
| 8881282 | Aziz et al. | Nov 2014 | B1 |
| 8898788 | Aziz et al. | Nov 2014 | B1 |
| 8935779 | Manni et al. | Jan 2015 | B2 |
| 8984638 | Aziz et al. | Mar 2015 | B1 |
| 8990939 | Staniford et al. | Mar 2015 | B2 |
| 8990944 | Singh et al. | Mar 2015 | B1 |
| 8997219 | Staniford et al. | Mar 2015 | B2 |
| 9009822 | Ismael et al. | Apr 2015 | B1 |
| 9009823 | Ismael et al. | Apr 2015 | B1 |
| 9027135 | Aziz | May 2015 | B1 |
| 9071638 | Aziz et al. | Jun 2015 | B1 |
| 9104867 | Thioux et al. | Aug 2015 | B1 |
| 9106694 | Aziz et al. | Aug 2015 | B2 |
| 9118715 | Staniford et al. | Aug 2015 | B2 |
| 9143522 | Wang et al. | Sep 2015 | B2 |
| 9159035 | Ismael et al. | Oct 2015 | B1 |
| 9171160 | Vincent et al. | Oct 2015 | B2 |
| 9176843 | Ismael et al. | Nov 2015 | B1 |
| 9189627 | Islam | Nov 2015 | B1 |
| 9195829 | Goradia et al. | Nov 2015 | B1 |
| 9197664 | Aziz et al. | Nov 2015 | B1 |
| 9223972 | Vincent et al. | Dec 2015 | B1 |
| 9225740 | Ismael et al. | Dec 2015 | B1 |
| 9241010 | Bennett et al. | Jan 2016 | B1 |
| 9251343 | Vincent et al. | Feb 2016 | B1 |
| 9262635 | Paithane et al. | Feb 2016 | B2 |
| 9282109 | Aziz et al. | Mar 2016 | B1 |
| 9294501 | Mesdaq et al. | Mar 2016 | B2 |
| 9300686 | Pidathala et al. | Mar 2016 | B2 |
| 9306960 | Aziz | Apr 2016 | B1 |
| 9306974 | Aziz et al. | Apr 2016 | B1 |
| 9311479 | Manni et al. | Apr 2016 | B1 |
| 20010005889 | Albrecht | Jun 2001 | A1 |
| 20010047326 | Broadbent et al. | Nov 2001 | A1 |
| 20020018903 | Kokubo et al. | Feb 2002 | A1 |
| 20020038430 | Edwards et al. | Mar 2002 | A1 |
| 20020091819 | Melchione et al. | Jul 2002 | A1 |
| 20020095607 | Lin-Hendel | Jul 2002 | A1 |
| 20020116627 | Tarbotton et al. | Aug 2002 | A1 |
| 20020144156 | Copeland | Oct 2002 | A1 |
| 20020162015 | Tang | Oct 2002 | A1 |
| 20020166063 | Lachman et al. | Nov 2002 | A1 |
| 20020169952 | DiSanto et al. | Nov 2002 | A1 |
| 20020184528 | Shevenell et al. | Dec 2002 | A1 |
| 20020188887 | Largman et al. | Dec 2002 | A1 |
| 20020194490 | Halperin et al. | Dec 2002 | A1 |
| 20030074578 | Ford et al. | Apr 2003 | A1 |
| 20030084318 | Schertz | May 2003 | A1 |
| 20030101381 | Mateev et al. | May 2003 | A1 |
| 20030115483 | Liang | Jun 2003 | A1 |
| 20030188190 | Aaron et al. | Oct 2003 | A1 |
| 20030191957 | Hypponen et al. | Oct 2003 | A1 |
| 20030200460 | Morota et al. | Oct 2003 | A1 |
| 20030212902 | van der Made | Nov 2003 | A1 |
| 20030217283 | Hrastar et al. | Nov 2003 | A1 |
| 20030229801 | Kouznetsov et al. | Dec 2003 | A1 |
| 20030237000 | Denton et al. | Dec 2003 | A1 |
| 20040003323 | Bennett et al. | Jan 2004 | A1 |
| 20040015712 | Szor | Jan 2004 | A1 |
| 20040019832 | Arnold et al. | Jan 2004 | A1 |
| 20040047356 | Bauer | Mar 2004 | A1 |
| 20040064737 | Milliken et al. | Apr 2004 | A1 |
| 20040083408 | Spiegel et al. | Apr 2004 | A1 |
| 20040088581 | Brawn et al. | May 2004 | A1 |
| 20040093513 | Cantrell et al. | May 2004 | A1 |
| 20040111531 | Staniford et al. | Jun 2004 | A1 |
| 20040117478 | Triulzi et al. | Jun 2004 | A1 |
| 20040117624 | Brandt et al. | Jun 2004 | A1 |
| 20040128355 | Chao et al. | Jul 2004 | A1 |
| 20040165588 | Pandya | Aug 2004 | A1 |
| 20040236963 | Danford et al. | Nov 2004 | A1 |
| 20040243349 | Greifeneder et al. | Dec 2004 | A1 |
| 20040249911 | Alkhatib et al. | Dec 2004 | A1 |
| 20040250124 | Chesla | Dec 2004 | A1 |
| 20040255161 | Cavanaugh | Dec 2004 | A1 |
| 20040268147 | Wiederin et al. | Dec 2004 | A1 |
| 20050005159 | Oliphant | Jan 2005 | A1 |
| 20050021740 | Bar et al. | Jan 2005 | A1 |
| 20050033960 | Vialen et al. | Feb 2005 | A1 |
| 20050033989 | Poletto et al. | Feb 2005 | A1 |
| 20050050148 | Mohammadioun et al. | Mar 2005 | A1 |
| 20050086523 | Zimmer et al. | Apr 2005 | A1 |
| 20050091513 | Mitomo et al. | Apr 2005 | A1 |
| 20050091533 | Omote et al. | Apr 2005 | A1 |
| 20050091652 | Ross et al. | Apr 2005 | A1 |
| 20050108562 | Khazan et al. | May 2005 | A1 |
| 20050114663 | Cornell et al. | May 2005 | A1 |
| 20050125195 | Brendel | Jun 2005 | A1 |
| 20050149726 | Joshi et al. | Jul 2005 | A1 |
| 20050157662 | Bingham et al. | Jul 2005 | A1 |
| 20050183143 | Anderholm et al. | Aug 2005 | A1 |
| 20050201297 | Peikari | Sep 2005 | A1 |
| 20050210533 | Copeland et al. | Sep 2005 | A1 |
| 20050238005 | Chen et al. | Oct 2005 | A1 |
| 20050240781 | Gassoway | Oct 2005 | A1 |
| 20050262562 | Gassoway | Nov 2005 | A1 |
| 20050265331 | Stolfo | Dec 2005 | A1 |
| 20050283839 | Cowburn | Dec 2005 | A1 |
| 20060010495 | Cohen et al. | Jan 2006 | A1 |
| 20060015416 | Hoffman et al. | Jan 2006 | A1 |
| 20060015715 | Anderson | Jan 2006 | A1 |
| 20060015747 | Van de Ven | Jan 2006 | A1 |
| 20060021029 | Brickell et al. | Jan 2006 | A1 |
| 20060021054 | Costa et al. | Jan 2006 | A1 |
| 20060031476 | Mathes et al. | Feb 2006 | A1 |
| 20060047665 | Neil | Mar 2006 | A1 |
| 20060070130 | Costea et al. | Mar 2006 | A1 |
| 20060075496 | Carpenter et al. | Apr 2006 | A1 |
| 20060095968 | Portolani et al. | May 2006 | A1 |
| 20060101516 | Sudaharan et al. | May 2006 | A1 |
| 20060101517 | Banzhof et al. | May 2006 | A1 |
| 20060117385 | Mester et al. | Jun 2006 | A1 |
| 20060123477 | Raghavan et al. | Jun 2006 | A1 |
| 20060143709 | Brooks et al. | Jun 2006 | A1 |
| 20060150249 | Gassen et al. | Jul 2006 | A1 |
| 20060161983 | Cothrell et al. | Jul 2006 | A1 |
| 20060161987 | Levy-Yurista | Jul 2006 | A1 |
| 20060161989 | Reshef et al. | Jul 2006 | A1 |
| 20060164199 | Gilde et al. | Jul 2006 | A1 |
| 20060173992 | Weber et al. | Aug 2006 | A1 |
| 20060179147 | Tran et al. | Aug 2006 | A1 |
| 20060184632 | Marino et al. | Aug 2006 | A1 |
| 20060191010 | Benjamin | Aug 2006 | A1 |
| 20060221956 | Narayan et al. | Oct 2006 | A1 |
| 20060236393 | Kramer et al. | Oct 2006 | A1 |
| 20060242709 | Seinfeld et al. | Oct 2006 | A1 |
| 20060248519 | Jaeger et al. | Nov 2006 | A1 |
| 20060248582 | Panjwani et al. | Nov 2006 | A1 |
| 20060251104 | Koga | Nov 2006 | A1 |
| 20060288417 | Bookbinder et al. | Dec 2006 | A1 |
| 20070006288 | Mayfield et al. | Jan 2007 | A1 |
| 20070006313 | Porras et al. | Jan 2007 | A1 |
| 20070011174 | Takaragi et al. | Jan 2007 | A1 |
| 20070016951 | Piccard et al. | Jan 2007 | A1 |
| 20070022454 | Yoon et al. | Jan 2007 | A1 |
| 20070033645 | Jones | Feb 2007 | A1 |
| 20070038943 | FitzGerald et al. | Feb 2007 | A1 |
| 20070064689 | Shin et al. | Mar 2007 | A1 |
| 20070074169 | Chess et al. | Mar 2007 | A1 |
| 20070094730 | Bhikkaji | Apr 2007 | A1 |
| 20070101435 | Konanka et al. | May 2007 | A1 |
| 20070128855 | Cho et al. | Jun 2007 | A1 |
| 20070142030 | Sinha et al. | Jun 2007 | A1 |
| 20070143827 | Nicodemus et al. | Jun 2007 | A1 |
| 20070156895 | Vuong | Jul 2007 | A1 |
| 20070157180 | Tillmann et al. | Jul 2007 | A1 |
| 20070157306 | Elrod et al. | Jul 2007 | A1 |
| 20070168988 | Eisner et al. | Jul 2007 | A1 |
| 20070171824 | Ruello et al. | Jul 2007 | A1 |
| 20070174915 | Gribble et al. | Jul 2007 | A1 |
| 20070192500 | Lum | Aug 2007 | A1 |
| 20070192858 | Lum | Aug 2007 | A1 |
| 20070198275 | Malden et al. | Aug 2007 | A1 |
| 20070208822 | Wang et al. | Sep 2007 | A1 |
| 20070220607 | Sprosts et al. | Sep 2007 | A1 |
| 20070240218 | Tuvell et al. | Oct 2007 | A1 |
| 20070240219 | Tuvell et al. | Oct 2007 | A1 |
| 20070240220 | Tuvell et al. | Oct 2007 | A1 |
| 20070240222 | Tuvell et al. | Oct 2007 | A1 |
| 20070250930 | Aziz et al. | Oct 2007 | A1 |
| 20070256132 | Oliphant | Nov 2007 | A2 |
| 20070271446 | Nakamura | Nov 2007 | A1 |
| 20080005782 | Aziz | Jan 2008 | A1 |
| 20080028463 | Dagon et al. | Jan 2008 | A1 |
| 20080032556 | Schreier | Feb 2008 | A1 |
| 20080040710 | Chiriac | Feb 2008 | A1 |
| 20080046781 | Childs et al. | Feb 2008 | A1 |
| 20080066179 | Liu | Mar 2008 | A1 |
| 20080072326 | Danford et al. | Mar 2008 | A1 |
| 20080077793 | Tan et al. | Mar 2008 | A1 |
| 20080080518 | Hoeflin et al. | Apr 2008 | A1 |
| 20080084259 | Yoshida et al. | Apr 2008 | A1 |
| 20080086720 | Lekel | Apr 2008 | A1 |
| 20080098476 | Syversen | Apr 2008 | A1 |
| 20080120722 | Sima et al. | May 2008 | A1 |
| 20080134178 | Fitzgerald et al. | Jun 2008 | A1 |
| 20080134334 | Kim et al. | Jun 2008 | A1 |
| 20080141376 | Clausen et al. | Jun 2008 | A1 |
| 20080181227 | Todd | Jul 2008 | A1 |
| 20080184367 | McMillan et al. | Jul 2008 | A1 |
| 20080184373 | Traut et al. | Jul 2008 | A1 |
| 20080189787 | Arnold et al. | Aug 2008 | A1 |
| 20080201778 | Guo et al. | Aug 2008 | A1 |
| 20080209557 | Herley et al. | Aug 2008 | A1 |
| 20080215742 | Goldszmidt et al. | Sep 2008 | A1 |
| 20080222729 | Chen et al. | Sep 2008 | A1 |
| 20080263665 | Ma et al. | Oct 2008 | A1 |
| 20080295172 | Bohacek | Nov 2008 | A1 |
| 20080301444 | Kim | Dec 2008 | A1 |
| 20080301810 | Lehane et al. | Dec 2008 | A1 |
| 20080307524 | Singh et al. | Dec 2008 | A1 |
| 20080313738 | Enderby | Dec 2008 | A1 |
| 20080320594 | Jiang | Dec 2008 | A1 |
| 20090003317 | Kasralikar et al. | Jan 2009 | A1 |
| 20090007100 | Field et al. | Jan 2009 | A1 |
| 20090013408 | Schipka | Jan 2009 | A1 |
| 20090031423 | Liu et al. | Jan 2009 | A1 |
| 20090036111 | Danford et al. | Feb 2009 | A1 |
| 20090037835 | Goldman | Feb 2009 | A1 |
| 20090044024 | Oberheide et al. | Feb 2009 | A1 |
| 20090044274 | Budko et al. | Feb 2009 | A1 |
| 20090064332 | Porras et al. | Mar 2009 | A1 |
| 20090077666 | Chen et al. | Mar 2009 | A1 |
| 20090083369 | Marmor | Mar 2009 | A1 |
| 20090083855 | Apap et al. | Mar 2009 | A1 |
| 20090089879 | Wang et al. | Apr 2009 | A1 |
| 20090094697 | Provos et al. | Apr 2009 | A1 |
| 20090113425 | Ports et al. | Apr 2009 | A1 |
| 20090125976 | Wassermann et al. | May 2009 | A1 |
| 20090126015 | Monastyrsky et al. | May 2009 | A1 |
| 20090126016 | Sobko et al. | May 2009 | A1 |
| 20090133125 | Choi et al. | May 2009 | A1 |
| 20090144823 | Lamastra et al. | Jun 2009 | A1 |
| 20090158430 | Borders | Jun 2009 | A1 |
| 20090172815 | Gu et al. | Jul 2009 | A1 |
| 20090187992 | Poston | Jul 2009 | A1 |
| 20090193293 | Stolfo et al. | Jul 2009 | A1 |
| 20090198651 | Shifter et al. | Aug 2009 | A1 |
| 20090198670 | Shifter et al. | Aug 2009 | A1 |
| 20090198689 | Frazier et al. | Aug 2009 | A1 |
| 20090199274 | Frazier et al. | Aug 2009 | A1 |
| 20090199296 | Xie et al. | Aug 2009 | A1 |
| 20090228233 | Anderson et al. | Sep 2009 | A1 |
| 20090241187 | Troyansky | Sep 2009 | A1 |
| 20090241190 | Todd et al. | Sep 2009 | A1 |
| 20090265692 | Godefroid et al. | Oct 2009 | A1 |
| 20090271867 | Zhang | Oct 2009 | A1 |
| 20090300415 | Zhang et al. | Dec 2009 | A1 |
| 20090300761 | Park et al. | Dec 2009 | A1 |
| 20090328185 | Berg et al. | Dec 2009 | A1 |
| 20090328221 | Blumfield et al. | Dec 2009 | A1 |
| 20100005146 | Drako et al. | Jan 2010 | A1 |
| 20100011205 | McKenna | Jan 2010 | A1 |
| 20100017546 | Poo et al. | Jan 2010 | A1 |
| 20100030996 | Butler, II | Feb 2010 | A1 |
| 20100031353 | Thomas et al. | Feb 2010 | A1 |
| 20100031358 | Elovici | Feb 2010 | A1 |
| 20100037314 | Perdisci et al. | Feb 2010 | A1 |
| 20100043073 | Kuwamura | Feb 2010 | A1 |
| 20100054278 | Stolfo et al. | Mar 2010 | A1 |
| 20100058474 | Hicks | Mar 2010 | A1 |
| 20100064044 | Nonoyama | Mar 2010 | A1 |
| 20100077481 | Polyakov et al. | Mar 2010 | A1 |
| 20100083376 | Pereira et al. | Apr 2010 | A1 |
| 20100115621 | Staniford et al. | May 2010 | A1 |
| 20100132038 | Zaitsev | May 2010 | A1 |
| 20100154056 | Smith et al. | Jun 2010 | A1 |
| 20100180344 | Malyshev et al. | Jul 2010 | A1 |
| 20100192223 | Ismael et al. | Jul 2010 | A1 |
| 20100220863 | Dupaquis et al. | Sep 2010 | A1 |
| 20100235831 | Dittmer | Sep 2010 | A1 |
| 20100251104 | Massand | Sep 2010 | A1 |
| 20100281102 | Chinta et al. | Nov 2010 | A1 |
| 20100281541 | Stolfo et al. | Nov 2010 | A1 |
| 20100281542 | Stolfo et al. | Nov 2010 | A1 |
| 20100287260 | Peterson et al. | Nov 2010 | A1 |
| 20100299754 | Amit et al. | Nov 2010 | A1 |
| 20100306173 | Frank | Dec 2010 | A1 |
| 20110004737 | Greenebaum | Jan 2011 | A1 |
| 20110025504 | Lyon et al. | Feb 2011 | A1 |
| 20110041179 | St Hlberg | Feb 2011 | A1 |
| 20110047594 | Mahaffey et al. | Feb 2011 | A1 |
| 20110047620 | Mahaffey et al. | Feb 2011 | A1 |
| 20110055907 | Narasimhan et al. | Mar 2011 | A1 |
| 20110078794 | Manni et al. | Mar 2011 | A1 |
| 20110093951 | Aziz | Apr 2011 | A1 |
| 20110099620 | Stavrou et al. | Apr 2011 | A1 |
| 20110099633 | Aziz | Apr 2011 | A1 |
| 20110099635 | Silberman et al. | Apr 2011 | A1 |
| 20110113231 | Kaminsky | May 2011 | A1 |
| 20110145918 | Jung et al. | Jun 2011 | A1 |
| 20110145920 | Mahaffey et al. | Jun 2011 | A1 |
| 20110145934 | Abramovici et al. | Jun 2011 | A1 |
| 20110167493 | Song et al. | Jul 2011 | A1 |
| 20110167494 | Bowen et al. | Jul 2011 | A1 |
| 20110173213 | Frazier et al. | Jul 2011 | A1 |
| 20110173460 | Ito et al. | Jul 2011 | A1 |
| 20110219449 | St. Neitzel et al. | Sep 2011 | A1 |
| 20110219450 | McDougal et al. | Sep 2011 | A1 |
| 20110225624 | Sawhney et al. | Sep 2011 | A1 |
| 20110225655 | Niemela et al. | Sep 2011 | A1 |
| 20110247072 | Staniford et al. | Oct 2011 | A1 |
| 20110265182 | Peinado et al. | Oct 2011 | A1 |
| 20110289582 | Kejriwal et al. | Nov 2011 | A1 |
| 20110302587 | Nishikawa et al. | Dec 2011 | A1 |
| 20110307954 | Melnik et al. | Dec 2011 | A1 |
| 20110307955 | Kaplan et al. | Dec 2011 | A1 |
| 20110307956 | Yermakov et al. | Dec 2011 | A1 |
| 20110314546 | Aziz et al. | Dec 2011 | A1 |
| 20110320816 | Yao | Dec 2011 | A1 |
| 20120023593 | Puder et al. | Jan 2012 | A1 |
| 20120054869 | Yen et al. | Mar 2012 | A1 |
| 20120066698 | Yanoo | Mar 2012 | A1 |
| 20120079596 | Thomas et al. | Mar 2012 | A1 |
| 20120084859 | Radinsky et al. | Apr 2012 | A1 |
| 20120110667 | Zubrilin et al. | May 2012 | A1 |
| 20120117652 | Manni et al. | May 2012 | A1 |
| 20120121154 | Xue et al. | May 2012 | A1 |
| 20120124426 | Maybee et al. | May 2012 | A1 |
| 20120145066 | King | Jun 2012 | A1 |
| 20120174186 | Aziz et al. | Jul 2012 | A1 |
| 20120174196 | Bhogavilli et al. | Jul 2012 | A1 |
| 20120174218 | McCoy et al. | Jul 2012 | A1 |
| 20120198279 | Schroeder | Aug 2012 | A1 |
| 20120210423 | Friedrichs et al. | Aug 2012 | A1 |
| 20120222121 | Staniford et al. | Aug 2012 | A1 |
| 20120255015 | Sahita et al. | Oct 2012 | A1 |
| 20120255017 | Sallam | Oct 2012 | A1 |
| 20120260342 | Dube et al. | Oct 2012 | A1 |
| 20120266244 | Green et al. | Oct 2012 | A1 |
| 20120278886 | Luna | Nov 2012 | A1 |
| 20120297489 | Dequevy | Nov 2012 | A1 |
| 20120330801 | McDougal et al. | Dec 2012 | A1 |
| 20120331553 | Aziz et al. | Dec 2012 | A1 |
| 20130014259 | Gribble et al. | Jan 2013 | A1 |
| 20130036472 | Aziz | Feb 2013 | A1 |
| 20130047257 | Aziz | Feb 2013 | A1 |
| 20130074185 | McDougal | Mar 2013 | A1 |
| 20130086684 | Mohler | Apr 2013 | A1 |
| 20130097699 | Balupari | Apr 2013 | A1 |
| 20130097706 | Titonis et al. | Apr 2013 | A1 |
| 20130111587 | Goel et al. | May 2013 | A1 |
| 20130117852 | Stute | May 2013 | A1 |
| 20130117855 | Kim et al. | May 2013 | A1 |
| 20130139264 | Brinkley et al. | May 2013 | A1 |
| 20130145471 | Richard | Jun 2013 | A1 |
| 20130160125 | Likhachev et al. | Jun 2013 | A1 |
| 20130160127 | Jeong et al. | Jun 2013 | A1 |
| 20130160130 | Mendelev et al. | Jun 2013 | A1 |
| 20130160131 | Madou et al. | Jun 2013 | A1 |
| 20130167236 | Sick | Jun 2013 | A1 |
| 20130174214 | Duncan | Jul 2013 | A1 |
| 20130185789 | Hagiwara et al. | Jul 2013 | A1 |
| 20130185795 | Winn et al. | Jul 2013 | A1 |
| 20130185798 | Saunders et al. | Jul 2013 | A1 |
| 20130191915 | Antonakakis et al. | Jul 2013 | A1 |
| 20130196649 | Paddon et al. | Aug 2013 | A1 |
| 20130227691 | Aziz et al. | Aug 2013 | A1 |
| 20130246370 | Bartram et al. | Sep 2013 | A1 |
| 20130247186 | LeMasters | Sep 2013 | A1 |
| 20130263260 | Mahaffey et al. | Oct 2013 | A1 |
| 20130291109 | Staniford et al. | Oct 2013 | A1 |
| 20130298243 | Kumar et al. | Nov 2013 | A1 |
| 20130318038 | Shifter et al. | Nov 2013 | A1 |
| 20130318073 | Shifter et al. | Nov 2013 | A1 |
| 20130325791 | Shifter et al. | Dec 2013 | A1 |
| 20130325792 | Shifter et al. | Dec 2013 | A1 |
| 20130325871 | Shifter et al. | Dec 2013 | A1 |
| 20130325872 | Shifter et al. | Dec 2013 | A1 |
| 20140032875 | Butler | Jan 2014 | A1 |
| 20140053260 | Gupta et al. | Feb 2014 | A1 |
| 20140053261 | Gupta et al. | Feb 2014 | A1 |
| 20140130158 | Wang et al. | May 2014 | A1 |
| 20140137180 | Lukacs et al. | May 2014 | A1 |
| 20140169762 | Ryu | Jun 2014 | A1 |
| 20140179360 | Jackson et al. | Jun 2014 | A1 |
| 20140181131 | Ross | Jun 2014 | A1 |
| 20140189687 | Jung et al. | Jul 2014 | A1 |
| 20140189866 | Shiffer et al. | Jul 2014 | A1 |
| 20140189882 | Jung et al. | Jul 2014 | A1 |
| 20140237600 | Silberman et al. | Aug 2014 | A1 |
| 20140280245 | Wilson | Sep 2014 | A1 |
| 20140283037 | Sikorski et al. | Sep 2014 | A1 |
| 20140283063 | Thompson et al. | Sep 2014 | A1 |
| 20140328204 | Klotsche et al. | Nov 2014 | A1 |
| 20140337836 | Ismael | Nov 2014 | A1 |
| 20140344926 | Cunningham et al. | Nov 2014 | A1 |
| 20140351935 | Shao et al. | Nov 2014 | A1 |
| 20140380473 | Bu et al. | Dec 2014 | A1 |
| 20140380474 | Paithane et al. | Dec 2014 | A1 |
| 20150007312 | Pidathala et al. | Jan 2015 | A1 |
| 20150096022 | Vincent et al. | Apr 2015 | A1 |
| 20150096023 | Mesdaq et al. | Apr 2015 | A1 |
| 20150096024 | Haq et al. | Apr 2015 | A1 |
| 20150096025 | Ismael | Apr 2015 | A1 |
| 20150180886 | Staniford et al. | Jun 2015 | A1 |
| 20150186645 | Aziz et al. | Jul 2015 | A1 |
| 20150220735 | Paithane et al. | Aug 2015 | A1 |
| 20150372980 | Eyada | Dec 2015 | A1 |
| 20160044000 | Cunningham | Feb 2016 | A1 |
| 20160127393 | Aziz et al. | May 2016 | A1 |
| Number | Date | Country |
|---|---|---|
| 2439806 | Jan 2008 | GB |
| 2490431 | Oct 2012 | GB |
| 0223805 | Mar 2002 | WO |
| 02006928 | Aug 2003 | WO |
| 200717636 | Oct 2007 | WO |
| 2008041950 | Apr 2008 | WO |
| 2011084431 | Jul 2011 | WO |
| 2011112348 | Sep 2011 | WO |
| 2012075336 | Jun 2012 | WO |
| 2012145066 | Oct 2012 | WO |
| 2013067505 | May 2013 | WO |
| Entry |
|---|
| Leading Colleges Select FireEye to Stop Malware-Related Data Breaches, FireEye Inc., 2009. |
| Simon Heron, Technologies for Spam Detection, Network Security (Year: 2009). |
| “Network Security: NetDetector—Network Intrusion Forensic System (NIFS) Whitepaper”, (“NetDetector Whitepaper”), (2003). |
| “Packet”, Microsoft Computer Dictionary, Microsoft Press, (Mar. 2002), 1 page. |
| “When Virtual is Better Than Real”, IEEEXplore Digital Library, available at, http://ieeexplore.ieee.org/xpl/articleDetails.isp?reload=true&arnumbe- r=990073, (Dec. 7, 2013). |
| Abdullah, et al., Visualizing Network Data for Intrusion Detection, 2005 IEEE Workshop on Information Assurance and Security, pp. 100-108. |
| Adetoye, Adedayo , et al., “Network Intrusion Detection & Response System”, (“Adetoye”), (Sep. 2003). |
| AltaVista Advanced Search Results. “attack vector identifier”. Http://www.altavista.com/web/results?Itag=ody&pg=aq&aqmode=aqa=Event+Orch- estrator . . . , (Accessed on Sep. 15, 2009). |
| AltaVista Advanced Search Results. “Event Orchestrator”. Http://www.altavista.com/web/results?Itag=ody&pg=aq&aqmode=aqa=Event+Orch- esrator . . . , (Accessed on Sep. 3, 2009). |
| Apostolopoulos, George; hassapis, Constantinos; “V-eM: A cluster of Virtual Machines for Robust, Detailed, and High-Performance Network Emulation”, 14th IEEE International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems, Sep. 11-14, 2006, pp. 117-126. |
| Aura, Tuomas, “Scanning electronic documents for personally identifiable information”, Proceedings of the 5th ACM workshop on Privacy in electronic society. ACM, 2006. |
| Baecher, “The Nepenthes Platform: An Efficient Approach to collect Malware”, Springer-verlag Berlin Heidelberg, (2006), pp. 165-184. |
| Baldi, Mario; Risso, Fulvio; “A Framework for Rapid Development and Portable Execution of Packet-Handling Applications”, 5th IEEE International Symposium Processing and Information Technology, Dec. 21, 2005, pp. 233-238. |
| Bayer, et al., “Dynamic Analysis of Malicious Code”, J Comput Virol, Springer-Verlag, France., (2006), pp. 67-77. |
| Boubalos, Chris , “extracting syslog data out of raw pcap dumps, seclists.org, Honeypots mailing list archives”, available at http://seclists.org/honeypots/2003/q2/319 (“Boubalos”), (Jun. 5, 2003). |
| Chaudet, C. , et al., “Optimal Positioning of Active and Passive Monitoring Devices”, International Conference on Emerging Networking Experiments and Technologies, Proceedings of the 2005 ACM Conference on Emerging Network Experiment and Technology, CoNEXT '05, Toulousse, France, (Oct. 2005), pp. 71-82. |
| Chen, P. M. and Noble, B. D., “When Virtual is Better Than Real, Department of Electrical Engineering and Computer Science”, University of Michigan (“Chen”) (2001). |
| Cisco “Intrusion Prevention for the Cisco ASA 5500-x Series” Data Sheet (2012). |
| Cisco, Configuring the Catalyst Switched Port Analyzer (SPAN) (“Cisco”), (1992-2003). |
| Clark, John, Sylvian Leblanc,and Scott Knight. “Risks associated with usb hardware trojan devices used by insiders.” Systems Conference (SysCon), 2011 IEEE International. IEEE, 2011. |
| Cohen, M.I. , “PyFlag—An advanced network forensic framework”, Digital investigation 5, Elsevier, (2008), pp. S112-S120. |
| Costa, M. , et al., “Vigilante: End-to-End Containment of Internet Worms”, SOSP '05, Association for Computing Machinery, Inc., Brighton U.K., (Oct. 23-26, 2005). |
| Crandall, J.R. , et al., “Minos:Control Data Attack Prevention Orthogonal to Memory Model”, 37th International Symposium on Microarchitecture, Portland, Oregon, (Dec. 2004). |
| Deutsch, P. , “Zlib compressed data format specification version 3.3” RFC 1950, (1996). |
| Distler, “Malware Analysis: An Introduction”, SANS Institute InfoSec Reading Room, SANS Institute, (2007). |
| Dunlap, George W. , et al., “ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay”, Proceeding of the 5th Symposium on Operating Systems Design and Implementation, USENIX Association, (“Dunlap”), (Dec. 9, 2002). |
| Excerpt regarding First Printing Date for Merike Kaeo, Designing Network Security (“Kaeo”), (2005). |
| Filiol, Eric , et al., “Combinatorial Optimisation of Worm Propagation on an Unknown Network”, International Journal of Computer Science 2.2 (2007). |
| FireEye Malware Analysis & Exchange Network, Malware Protection System, FireEye Inc., 2010. |
| FireEye Malware Analysis, Modern Malware Forensics, FireEye Inc., 2010. |
| FireEye v.6.0 Security Target, pp. 1-35, Version 1.1, FireEye Inc., May 2011. |
| Gibler, Clint, et al. AndroidLeaks: automatically detecting potential privacy leaks in android applications on a large scale. Springer Berlin Heidelberg, 2012. |
| Goel, et al., Reconstructing System State for Intrusion Analysis, Apr. 2008 SIGOPS Operating Systems Review, vol. 42 Issue 3, pp. 21-28. |
| Gregg Keizer: “Microsoft's HoneyMonkeys Show Patching Windows Works”, Aug. 8, 2005, XP055143386, Retrieved from the Internet: URL:http://www.informationweek.com/microsofts-honeymonkeys-show-patching-windows-works/d/d-id/1035069? [retrieved on Jun. 1, 2016]. |
| Heng Yin et al, Panorama: Capturing System-Wide Information Flow for Malware Detection and Analysis, Research Showcase @ CMU, Carnegie Mellon University, 2007. |
| Hjelmvik, Erik , “Passive Network Security Analysis with NetworkMiner”, (IN)Secure, Issue 18, (Oct. 2008), pp. 1-100. |
| Idika et al., A-Survey-of-Malware-Detection-Techniques, Feb. 2, 2007, Department of Computer Science, Purdue University. |
| IEEE Xplore Digital Library Sear Results for “detection of unknown computer worms”. Http//ieeexplore.ieee.org/searchresult.jsp?SortField=Score&SortOrder=desc- &ResultC . . . , (Accessed on Aug. 28, 2009). |
| Isohara, Takamasa, Keisuke Takemori, and Ayumu Kubota. “Kernel-based behavior analysis for android malware detection.” Computational intelligence and Security (CIS), 2011 Seventh International Conference on. IEEE, 2011. |
| Kaeo, Merike , “Designing Network Security”, (“Kaeo”), (Nov. 2003). |
| Kevin A Roundy et al: “Hybrid Analysis and Control of Malware”, Sep. 15, 2010, Recent Advances in Intrusion Detection, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 317-338, XP019150454 ISBN:978-3-642-15511-6. |
| Kim, H., et al., “Autograph: Toward Automated, Distributed Worm Signature Detection”, Proceedings of the 13th Usenix Security Symposium (Security 2004), San Diego, (Aug. 2004), pp. 271-286. |
| King, Samuel T., et al., “Operating System Support for Virtual Machines”, (“King”) (2003). |
| Krasnyansky, Max , et al., Universal TUN/TAP driver, available at https://www.kernel.org/doc/Documentation/networking/tuntap.txt (2002) (“Krasnyansky”). |
| Kreibich, C. , et al., “Honeycomb-Creating Intrusion Detection Signatures Using Honeypots”, 2nd Workshop on Hot Topics in Networks (HotNets-11), Boston, USA, (2003). |
| Kristoff, J. , “Botnets, Detection and Mitigation: DNS-Based Techniques”, NU Security Day, (2005), 23 pages. |
| Li et al., A VMM-Based System Call Interposition Framework for Program Monitoring, Dec. 2010, IEEE 16th International Conference on Parallel and Distributed Systems, pp. 706-711. |
| Liljenstam, Michael , et al., “Simulating Realistic Network Traffic for Worm Warning System Design and Testing”, Institute for Security Technology studies, Dartmouth College (“Liljenstam”), (Oct. 27, 2003). |
| Lindorfer, Martina, Clemens Kolbitsch, and Paolo Milani Comparetti. “Detecting environment-sensitive malware.” Recent Advances in Intrusion Detection. Springer Berlin Heidelberg, 2011. |
| Lok Kwong et al: “DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis”, Aug. 10, 2012, XP055158513, Retrieved from the Internet: URL:https://www.usenix.org/system/files/conference/usenixsecurity12/sec12- -final107.pdf [retrieved on Dec. 15, 2014]. |
| Marchette, David J., “Computer Intrusion Detection and Network Monitoring: A Statistical Viewpoint”, (“Marchette”), (2001). |
| Margolis, P.E. , “Random House Webster's ‘Computer & Internet Dictionary 3rd Edition’”, ISBN 0375703519, (Dec. 1998). |
| Moore, D. , et al., “Internet Quarantine: Requirements for Containing Self-Propagating Code”, INFOCOM, vol. 3, (Mar. 30-Apr. 3, 2003), pp. 1901-1910. |
| Morales, Jose A., et al., ““Analyzing and exploiting network behaviors of malware.””, Security and Privacy in Communication Networks. Springer Berlin Heidelberg, 2010. 20-34. |
| Mori, Detecting Unknown Computer Viruses, 2004, Springer-Verlag Berlin Heidelberg. |
| Natvig, Kurt , “SANDBOXII: Internet”, Virus Bulletin Conference, (“Natvig”), (Sep. 2002). |
| NetBIOS Working Group. Protocol Standard for a NetBIOS Service on a TCP/UDP transport: Concepts and Methods. STD 19, RFC 1001, Mar. 1987. |
| Newsome, J. , et al., “Dynamic Taint Analysis for Automatic etection, Analysis, and Signature Generation of Exploits on Commodity Software”, In Proceedings of the 12th Annual Network and Distributed System Security, Symposium (NDSS '05), (Feb. 2005). |
| Newsome, J. , et al., “Polygraph: Automatically Generating Signatures for Polymorphic Worms”, In Proceedings of the IEEE Symposium on Security and Privacy, (May 2005). |
| Nojiri, D. , et al., “Cooperation Response Strategies for Large Scale Attack Mitigation”, DARPA Information Survivability Conference and Exposition, vol. 1, (Apr. 22-24, 2003), pp. 293-302. |
| Oberheide et al., CloudAV.sub.--N-Version Antivirus in the Network Cloud, 17th USENIX Security Symposium USENIX Security '08 Jul. 28-Aug. 1, 2008 San Jose, CA. |
| Reiner Sailer, Enriquillo Valdez, Trent Jaeger, Roonald Perez, Leendert van Doom, John Linwood Griffin, Stefan Berger., sHype: Secure Hypervisor Appraoch to Trusted Virtualized Systems (Feb. 2, 2005) (“Sailer”). |
| Silicon Defense, “Worm Containment in the Internal Network”, (Mar. 2003), pp. 1-25. |
| Singh, S. , et al., “Automated Worm Fingerprinting”, Proceedings of the ACM/USENIX Symposium on Operating System Design and Implementation, San Francisco, California, (Dec. 2004). |
| Spitzner, Lance , “Honeypots: Tracking Hackers”, (“Spizner”), (Sep. 17, 2002). |
| The Sniffers's Guide to Raw Traffic available at: yuba.stanford.edu/.about.casado/pcap/section1.html, (Jan. 6, 2014). |
| Thomas H. Ptacek, and Timothy N. Newsham , “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”, Secure Networks, (“Ptacek”), (Jan. 1998). |
| U.S. Appl. No. 13/830,573, filed Mar. 14, 2013 Final Office Action dated Jul. 15, 2015. |
| U.S. Appl. No. 13/830,573, filed Mar. 14, 2013 Non-Final Office Action dated Dec. 17, 2015. |
| U.S. Appl. No. 13/830,573, filed Mar. 14, 2013 Non-Final Office Action dated Dec. 31, 2014. |
| U.S. Pat. No. 8,171,553 filed Apr. 20, 2006, Inter Parties Review Decision dated Jul. 10, 2015. |
| U.S. Pat. No. 8,291,499 filed Mar. 16, 2012, Inter Parties Review Decision dated Jul. 10, 2015. |
| Venezia, Paul , “NetDetector Captures Intrusions”, InfoWorld Issue 27, (“Venezia”), (Jul. 14, 2003). |
| Wahid et al., Characterising the Evolution in Scanning Activity of Suspicious Hosts, Oct. 2009, Third International Conference on Network and System Security, pp. 344-350. |
| Wthyte, et al., “DNS-Based Detection of Scanning Works in an Enterprise Network”, Proceedings of the 12th Annual Network and Distributed System Security Symposium, (Feb. 2005), 15 pages. |
| Williamson, Matthew M., “Throttling Viruses: Restricting Propagation to Defeat Malicious Mobile Code”, ACSAC Conference, Las Vegas, NV, USA, (Dec. 2002), pp. 1-9. |
| Yuhei Kawakoya et al: “Memory behavior-based automatic malware unpacking in stealth debugging environment”, Malicious and Unwanted Software (Malware), 2010 5th International Conference on, IEEE, Piscataway, NJ, USA, Oct. 19, 2010, pp. 39-46, XP031833827, ISBN:978-1-4244-8-9353-1. |
| Zhang et al., The Effects of Threading, Infection Time, and Multiple-Attacker Collaboration on Malware Propagation, Sep. 2009, IEEE 28th International Symposium on Reliable Distributed Systems, pp. 73-82. |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 13830573 | Mar 2013 | US |
| Child | 15250770 | US |
