Exploit detection of malware and malware families

Information

  • Patent Grant
  • 9773112
  • Patent Number
    9,773,112
  • Date Filed
    Monday, September 29, 2014
    10 years ago
  • Date Issued
    Tuesday, September 26, 2017
    7 years ago
Abstract
According to one embodiment, a computerized method comprises, accessing information associated with one or more observed events, wherein one or more of the observed events constitutes an anomalous behavior; accessing a reference model based on a first plurality of events, the reference model comprises a first event of the first plurality of events, a second event of the first plurality of events and a relationship that identifies that the second event of the first plurality of events is based on the first event of the first plurality of events, wherein at least one of the first event and the second event constitutes an anomalous behavior; and comparing the information associated with the one or more observed events with the reference model to determine whether at least one observed event of the one or more observed events matches at least one of the first event of the first plurality of events or the second event of the first plurality of events that constitutes the anomalous behavior is provided.
Description
FIELD

Embodiments of the disclosure relate to the field of cyber security. More specifically, embodiments of the disclosure relate to a system for detecting malware and/or exploits through the comparison of incoming data with reference models describing known instances of malicious behavior.


GENERAL BACKGROUND

Over the last decade, malicious software has become a pervasive problem for Internet users as many networked resources include vulnerabilities that are subject to cyber-attacks. For instance, over the past few years, more and more vulnerabilities are being discovered in software that is loaded onto endpoint devices present on the network, such as vulnerabilities within operating systems for example. These vulnerabilities may be exploited by a person allowing the person to gain access to one or more areas within the network not typically accessible. For example, a person may exploit a vulnerability to gain unauthorized access to email accounts and/or data files.


While some vulnerabilities continue to be addressed through software patches, prior to the release of such software patches, network devices will continue to be targeted for cyber-attacks, for example, by exploits, namely malicious computer code that attempts to acquire sensitive information or adversely influence or attack normal operations of the network device or the entire enterprise network by taking advantage of a vulnerability in computer software.


Currently, a threat detection system observes suspicious or malicious exploits and presents the information regarding the exploits in a list format. While the list format may provide security personnel information directed to uncovered exploits or other detected malicious actions, it fails to identify any relationships between the exploits that would allow security personnel to better understand potential effects, both detected and undetected, caused by the malicious exploit.


In addition, current systems fail to generate reference models based on observed exploits, malicious behaviors, anomalous behaviors (e.g., deviating from typical or expected behavior) or the like for comparison against events observed at a later time.





BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the invention are illustrated by way of example and not by way of limitation in the figures of the accompanying drawings, in which like references indicate similar elements and in which:



FIG. 1 a flowchart illustrating an exemplary method for generating a reference model and the applications that may be performed by a malware detection and visualization system (MDVS) using the generated reference model.



FIG. 2 is a block diagram of an exemplary malware detection and visualization system (MDVS) 200 coupled to a network 240.



FIG. 3 is an exemplary embodiment of a logical representation of the MDVS of FIG. 2.



FIG. 4 is an exemplary portion of data received by the event log engine 230 expressed in eXtensible Markup Language (XML).



FIG. 5 is an exemplary portion of data generated by either the reference model generating logic 215 or the machine learning logic 211 expressed in XML.



FIG. 6 is an exemplary illustration of a comparison of a reference model of an association of known malicious events with an association of potentially malicious observed events.



FIGS. 7A-7D are exemplary diagrams illustrating the exploit detection process performed by the matching logic 213 comparing an association of potentially malicious observed events with a reference model of known malicious events.



FIG. 8 is an exemplary illustration of a comparison 800 of reference models 820 and 821 with an association of potentially malicious observed events.



FIG. 9 is an exemplary illustration of a process of generating a malware family reference model.



FIG. 10 is an exemplary embodiment of an interactive display screen for display of associated events and/or particulars of the associated events used in generating the interactive display screens of FIGS. 12-14B.



FIG. 11 is an exemplary portion of data generated by either the reference model generating logic 215 or the machine learning logic 211 expressed in XML.



FIG. 12 is an exemplary illustration of a first embodiment of an interactive display screen for display of associated events and particulars of the associated events.



FIG. 13 is an exemplary illustration of a detailed embodiment of the interactive display screen of FIG. 12.



FIG. 14A is an exemplary illustration of a portion of an interactive display screen for enabling a viewer to generate a signature of a selected event, display particulars of the selected event and/or generate an alert for a selected event.



FIG. 14B is an exemplary illustration of a second embodiment of an interactive display screen for enabling a viewer to generate a signature of a selected event.



FIG. 15 is an exemplary portion of the generated signature (corresponding to the selected section in FIG. 14B) expressed in XML.





DETAILED DESCRIPTION

Various embodiments of the disclosure relate to a malware detection and visualization system that improves exploit detection and/or visual representation of the detection of suspected malware. The malware detection and visualization system includes a machine learning engine that generates reference models used in exploit detection as well as interactive display screen information based on data transmitted to the malware detection and visualization system from one or more endpoint devices, one or more threat detection systems and/or cloud computing services. The generated reference models may be combined to generate malware family reference models allowing the malware detection and visualization system to compare observed events on the network to particularized malware threats in the form of malware affecting a specific file type or malware detected in a common location (e.g., email). Alternatively, a comparison with several reference models or with a large malware family reference model may provide detection against a large range of malware threats. The malware detection and visualization system may take the form of a security appliance or security cloud service, for example. Alternatively, an electronic device may be configured with software, hardware or firmware that includes a malware detection and visualization system. The malware detection and visualization system may be implemented in real-time (e.g., as incoming data is being processed) or as a forensic investigative tool (e.g., after the incoming data has been processed to determine the root cause of a malware exploited has been executed).


The malware detection and visualization system also includes a user interface rendering subsystem that generates interactive display screens from the interactive display screen information and allows security personnel to select displayed malicious events in order to acquire additional information concerning such events as well as generate an alert or a (malware) signature that may be used for subsequent detection of malware associated with these malicious events. The interactive display screens provide a network administrator with a visual representation that compares a reference model of events (e.g., known exploits) and the relationships connecting the events with a group of potentially malicious events and their relationships to one another. The group of potentially malicious events may be derived from observations of endpoint devices, threat detection systems and/or cloud computing services connected to the malware detection and visualization system over a network.


Specifically, in one embodiment, the visual representation allows a viewer to convert a list of events into a nodal diagram in either a top-down representation or a left-to-right representation. The nodal diagrams may enable a view, such as network security personnel, to see how each event relates to one another, if at all. Furthermore, the nodal diagrams provide the visual representation necessary for a viewer to select one or more events, referred to herein as a “grouping” of events, to generate a signature or alert. The signature of a grouping of events may be used as a reference model to check for a particular sequence of events in data received in the future or added to an existing reference model. The alert may be used to notify the network administrator of the observation of a grouping of events that typically implies malicious activity on the network thereby allowing prevention actions to be taken to guard against the malicious activity.


Embodiments of the invention may be employed by or take the form of a network device or apparatus implementing a malware detection and visualization system (MDVS), where the malware detection and visualization system includes a machine learning engine for analyzing data received by the MDVS. The data may include information regarding the observation of events by a server or client device or other system (called an “endpoint”), a threat detection systems (TDS) and/or a cloud computing service. In some embodiments, the observations of events may take place while an endpoint device is operating in real-time or the observations may take place while incoming data is being processed in one or more virtual machines. Examples of incoming data may include, but are not limited or restricted to, network traffic, static files containing structured or unstructured data maintained locally or on a peripheral device and/or executable files. According to one embodiment of the disclosure, an endpoint device, TDS or cloud computing service transmits data regarding an observation of one or more events and/or relationships when an anomalous characteristic of incoming data is observed and thus indicative of an exploit. If so, one or more portions of data may be labeled “suspicious.” Throughout the specification, claims and figures, the term “network traffic” will be used in the discussion but any form of incoming data may be substituted.


A TDS may perform static and/or dynamic analyses on incoming data (e.g., network traffic) to determine whether an object of the incoming data is suspicious or malicious. An illustrative example of the static and dynamic analyses is illustrated in the threat detection and prevention (TDP) system in a prior U.S. patent application entitled “System, Apparatus and Method for Automatically Verifying Exploits Within Suspect Objects and Highlighting the Display Information Associated with the Verified Exploits,” U.S. patent application Ser. No. 14/228,073 filed Mar. 27, 2014, the contents of which are incorporated by reference.


In particular, the machine learning engine may be activated automatically in response to an alert condition that signifies detection of a malicious event by an endpoint device, a TDS and/or a cloud computing service within the network. Alternatively, the machine learning engine may be activated in accordance with a time-based schedule or manually by a user such as security personnel. For instance, the machine learning engine may be activated manually upon selecting a particular visual representation associated with the observance of a malicious event, where one or more events may be concurrently presented on an interactive display screen, and then subsequently selecting a prescribed item on the display screen (e.g., “exploit visualization” button or “timeline visualization” button).


After activation, the machine learning engine may be adapted to obtain received data from a machine learning data store and/or event log, where the received data may include metadata associated with malicious events detected by one or more endpoint devices, TDSes and/or a cloud computing service. The machine learning engine generates a visual representation in the form of a nodal diagram illustrating a potential malware infection, where each node or relationship included in the nodal diagram represents an action, operation, file, process, etc. associated with an anomalous event or relationship. This provides a network administrator with one or more displays directed to the sequence of events to identify which network device(s) and or file(s) within the network may have been infected by the anomalous event. For example, the anomalous event may be an atypical, but non-malicious, operation or relationship; alternatively, the anomalous event may be realized as a malicious event or relationship.


In the nodal diagrams, each event may be selected to display additional information, including, any or all of the following metadata directed to the observance of the selected event: (1) time and date of observance; (2) address information such as the path within the file system in which the affected file is located; (3) process identification of the affected process (if applicable); (4) the particulars of the particular electronic device or cloud computing service that detected the event; and/or (5) the relationship to one or more events associated with the selected event.


I. Terminology


In the following description, certain terminology is used to describe features of the invention. For example, in certain situations, both terms “logic” and “engine” are representative of hardware, firmware and/or software that is configured to perform one or more functions. As hardware, logic (or engine) may include circuitry having data processing or storage functionality. Examples of such circuitry may include, but are not limited or restricted to a microprocessor, one or more processor cores, a programmable gate array, a microcontroller, a controller, an application specific integrated circuit, wireless receiver, transmitter and/or transceiver circuitry, semiconductor memory, or combinatorial logic.


Logic (or engine) may be software in the form of one or more software modules, such as executable code in the form of an executable application, an application programming interface (API), a subroutine, a function, a procedure, an applet, a servlet, a routine, source code, object code, a shared library/dynamic load library, or one or more instructions. These software modules may be stored in any type of a suitable non-transitory storage medium, or transitory storage medium (e.g., electrical, optical, acoustical or other form of propagated signals such as carrier waves, infrared signals, or digital signals). Examples of non-transitory storage medium may include, but are not limited or restricted to a programmable circuit; a semiconductor memory; non-persistent storage such as volatile memory (e.g., any type of random access memory “RAM”); persistent storage such as non-volatile memory (e.g., read-only memory “ROM”, power-backed RAM, flash memory, phase-change memory, etc.), a solid-state drive, hard disk drive, an optical disc drive, or a portable memory device. As firmware, the executable code is stored in persistent storage.


An “exploit” may be construed broadly as information (e.g., executable code, data, command(s), etc.) that attempts to take advantage of a vulnerability and/or an action by a person gaining unauthorized access to one or more areas of a network, a computer and/or an electronic device. Typically, a “vulnerability” is a coding error or artifact of software (e.g., computer program) that allows an attacker to alter legitimate control flow during processing of the software (computer program) by a network device, and thus, causes the network device to experience undesirable or anomalous behaviors. The undesired or anomalous behaviors may include a communication-based anomaly or an execution-based anomaly, which, for example, could (1) alter the functionality of an network device executing application software in an atypical manner (a file is opened by a first process where the file is configured to be opened by a second process and not the first process); (2) alter the functionality of the network device executing that application software without any malicious intent; and/or (3) provide unwanted functionality which may be generally acceptable in another context. To illustrate, a computer program may be considered as a state machine, where all valid states (and transitions between states) are managed and defined by the program, in which case an exploit may be viewed as seeking to alter one or more of the states (or transitions) from those defined by the program. The term “anomalous behavior” should be understood to include either (i) a first event that is an atypical occurrence or a malicious occurrence, or (ii) a relationship identifying that the first event is based on a second event, the relationship being an atypical relationship between the first and second event or a relationship between the first and second events that is malicious to the network, electronic device on which the relationship appears, or to one or more users of the electronic device or of the network.


According to one embodiment, malware may be construed broadly as computer code that executes an exploit to take advantage of a vulnerability, for example, to harm or co-opt operation of a network device or misappropriate, modify or delete data. Conventionally, malware is often said to be designed with malicious intent.


The term “transmission medium” is a physical or logical communication path between two or more network devices (e.g., any devices with data processing and network connectivity such as, for example, a security appliance, a server, a mainframe, a computer such as a desktop or laptop, netbook, tablet, firewall, smart phone, router, switch, bridge, etc.). For instance, the communication path may include wired and/or wireless segments. Examples of wired and/or wireless segments include electrical wiring, optical fiber, cable, bus trace, or a wireless channel using infrared, radio frequency (RF), or any other wired/wireless signaling mechanism.


The term “network device” should be construed as any electronic device with the capability of connecting to a network. Such a network may be a public network such as the Internet or a private network such as a wireless data telecommunication network, wide area network, a type of local area network (LAN), or a combination of networks. Examples of a network device may include, but are not limited or restricted to, a laptop, a mobile phone, a tablet, a computer, etc.


The term “computerized” generally represents that any corresponding operations are conducted by hardware in combination with software and/or firmware. Also, the terms “compare” or “comparison” generally mean determining if a match (e.g., a certain level of correlation) is achieved between two items where one of the items may include a particular signature pattern.


The term “signature” designates an indicator of a set of characteristics and/or behaviors exhibited by one or more exploits that may not be unique to those exploit(s). Thus, a match of the signature may indicate to some level of probability, often well less than 100%, that a portion of received data constitutes an exploit. In some contexts, those of skill in the art have used the term “signature” as a unique identifier or “fingerprint,” for example of a specific virus or virus family (or other exploit), which is generated for instance as a hash of its machine code, and that is a special sub-case for purposes of this disclosure.


The term “observed” indicates that an event or relationship has been detected with a prescribed level of confidence (or probability). A first event or relationship may be observed with a first confidence while a second event or relationship may be observed with a second confidence, the second confidence being lower or higher than the first confidence. Examples of an event may include, but are not limited or restricted to, a process (e.g., an executable file), a non-executable file (e.g., a text document or a registry file), a unique address or location (e.g., a particular website, Internet Protocol (IP) address, or file location).


The term “reference model” should be interpreted as an association of a plurality of events wherein each event is connected to another event and the association includes at least one anomalous behavior (e.g., anomalous event or relationship). For example, a reference model may include a process that (1) injects code into a file unexpectedly and (2) opens multiple files wherein the opening of the files constitutes anomalous behavior. Throughout the specification and claims, the terms “reference model” and “signature” will be used interchangeably.


The term “relationship” means the connection or association of a first event with a second event. Examples of a relationship may include, but are not limited or restricted to, an event: starting a process, terminating a process, modifying a file, generating a file, opening a file, closing a file, deleting a file, infecting a file and/or process, injecting code into file and/or process and/or generating a mutual exclusion (mutex) on a particular file, process, application, etc.


The term “particular” should be interpreted as a characteristic of an event. Examples of particulars include, but are not limited or restricted to, a process identification (PID), a process name, a file name, a process or file path (i.e., unique location on an electronic device), the date and/or time the event was observed and/or occurred, an application programming interface (API) call involved and/or a hash value of the one or more processes or files involved.


Lastly, the terms “or” and “and/or” as used herein are to be interpreted as inclusive or meaning any one or any combination. Therefore, “A, B or C” or “A, B and/or C” mean “any of the following: A; B; C; A and B; A and C; B and C; A, B and C.” An exception to this definition will occur only when a combination of elements, functions, steps or acts are in some way inherently mutually exclusive.


The invention may be utilized for displaying an interactive infection visualization detailing detection, verification and/or prioritization of malicious content. As this invention is susceptible to embodiments of many different forms, it is intended that the present disclosure is to be considered as an example of the principles of the invention and not intended to limit the invention to the specific embodiments shown and described.


II. Malware Detection and Visualization System


Referring to FIG. 1, a flowchart illustrating an exemplary method for generating a reference model and the applications that may be performed by a network device such as, for example, a malware detection and visualization system (MDVS), using the generated reference model is shown. In block 110, the MDVS receives data describing observed events from one or more sources connected to a network. The sources may include one or more endpoint devices, one or more threat detection systems (TDSes) and/or cloud computing services. The received data may provide one or more particulars of the observed events and/or describe relationships between the observed events.


At block 120, the MDVS generates a reference model based on, at least, the received data. The MDVS may use the generated reference to: (i) perform an exploit detection process by comparing data received from one or more sources at a later time to the generated reference model and provide exploit detection feedback to block 120, if applicable (block 130); (ii) generate a malware family reference model from a plurality of generated reference models or reference models received over the network (block 140); and/or (iii) generate one or more interactive display screens to aid in the detection and tracing of exploits and/or one or more anomalous behaviors and provide interactive display screen input to block 120, if applicable (block 150).


Referring to FIG. 2, a block diagram of an exemplary MDVS 200 coupled to a network 240 is shown. The network 240 provides communication connectivity between the MDVS 200 and one or more sources, wherein the sources may include one or more endpoint devices 2501-250N (where N=2 for this embodiment), one or more threat detection systems (TDSes) 2601-260M (where M=3 for this embodiment) and/or the cloud computing services 241. The sources are communicatively coupled to a management system 242, which is adapted to manage the one or more sources as well as the MDVS 200. For instance, the management system 242 may be configured to perform content updates (e.g., upload new rules or modified rules, delete rules, modify parameters that are utilized by the rules, upload metadata stored within other TDSes, or certain metadata associated with the one or more endpoint devices 2501 and/or 2502) within the one or more endpoint devices 1501 and 1502 and/or within the one or more TDSes 2601-2603.


As shown in FIG. 2, the MDVS 200 is an electronic device that is adapted to analyze information associated with a plurality of events observed at one or more sources (the endpoint devices 2501 and 2502, the TDSes 2601-2603 and/or the cloud computing services 241). The MDVS 200 receives data of the observed events and the particulars of the events over the network 240. The network 240 may include a public network such as the Internet, a private network such as a wireless data telecommunication network, wide area network, a type of local area network (LAN), or a combination of networks.


In general, the endpoint devices 2501 and 2502 may observe one or more events during operation of the device and transmit a log of the events along with particulars of the events to the MDVS 200. In addition, the TDSes 2601-2603 may observe one or more events while processing, for instance in one or more virtual machines, one or more portions of data received over the network 240. The TDSes 2601-2603 may then transmit a log containing the events and their particulars to the MDVS 200. The management system 242 controls the transmission of the event logs by the endpoint devices 2501 and 2502 and/or the TDSes 2601-2603. For example, the management system 242 may transmit notifications to the endpoint devices 2501 and 2502 and/or the TDSes 2601-2603 instructing the sources that the event logs should be transmitted to the MDVS 200.


As illustrated in FIG. 2, the MDVS 200 includes a machine learning engine 210, a user interface (UI) rendering subsystem 220 and an event log engine 230. Herein, the machine learning engine 210 may include a machine learning logic 211, a machine learning data store 214, a gathering logic 212, a matching logic 213, and a reference model generation logic 215. The UI rendering subsystem 220 may include a display generation logic 221 and a UI logic 222. The event log engine may include an event log control logic 231 and an event log 232.


In one embodiment, the event log control logic 231 is responsible for receiving data associated with a malicious event that may be detected at and transmitted by the one or more sources over the network 240. Upon receiving the data, the event log control logic 231 may categorize the event and any associated events included in the data, for example, according to the type of event (e.g., executable file, text file, registry file, etc.). The data associated with a malicious event includes the particulars of the malicious event and the particulars of any observed events associated with the malicious event. The event log control logic 231 further adds the particulars of each observed event to the event log 232. Therefore, the MDVS 200 is able to easily access the event particulars in a sorted manner when generating an interactive display screen.


In a second embodiment wherein the MDVS 200 is deployed within an endpoint device 2501, the event log control logic 231 is also responsible for observing the events at the endpoint device on which the MDVS 200 is deployed and for adding data associated with an observed malicious event to the event log 232 as well.


The machine learning logic 211 is responsible for analyzing the data associated with the observed events. The gathering logic 212 of the machine learning logic 211 may query the event log 232 to obtain the one or more portions of the data. The matching logic 213 of the machine learning logic 211 may analyze the one or more portions of the data to generate associations of one or more events based on the particulars of the events. For instance, the machine learning logic 211 may realize a first process (e.g., a parent process) launched several secondary processes (e.g., child processes) and that the child processes subsequently modified one or more files. In addition, the machine learning logic 211 may perform a comparison between the above-referenced realization and one or more reference models formed by events and relationships where one of these events or relationships may be characterized as a known anomalous behavior. Furthermore, the reference model generation logic 215 of the machine learning logic 211 may generate reference models of malware families from the data stored in the event log 232 and data stored in the machine learning data store 214 (the generation of reference models of malware families will be described in detail below). The machine learning logic 211 also generates the interactive display screen information based on the data in the machine learning data store 214 and the event log 232. In one embodiment, the generated reference models of malware families and the interactive display screen information may be expressed in eXtensible Markup Language (XML) and stored in the machine learning data store 214 (as will be discussed below with FIGS. 4 and 5).


The machine learning data store 214 stores the reference models generated by the machine learning logic 211 or received over the network 240 if applicable. For example, an MDVS may be deployed within an endpoint device 2501 and/or 2502, within one or more TDSes 2601-2603, or within the cloud computing services 241. In that such an embodiment, the MDVS 200 may receive one or more reference models generated by the MDVS deployed within the endpoint device 2501. The machine learning data store 214 also stores interactive display screens generated by the machine learning logic 211. In the embodiment wherein an MDVS is deployed within the endpoint device 2501, the data received over the network may include previously generated reference models and/or interactive display screen information. The MDVS 200 may adopt such data without modification or analyze such data to generate its own reference models and/or interactive display screen data in combination with previously received data.


The display generation logic 221 is responsible for displaying the interactive display screens generated from the interactive display screen information generated by the machine learning logic 211. When a request to display an interactive display screen is received by the MDVS 200, the user interface logic 222 notifies the machine learning logic 211. The machine learning logic 211 then queries the machine learning data store 214 and the event log 232 for the appropriate data (e.g., data pertaining to the relevant event(s)) and generates the interactive display screen information. The machine learning logic 211 may transmit the interactive display screen information to the display generation logic 221 or the display generation logic 221 may query the machine learning data store 214 to obtain the interactive display screen information. Upon obtaining the interactive display screen information, the display generation logic 221 generates the physical display screen that illustrates the association of one or more anomalous events and/or a comparison of one or more reference models of events that constitute known anomalous behaviors with an association of one or more observed events. In some embodiments, the display screen may contain the particulars of the events.


The UI logic 222 is responsible for receiving requests for the generation of an interactive display screen, requests to display particulars of an event and/or requests to generate signatures (e.g., reference models).



FIG. 2 also illustrates optional reference model generators 2431-2432 attached to sources connected to the network 240. The reference model generator 2431 may be connected to (or part of) the TDS 2602. The reference model generator 2431 may generate one or more reference models based on network traffic analyzed by the TDS 2602. The one or more reference models may be transmitted to the MDVS 200 through the network 240 and stored in either the event log 232 or the machine learning data store 214. Similarly, the reference model generator 2432 may generate reference models based on data supplied to the management system from a network administrator and/or one or more sources, for example, the endpoint devices 2501 and/or 2502, one or more TDSes 2601-2603 and/or the cloud computing services 241. The generated reference models may be transmitted to the MDVS 200 through the network 240 and stored in either the event log 232 or the machine learning data store 214.


Referring to FIG. 3, an exemplary embodiment of a logical representation of the MDVS of FIG. 2 is shown. The MDVS 200 includes one or more processors 300 that are coupled to communication interface logic 301 via a first transmission medium 320. Communication interface 301 enables communications with endpoint devices 2501 and/or 2502, one or more TDSes 2601-2603, the cloud computing services 241 and/or the management system 242 of FIG. 2. According to one embodiment, communication interface 301 may be implemented as a physical interface including one or more ports for wired connectors. Additionally, or in the alternative, communication interface logic 301 may be implemented with one or more radio units for supporting wireless communications with other electronic devices.


The processor(s) 300 is further coupled to the persistent storage 310 via transmission medium 325. According to one embodiment of the disclosure, persistent storage 310 may include (a) the machine learning engine 210, including the machine learning logic 211 and/or the machine learning data store 214; (b) the UI rendering subsystem 220 that includes the display generation logic 221 and the UI logic 222; and (c) the event log engine 230 including the event log control logic 231 and the event log 232. Of course, when implemented as hardware, one or more of these logic units could be implemented separately from each other.


III. Reference Model Generation


Referring to FIG. 4, an exemplary portion of data received by the event log engine 230 expressed in XML is shown. As described above, the event log control logic 231 receives data transmitted by the one or more sources over the network 240 pertaining to one or more events and the particulars of the events. FIG. 4 illustrates one embodiment of data of events and particulars of the events received by the event log control logic 231. The data illustrated in FIG. 4 is stored in the event log 232 until it is gathered by the gathering logic 212 (discussed below).



FIG. 4 illustrates details of a first event observed at a time having a timestamp of “200.” For example, lines 3-12 state one or more attributes of the process information of a first event at a time having a timestamp value of “200” detailing: (1) the value of the event (“<value>”); (2) the process identification of the event (“<pid>”); (3) the parent process identification of the event (“<ppid>”); (4) the parent name of the event (“<parentname>”); (5) the file size of the event (“<filesize>”); (6) the hash value (e.g., a particular message digest (MD5) hash value) of the event (“<md5sum>”); (7) the securer hash algorithm (SHA) value of the event (“<shalsum>”); and (1) the file identification of the event (“<fid>”). Similarly, lines 13-20 and 21-26 recite event particulars of a second and third event at times having timestamp values of “300” and “350,” respectively.


Based on the data illustrated in FIG. 4, a reference model may be generated by the reference model generation logic 215 of FIG. 2. The generation of a reference model may be triggered, for example, at predetermined time intervals, after receipt of a predetermined amount of data from the network 240, and/or manually by a system administrator or the like. Upon the triggering of the generation of a reference model the gathering logic 212 gathers the data illustrated in FIG. 4 and passes the data to the reference model generation logic 215. Alternatively, the data illustrated in FIG. 4 may be gathered by the gathering logic 212 and passed to the machine learning logic 211 which will generate an association of potentially malicious events for the matching logic 213 to use in an exploit detection process (discussed below).


Referring to FIG. 5, an exemplary portion of data generated by either the reference model generating logic 215 or the machine learning logic 211 expressed in XML is shown. As mentioned above, the gathering logic 212 gathers the data illustrated in FIG. 4 and may pass the data to the reference model generating logic 215. The reference model generating logic 215 generates a reference model for use in an exploit detection process. The generated reference model may be expressed in XML as illustrated in FIG. 5 and subsequently stored in the machine learning data store 214. Alternatively, FIG. 5 may represent an association of potentially malicious events that will be used by the matching logic 213 in an exploit detection process, such as the exploit detection process performed by the matching logic 213 illustrated in FIGS. 6-7C.


The modifications to the data as illustrated in FIG. 4 to obtain the data as illustrated in FIG. 5 provide indicators of the beginning and end of event data (e.g., “<nodes>”) as well as the relationship (e.g., “<edge>”) between two events. The modifications may be performed by either the reference model generation logic 215 or the machine learning logic 211.


IV. Applications of Reference Model(s)


A. Improved Exploit Detection


Referring now to FIG. 6, an exemplary illustration of a comparison of a reference model of an association of known malicious events with an association of potentially malicious observed events is shown. The machine learning logic 211 may perform an exploit detection process by performing the comparison illustrated in FIG. 6. The exploit detection process may be triggered, for example, at predetermined time intervals, after receipt of a predetermined amount of data from the network 240, and/or manually by a system administrator or the like.


The determination of selecting which reference model(s) to use in a comparison such as that illustrated in FIG. 6 is based on one or more factors. Examples of factors include, but are not limited or restricted to, the infection type of one or more events included in the received data (the association of potentially malicious observed events), the type of a file included in the received data and/or the most commonly matched reference models. Alternatively, the received data may be compared to all of the reference models.


Upon the triggering of the exploit detection process, the gathering logic 212 of the machine learning logic 211 initially gathers the data received over the network 240 and stored in the event log 232. The gathering logic 212 also gathers the one or more reference models that will be used in the comparison. The matching logic 213 of the machine learning logic 211 compares the received data and the one or more reference models gathered by the gathering logic 212.


In FIG. 6, the interactive display screen 600 illustrates a side-by-side comparison of two nodal diagrams; the left side being the reference model 620 and the right side being an association of observed potentially malicious events 630 (“the association 630”). The reference model 620 represents an association of known or observed events and the relationships between the events. The observations or knowledge is such that the event and/or relationship was observed and/or known to have occurred with at least a certain probability. The reference model generation logic 215 of FIG. 2 may generate reference models such as reference model 620 from one or more of the data stored in the machine learning data store 214, the data stored in the event log 232 and/or data received over the network 240.


The events Event_1 602, and Event_2 603 through Event_m 604 were observed as a result of the performance of an action or operation caused by the Process_A 601. The events appearing in the reference model 620 are present as a result of one or more events or relationships being deemed at least anomalous, where one or more events or relationships may have been deemed malicious. In one embodiment, the Process_A 601 may have been deemed malicious by the TDS 2601 of FIG. 2 and such information transmitted to the MDVS 200. In some embodiments, all behaviors caused by one malicious event may be considered malicious while in other embodiments, only a subset of the events caused by a malicious event may be deemed malicious.


Referring to the association 630, the solid lines appearing in the association 630 signify that the events and/or relationships (i.e., the line connecting two events) were observed with at least a first confidence (e.g., observation that the event occurred or existed exceeds a first predetermined probability threshold). The dotted lines appearing in the association 630 signify that the events and/or relationships were observed with a second confidence, wherein the second confidence is different and less than the first confidence.


In the comparison performed by the matching logic 213 as illustrated in FIG. 6, some events and/or relationships may be equivalent in both the reference model 620 and the association 630. As is illustrated, the events Event_1 602 and Event_2 603 appear in both the reference model 620 and the association 630. In addition, the machine learning logic 211 may infer that one or more events and/or relationships were observed and should be included in the association 630 based on the reference model 620. For example, the machine learning logic 211 may “learn” that when two events are observed, a third typically is as well and therefore infer that the third event was observed, adding it to association 630. The concept of the machine learning logic 211 learning when events and/or relationship are likely to have be observed by recognizing trends and patterns based on the data stored in the machine learning data store 214, stored in the event log 232 and/or received over the network 240 will be explained in detail along with the discussion of FIGS. 7A-7C below.


Referring to FIGS. 7A-7D, exemplary diagrams illustrating the exploit detection process performed by the matching logic 213 comparing an association of potentially malicious observed events with a reference model of known malicious events are shown. The changes seen between FIG. 7A to FIG. 7B and from FIG. 7B to FIG. 7C illustrate one embodiment of a process the machine learning logic 211 may perform to determine whether at least a portion of the association of potentially malicious observed events matches with one or more reference models. In one embodiment, the progression from FIG. 7A to FIG. 7B to FIG. 7C may be considered the development of one interactive display screen. Alternatively, FIGS. 7A-7C may be considered separate interactive display screens providing a viewer three different perspectives of the potentially malicious events and/or relationships included within the association of potentially malicious events (the right side of the interactive display screen). The embodiment in which FIGS. 7A-7C may be interactive display screens will be discussed below.


The following discussion of FIGS. 7A-7C will explain an embodiment wherein the three figures illustrate the exploit detection process performed by the machine learning logic 211. In addition, the discussion of the changes seen from FIG. 7C to FIG. 7D will explain the enhancement of a reference model based on the data transmitted to the MDVS 200.


Referring to FIG. 7A, an initial stage of the exploit detection process is shown. The exploit detection process includes a comparison 700 that includes the reference model 730 and the association of potentially malicious events 740 (“the association 740”). The reference model 730 includes the event 1.exe 701 that is seen to cause the performance of an action or operation in the events 1_M.exe 702, “hidden files” 703, “tampered files” 704, “www.web1.com resolved to 199.16.199.2” 705, “199.16.199.2” 706, firefox.exe 707 and C:/Windows/explorer.exe 708.


In addition, the reference model 730 details the relationships between the events. For example, FIG. 7A provides that the event 1.exe 701 caused the creation of a mutex to be performed that resulted in the observation of the event 1.exe_M 702. Likewise, it is seen that the event 1.exe 701 exhibited malicious action that resulted in various hidden files 703. Similarly, the relationships between the event 1.exe 701 and the other events included in the reference model 730 are illustrated in the comparison 700.


The association 740 includes the event 1.exe 701 that is seen to cause the performance of an action or operation resulting in the events 1_M.exe 721, “hidden files” 722, “tampered files” 723, “disabled taskmanager” 724 and C:/Windows/4.exe 725. In contrast to the reference model 730, not all of the relationships between the events included in the association 740 are illustrated in FIG. 7A. The association 740 shown in FIG. 7A may not include enough data for the MDVS 200 to initially recognize all events and relationships with at least a first confidence, as mentioned above. As illustrated in FIG. 7A, the machine learning logic 211 may not initially have access to data allowing the machine learning logic 211 to determine relationships between the event 720 and the events 722, 723 and 725 with at least the first confidence.


Therefore, as one embodiment, FIG. 7A illustrates the first stage in the process of generating the association 740 that is shown in FIG. 7C. For example, the data used to generate the association of FIG. 7A may have been transmitted to the MDVS 200 from the TDS 2601. The TDS 2601 may have, for example, processed a portion of network traffic it received in one or more virtual machines and observed, among others, the events and relationship included in the association 740 of FIG. 7A. One or more of the events and/or relationships included in the association 740 of FIG. 7A may be been deemed malicious, prompting the TDS 2601 to transmit the observations to the MDVS 200.


Referring to FIG. 7B, a second stage of the exploit detection process is shown. The association 740 illustrated in FIG. 7B is seen to have two additional events included compared to the association 740 of FIG. 7A. In particular, the two events, “www.web1.com resolves to 199.16.199.2” 750 and “199.16.199.2” 751, are illustrated using dotted lines. In the embodiment of FIGS. 7A-7C, dotted lines are intended to represent that the events and/or relationships were observed with a second confidence, meaning that the data available to the machine learning logic 211 did not provide as much support for the occurrence or existence of the events illustrated using dotted lines as the data did for the occurrence or existence of the events illustrated using solid lines.


Alternatively, the dotted lines may represent that the event was not detected at any one source but instead is an inference from the event's appearance in the reference model 730. For example, the dotted box surrounding the “www.web1.com resolves to 199.16.199.2” event 750 may represent that no source connected to the MDVS 200 via the network 240 observed the “www.web1.com resolves to 199.16.199.2” event 750. Instead, based on the similarities between the association 740 and the reference model 730, the matching logic 213 inferred that the “www.web1.com resolves to 199.16.199.2” event 750 should be included and may have occurred but its observance did not occur.


In one embodiment, the data may have only provided one source of evidence of the occurrence of existence of the events illustrated using dotted lines whereas the first confidence requires Y or more sources of evidence are state that an event occurred or existed (wherein Y≧2). Alternatively, or in addition, the dotted lines may represent that the machine learning logic 211 has inferred that the events illustrated using dotted lines occurred or existed. Through machine learning, the machine learning logic 211 may have recognized that the events illustrated using dotted lines typically occur or exist when one or more of the events illustrated using solid lines were observed and therefore infer that it is likely the events illustrated dotted lines occurred or existed but were not observed with the first confidence. For example, the machine learning logic 211 may recognize that when an executable file (e.g., 4.exe 720) generates a mutex which is followed by the hiding of files and tampering with network settings, it is likely that the website “www.web1.com” resolves to the IP address “199.16.199.2” and source (e.g., TDP 2601) connected to the IP address “199.16.199.2” based on the reference model 730.


Referring to FIG. 7C, the association 740 is fully illustrated such that the relationships between the event 4.exe 720 and the events 1_M.exe 721, “hidden files” 722, “tampered files” 723, “disabled taskmanager” 724, “www.web1.com resolved to 208.73.211.247” 750, “208.73.211.247” 751 and C:/Windows/4.exe 725 are present in the comparison 700. As was discussed regarding FIG. 7B, the machine learning logic 211 may infer one or more relationships based on at least a comparison 700 of the association 740 with the reference model 730. Therefore, the comparison 700 as illustrated in FIG. 7C provides the matching logic 213 the association of the event 4.exe 720 with the events 721-725, 750 and 751 allowing the matching logic 213 to make a determination as to whether the association 740 matches with the reference model 730.


Based on FIGS. 7A-7C, the matching logic 213 may ascertain what malicious events occurred or existed, the relationships between the one or more events as well as the confidence of the machine learning logic 211 of the occurrence or existence of a particular event and/or relationship. The comparison 700 in FIGS. 7A-7C performed by the matching logic 213 to compare the association of observed and/or inferred events with a reference model allowing the matching logic 213 to determine the extent of malicious activity that may have occurred and what files, processes, locations, etc. may have been affected.


Furthermore, the matching logic 213 may determine whether a correlation exists between the reference model 730 and the association 740 depending on predetermined characteristics and thresholds. For example, the matching logic 213 may find a correlation when Z specific events are found to match in the reference model 730 and the association 740 (wherein Z is a predetermined number). Alternatively, the matching logic 213 may determine a correlation exists if a predetermined number of events and/or relationships are found to match between the reference model 730 and the association 740. In yet another embodiment, the matching logic 213 may find a correlation if a predetermined number of events and/or relationships are found to match and one or more events and/or relationships are not present in both of the reference model 730 and the association 740. Any combination of the above scenarios may be used to determine whether a correlation is present between the reference model 730 and the association 740. The machine learning logic 211 may store these correlations in the machine learning data store 211 as a way of “learning” when one or more malicious events and/or relationships may be inferred.


Referring to FIG. 7D, an enhancement to the reference model 730 is shown. The event “Disabled TaskManager 724” has been added to the reference model 730 and is illustrated with a dotted and dashed line. In addition, the relationship between the process 1.exe 701 and the event “Disabled TaskManager 724” is also present in the reference model 730 similarly illustrated with a dotted and dashed line. As a result of the data transmitted to the MDVS 200, and optionally, in addition to the data stored in the event log 232 and/or the machine learning data store 212, the machine learning logic 211 may determine that there is sufficient correlation between an event and/or relationship and a reference model such that the event and/or relationship should be added to the reference model.


In one embodiment, a “sufficient correlation” may include the event and/or relationship appearing within a grouping of events a predetermined number of times. For example, if the event “Disabled TaskManager 724” appears X number of times (wherein X is a predetermined threshold) when a process (e.g., 4.exe 720) generates a mutex, hides files and tampers with network settings, the event “Disabled TaskManager” 724 will be added to the reference model including those events. Referring back to FIG. 1, the addition of event “Disabled TaskManager 724” and the relationship between the between the process 1.exe 701 and the event “Disabled TaskManager 724” is illustrated in FIG. 1 as “exploit detection feedback” from block 130 to block 120. The addition of one or more events and/or relationships to a reference model constitutes exploit detection feedback as illustrated in FIG. 1. The one or more events and/or relationships determined by the matching logic 213 and/or the machine learning logic 211 to be added to one or more reference models may be transmitted to the reference model generation logic 215. The gathering logic 212 may gather the reference models to be updated from the machine learning data store 214. The reference model generation logic 215 may then perform an updating process to the one or more gathered reference models by adding the one or more events or relationships into the one or more reference models. The reference models that are to be updated may be determined by gathering all reference models having one or more common events and/or relationships with the reference model used in the comparison or all reference models included in the machine learning data store 214. Alternatively, reference models to be updated may be selected based on file types included in the reference models and/or a source that observed the events included in the reference models (e.g., email TDS, web TDS, file TDS and/or mobile TDS).


The enhanced reference model 730 may be used to update and/or allow for more particularized exploit detection. For example, the enhanced reference model 730 may be used by, among others, the management system 242 to further configure or reconfigure one or more of the sources (e.g., the endpoint device 2501 and/or the TDS 2601). The reconfiguration or further configuration may entail, for example, configuring the one or more sources to search one or more pieces of network traffic for an extended amount of time, search the one or more pieces of network traffic multiple times and/or search for different malware exploits and/or certain events and/or relationships.


Alternatively, or in addition to, the enhanced reference model 730 may provide a means for updating one or more correlation rules for classifying malware (e.g., updating signatures or rules for determining whether an object of network traffic is suspicious and/or configuring and/or reconfiguring one or more virtual machines (VMs) included in one or more sources). Such updated signatures may be more robust due to the more complete picture of a malware exploit the updated signature provides. In one embodiment, the enhanced reference model 730 may provide improved alerts and recognition of malware based on the enhancement.


Referring to FIG. 8, an exemplary illustration of a comparison 800 of reference models 820 and 821 with an association of potentially malicious observed events is shown. Similar to FIGS. 7A-7C, the comparison 800 includes a left side and a right side. However, in contrast to FIGS. 7A-7C showing a single reference model, the left side of the comparison 800 includes the reference model 820 and the reference model 821. One embodiment of the generation process of the association of potentially malicious events 822 (the association 822) is similar to the embodiment describing FIGS. 7A-7C. Furthermore, in the embodiment of FIG. 8, the machine learning logic 211 may infer events and/or relationships from two reference models.


In FIG. 8, the association 822 is seen to have solid lines illustrating the Event_A_1 802 and the Event_G_1 805. In addition, the relationship connecting the Process_C_1 810 with the Event_A_1 802 and Event_G_1 808 are illustrated using solids lines. Therefore, FIG. 8, illustrates the Event_A_1 802 and the Event_G_1 808 and the connections (i.e., relationships) between the Process_C_1 810 and the events Event_A_1 802 and Event_G_1 808 were observed with at least a first confidence by one or more of the sources connected to, for example, the network 240 of FIG. 2.


Furthermore, the events Event_D_1 805 and Event_F_1 807 as well as the connections between the Process_C_1 810 and the events Event_D_1 805 and Event_F_1 807 are illustrated as dotted lines meaning these events and connections were inferred from the Process_A_1 801 and/or the Process_B_1 809. As can be seen in FIG. 8, the reference model 820 includes the Event_D_1 805. The reference model 821 includes the Event_F_1 807. In addition, not all events present in one or more of the reference models need to be inferred as occurring within the received data. For example, the events Event_B_1 803 and Event_C_1 804 was not inferred by the machine learning logic 211 as having occurred with the association 822. In one embodiment, the received data along with the reference models available to the machine learning logic 211 may not have supported such an inference.


B. Malware Family Reference Model Generation


Malware family generation is the generation of comprehensive signatures used to identify one or more anomalous, or more specifically malicious, files, processes, etc., and/or relationships that are related through, among others, the evolution of a malware, a common point of attack or attack pattern (e.g., multiple pieces of malware gaining unauthorized access to the same file or process within an operating system), a common method of entering a network or electronic device (e.g., embedded software in an email or embedded software in a portable document format (PDF) file), a common targeted vulnerability (e.g., a common exploit kit), a common targeted information and/or a common targeted unauthorized access point. The generation of a malware family reference model may be triggered, for example, at predetermined time intervals, after receipt of a predetermined amount of data from the network 240, and/or manually by a system administrator or the like.


Upon the triggering of the generation of a malware family reference model, the gathering logic 212 of the machine learning logic 211 initially gathers a plurality of appropriate reference models stored in the machine learning data store 214. The gathering logic 212 determines which reference models are appropriate for generation of a malware family reference model based on one or more characteristics of the triggering event and/or the plurality of reference models currently stored in the machine learning data store 214. The matching logic 213 of the machine learning logic 211 compares the received data and the one or more reference models gathered by the gathering logic 212.


In one embodiment, the reference models stored in the machine learning data store 214 may all include one or more common events and/or relationships and therefore all reference models may be used to generate a family malware reference model. Alternatively, appropriate reference models for generating a malware family reference model may be selected based on file types included in the reference models and/or a source that observed the events included in the reference models (e.g., email TDS, web TDS, file TDS and/or mobile TDS). Furthermore, if a network administrator manually triggers the generation of a reference model, the network administrator may manually select one or more of the above characteristics for the gathering logic 212 to use in its determination of what reference models in the machine learning data store 214 are appropriate to include in the reference model generation.


Once the reference models that will be used to generate a malware family reference model have been gathered by the gathering logic 212, the reference models are passed to the reference model generating logic 215. As will be discussed below in relation to FIG. 9, the reference model generating logic 215 generates a malware family reference model by computing the mathematical union between the plurality of reference models gathered by the gathering logic 212.


Referring to FIG. 9, an exemplary illustration of a process of generating a malware family reference model is shown. The generation process 900 performed by the reference model generation logic 215 of FIG. 2 includes a left side and a right side. The left side includes two reference models, the reference models 930 and 931. The reference model 930 includes the Process_A_2 901 and the events Event_A_2 902, Event_B_2 903, Event_D_2 905 and Event_E_2 906. The reference model 931 includes the Process_B_2 908 and the events Event_A_2 902, Event_B_2 903, Event_C_2 904, Event_E_2 906 and Event_F_2 907.


The malware family reference model 940 has been generated from the reference models 930 and 931. The reference model generation logic 215 compares two or more reference models in order to generate a malware family reference model. The reference model generation logic 215 generates the malware family reference model by placing all distinct events in the two or more reference models compared (e.g., the mathematical union of the two or more reference models compared) into the malware family reference model (e.g., the malware family reference model 940).


As illustrated in FIG. 9, the malware family reference model 940 contains all distinct events included in the reference models 930 and 931. In particular, the reference model generation logic 215 generates the malware family reference model 940 by placing the events the reference model 930 has in common with the reference model 931 (the events Event_A_2 902, Event_B_2 903, Event_C_2 904 and Event_E_2 906) in the malware family reference model 940. The reference model generation logic 215 also places any events included in the reference model 930 in the malware family reference model 940 that are not included in the reference model 931 (the events Event_D_2 905). To conclude, the reference model generation logic 215 places any events included in the reference model 931 in the malware family reference model 940 that are not included in the reference model 930 (the events Event_F_2 907). The process of placing events in common or events included in less than all of the reference models compared to generate a malware family reference model may be done in any order.


The malware family reference model 940 also includes the process Process_C_2 910. This process may be equivalent to any of the processes included in one or more of the reference models compared to generate the malware family reference model (e.g., the processes Process_A_2 901 and Process_B_2 908).


The reference models used by the machine learning logic 211 to generate malware family reference models may be stored in the machine learning data store 214 and/or the event log 232, and/or received over the network 240. In addition, signatures generated in accordance with the discussion of FIGS. 14A and 14B may be used in the generation of malware family reference models.


C. Visualization


As mentioned above, interactive display screens comprising FIGS. 7A-7C may be generated by the display generation logic 211 of the UI rendering subsystem 220. In such an embodiment, the interactive display screens illustrating FIGS. 7A-7C may give a viewer a side-by-side visual comparison of a reference model and an association of potentially malicious events (e.g., at least a portion of data received over the network 240). A side-by-side visual comparison may allow a viewer to understand the source of the anomalous behavior as well as determine what files, processes, network settings, etc., and/or relationships that may have been affected.


Referring to now FIG. 10, an exemplary embodiment of an interactive display screen 1000 for display of associated events and/or particulars of the associated events used in generating the interactive display screens of FIGS. 12-14B is shown. Herein, rendered by the UI rendering subsystem 220, the interactive display screen 1000 features a plurality of display areas 1010 and 1030 that illustrate information directed to events and particulars of the observed events over a time period by the one or more sources (the endpoint devices 2501 and 2502, the TDSes 2601-2603 and/or the cloud computing services 241 of FIG. 2) and or the management system 242 of FIG. 2.


According to one embodiment, the display area 1010 displays a plurality of entries 10201-1020R (R≧1, where R=9 for this embodiment) that provides information directed to observed events, where one or more events are anomalous or malicious. As shown, each row of entries (e.g., row 10201) rendered by the UI rendering subsystem 220 features a plurality of fields, including one or more of the following: (1) a date and time of the observation 421; (2) an event name 422; (3) a process identification (PID) 423 (if applicable); (4) a path directing the viewer to the location at which the event may be located 424; and/or (5) a source that observed the event (e.g., email TDS, web TDS, file TDS and/or mobile TDS).


A second area 1030 may be configured to allow selection of one or more observed potentially malicious events for viewing on a second visual representation. In one embodiment, when an observed event has been selected, the row may appear highlighted as is seen in FIG. 10. The buttons 1040 and 1041 enable viewing of an interactive visual representation (e.g., nodal diagram) of the selected events as they relate to one or more events within the display area 1010 and/or as they compare to one or more reference models of known anomalous or malicious behaviors. For example, based on the exemplary embodiment of FIG. 10 in which entry 10202 is selected, activation of the button 1040 labeled “Exploit Visualization” would subsequently present an interactive display screen of the relationships of the observed event represented in entry 10202 to other events, including perhaps one or more events appearing in display area 1010 (to be described below). Similarly, activation of the button 1041 labeled “Timeline Visualization” would subsequently present a second interactive display screen of the relationships of the observed event represented in the selected entry 10202 to other events, including perhaps one or more events appearing in display area 1010 (to be described below). Alternatively, activation of the button 1042 labeled “Generate Signature” would request the machine learning logic 211 of FIG. 2 to generate a signature based on the selected event and, in one embodiment, any subsequent events branching from the selected event (to be discussed in detail below).


One or more interactive display screens may be comprised of, among other things, a top-down nodal or tree diagram (e.g., an “exploit visualization”) or a left-to-right nodal or tree diagram (e.g., “a timeline visualization”). A time axis is illustrated in FIG. 12 and will be discussed below. Particulars of the events may be included to provide a detailed understanding of, among other things, where events are located within an electronic device or various methods of identifying one or more events (e.g., file/process name or PID). In addition, the interactive display screen may provide the viewer an understanding of how the event was detected by color-coding the events or providing various line formatting (e.g., dashed lines, solid lines, double lines, etc.) based on, for example, the portion of a TDS or endpoint device that observed the event. Alternatively, the illustration of the events may be color-coded based on the type of event. Additionally, the display may be a static visual representation of the one or more relationships between one or more events.


In addition, a rank may be assigned to the events included in a nodal diagram. For example, when an association of events are illustrated as a top-down nodal diagram, each row of events may be considered to have the same rank, wherein a first event appearing above a second event has a higher rank than the second event. Alternatively, when an association of events are illustrated as a left-to-right nodal diagram, each column of events may be considered to have the same rank, wherein a first event appearing to the left of a second event has a higher rank than the second event.


Referring to FIG. 11, an exemplary portion of data generated by either the reference model generating logic 215 or the machine learning logic 211 expressed in XML is shown. As described above, the machine learning logic 211 generates interactive display screen information for the visual representation of one or more relationships between one or more events and the particulars of the events. FIG. 11 illustrates one embodiment of data detailing the relationship of a first event to a second event and the relationship of the first event to a third event. For example, lines 5-6 denote the first and second events (node 1 and node 2 as “process_1” and “registry_1,” respectively). Line 9 denotes the relationship before the first and second events (edge 1 as “node_1.created/changed-properties.node_2”). Similarly, Lines 12-20 represent details of the relationship between the first event and the third event.


The data illustrated as FIG. 11 may represent the interactive display screen information used by the display generation logic 221 to generate a display for viewer. For example, the data illustrated in FIG. 11 is used by the display generation logic 221 to generate a portion of FIGS. 12 and 13 as discussed below.


Referring now to FIG. 12, an exemplary illustration of a first embodiment of an interactive display screen for display of associated events and particulars of the associated events is shown. In FIG. 12, the interactive display screen 1200, depicted as a nodal diagram, illustrates the associated events at a high-level allowing a viewer to obtain an understanding of the relationships between one or more observed events wherein one or more anomalous behaviors are present. An anomalous behavior may be (i) a suspicious event or relationship that was observed by one or more of the sources (the endpoint devices 2501 and 2502, the TDSes 2601-2603 and/or the cloud computing services 241) or (ii) a malicious event or relationship observed by one or more of the sources. For example, a malicious event may cause performance of one or more actions that result in one or more malicious behaviors and/or one or more non-malicious behaviors. In general, the depiction of a first event appearing vertically above a second event is intended to illustrate that the first event was observed at a time prior to the second event. Similarly, a depiction of a second event appearing vertically equivalent (e.g., aligned in a row) with a third event, wherein the second event appears to the left of the third event, is intended to illustrate that the second event was observed at a time prior to the third event. It should be noted that exceptions may occur and labeling of such exceptions (e.g., by the use of numbering events and/or relationships) may be used to denote such exceptions to the viewer (numbering of exceptions will be illustrated in and described along with FIG. 13).


In FIG. 12, the Parent_Process_1 1201 is seen to cause an action or operation resulting in the Process_1 1202 at a first time. In one embodiment, the Parent_Process_1 1201 may be a malicious event and starting the Process_1 1202 may constitute a malicious action or operation (e.g., if the Process_1 1202 is also a malicious event and/or if the starting of the Process_1 1202 was not a normal function of the electronic device on which the action or operation occurred (or virtual machine performing processing of the Parent_Process_1 1201)). Alternatively, the Parent_Process_1 1201 and/or the Process_1 1202 may be non-malicious events and the starting of the Process_1 1202 may be construed as a non-malicious action or operation.


In addition, the Process_1 1202 causes the performance of one or more actions or operations that result in the events including: (i) the Registry_1 1203; (ii) the File_1 1204; (iii) the File_2 1205; and (iv) the Process_2 1206. Similarly, the File_1 1204 is depicted as causing the performance of an action or operation that results in the Process_3 1207. Furthermore, the Process_2 1206 is depicted as causing the performance of an action or operation that results in the File_3 1208.


Therefore, according to one embodiment, when the interactive display screen 1000 of FIG. 10 is viewed and the button 1440 (“Exploit Visualization”) is activated, the interactive display screen 1200 is displayed using the information included in the interactive display screen 1000 which may be derived from interactive display screen information expressed as XML files similar to FIG. 11.


As mentioned above, a time axis 1210 is illustrated in FIG. 12. The time axis 1210 illustrates the embodiment wherein an interactive display screen (e.g., the interactive display screen 1200) is configured to illustrate an order of events in a sequential manner according to one or more time axes. The time axis 1210 shows that the events in the interactive display screen 1200 are ordered in a top-to-bottom and left-to-right manner according to the time of performance of the one or more actions or operations that resulted in the events 1201-1208. For example, the event 1202 is illustrated below the event 1201 implying that the performance of the one or more actions or operations that resulted in the event 1201 occurred prior in time to the one or more actions or operations that resulted in the event 1202. Similarly, the event 1203 is illustrated to the left of the event 1204 implying that the performance of the one or more actions or operations that resulted in the event 1203 occurred prior in time to the one or more actions or operations or behaviors that resulted in the event 1204. In another embodiment, a time axis may only comprise one axis (e.g., horizontal such as left-to-right, vertical such as top-to-bottom, etc.). Alternatively, a time axis may not be included in an interactive display screen.


In addition, a time axis may be present in an interactive display screen illustrating a left-to-right nodal diagram (e.g., an embodiment in which FIG. 7D may be used as an interactive display screen). As stated above, when a time axis is present in an interactive display screen illustrating a left-to-right nodal diagram, the time axis may comprise a single axis (e.g., only top-to-bottom) or may comprise two time axes (e.g., top-to-bottom and left-to-right).


Referring back to FIG. 2, the machine learning engine 210 analyzing observed events comprising an exploit after the occurrence of the exploit may fail to determine the source of infection. Even if the events are observed in their entirety, sometimes the voluminous manner of the observed events (events comprising both malicious events and non-malicious events) may make the determination of the presence of an exploit and/or malware difficult. Being able to compare the observed events with a reference model assists in sifting through the data and discovering the origin of infection. For example, a user may have browsed to a well-known Uniform-Resource Locator (URL) that was compromised and unintentionally downloaded malware on an endpoint. Subsequently, the malware may have stolen data and uploaded the stolen data to a foreign server. A reference model stored in the MDVS 200 may contain the sequence of such events. If the matching logic 213 of the MDVS 200 is able to match the observed events with a portion of the reference model, the machine learning logic 211 may infer that all of the events occurred although not all of the events were observed based on the sequential ordering of the reference model. The matching logic 213 may determine that one or more events in the reference model were not observed, or were not observed with at least a first confidence. For example, based on the sequential ordering of the events and the time axis of the reference model, the machine learning logic 211 may infer that an event_B occurred prior to an event_C but subsequent to an event_A, although event_B was not observed by at least one source (e.g., the endpoint device 2501).


In addition, the machine learning logic 211 may trace the root cause of the exploitation back to the initial visit to the compromised URL based on a time axis and the sequential ordering of the events in the reference model. In one embodiment, the presence of a time axis on an interactive display screen may allow a viewer, such as a network administrator, to visually understand which event was the root cause of the exploit.


Referring to FIG. 13, an exemplary illustration of a detailed embodiment of the interactive display screen of FIG. 12 is shown. In addition to events 1201-1208 of FIG. 12, interactive display screen 1300 illustrates events 1301-1306 corresponding to the Registry_2, the Registry_3, the Registry_4, the File_4, the Folder_1 and the File_5, respectively. In particular, the Process_3 1207 causes the performance of one or more actions or operations that result in events 1301-1306.


In addition to providing a visual representation of how the events 1201-1208 and 1301-1306 are related, the interactive display screen 1300 displays one or more particulars of each event. For example, the path (“c:/doc1/local1/temp/4.exe”) and the PID (“1676”) are displayed for the Process_1 1202. The particulars displayed for each event may differ, for example, only the path of an event may be displayed as is the case with the File_1 1204 in the present embodiment.


Furthermore, the interactive display screen 1300 provides the viewer with the relationship between two events and the timing of the observation of the relationship. For example, the relationship between the Process_1 1202 and the File_1 1208 is the third relationship generated of the relationships displayed in the interactive display screen 1300. In addition, the relationship between the Process_1 1202 and the File_1 1208 is seen to be “created.” Therefore, from the interactive display screen 1300, a viewer can easily determine that, of the events and relationships included in the display screen 1300, the operation of the Process_1 1202 creating the File_1 1204 was the third relationship created. The Process_1 1202 then opens the File_2 1205 and starts the Process_3 1207 (which is the File_1 1204 being launched as a process as the File_1 1204 is an executable file). In addition, the Process_1 1202 starts the Process_2 1206 as the seventh relationship.


The Process_2 1206 deletes the File_3 1208 as the eighth relationship. Subsequently, the Process_3 1207 sets the name/value pair for the Registry_2, the Registry_3 and the Registry_4 as the ninth, tenth and eleventh relationships respectively. The Process_3 1207 then opens the Registry_5, the Folder_1 and the File_5 as the twelfth, thirteenth and fourteenth relationships respectively.


V. Signature Generation


As mentioned above, one embodiment of the invention enables a viewer to generate one or more signatures from the interactive display screens of, for example, FIGS. 10 and 12-14B. In one embodiment, the viewer may select an event and generate a signature based on the event including any events that directly and/or indirectly branched from the selected event. In a second embodiment, the viewer may select a particular grouping of events and generate a signature limited to those selected events. The generated signatures may be stored in the machine learning data store 214 of FIG. 2 to be used in future comparisons of one or more reference models of a plurality of events and at least one or more relationships where at least one of these events and/or relationships is an anomalous behavior or known to be malicious. In addition, signatures generated from a first set of data received from a first endpoint device may be compared to similar signatures generated from a second set of data received from a second endpoint device in order to determine whether an event frequently appears across multiple endpoint devices (e.g., correlated operations or actions across endpoint devices). The frequent appearance of an event across multiple endpoint devices may imply that the event is malicious (e.g., an exploit), or at least suspicious. In addition, the frequent appearance of one or more events across multiple endpoint devices (or other sources that supply data to the MDVS 200) may indicate that the one or more sources is associated with a malware family.


Referring to FIG. 14A, an exemplary illustration of a portion of an interactive display screen for enabling a viewer to generate a signature of a selected event, display particulars of the selected event and/or generate an alert for a selected event is shown. FIG. 14A illustrates a viewer selecting an event (e.g., the Process_2 1206 of FIG. 12) which brings up an overlaying pop-up box 1410 allowing the viewer to select to “Generate Signature 1411,” “Display Info Parameters 1412” or “Generate Alert 1413.” The selection of “Generate Signature 1411” enables the viewer to generate a signature (e.g., a reference model) based on the selected event. The signature may include all events that are a direct or indirect branch from the selected event. For example, a viewer selecting “Generate Signature 1411” for the Process_2 1206 may generate a signature including the Process_2 1206 and the File_3 1208 (as is seen in FIG. 12). The selection of “Display Info Parameters 1412” for the Process_2 1206 would display an interactive display screen including the information included in the row 10206 of FIG. 10. The selection of “Generate Alert 1413” enables a viewer to generate a rule for the MDVS 200 to issue an alert when the selected event is observed by an endpoint device or other source. Therefore, according to the example in FIG. 14A, when a viewer selects “Generate Alert 1413” for the Process_2 1206, the MDVS 200 will issue an alert to the viewer notifying the viewer of the observation of the Process_2 1206 at an endpoint device. In one embodiment, the MDVS 200 will issue the alert when the MDVS 200 receives data containing an observation of the Process_2 1206. In a second embodiment, the MDVS 200 may notify the management system 242 of the creation of the rule and the management system 242 may propagate the rule to each source connected to the network 240 (the endpoint devices 2501-2502, the TDS 2601-2603 and the cloud computing services 241).


Referring back to FIG. 1, the selection of one or more of “Generate Signature 1411,” “Display Info Parameters 1412” or “Generate Alert 1413” is equivalent to the “Interactive Display Screen Input” illustrated in FIG. 1. The interactive display screen input is transmitted from block 150 to block 120. In particular, the data obtained from the selecting “Generate Signature 1411” includes the particulars of the selected event (e.g., the Process_2 1206 as seen in FIG. 14A) and potentially the events branching from the selected event and the relationships that connect the selected event and any branched events. This data obtained from the selection of “Generate Signature 1411” may be stored as a signature/reference model in the machine learning data store 214 for use in future exploit detection processes and/or reference model generation processes.


The selection of “Display Info Parameters 1412” may result in a query by the gathering logic 212 to the machine learning data store 214 and/or the event log 232 to gather the particulars of the selected process. The machine learning logic 211 may generate interactive display screen information based on the data gathered by the gathering logic 212. The display generation logic 221 may use the interactive display screen information to generate a display in a layout similar to the display screen of FIG. 10.


The selection of “Generate Alert 1413” may result in the gathering of the particulars of the selected process, any events that are branched from the selected event and any relationships connecting the branched events by the gathering logic 212 and the generation of an alert by the machine learning logic 211.


It should be noted that, although in the above paragraphs information (e.g., the particulars) of branched events and the corresponding relationships may be gathered as well as the selected event, the particulars of only the selected event may be gathered as well. The system may be set up to gather either, or a network administrator may be able to adjust how the system responds to a selection of one or more of “Generate Signature 1411,” “Display Info Parameters 1412” and/or “Generate Alert 1413.”


Referring to FIG. 14B, an exemplary illustration of a second embodiment of an interactive display screen for enabling a viewer to generate a signature of a selected event is shown. FIG. 14B illustrates that a viewer has selected a particular grouping of events (the Process_3, the Registry_2, the Registry_3, the File_4 and the Folder_1) for which the viewer may generate a signature by selecting “Generate Signature 1411.” The generated signature in FIG. 14B differs slightly from that of FIG. 14A in the sense that the signature of 14A may include all of the events branching directly and/or indirectly from the selected from. FIG. 14B does not include the event File_5 1406. The exclusion of the event File_5 1406 may be a result of the viewer knowing whether the event File_5 1406 are not malicious and therefore should be not included in a reference model. The selection of “Generate Signature 1411” in FIG. 14B has the same effect as discussed in reference to FIG. 14A above.


Referring to FIG. 15, is an exemplary portion of the generated signature (corresponding to the selected section in FIG. 14B) expressed in XML. The data illustrated by FIG. 15 represents the XML generated when a viewer generates a signature from the interactive display screen 1300 as illustrated in FIG. 14B. As seen in FIG. 14B, a portion of the interactive display screen 1300 has been manually selected by a user and an input (e.g., clicking of a button on a mouse) allows the viewer to generate a signature by activating the option labeled “Generate Signature” 1411. The data illustrated in FIG. 15 may be stored in the machine learning data store 214 and used by the reference model generation logic 215 and/or the matching logic 213 to either generate a reference model or perform an exploit detection process, respectively.


In the foregoing description, the invention is described with reference to specific exemplary embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention as set forth in the appended claims.

Claims
  • 1. A computerized method for detecting malware comprising: accessing information associated with one or more observed events, wherein the one or more observed events are associated via one or more observed relationships;accessing a reference model of a plurality of reference models, the reference model is based on a first plurality of events and comprises a first event, a second event and a first relationship that identifies that the second event is based on the first event, wherein a combination of at least the first plurality of events and the first relationship indicates a known cyber-attack;based on a correlation between the reference model and the accessed information, inferring that at least a third event of the first plurality of events has occurred or a second relationship between two events of the one or more observed events existed, wherein neither the third event nor the second relationship is indicated by the accessed information;analyzing (i) the information associated with the one or more observed events, and at least one of the third event or the second relationship that were inferred, and (ii) the reference model to determine whether a level of correlation between (a) the one or more observed events, and including at least one of the third event or the second relationship that were inferred, and (b) the reference model is at least a first threshold; andresponsive to determining the level of correlation is at least the first threshold, determining that a combination of the one or more observed events, the one or more observed relationships, and at least one of the third event that was inferred or the second relationship that was inferred are associated with the known cyber-attack,wherein each of the first relationship and the second relationship comprises a connection that occurs during computer processing between at least two events, andwherein each of the one or more observed events, and the third event is an action or operation resulting from an execution of code.
  • 2. The computerized method of claim 1, wherein accessing the information associated with one or more observed events further comprises: accessing one or more particulars of at least a first observed event of the one or more observed events, wherein the analyzing includes analysis of the one or more particulars.
  • 3. The computerized method of claim 1, wherein accessing the reference model further comprises accessing one or more relationships wherein a second relationship of the one or more relationships identifies that a fourth event is based on the first event.
  • 4. The computerized method of claim 1 further comprising: enhancing, the reference model by adding at least an added first event to the reference model as a result of determining whether the level of correlation between at least the one or more observed events and the reference model is at least a second predetermined threshold, the added first event being present in the one or more observed events and not present in the reference model.
  • 5. The computerized method of claim 4 further comprising: enhancing the reference model by adding at least an added first relationship to the reference model as the result of determining whether the level of correlation between at least the one or more observed events and the reference model is at least the second predetermined threshold, the added first relationship being present in the one or more observed events and not present in the reference model.
  • 6. The computerized method of claim 4, further comprising: updating, as a result of the analyzing using the machine learning technique, one or more correlation rules for classifying malware.
  • 7. The method of claim 1 further comprising: generating a visual representation illustrating a potential malware infection based on the analyzing of the information associated with the one or more observed events and the reference model, the visual representation comprising one or more nodal diagrams.
  • 8. The computerized method of claim 1 further comprising: inferring that a second relationship exists without detection between the first event and a fourth event based on the reference model, wherein the second relationship is included in the reference model and the fourth event is included in the one or more observed events.
  • 9. The computerized method of claim 1 further comprising: inferring that a second relationship exists between the first event and the third event, wherein the second relationship is included in the reference model.
  • 10. The computerized method of claim 1 further comprising: generating an interactive display screen that displays a visual representation of the reference model, including the first plurality of events including the first event and the second event, and the first relationship; anddisplaying the interactive display screen.
  • 11. The computerized method of claim 10, wherein the interactive display screen further includes a visual representation of the one or more observed events and the third event, the visual representation of the reference and the visual representation of the one or more observed events and the third event displayed in a side-by-side comparison.
  • 12. The computerized method of claim 1, wherein the reference model is accessed from a data store that stores the plurality of reference of models.
  • 13. The computerized method of claim 1, wherein the reference model is selected from a plurality of reference models based on a type of a file included in the information associated with one or more observed events.
  • 14. The computerized method of claim 1, wherein each connection is a causal connection.
  • 15. The computerized method of claim 1, further comprising: generating a display including a first nodal diagram and a second nodal diagram, the first nodal diagram including the reference model and the second nodal diagram including the information associated with one or more observed events, wherein (1) the events of the reference model and the one or more observed events are represented by nodes, and(2) relationships of the reference model are displayed as connections corresponding to the events of the reference model and relationships corresponding to the one or more observed events are displayed as connections between the one or more observed events.
  • 16. A computerized method comprising: accessing information associated with a first plurality of observed events comprising a first observed event, a second observed event and an observed relationship that identifies that the second observed event is based on the first observed event;accessing a reference model of a plurality of reference models, the reference model is based on a second plurality of events comprising a first event, a second event and a relationship that identifies that the second event is based on the first event, wherein a combination of at least the first event, the second event and the relationship indicates a known cyber-attack;based on a correlation between the reference model and the accessed information, inferring that at least a third event has occurred or a second relationship between two events of the first plurality of observed events existed, wherein neither the third event or the second relationship is indicated by the accessed information;analyzing the information associated with the first plurality of observed events, and at least one of the third event or the second relationship that were inferred and the reference model to determine whether a level of correlation between (i) the first plurality of observed events, and at least one of the second relationship or the third event, and (ii) the reference model is at least a first threshold;responsive to determining the level of correlation is at least the first threshold, determining a combination of the first plurality of observed events and at least one of the third event and the second relationship are associated with the known cyber-attack,wherein each of the first relationship and the second relationship comprises a connection that occurs during computer processing between at least two events, andwherein each of the one or more observed events, and the third event is an action or operation resulting from an execution of code.
  • 17. The computerized method of claim 16, wherein accessing the first set of information further comprises: accessing one or more particulars of at least one of the first observed event or the second observed.
  • 18. The computerized method of claim 16, wherein accessing the reference model further comprises accessing one or more relationships wherein a second relationship of the one or more relationships identifies that a fourth event is based on the first event.
  • 19. The computerized method of claim 16 further comprising: enhancing the reference model by adding, to the reference model, at least a second relationship identifying that the third event is based on the first event, the added second relationship being included in the information associated with the first plurality of observed events.
  • 20. The computerized method of claim 16, wherein each connection is a causal connection.
  • 21. The computerized method of claim 16, further comprising: generating a display including a first nodal diagram and a second nodal diagram, the first nodal diagram including the reference model and the second nodal diagram including the information associated with one or more observed events, wherein (1) the events of the reference model and the one or more observed events are represented by nodes, and(2) relationships of the reference model are displayed as connections corresponding to the events of the reference model and relationships corresponding to the one or more observed events are displayed as connections between the one or more observed events.
  • 22. A system comprising: one or more hardware processors; anda non-transitory storage module communicatively coupled to the one or more processors, the storage module comprises(i) an event log to receive and store information associated with one or more observed events, wherein each of the one or more observed events is associated with at least one of an action or operation occurring during computer processing,(ii) a data store to store one or more reference models,(iii) a gathering logic in communication with the data store and the event log that, upon execution by the one or more processors, (a) accesses the information associated with the one or more observed events, and(b) accesses a first reference model of the one or more reference models, wherein a combination of one or more events or one or more relationships included in the first reference model indicates a known cyber-attack, and(iv) a first logic in communication with the data store and the event log control logic that, when executed by the one or more processors, based on a correlation between the first reference model and the accessed information, infers that at least a first inferred event has occurred or a first inferred relationship existed, wherein neither the first inferred event nor the first inferred relationship is indicated by the accessed information; and(v) a matching logic in communication with the gathering logic that, upon execution by the one or more processors, (1) analyzes the information associated with the one or more observed events, the first inferred event, the first inferred relationship and the first reference model to determine whether a level of correlation between (a) the one or more observed events, and at least one of the first inferred event or the first inferred relationship and (b) the first reference model is at least a first threshold, and (2) responsive to determining the level of correlation is at least the first threshold, determining a combination of the one or more observed events, one or more observed relationships and at least one of the first inferred event or the first inferred relationship is associated with the known cyber-attack,wherein each of the one or more observed events, and the first inferred event is an action or operation resulting from an execution of code, andwherein each of the first relationship and the second relationship comprises a connection that occurs during computer processing between at least two events.
  • 23. The system of claim 22, wherein a first reference model of the one or more reference models includes a first event, a second event and a relationship identifying that the second event is based on the first event.
  • 24. The system of claim 22, wherein a first reference model of the one or more reference models includes a mathematical union of a second reference model and a third reference model.
  • 25. The system of claim 22, wherein the accessing of the information associated with the one or more observed events and the accessing of the one or more reference models is triggered by reception of a predetermined amount of data.
  • 26. The system of claim 22, further comprising: the first logic in communication with the data store and the event log control logic that, when executed by the one or more processors, enhances the first reference model by adding at least an added first event to the first reference model, the added first event being included in the information associated with one or more observed events.
  • 27. The system of claim 22, wherein each connection is a causal connection.
  • 28. The system of claim 22, further comprising: a display screen generation logic configured to generate a display including a first nodal diagram and a second nodal diagram, the first nodal diagram including the first reference model and the second nodal diagram including the information associated with one or more observed events, wherein (1) the events of the first reference model and the one or more observed events are represented by nodes, and(2) relationships of the first reference model are displayed as connections corresponding to the events of the first reference model and relationships corresponding to the one or more observed events are displayed as connections between the one or more observed events.
  • 29. A system comprising: one or more hardware processors; anda non-transitory storage module communicatively coupled to the one or more processors, the storage module comprises (i) an event log to store received information associated with one or more observed events, (ii) a data store to store one or more reference models, and (iii) logic that, upon execution by the one or more processors, accesses information associated with one or more observed events, wherein a first observed event and a second observed event are associated via a first observed relationship;accesses a reference model of a plurality of reference models, the reference model is based on a first plurality of events and comprises a first event, a second event and a first relationship that identifies that the second event is based on the first event, wherein a combination of at least the first plurality of events and the first relationship indicates a known cyber-attack;based on a correlation between the reference model and the accessed information, infers that at least a third event of the first plurality of events has occurred or a second relationship existed, wherein neither the third event nor the second relationship is indicated by the accessed information;analyzes (i) the information associated with the one or more observed events, and at least one of the third event or the second relationship that were inferred, and (ii) the reference model to determine whether a level of correlation between (a) the one or more observed events, and at least one of the third event or the second relationship that were inferred, and (b) the reference model is at least a first threshold; andresponsive to determining the level of correlation is at least the first threshold, determines that a combination of the one or more observed events, the one or more observed relationships and at least one of the third event or the second relationship is associated with the known cyber-attack,wherein each of the first relationship and the second relationship comprises a connection that occurs during computer processing between at least two events, andwherein each of the one or more observed events and the third event is an action or operation resulting from an execution of code.
  • 30. The system of claim 29 further comprising: the first in communication with the data store and the event log that, when executed by the one or more processors, enhances the first reference model by adding at least third event to the first reference model, the third event being included in the information associated with one or more observed events.
  • 31. The system of claim 29, wherein each connection is a causal connection.
  • 32. The system of claim 29, further comprising: a display screen generation logic configured to generate a display including a first nodal diagram and a second nodal diagram, the first nodal diagram including the reference model and the second nodal diagram including the information associated with one or more observed events, wherein (1) the events of the reference model and the one or more observed events are represented by nodes, and(2) relationships of the reference model are displayed as connections corresponding to the events of the reference model and relationships corresponding to the one or more observed events are displayed as connections between the one or more observed events.
  • 33. A system for detecting malware comprising: one or more hardware processors; anda non-transitory storage module communicatively coupled to the one or more processors, the storage module comprising logic that, upon execution by the one or more processors, performs operations comprising: observing one or more events during processing of an object within a virtual machine;selecting a reference model of a plurality of reference models based on the one or more observed events, the reference model comprising a first event of a first plurality of events, a second event of the first plurality of events and a relationship that identifies that the second event is based on the first event, wherein a combination of at least the first event, the second event and the relationship indicates a known cyber-attack; andbased on a correlation between the reference model and the accessed information, inferring that at least a third event has occurred or a second relationship existed, wherein neither the third event not the second relationship is indicated by the accessed information;analyzing the information associated with the one or more observed events, the reference model, and at least one of the third event or the second relationship to determine whether a level of correlation of (i) the one or more observed events, and at least one of the second relationship or the third event, and (ii) the reference model is at least a first threshold; andresponsive to determining the level of correlation is at least the first threshold, determining a combination of the one or more observed events, and at least one of the third event or the second relationship is associated with the known cyber-attack; andwherein each of the first relationship and the second relationship comprises a connection that occurs during computer processing between at least two events, andwherein each of the one or more observed events, is an action or operation resulting from an execution of code.
  • 34. The system of claim 33, wherein the one or more processors and the storage module are included within an endpoint device.
  • 35. The system of claim 33, wherein each connection is a causal connection.
  • 36. The system of claim 33, further comprising: generating a display including a first nodal diagram and a second nodal diagram, the first nodal diagram including the reference model and the second nodal diagram including the information associated with one or more observed events, wherein (1) the events of the reference model and the one or more observed events are represented by nodes, and(2) relationships of the reference model are displayed as connections corresponding to the events of the reference model and relationships corresponding to the one or more observed events are displayed as connections between the one or more observed events.
US Referenced Citations (537)
Number Name Date Kind
4292580 Ott et al. Sep 1981 A
5175732 Hendel et al. Dec 1992 A
5440723 Arnold et al. Aug 1995 A
5490249 Miller Feb 1996 A
5657473 Killean et al. Aug 1997 A
5842002 Schnurer et al. Nov 1998 A
5978917 Chi Nov 1999 A
6088803 Tso et al. Jul 2000 A
6094677 Capek et al. Jul 2000 A
6108799 Boulay et al. Aug 2000 A
6118382 Hibbs et al. Sep 2000 A
6269330 Cidon et al. Jul 2001 B1
6272641 Ji Aug 2001 B1
6279113 Vaidya Aug 2001 B1
6298445 Shostack et al. Oct 2001 B1
6357008 Nachenberg Mar 2002 B1
6417774 Hibbs et al. Jul 2002 B1
6424627 Sørhaug et al. Jul 2002 B1
6442696 Wray et al. Aug 2002 B1
6484315 Ziese Nov 2002 B1
6487666 Shanklin et al. Nov 2002 B1
6493756 O'Brien et al. Dec 2002 B1
6550012 Villa et al. Apr 2003 B1
6700497 Hibbs et al. Mar 2004 B2
6775657 Baker Aug 2004 B1
6831893 Ben Nun et al. Dec 2004 B1
6832367 Choi et al. Dec 2004 B1
6895550 Kanchirayappa et al. May 2005 B2
6898632 Gordy et al. May 2005 B2
6907396 Muttik et al. Jun 2005 B1
6941348 Petry et al. Sep 2005 B2
6971097 Wallman Nov 2005 B1
6981279 Arnold et al. Dec 2005 B1
6995665 Appelt et al. Feb 2006 B2
7007107 Ivchenko et al. Feb 2006 B1
7028179 Anderson et al. Apr 2006 B2
7043757 Hoefelmeyer et al. May 2006 B2
7069316 Gryaznov Jun 2006 B1
7080407 Zhao et al. Jul 2006 B1
7080408 Pak et al. Jul 2006 B1
7093002 Wolff et al. Aug 2006 B2
7093239 van der Made Aug 2006 B1
7096498 Judge Aug 2006 B2
7100201 Izatt Aug 2006 B2
7107617 Hursey et al. Sep 2006 B2
7159149 Spiegel et al. Jan 2007 B2
7213260 Judge May 2007 B2
7231667 Jordan Jun 2007 B2
7240364 Branscomb et al. Jul 2007 B1
7240368 Roesch et al. Jul 2007 B1
7243371 Kasper et al. Jul 2007 B1
7249175 Donaldson Jul 2007 B1
7287278 Liang Oct 2007 B2
7308716 Danford et al. Dec 2007 B2
7328453 Merkle, Jr. et al. Feb 2008 B2
7346486 Ivancic et al. Mar 2008 B2
7356736 Natvig Apr 2008 B2
7386888 Liang et al. Jun 2008 B2
7392542 Bucher Jun 2008 B2
7418729 Szor Aug 2008 B2
7428300 Drew et al. Sep 2008 B1
7441272 Durham et al. Oct 2008 B2
7448084 Apap et al. Nov 2008 B1
7458098 Judge et al. Nov 2008 B2
7464404 Carpenter et al. Dec 2008 B2
7464407 Nakae et al. Dec 2008 B2
7467408 O'Toole, Jr. Dec 2008 B1
7478428 Thomlinson Jan 2009 B1
7480773 Reed Jan 2009 B1
7487543 Arnold et al. Feb 2009 B2
7496960 Chen et al. Feb 2009 B1
7496961 Zimmer et al. Feb 2009 B2
7519990 Xie Apr 2009 B1
7523493 Liang et al. Apr 2009 B2
7530104 Thrower et al. May 2009 B1
7540025 Tzadikario May 2009 B2
7540027 Achanta May 2009 B2
7565550 Liang et al. Jul 2009 B2
7568233 Szor et al. Jul 2009 B1
7584455 Ball Sep 2009 B2
7603715 Costa et al. Oct 2009 B2
7607171 Marsden et al. Oct 2009 B1
7639714 Stolfo et al. Dec 2009 B2
7644441 Schmid et al. Jan 2010 B2
7657419 van der Made Feb 2010 B2
7676841 Sobchuk et al. Mar 2010 B2
7698548 Shelest et al. Apr 2010 B2
7707633 Danford et al. Apr 2010 B2
7712136 Sprosts et al. May 2010 B2
7730011 Deninger et al. Jun 2010 B1
7739740 Nachenberg et al. Jun 2010 B1
7779463 Stolfo et al. Aug 2010 B2
7784097 Stolfo et al. Aug 2010 B1
7832008 Kraemer Nov 2010 B1
7836502 Zhao et al. Nov 2010 B1
7849506 Dansey et al. Dec 2010 B1
7854007 Sprosts et al. Dec 2010 B2
7869073 Oshima Jan 2011 B2
7877803 Enstone et al. Jan 2011 B2
7904959 Sidiroglou et al. Mar 2011 B2
7908660 Bahl Mar 2011 B2
7930738 Petersen Apr 2011 B1
7937761 Bennett May 2011 B1
7949849 Lowe et al. May 2011 B2
7996556 Raghavan et al. Aug 2011 B2
7996836 McCorkendale et al. Aug 2011 B1
7996904 Chiueh et al. Aug 2011 B1
7996905 Arnold et al. Aug 2011 B2
8006305 Aziz Aug 2011 B2
8010667 Zhang et al. Aug 2011 B2
8020206 Hubbard et al. Sep 2011 B2
8028338 Schneider et al. Sep 2011 B1
8042184 Batenin Oct 2011 B1
8045094 Teragawa Oct 2011 B2
8045458 Alperovitch et al. Oct 2011 B2
8069484 McMillan et al. Nov 2011 B2
8087086 Lai et al. Dec 2011 B1
8171553 Aziz et al. May 2012 B2
8176049 Deninger et al. May 2012 B2
8176480 Spertus May 2012 B1
8201246 Wu et al. Jun 2012 B1
8204984 Aziz et al. Jun 2012 B1
8214905 Doukhvalov et al. Jul 2012 B1
8220055 Kennedy Jul 2012 B1
8225288 Miller et al. Jul 2012 B2
8225373 Kraemer Jul 2012 B2
8233882 Rogel Jul 2012 B2
8234640 Fitzgerald et al. Jul 2012 B1
8234709 Viljoen et al. Jul 2012 B2
8239944 Nachenberg et al. Aug 2012 B1
8260914 Ranjan Sep 2012 B1
8266091 Gubin et al. Sep 2012 B1
8286251 Eker et al. Oct 2012 B2
8291499 Aziz et al. Oct 2012 B2
8307435 Mann et al. Nov 2012 B1
8307443 Wang et al. Nov 2012 B2
8312545 Tuvell et al. Nov 2012 B2
8321936 Green et al. Nov 2012 B1
8321941 Tuvell et al. Nov 2012 B2
8332571 Edwards, Sr. Dec 2012 B1
8365286 Poston Jan 2013 B2
8365297 Parshin et al. Jan 2013 B1
8370938 Daswani et al. Feb 2013 B1
8370939 Zaitsev et al. Feb 2013 B2
8375444 Aziz et al. Feb 2013 B2
8381299 Stolfo et al. Feb 2013 B2
8402529 Green et al. Mar 2013 B1
8464340 Ahn et al. Jun 2013 B2
8479174 Chiriac Jul 2013 B2
8479276 Vaystikh et al. Jul 2013 B1
8479291 Bodke Jul 2013 B1
8510827 Leake et al. Aug 2013 B1
8510828 Guo et al. Aug 2013 B1
8510842 Amit et al. Aug 2013 B2
8516478 Edwards et al. Aug 2013 B1
8516590 Ranadive et al. Aug 2013 B1
8516593 Aziz Aug 2013 B2
8522348 Chen et al. Aug 2013 B2
8528086 Aziz Sep 2013 B1
8533824 Hutton et al. Sep 2013 B2
8539582 Aziz et al. Sep 2013 B1
8549638 Aziz Oct 2013 B2
8555391 Demir et al. Oct 2013 B1
8561177 Aziz et al. Oct 2013 B1
8566946 Aziz et al. Oct 2013 B1
8584094 Dadhia et al. Nov 2013 B2
8584234 Sobel et al. Nov 2013 B1
8584239 Aziz et al. Nov 2013 B2
8595834 Xie et al. Nov 2013 B2
8627476 Satish et al. Jan 2014 B1
8635696 Aziz Jan 2014 B1
8682054 Xue et al. Mar 2014 B2
8682812 Ranjan Mar 2014 B1
8689333 Aziz Apr 2014 B2
8695096 Zhang Apr 2014 B1
8713631 Pavlyushchik Apr 2014 B1
8713681 Silberman et al. Apr 2014 B2
8726392 McCorkendale et al. May 2014 B1
8739280 Chess et al. May 2014 B2
8776229 Aziz Jul 2014 B1
8782792 Bodke Jul 2014 B1
8787532 Adam Jul 2014 B1
8789172 Stolfo et al. Jul 2014 B2
8789178 Kejriwal et al. Jul 2014 B2
8793787 Ismael Jul 2014 B2
8805947 Kuzkin et al. Aug 2014 B1
8806647 Daswani et al. Aug 2014 B1
8832829 Manni et al. Sep 2014 B2
8850570 Ramzan Sep 2014 B1
8850571 Staniford et al. Sep 2014 B2
8881234 Narasimhan et al. Nov 2014 B2
8881282 Aziz et al. Nov 2014 B1
8898788 Aziz et al. Nov 2014 B1
8935779 Manni et al. Jan 2015 B2
8984638 Aziz et al. Mar 2015 B1
8990939 Staniford et al. Mar 2015 B2
8990944 Singh et al. Mar 2015 B1
8997219 Staniford et al. Mar 2015 B2
9009822 Ismael et al. Apr 2015 B1
9009823 Ismael et al. Apr 2015 B1
9027135 Aziz May 2015 B1
9069954 Anurag Jun 2015 B2
9071638 Aziz et al. Jun 2015 B1
9104867 Thioux et al. Aug 2015 B1
9106694 Aziz et al. Aug 2015 B2
9118715 Staniford et al. Aug 2015 B2
9238467 Hoye Jan 2016 B1
9270689 Wang et al. Feb 2016 B1
9361463 Ferragut Jun 2016 B2
20010005889 Albrecht Jun 2001 A1
20010047326 Broadbent et al. Nov 2001 A1
20020018903 Kokubo et al. Feb 2002 A1
20020038430 Edwards et al. Mar 2002 A1
20020091819 Melchione et al. Jul 2002 A1
20020095607 Lin-Hendel Jul 2002 A1
20020116627 Tarbotton et al. Aug 2002 A1
20020129363 McGuire Sep 2002 A1
20020144156 Copeland Oct 2002 A1
20020162015 Tang Oct 2002 A1
20020166063 Lachman et al. Nov 2002 A1
20020169952 DiSanto et al. Nov 2002 A1
20020184528 Shevenell et al. Dec 2002 A1
20020188887 Largman et al. Dec 2002 A1
20020194490 Halperin et al. Dec 2002 A1
20030074578 Ford et al. Apr 2003 A1
20030084318 Schertz May 2003 A1
20030101381 Mateev et al. May 2003 A1
20030115483 Liang Jun 2003 A1
20030188190 Aaron et al. Oct 2003 A1
20030191957 Hypponen et al. Oct 2003 A1
20030200460 Morota et al. Oct 2003 A1
20030212902 van der Made Nov 2003 A1
20030220753 Pickerd Nov 2003 A1
20030229801 Kouznetsov et al. Dec 2003 A1
20030237000 Denton et al. Dec 2003 A1
20040003323 Bennett et al. Jan 2004 A1
20040015712 Szor Jan 2004 A1
20040019832 Arnold et al. Jan 2004 A1
20040047356 Bauer Mar 2004 A1
20040083408 Spiegel et al. Apr 2004 A1
20040088581 Brawn et al. May 2004 A1
20040093513 Cantrell et al. May 2004 A1
20040111531 Staniford et al. Jun 2004 A1
20040117478 Triulzi et al. Jun 2004 A1
20040117624 Brandt et al. Jun 2004 A1
20040128355 Chao et al. Jul 2004 A1
20040165588 Pandya Aug 2004 A1
20040236963 Danford et al. Nov 2004 A1
20040243349 Greifeneder et al. Dec 2004 A1
20040243829 Jordan Dec 2004 A1
20040249911 Alkhatib et al. Dec 2004 A1
20040255161 Cavanaugh Dec 2004 A1
20040268147 Wiederin et al. Dec 2004 A1
20050005159 Oliphant Jan 2005 A1
20050021740 Bar et al. Jan 2005 A1
20050033960 Vialen et al. Feb 2005 A1
20050033989 Poletto et al. Feb 2005 A1
20050050148 Mohammadioun et al. Mar 2005 A1
20050086523 Zimmer et al. Apr 2005 A1
20050091513 Mitomo et al. Apr 2005 A1
20050091533 Omote et al. Apr 2005 A1
20050091652 Ross et al. Apr 2005 A1
20050108562 Khazan et al. May 2005 A1
20050114663 Cornell et al. May 2005 A1
20050125195 Brendel Jun 2005 A1
20050149726 Joshi et al. Jul 2005 A1
20050157662 Bingham et al. Jul 2005 A1
20050183143 Anderholm et al. Aug 2005 A1
20050201297 Peikari Sep 2005 A1
20050210533 Copeland et al. Sep 2005 A1
20050238005 Chen et al. Oct 2005 A1
20050240781 Gassoway Oct 2005 A1
20050262562 Gassoway Nov 2005 A1
20050265331 Stolfo Dec 2005 A1
20050283839 Cowburn Dec 2005 A1
20060010495 Cohen et al. Jan 2006 A1
20060015416 Hoffman et al. Jan 2006 A1
20060015715 Anderson Jan 2006 A1
20060015747 Van de Ven Jan 2006 A1
20060021029 Brickell et al. Jan 2006 A1
20060021054 Costa et al. Jan 2006 A1
20060031476 Mathes et al. Feb 2006 A1
20060047665 Neil Mar 2006 A1
20060070130 Costea et al. Mar 2006 A1
20060075496 Carpenter et al. Apr 2006 A1
20060095968 Portolani et al. May 2006 A1
20060101516 Sudaharan et al. May 2006 A1
20060101517 Banzhof et al. May 2006 A1
20060117385 Mester et al. Jun 2006 A1
20060123477 Raghavan et al. Jun 2006 A1
20060143709 Brooks et al. Jun 2006 A1
20060150249 Gassen et al. Jul 2006 A1
20060161983 Cothrell et al. Jul 2006 A1
20060161987 Levy-Yurista Jul 2006 A1
20060161989 Reshef et al. Jul 2006 A1
20060164199 Gilde et al. Jul 2006 A1
20060173992 Weber et al. Aug 2006 A1
20060179147 Tran et al. Aug 2006 A1
20060184632 Marino et al. Aug 2006 A1
20060191010 Benjamin Aug 2006 A1
20060221956 Narayan et al. Oct 2006 A1
20060236393 Kramer et al. Oct 2006 A1
20060242709 Seinfeld et al. Oct 2006 A1
20060248519 Jaeger et al. Nov 2006 A1
20060248582 Panjwani et al. Nov 2006 A1
20060251104 Koga Nov 2006 A1
20060288417 Bookbinder et al. Dec 2006 A1
20070006288 Mayfield et al. Jan 2007 A1
20070006313 Porras et al. Jan 2007 A1
20070011174 Takaragi et al. Jan 2007 A1
20070016951 Piccard et al. Jan 2007 A1
20070033645 Jones Feb 2007 A1
20070038943 FitzGerald et al. Feb 2007 A1
20070064689 Shin et al. Mar 2007 A1
20070074169 Chess et al. Mar 2007 A1
20070094730 Bhikkaji et al. Apr 2007 A1
20070101435 Konanka et al. May 2007 A1
20070128855 Cho et al. Jun 2007 A1
20070142030 Sinha et al. Jun 2007 A1
20070143827 Nicodemus et al. Jun 2007 A1
20070156895 Vuong Jul 2007 A1
20070157180 Tillmann et al. Jul 2007 A1
20070157306 Elrod et al. Jul 2007 A1
20070168988 Eisner et al. Jul 2007 A1
20070171824 Ruello et al. Jul 2007 A1
20070174911 Kronenberg et al. Jul 2007 A1
20070174915 Gribble et al. Jul 2007 A1
20070192500 Lum Aug 2007 A1
20070192858 Lum Aug 2007 A1
20070198275 Malden et al. Aug 2007 A1
20070208822 Wang et al. Sep 2007 A1
20070220607 Sprosts et al. Sep 2007 A1
20070240218 Tuvell et al. Oct 2007 A1
20070240219 Tuvell et al. Oct 2007 A1
20070240220 Tuvell et al. Oct 2007 A1
20070240222 Tuvell et al. Oct 2007 A1
20070250930 Aziz et al. Oct 2007 A1
20070256132 Oliphant Nov 2007 A2
20070271446 Nakamura Nov 2007 A1
20080005782 Aziz Jan 2008 A1
20080028463 Dagon et al. Jan 2008 A1
20080032556 Schreier Feb 2008 A1
20080040710 Chiriac Feb 2008 A1
20080046781 Childs et al. Feb 2008 A1
20080066179 Liu Mar 2008 A1
20080066180 Repasi et al. Mar 2008 A1
20080072326 Danford et al. Mar 2008 A1
20080077793 Tan et al. Mar 2008 A1
20080080518 Hoeflin et al. Apr 2008 A1
20080086720 Lekel Apr 2008 A1
20080098476 Syversen Apr 2008 A1
20080120722 Sima et al. May 2008 A1
20080134178 Fitzgerald et al. Jun 2008 A1
20080134334 Kim et al. Jun 2008 A1
20080141376 Clausen et al. Jun 2008 A1
20080184373 Traut et al. Jul 2008 A1
20080189787 Arnold et al. Aug 2008 A1
20080201778 Guo et al. Aug 2008 A1
20080209557 Herley et al. Aug 2008 A1
20080215742 Goldszmidt et al. Sep 2008 A1
20080222729 Chen et al. Sep 2008 A1
20080263665 Ma et al. Oct 2008 A1
20080295172 Bohacek Nov 2008 A1
20080301810 Lehane et al. Dec 2008 A1
20080307524 Singh et al. Dec 2008 A1
20080313738 Enderby Dec 2008 A1
20080320594 Jiang Dec 2008 A1
20090003317 Kasralikar et al. Jan 2009 A1
20090007100 Field et al. Jan 2009 A1
20090007227 Burgess Jan 2009 A1
20090013408 Schipka Jan 2009 A1
20090031423 Liu et al. Jan 2009 A1
20090036111 Danford et al. Feb 2009 A1
20090037835 Goldman Feb 2009 A1
20090044024 Oberheide et al. Feb 2009 A1
20090044274 Budko et al. Feb 2009 A1
20090064332 Porras et al. Mar 2009 A1
20090077666 Chen et al. Mar 2009 A1
20090083369 Marmor Mar 2009 A1
20090083855 Apap et al. Mar 2009 A1
20090089879 Wang et al. Apr 2009 A1
20090094697 Provos et al. Apr 2009 A1
20090113425 Ports et al. Apr 2009 A1
20090125976 Wassermann et al. May 2009 A1
20090126015 Monastyrsky et al. May 2009 A1
20090126016 Sobko et al. May 2009 A1
20090133125 Choi et al. May 2009 A1
20090144823 Lamastra et al. Jun 2009 A1
20090158430 Borders Jun 2009 A1
20090172815 Gu et al. Jul 2009 A1
20090187992 Poston Jul 2009 A1
20090193293 Stolfo et al. Jul 2009 A1
20090199296 Xie et al. Aug 2009 A1
20090228233 Anderson et al. Sep 2009 A1
20090241187 Troyansky Sep 2009 A1
20090241190 Todd et al. Sep 2009 A1
20090265692 Godefroid et al. Oct 2009 A1
20090271867 Zhang Oct 2009 A1
20090300415 Zhang et al. Dec 2009 A1
20090300761 Park et al. Dec 2009 A1
20090328185 Berg et al. Dec 2009 A1
20090328221 Blumfield et al. Dec 2009 A1
20100005146 Drako et al. Jan 2010 A1
20100011205 McKenna Jan 2010 A1
20100017546 Poo et al. Jan 2010 A1
20100027432 Gopalan Feb 2010 A1
20100031353 Thomas et al. Feb 2010 A1
20100037314 Perdisci et al. Feb 2010 A1
20100043073 Kuwamura Feb 2010 A1
20100054278 Stolfo et al. Mar 2010 A1
20100058474 Hicks Mar 2010 A1
20100064044 Nonoyama Mar 2010 A1
20100077481 Polyakov et al. Mar 2010 A1
20100083376 Pereira et al. Apr 2010 A1
20100115621 Staniford May 2010 A1
20100132038 Zaitsev May 2010 A1
20100154056 Smith et al. Jun 2010 A1
20100180344 Malyshev et al. Jul 2010 A1
20100192223 Ismael et al. Jul 2010 A1
20100220863 Dupaquis et al. Sep 2010 A1
20100235831 Dittmer Sep 2010 A1
20100251104 Massand Sep 2010 A1
20100275263 Bennett et al. Oct 2010 A1
20100281102 Chinta et al. Nov 2010 A1
20100281541 Stolfo et al. Nov 2010 A1
20100281542 Stolfo et al. Nov 2010 A1
20100287260 Peterson et al. Nov 2010 A1
20100299754 Amit et al. Nov 2010 A1
20100306173 Frank Dec 2010 A1
20110004737 Greenebaum Jan 2011 A1
20110023115 Wright Jan 2011 A1
20110023118 Wright Jan 2011 A1
20110025504 Lyon et al. Feb 2011 A1
20110041179 St Hlberg Feb 2011 A1
20110047594 Mahaffey et al. Feb 2011 A1
20110047620 Mahaffey et al. Feb 2011 A1
20110055907 Narasimhan et al. Mar 2011 A1
20110078794 Manni et al. Mar 2011 A1
20110093951 Aziz Apr 2011 A1
20110099620 Stavrou et al. Apr 2011 A1
20110099633 Aziz Apr 2011 A1
20110113231 Kaminsky May 2011 A1
20110141915 Choi Jun 2011 A1
20110145918 Jung et al. Jun 2011 A1
20110145920 Mahaffey et al. Jun 2011 A1
20110145934 Abramovici et al. Jun 2011 A1
20110167493 Song et al. Jul 2011 A1
20110167494 Bowen et al. Jul 2011 A1
20110173460 Ito et al. Jul 2011 A1
20110219449 St. Neitzel et al. Sep 2011 A1
20110219450 McDougal et al. Sep 2011 A1
20110225624 Sawhney et al. Sep 2011 A1
20110225655 Niemela et al. Sep 2011 A1
20110247072 Staniford et al. Oct 2011 A1
20110265182 Peinado et al. Oct 2011 A1
20110271343 Kim Nov 2011 A1
20110289582 Kejriwal et al. Nov 2011 A1
20110302587 Nishikawa et al. Dec 2011 A1
20110307954 Melnik et al. Dec 2011 A1
20110307955 Kaplan et al. Dec 2011 A1
20110307956 Yermakov et al. Dec 2011 A1
20110314546 Aziz et al. Dec 2011 A1
20120023593 Puder et al. Jan 2012 A1
20120054869 Yen et al. Mar 2012 A1
20120066698 Yanoo Mar 2012 A1
20120079596 Thomas et al. Mar 2012 A1
20120084859 Radinsky et al. Apr 2012 A1
20120110667 Zubrilin et al. May 2012 A1
20120117652 Manni et al. May 2012 A1
20120121154 Xue et al. May 2012 A1
20120124426 Maybee et al. May 2012 A1
20120137367 Dupont May 2012 A1
20120159519 Matsuda Jun 2012 A1
20120174186 Aziz et al. Jul 2012 A1
20120174196 Bhogavilli et al. Jul 2012 A1
20120174218 McCoy et al. Jul 2012 A1
20120198279 Schroeder Aug 2012 A1
20120210423 Friedrichs et al. Aug 2012 A1
20120222121 Staniford et al. Aug 2012 A1
20120255012 Sallam Oct 2012 A1
20120255015 Sahita et al. Oct 2012 A1
20120255017 Sallam Oct 2012 A1
20120260342 Dube et al. Oct 2012 A1
20120266244 Green et al. Oct 2012 A1
20120278886 Luna Nov 2012 A1
20120297489 Dequevy Nov 2012 A1
20120330801 McDougal et al. Dec 2012 A1
20130014259 Gribble et al. Jan 2013 A1
20130019309 Strayer Jan 2013 A1
20130036472 Aziz Feb 2013 A1
20130047257 Aziz Feb 2013 A1
20130074185 McDougal et al. Mar 2013 A1
20130086684 Mohler Apr 2013 A1
20130097699 Balupari et al. Apr 2013 A1
20130097706 Titonis Apr 2013 A1
20130111587 Goel et al. May 2013 A1
20130117852 Stute May 2013 A1
20130117855 Kim et al. May 2013 A1
20130139264 Brinkley et al. May 2013 A1
20130160125 Likhachev et al. Jun 2013 A1
20130160127 Jeong et al. Jun 2013 A1
20130160130 Mendelev et al. Jun 2013 A1
20130160131 Madou et al. Jun 2013 A1
20130167236 Sick Jun 2013 A1
20130174214 Duncan Jul 2013 A1
20130185789 Hagiwara et al. Jul 2013 A1
20130185795 Winn et al. Jul 2013 A1
20130185798 Saunders et al. Jul 2013 A1
20130191915 Antonakakis et al. Jul 2013 A1
20130196649 Paddon et al. Aug 2013 A1
20130227691 Aziz et al. Aug 2013 A1
20130246370 Bartram et al. Sep 2013 A1
20130263260 Mahaffey et al. Oct 2013 A1
20130291109 Staniford et al. Oct 2013 A1
20130298243 Kumar et al. Nov 2013 A1
20140053260 Gupta et al. Feb 2014 A1
20140053261 Gupta Feb 2014 A1
20140082407 Kochut Mar 2014 A1
20140090056 Manadhata et al. Mar 2014 A1
20140122391 Mugan May 2014 A1
20140130158 Wang et al. May 2014 A1
20140137180 Lukacs et al. May 2014 A1
20140165140 Singla Jun 2014 A1
20140169762 Ryu Jun 2014 A1
20140179360 Jackson et al. Jun 2014 A1
20140201526 Burgess Jul 2014 A1
20140205099 Christodorescu Jul 2014 A1
20140223553 Gupta et al. Aug 2014 A1
20140328204 Klotsche et al. Nov 2014 A1
20140337836 Ismael Nov 2014 A1
20140351935 Shao et al. Nov 2014 A1
20150096025 Ismael Apr 2015 A1
20150121524 Fawaz Apr 2015 A1
20150172300 Cochenour Jun 2015 A1
20150254162 Baril Sep 2015 A1
20150341372 Brand Nov 2015 A1
20160078362 Christodorescu Mar 2016 A1
Foreign Referenced Citations (11)
Number Date Country
2439806 Jan 2008 GB
2490431 Oct 2012 GB
0206928 Jan 2002 WO
0223805 Mar 2002 WO
2007117636 Oct 2007 WO
2008041950 Apr 2008 WO
2011084431 Jul 2011 WO
2011112348 Sep 2011 WO
2012075336 Jun 2012 WO
2012145066 Oct 2012 WO
2013067505 May 2013 WO
Non-Patent Literature Citations (81)
Entry
Adobe Systems Incorporated, “PDF 32000-1:2008, Document management—Portable document format—Part1:PDF 1.7”, First Edition, Jul. 1, 2008, 756 pages.
Apostolopoulos, George; hassapis, Constantinos; “V-eM: A cluster of Virtual Machines for Robust, Detailed, and High-Performance Network Emulation”, 14th IEEE International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems, Sep. 11-14, 2006, pp. 117-126.
Clark, John, Sylvian Leblanc,and Scott Knight. “Risks associated with usb hardware trojan devices used by insiders.” Systems Conference (SysCon), 2011 IEEE International. IEEE, 2011.
FireEye Malware Analysis & Exchange Network, Malware Protection System, FireEye Inc., 2010.
FireEye Malware Analysis, Modern Malware Forensics, FireEye Inc., 2010.
FireEye v.6.0 Security Target, pp. 1-35, Version 1.1, FireEye Inc., May 2011.
Gibler, Clint, et al. AndroidLeaks: automatically detecting potential privacy leaks in android applications on a large scale. Springer Berlin Heidelberg, 2012.
Gregg Keizer: “Microsoft's HoneyMonkeys Show Patching Windows Works”, Aug. 8, 2005, XP055143386, Retrieved from the Internet: URL:https://web.archive.org/web/20121022220617/http://www.informationweek- .com/microsofts-honeymonkeys-show-patching-wi/167600716 [retrieved on Sep. 29, 2014].
Heng Yin et al, Panorama: Capturing System-Wide Information Flow for Malware Detection and Analysis, Research Showcase @ CMU, Carnegie Mellon University, 2007.
Idika et al., A-Survey-of-Malware-Detection-Techniques, Feb. 2, 2007, Department of Computer Science, Purdue University.
Isohara, Takamasa, Keisuke Takemori, and Ayumu Kubota. “Kernel-based behavior analysis for android malware detection.” Computational intelligence and Security (CIS), 2011 Seventh International Conference on. IEEE, 2011.
Kevin A Roundy et al: “Hybrid Analysis and Control of Malware”, Sep. 15, 2010, Recent Advances in Intrusion Detection, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 317-338, XP019150454 ISBN:978-3-642-15511-6.
Leading Colleges Select FireEye to Stop Malware-Related Data Breaches, FireEye Inc., 2009.
Li et al., A VMM-Based System Call Interposition Framework for Program Monitoring, Dec. 2010, IEEE 16th International Conference on Parallel and Distributed Systems, pp. 706-711.
Lindorfer, Martina, Clemens Kolbitsch, and Paolo Milani Comparetti. “Detecting environment-sensitive malware.” Recent Advances in Intrusion Detection. Springer Berlin Heidelberg, 2011.
Mori, Detecting Unknown Computer Viruses, 2004, Springer-Verlag Berlin Heidelberg.
Oberheide et al., CloudAV.sub.—N-Version Antivirus in the Network Cloud, 17th USENIX Security Symposium USENIX Security '08 Jul. 28-Aug. 1, 2008 San Jose, CA.
U.S. Pat. No. 8,171,553 filed Apr. 20, 2006, Inter Parties Review Decision dated Jul. 10, 2015.
U.S. Pat. No. 8,291,499 filed Mar. 16, 2012, Inter Parties Review Decision dated Jul. 10, 2015.
Wahid et al., Characterising the Evolution in Scanning Activity of Suspicious Hosts, Oct. 2009, Third International Conference on Network and System Security, pp. 344-350.
Yuhei Kawakoya et al: “Memory behavior-based automatic malware unpacking in stealth debugging environment”, Malicious and Unwanted Software (Malware), 2010 5th International Conference on, IEEE, Piscataway, NJ, USA, Oct. 19, 2010, pp. 39-46, XP031833827, ISBN:978-1-4244-8-9353-1.
Zhang et al., The Effects of Threading, Infection Time, and Multiple-Attacker Collaboration on Malware Propagation, Sep. 2009, IEEE 28th International Symposium on Reliable Distributed Systems, pp. 73-82.
Thomas H. Ptacek, and Timothy N. Newsham , “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”, Secure Networks, (“Ptacek”), (Jan. 1998).
U.S. Appl. No. 11/717,475, filed Mar. 12, 2007 Final Office Action dated Feb. 27, 2013.
U.S. Appl. No. 11/717,475, filed Mar. 12, 2007 Final Office Action dated Nov. 22, 2010.
U.S. Appl. No. 11/717,475, filed Mar. 12, 2007 Non-Final Office Action dated Aug. 28, 2012.
U.S. Appl. No. 11/717,475, filed Mar. 12, 2007 Non-Final Office Action dated May 6, 2010.
U.S. Appl. No. 14/059,381, filed Oct. 21, 2013 Non-Final Office Action dated Oct. 29, 2014.
Venezia, Paul, “NetDetector Captures Intrusions”, InfoWorld Issue 27, (“Venezia”), (Jul. 14, 2003).
Whyte, et al., “DNS-Based Detection of Scanning Works in an Enterprise Network”, Proceedings of the 12th Annual Network and Distributed System Security Symposium, (Feb. 2005), 15 pages.
Williamson, Mathew M., “Throttling Virses: Restricting Propagation to Defeat Malicious Mobile Code”, ACSAC Conference, Las Vegas, NV, USA, (Dec. 2002), pp. 1-9.
“Network Security: NetDetector—Network Intrusion Forensic System (NIFS) Whitepaper”, (“NetDetector Whitepaper”), (2003).
“Packet”, Microsoft Computer Dictionary Microsoft Press, (Mar. 2002), 1 page.
“When Virtual is Better Than Real”, IEEEXplore Digital Library, available at, http://ieeexplore.ieee.org/xpl/articleDetails.jso?reload=true&arnumber=990073, (Dec. 7, 2013).
Abdullah, et al., Visualizing Network Data for Intrusion Detection, 2005 IEEE Workshop on Information Assurance and Security, pp. 100-108.
Adetoye, Adedayo, et al., “Network Intrusion Detection & Response System”, (“Adetoye”) (Sep. 2003).
AltaVista Advanced Search Results. “attack vector identifier” Http://www.altavista.com/web/results?Itag=ody&pg=aq&aqmode=aqa=Event+Orchestrator..., (Accessed on Sep. 15, 2009).
AltaVista Advanced Search Results. “Event Orchestrator”. Http://www.altavista.com/web/results?Itag=ody&pg=aq&aqmode=aqa=Event+Orchesrator..., (Accessed on Sep. 3, 2009).
Aura, Tuomas, “Scanning electronic documents for personally identifiable information”, Proceedings of the 5th ACM workshop on Privacy in electronic society. ACM, 2006.
Aziz, Ashar, System and Method for Malware Containment, U.S. Appl. No. 14/620,060, filed Feb. 11, 2015, non-Final Office Action dated Apr. 3, 2015.
Baecher, “The Nepenthes Platform: An Efficient Approach to collect Malware”, Springer-verlaq Berlin Heidelberg, (2006), pp. 165-184.
Baldi, Mario; Risso, Fulvio; “A Framework for Rapid Development and Portable Execution of Packet-Handling Applications”, 5th IEEE International Symposium Processing and Information Technology, Dec. 21, 2005, pp. 233-238.
Bayer, et al., “Dynamic Analysis of Malicious Code”, J Comput Virol, Springer-Verlag, France., (2006), pp. 67-77.
Boubalos, Chris , “extracting syslog data out of raw pcap dumps, seclists.org, Honeypots mailing list archives”, available at http://seclists,org/honeypots/2003/q2/319 (“Boubalos”), (Jun. 5, 2003).
Chaudet, C., et al., “Optimal Positioning of Active and Passive Monitoring Devices”, International Conference on Emerging Networking Experiments and Technologies, Proceedings of the 2005 ACM Conference on Emerging Network Experiment and Technology, CoNEXT '05, Toulousse, France, (Oct. 2005), pp. 71-82.
Cisco “Intrusion Prevention for the Cisco ASA 5500-x Series” Data Sheet (2012).
Cisco, Configuring the Catalyst Switched Port Analyzer (SPAN) (“Cisco”), (1992-2003).
Cohen, M.I., “PyFlag—An advanced network forensic framework”, Digital investigation 5, ELSEVIER, (2008), pp. S112-S120.
Costa, M., et al., “Vigilante: End-to-End Containment of Internet Worms”, SOSP '05 Association for Computing Machinery, Inc., Brighton U.K., (Oct. 23-26, 2005).
Crandall, J.R., et al., “Minos:Control Data Attack Prevention Orthogonal to Memory Model”, 37th International Symposium on Microarchitecture, Portland, Oregon, (Dec. 2004).
Deutsch, P., ““Zlib compressed data format specification version 3.3” RFC 1950, (1996)”.
Distler, “Malware Analysis: An Introduction”, SANS Institute InfoSec Reading Room, SANS Institute, (2007).
Dunlap, George W. , et al., “ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay”, Proceeding of the 5th Symposium on Operating Systems Design and Implementation, USENIX Association, (“Dunlap”), (Dec. 9, 2002).
Excerpt regarding First Printing Date for Merike Kaeo, Designing Network Security (“Kaeo”), (2005).
Filiol, Eric , et al., “Combinatorial Optimisation of Worm Propagation on an Unknown Network”, International Journal of Computer Science 2.2 (2007).
Goel, et al., Reconstructing System State for Intrusion Analysis, Apr. 2008 SIGOPS Operating Systems Review vol. 42 Issue 3, pp. 21-28.
Hjelmvik, Erik, “Passive Network Security Analysis with NetworkMiner”, (IN)Secure, Issue 18, (Oct. 2008), pp. 1-100.
IEEE Xplore Digital Library Sear Results for “detection of unknown computer worms”. Http//ieeexplore.ieee.org/searchresult.jsp?SortField=Score&SortOrder=desc&ResultC... (Accessed on Aug. 28, 2009).
Kaeo, Merike, “Designing Network Security”, (“Kaeo”), (Nov. 2003).
Kim, H., et al., “Autograph: Toward Automated, Distributed Worm Signature Detection”, Proceedings of the 13th Usenix Security Symposium (Security 2004), San Diego, (Aug. 2004), pp. 271-286.
King, Samuel T., et al., “Operating System Support for Virtual Machines”, (“King”).
Krasnyansky, Max, et al., Universal TUN/TAP driver, available at https://www.kernel.org/doc/Documentation/networking/tuntap.txt (2002) (“Krasnyansky”).
Kreibich, C., et al., “Honeycomb-Creating Intrusion Detection Signatures Using Honeypots”, 2nd Workshop on Hot Topics in Networks (HotNets-11), Boston, USA, (2003).
Kristoff, J., “Botnets, Detection and Mitigation: DNS-Based Techniques”, NU Security Day, (2005), 23 pages.
Liljenstam, Michael, et al., “Simulating Realistic Network Traffic for Worm Warning System Design and Testing”, Institute for Security Technology studies, Dartmouth College, (“Liljenstam”), (Oct. 27, 2003).
Lok Kwong et al: “DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis”, Aug. 10, 2012, XP055158513, Retrieved from the Internet: URL:https://www.usenix.org/system/files/conference/usenixsecurity12/sec12- -final107.pdf [retrieved on Dec. 15, 2014].
Marchette, David J., Computer Intrusion Detection and Network Monitoring: A Statistical (“Marchette”), (2001).
Margolis, P.E., “Random House Webster's Computer & Internet Dictionary 3rd Edition”, ISBN 0375703519, (Dec. 1998).
Moore, D., et al., “Internet Quarantine: Requirements for Containing Self-Propagating Code”, INFOCOM, vol. 3, (Mar. 30-Apr. 3, 2003), pp. 1901-1910.
Morales, Jose A., et al., ““Analyzing and exploiting network behaviors of malware.””, Security and Privacy in Communication Networks. Springer Berlin Heidelberg, 2010. 20-34.
Natvig, Kurt, “Sandboxii: Internet”, Virus Bulletin Conference, (“Natvig”), (Sep. 2002).
NetBIOS Working Group. Protocol Standard for a NetBIOS Service on a TCP/UDP transport: Concepts and Methods. STD 19, RFC 1001, Mar. 1987.
Newsome, J., et al., “Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software”, In Proceedings of the 12th Annual Network and Distributed System Security, Symposium (NDSS '05), (Feb. 2005).
Newsome, J., et al., “Polygraph: Automatically Generating Signatures for Polymorphic Worms”, In Proceedings of the IEEE Symposium on Security and Privacy, (May 2005).
Nojiri, D. , et al., “Cooperation Response Strategies for Large Scale Attack Mitigation”, DARPA Information Survivability Conference and Exposition, vol. 1, (Apr. 22-24, 2003), pp. 293-302.
Peter M. Chen, and Brian D. Noble, “When Virtual Is Better Than Real, Department of Electrical Engineering and Computer Science”, University of Michigan (“Chen”).
Reiner Sailer, Enriquillo Valdez, Trent Jaeger, Roonald Perez, Leendert van Doom, John Linwood Griffin, Stefan Berger., sHype: Secure Hypervisor Approach to Trusted Virtualized Systems (Feb. 2, 2005) (“Sailer”).
Silicon Defense, “Worm Containment in the Internal Network”, (Mar. 2003), pp. 1-25.
Singh, S., et al., “Automated Worm Fingerprinting”, Proceedings of the ACM/USENIX Symposium on Operating System Design and Implementation, San Francisco, California, (Dec. 2004).
Spitzner, Lance, “Honeypots: Tracking Hackers”, (“Spizner”), (Sep. 17, 2002).
The Sniffers's Guide to Raw Traffic available at: yuba.stanford.edu/˜casado/pcap/sectionl.html, (Jan. 6, 2014).