Embodiments of the disclosure relate to the field of cyber security. More specifically, embodiments of the disclosure relate to a system for detecting malware and/or exploits through the comparison of incoming data with reference models describing known instances of malicious behavior.
Over the last decade, malicious software has become a pervasive problem for Internet users as many networked resources include vulnerabilities that are subject to cyber-attacks. For instance, over the past few years, more and more vulnerabilities are being discovered in software that is loaded onto endpoint devices present on the network, such as vulnerabilities within operating systems for example. These vulnerabilities may be exploited by a person allowing the person to gain access to one or more areas within the network not typically accessible. For example, a person may exploit a vulnerability to gain unauthorized access to email accounts and/or data files.
While some vulnerabilities continue to be addressed through software patches, prior to the release of such software patches, network devices will continue to be targeted for cyber-attacks, for example, by exploits, namely malicious computer code that attempts to acquire sensitive information or adversely influence or attack normal operations of the network device or the entire enterprise network by taking advantage of a vulnerability in computer software.
Currently, a threat detection system observes suspicious or malicious exploits and presents the information regarding the exploits in a list format. While the list format may provide security personnel information directed to uncovered exploits or other detected malicious actions, it fails to identify any relationships between the exploits that would allow security personnel to better understand potential effects, both detected and undetected, caused by the malicious exploit.
In addition, current systems fail to generate reference models based on observed exploits, malicious behaviors, anomalous behaviors (e.g., deviating from typical or expected behavior) or the like for comparison against events observed at a later time.
Embodiments of the invention are illustrated by way of example and not by way of limitation in the figures of the accompanying drawings, in which like references indicate similar elements and in which:
Various embodiments of the disclosure relate to a malware detection and visualization system that improves exploit detection and/or visual representation of the detection of suspected malware. The malware detection and visualization system includes a machine learning engine that generates reference models used in exploit detection as well as interactive display screen information based on data transmitted to the malware detection and visualization system from one or more endpoint devices, one or more threat detection systems and/or cloud computing services. The generated reference models may be combined to generate malware family reference models allowing the malware detection and visualization system to compare observed events on the network to particularized malware threats in the form of malware affecting a specific file type or malware detected in a common location (e.g., email). Alternatively, a comparison with several reference models or with a large malware family reference model may provide detection against a large range of malware threats. The malware detection and visualization system may take the form of a security appliance or security cloud service, for example. Alternatively, an electronic device may be configured with software, hardware or firmware that includes a malware detection and visualization system. The malware detection and visualization system may be implemented in real-time (e.g., as incoming data is being processed) or as a forensic investigative tool (e.g., after the incoming data has been processed to determine the root cause of a malware exploited has been executed).
The malware detection and visualization system also includes a user interface rendering subsystem that generates interactive display screens from the interactive display screen information and allows security personnel to select displayed malicious events in order to acquire additional information concerning such events as well as generate an alert or a (malware) signature that may be used for subsequent detection of malware associated with these malicious events. The interactive display screens provide a network administrator with a visual representation that compares a reference model of events (e.g., known exploits) and the relationships connecting the events with a group of potentially malicious events and their relationships to one another. The group of potentially malicious events may be derived from observations of endpoint devices, threat detection systems and/or cloud computing services connected to the malware detection and visualization system over a network.
Specifically, in one embodiment, the visual representation allows a viewer to convert a list of events into a nodal diagram in either a top-down representation or a left-to-right representation. The nodal diagrams may enable a view, such as network security personnel, to see how each event relates to one another, if at all. Furthermore, the nodal diagrams provide the visual representation necessary for a viewer to select one or more events, referred to herein as a “grouping” of events, to generate a signature or alert. The signature of a grouping of events may be used as a reference model to check for a particular sequence of events in data received in the future or added to an existing reference model. The alert may be used to notify the network administrator of the observation of a grouping of events that typically implies malicious activity on the network thereby allowing prevention actions to be taken to guard against the malicious activity.
Embodiments of the invention may be employed by or take the form of a network device or apparatus implementing a malware detection and visualization system (MDVS), where the malware detection and visualization system includes a machine learning engine for analyzing data received by the MDVS. The data may include information regarding the observation of events by a server or client device or other system (called an “endpoint”), a threat detection systems (TDS) and/or a cloud computing service. In some embodiments, the observations of events may take place while an endpoint device is operating in real-time or the observations may take place while incoming data is being processed in one or more virtual machines. Examples of incoming data may include, but are not limited or restricted to, network traffic, static files containing structured or unstructured data maintained locally or on a peripheral device and/or executable files. According to one embodiment of the disclosure, an endpoint device, TDS or cloud computing service transmits data regarding an observation of one or more events and/or relationships when an anomalous characteristic of incoming data is observed and thus indicative of an exploit. If so, one or more portions of data may be labeled “suspicious.” Throughout the specification, claims and figures, the term “network traffic” will be used in the discussion but any form of incoming data may be substituted.
A TDS may perform static and/or dynamic analyses on incoming data (e.g., network traffic) to determine whether an object of the incoming data is suspicious or malicious. An illustrative example of the static and dynamic analyses is illustrated in the threat detection and prevention (TDP) system in a prior U.S. patent application entitled “System, Apparatus and Method for Automatically Verifying Exploits Within Suspect Objects and Highlighting the Display Information Associated with the Verified Exploits,” U.S. patent application Ser. No. 14/228,073 filed Mar. 27, 2014, the contents of which are incorporated by reference.
In particular, the machine learning engine may be activated automatically in response to an alert condition that signifies detection of a malicious event by an endpoint device, a TDS and/or a cloud computing service within the network. Alternatively, the machine learning engine may be activated in accordance with a time-based schedule or manually by a user such as security personnel. For instance, the machine learning engine may be activated manually upon selecting a particular visual representation associated with the observance of a malicious event, where one or more events may be concurrently presented on an interactive display screen, and then subsequently selecting a prescribed item on the display screen (e.g., “exploit visualization” button or “timeline visualization” button).
After activation, the machine learning engine may be adapted to obtain received data from a machine learning data store and/or event log, where the received data may include metadata associated with malicious events detected by one or more endpoint devices, TDSes and/or a cloud computing service. The machine learning engine generates a visual representation in the form of a nodal diagram illustrating a potential malware infection, where each node or relationship included in the nodal diagram represents an action, operation, file, process, etc. associated with an anomalous event or relationship. This provides a network administrator with one or more displays directed to the sequence of events to identify which network device(s) and or file(s) within the network may have been infected by the anomalous event. For example, the anomalous event may be an atypical, but non-malicious, operation or relationship; alternatively, the anomalous event may be realized as a malicious event or relationship.
In the nodal diagrams, each event may be selected to display additional information, including, any or all of the following metadata directed to the observance of the selected event: (1) time and date of observance; (2) address information such as the path within the file system in which the affected file is located; (3) process identification of the affected process (if applicable); (4) the particulars of the particular electronic device or cloud computing service that detected the event; and/or (5) the relationship to one or more events associated with the selected event.
I. Terminology
In the following description, certain terminology is used to describe features of the invention. For example, in certain situations, both terms “logic” and “engine” are representative of hardware, firmware and/or software that is configured to perform one or more functions. As hardware, logic (or engine) may include circuitry having data processing or storage functionality. Examples of such circuitry may include, but are not limited or restricted to a microprocessor, one or more processor cores, a programmable gate array, a microcontroller, a controller, an application specific integrated circuit, wireless receiver, transmitter and/or transceiver circuitry, semiconductor memory, or combinatorial logic.
Logic (or engine) may be software in the form of one or more software modules, such as executable code in the form of an executable application, an application programming interface (API), a subroutine, a function, a procedure, an applet, a servlet, a routine, source code, object code, a shared library/dynamic load library, or one or more instructions. These software modules may be stored in any type of a suitable non-transitory storage medium, or transitory storage medium (e.g., electrical, optical, acoustical or other form of propagated signals such as carrier waves, infrared signals, or digital signals). Examples of non-transitory storage medium may include, but are not limited or restricted to a programmable circuit; a semiconductor memory; non-persistent storage such as volatile memory (e.g., any type of random access memory “RAM”); persistent storage such as non-volatile memory (e.g., read-only memory “ROM”, power-backed RAM, flash memory, phase-change memory, etc.), a solid-state drive, hard disk drive, an optical disc drive, or a portable memory device. As firmware, the executable code is stored in persistent storage.
An “exploit” may be construed broadly as information (e.g., executable code, data, command(s), etc.) that attempts to take advantage of a vulnerability and/or an action by a person gaining unauthorized access to one or more areas of a network, a computer and/or an electronic device. Typically, a “vulnerability” is a coding error or artifact of software (e.g., computer program) that allows an attacker to alter legitimate control flow during processing of the software (computer program) by a network device, and thus, causes the network device to experience undesirable or anomalous behaviors. The undesired or anomalous behaviors may include a communication-based anomaly or an execution-based anomaly, which, for example, could (1) alter the functionality of an network device executing application software in an atypical manner (a file is opened by a first process where the file is configured to be opened by a second process and not the first process); (2) alter the functionality of the network device executing that application software without any malicious intent; and/or (3) provide unwanted functionality which may be generally acceptable in another context. To illustrate, a computer program may be considered as a state machine, where all valid states (and transitions between states) are managed and defined by the program, in which case an exploit may be viewed as seeking to alter one or more of the states (or transitions) from those defined by the program. The term “anomalous behavior” should be understood to include either (i) a first event that is an atypical occurrence or a malicious occurrence, or (ii) a relationship identifying that the first event is based on a second event, the relationship being an atypical relationship between the first and second event or a relationship between the first and second events that is malicious to the network, electronic device on which the relationship appears, or to one or more users of the electronic device or of the network.
According to one embodiment, malware may be construed broadly as computer code that executes an exploit to take advantage of a vulnerability, for example, to harm or co-opt operation of a network device or misappropriate, modify or delete data. Conventionally, malware is often said to be designed with malicious intent.
The term “transmission medium” is a physical or logical communication path between two or more network devices (e.g., any devices with data processing and network connectivity such as, for example, a security appliance, a server, a mainframe, a computer such as a desktop or laptop, netbook, tablet, firewall, smart phone, router, switch, bridge, etc.). For instance, the communication path may include wired and/or wireless segments. Examples of wired and/or wireless segments include electrical wiring, optical fiber, cable, bus trace, or a wireless channel using infrared, radio frequency (RF), or any other wired/wireless signaling mechanism.
The term “network device” should be construed as any electronic device with the capability of connecting to a network. Such a network may be a public network such as the Internet or a private network such as a wireless data telecommunication network, wide area network, a type of local area network (LAN), or a combination of networks. Examples of a network device may include, but are not limited or restricted to, a laptop, a mobile phone, a tablet, a computer, etc.
The term “computerized” generally represents that any corresponding operations are conducted by hardware in combination with software and/or firmware. Also, the terms “compare” or “comparison” generally mean determining if a match (e.g., a certain level of correlation) is achieved between two items where one of the items may include a particular signature pattern.
The term “signature” designates an indicator of a set of characteristics and/or behaviors exhibited by one or more exploits that may not be unique to those exploit(s). Thus, a match of the signature may indicate to some level of probability, often well less than 100%, that a portion of received data constitutes an exploit. In some contexts, those of skill in the art have used the term “signature” as a unique identifier or “fingerprint,” for example of a specific virus or virus family (or other exploit), which is generated for instance as a hash of its machine code, and that is a special sub-case for purposes of this disclosure.
The term “observed” indicates that an event or relationship has been detected with a prescribed level of confidence (or probability). A first event or relationship may be observed with a first confidence while a second event or relationship may be observed with a second confidence, the second confidence being lower or higher than the first confidence. Examples of an event may include, but are not limited or restricted to, a process (e.g., an executable file), a non-executable file (e.g., a text document or a registry file), a unique address or location (e.g., a particular website, Internet Protocol (IP) address, or file location).
The term “reference model” should be interpreted as an association of a plurality of events wherein each event is connected to another event and the association includes at least one anomalous behavior (e.g., anomalous event or relationship). For example, a reference model may include a process that (1) injects code into a file unexpectedly and (2) opens multiple files wherein the opening of the files constitutes anomalous behavior. Throughout the specification and claims, the terms “reference model” and “signature” will be used interchangeably.
The term “relationship” means the connection or association of a first event with a second event. Examples of a relationship may include, but are not limited or restricted to, an event: starting a process, terminating a process, modifying a file, generating a file, opening a file, closing a file, deleting a file, infecting a file and/or process, injecting code into file and/or process and/or generating a mutual exclusion (mutex) on a particular file, process, application, etc.
The term “particular” should be interpreted as a characteristic of an event. Examples of particulars include, but are not limited or restricted to, a process identification (PID), a process name, a file name, a process or file path (i.e., unique location on an electronic device), the date and/or time the event was observed and/or occurred, an application programming interface (API) call involved and/or a hash value of the one or more processes or files involved.
Lastly, the terms “or” and “and/or” as used herein are to be interpreted as inclusive or meaning any one or any combination. Therefore, “A, B or C” or “A, B and/or C” mean “any of the following: A; B; C; A and B; A and C; B and C; A, B and C.” An exception to this definition will occur only when a combination of elements, functions, steps or acts are in some way inherently mutually exclusive.
The invention may be utilized for displaying an interactive infection visualization detailing detection, verification and/or prioritization of malicious content. As this invention is susceptible to embodiments of many different forms, it is intended that the present disclosure is to be considered as an example of the principles of the invention and not intended to limit the invention to the specific embodiments shown and described.
II. Malware Detection and Visualization System
Referring to
At block 120, the MDVS generates a reference model based on, at least, the received data. The MDVS may use the generated reference to: (i) perform an exploit detection process by comparing data received from one or more sources at a later time to the generated reference model and provide exploit detection feedback to block 120, if applicable (block 130); (ii) generate a malware family reference model from a plurality of generated reference models or reference models received over the network (block 140); and/or (iii) generate one or more interactive display screens to aid in the detection and tracing of exploits and/or one or more anomalous behaviors and provide interactive display screen input to block 120, if applicable (block 150).
Referring to
As shown in
In general, the endpoint devices 2501 and 2502 may observe one or more events during operation of the device and transmit a log of the events along with particulars of the events to the MDVS 200. In addition, the TDSes 2601-2603 may observe one or more events while processing, for instance in one or more virtual machines, one or more portions of data received over the network 240. The TDSes 2601-2603 may then transmit a log containing the events and their particulars to the MDVS 200. The management system 242 controls the transmission of the event logs by the endpoint devices 2501 and 2502 and/or the TDSes 2601-2603. For example, the management system 242 may transmit notifications to the endpoint devices 2501 and 2502 and/or the TDSes 2601-2603 instructing the sources that the event logs should be transmitted to the MDVS 200.
As illustrated in
In one embodiment, the event log control logic 231 is responsible for receiving data associated with a malicious event that may be detected at and transmitted by the one or more sources over the network 240. Upon receiving the data, the event log control logic 231 may categorize the event and any associated events included in the data, for example, according to the type of event (e.g., executable file, text file, registry file, etc.). The data associated with a malicious event includes the particulars of the malicious event and the particulars of any observed events associated with the malicious event. The event log control logic 231 further adds the particulars of each observed event to the event log 232. Therefore, the MDVS 200 is able to easily access the event particulars in a sorted manner when generating an interactive display screen.
In a second embodiment wherein the MDVS 200 is deployed within an endpoint device 2501, the event log control logic 231 is also responsible for observing the events at the endpoint device on which the MDVS 200 is deployed and for adding data associated with an observed malicious event to the event log 232 as well.
The machine learning logic 211 is responsible for analyzing the data associated with the observed events. The gathering logic 212 of the machine learning logic 211 may query the event log 232 to obtain the one or more portions of the data. The matching logic 213 of the machine learning logic 211 may analyze the one or more portions of the data to generate associations of one or more events based on the particulars of the events. For instance, the machine learning logic 211 may realize a first process (e.g., a parent process) launched several secondary processes (e.g., child processes) and that the child processes subsequently modified one or more files. In addition, the machine learning logic 211 may perform a comparison between the above-referenced realization and one or more reference models formed by events and relationships where one of these events or relationships may be characterized as a known anomalous behavior. Furthermore, the reference model generation logic 215 of the machine learning logic 211 may generate reference models of malware families from the data stored in the event log 232 and data stored in the machine learning data store 214 (the generation of reference models of malware families will be described in detail below). The machine learning logic 211 also generates the interactive display screen information based on the data in the machine learning data store 214 and the event log 232. In one embodiment, the generated reference models of malware families and the interactive display screen information may be expressed in eXtensible Markup Language (XML) and stored in the machine learning data store 214 (as will be discussed below with
The machine learning data store 214 stores the reference models generated by the machine learning logic 211 or received over the network 240 if applicable. For example, an MDVS may be deployed within an endpoint device 2501 and/or 2502, within one or more TDSes 2601-2603, or within the cloud computing services 241. In that such an embodiment, the MDVS 200 may receive one or more reference models generated by the MDVS deployed within the endpoint device 2501. The machine learning data store 214 also stores interactive display screens generated by the machine learning logic 211. In the embodiment wherein an MDVS is deployed within the endpoint device 2501, the data received over the network may include previously generated reference models and/or interactive display screen information. The MDVS 200 may adopt such data without modification or analyze such data to generate its own reference models and/or interactive display screen data in combination with previously received data.
The display generation logic 221 is responsible for displaying the interactive display screens generated from the interactive display screen information generated by the machine learning logic 211. When a request to display an interactive display screen is received by the MDVS 200, the user interface logic 222 notifies the machine learning logic 211. The machine learning logic 211 then queries the machine learning data store 214 and the event log 232 for the appropriate data (e.g., data pertaining to the relevant event(s)) and generates the interactive display screen information. The machine learning logic 211 may transmit the interactive display screen information to the display generation logic 221 or the display generation logic 221 may query the machine learning data store 214 to obtain the interactive display screen information. Upon obtaining the interactive display screen information, the display generation logic 221 generates the physical display screen that illustrates the association of one or more anomalous events and/or a comparison of one or more reference models of events that constitute known anomalous behaviors with an association of one or more observed events. In some embodiments, the display screen may contain the particulars of the events.
The UI logic 222 is responsible for receiving requests for the generation of an interactive display screen, requests to display particulars of an event and/or requests to generate signatures (e.g., reference models).
Referring to
The processor(s) 300 is further coupled to the persistent storage 310 via transmission medium 325. According to one embodiment of the disclosure, persistent storage 310 may include (a) the machine learning engine 210, including the machine learning logic 211 and/or the machine learning data store 214; (b) the UI rendering subsystem 220 that includes the display generation logic 221 and the UI logic 222; and (c) the event log engine 230 including the event log control logic 231 and the event log 232. Of course, when implemented as hardware, one or more of these logic units could be implemented separately from each other.
III. Reference Model Generation
Referring to
Based on the data illustrated in
Referring to
The modifications to the data as illustrated in
IV. Applications of Reference Model(s)
A. Improved Exploit Detection
Referring now to
The determination of selecting which reference model(s) to use in a comparison such as that illustrated in
Upon the triggering of the exploit detection process, the gathering logic 212 of the machine learning logic 211 initially gathers the data received over the network 240 and stored in the event log 232. The gathering logic 212 also gathers the one or more reference models that will be used in the comparison. The matching logic 213 of the machine learning logic 211 compares the received data and the one or more reference models gathered by the gathering logic 212.
In
The events Event_1 602, and Event_2 603 through Event_m 604 were observed as a result of the performance of an action or operation caused by the Process_A 601. The events appearing in the reference model 620 are present as a result of one or more events or relationships being deemed at least anomalous, where one or more events or relationships may have been deemed malicious. In one embodiment, the Process_A 601 may have been deemed malicious by the TDS 2601 of
Referring to the association 630, the solid lines appearing in the association 630 signify that the events and/or relationships (i.e., the line connecting two events) were observed with at least a first confidence (e.g., observation that the event occurred or existed exceeds a first predetermined probability threshold). The dotted lines appearing in the association 630 signify that the events and/or relationships were observed with a second confidence, wherein the second confidence is different and less than the first confidence.
In the comparison performed by the matching logic 213 as illustrated in
Referring to
The following discussion of
Referring to
In addition, the reference model 730 details the relationships between the events. For example,
The association 740 includes the event 1.exe 701 that is seen to cause the performance of an action or operation resulting in the events 1_M.exe 721, “hidden files” 722, “tampered files” 723, “disabled taskmanager” 724 and C:/Windows/4.exe 725. In contrast to the reference model 730, not all of the relationships between the events included in the association 740 are illustrated in
Therefore, as one embodiment,
Referring to
Alternatively, the dotted lines may represent that the event was not detected at any one source but instead is an inference from the event's appearance in the reference model 730. For example, the dotted box surrounding the “www.web1.com resolves to 199.16.199.2” event 750 may represent that no source connected to the MDVS 200 via the network 240 observed the “www.web1.com resolves to 199.16.199.2” event 750. Instead, based on the similarities between the association 740 and the reference model 730, the matching logic 213 inferred that the “www.web1.com resolves to 199.16.199.2” event 750 should be included and may have occurred but its observance did not occur.
In one embodiment, the data may have only provided one source of evidence of the occurrence of existence of the events illustrated using dotted lines whereas the first confidence requires Y or more sources of evidence are state that an event occurred or existed (wherein Y≧2). Alternatively, or in addition, the dotted lines may represent that the machine learning logic 211 has inferred that the events illustrated using dotted lines occurred or existed. Through machine learning, the machine learning logic 211 may have recognized that the events illustrated using dotted lines typically occur or exist when one or more of the events illustrated using solid lines were observed and therefore infer that it is likely the events illustrated dotted lines occurred or existed but were not observed with the first confidence. For example, the machine learning logic 211 may recognize that when an executable file (e.g., 4.exe 720) generates a mutex which is followed by the hiding of files and tampering with network settings, it is likely that the website “www.web1.com” resolves to the IP address “199.16.199.2” and source (e.g., TDP 2601) connected to the IP address “199.16.199.2” based on the reference model 730.
Referring to
Based on
Furthermore, the matching logic 213 may determine whether a correlation exists between the reference model 730 and the association 740 depending on predetermined characteristics and thresholds. For example, the matching logic 213 may find a correlation when Z specific events are found to match in the reference model 730 and the association 740 (wherein Z is a predetermined number). Alternatively, the matching logic 213 may determine a correlation exists if a predetermined number of events and/or relationships are found to match between the reference model 730 and the association 740. In yet another embodiment, the matching logic 213 may find a correlation if a predetermined number of events and/or relationships are found to match and one or more events and/or relationships are not present in both of the reference model 730 and the association 740. Any combination of the above scenarios may be used to determine whether a correlation is present between the reference model 730 and the association 740. The machine learning logic 211 may store these correlations in the machine learning data store 211 as a way of “learning” when one or more malicious events and/or relationships may be inferred.
Referring to
In one embodiment, a “sufficient correlation” may include the event and/or relationship appearing within a grouping of events a predetermined number of times. For example, if the event “Disabled TaskManager 724” appears X number of times (wherein X is a predetermined threshold) when a process (e.g., 4.exe 720) generates a mutex, hides files and tampers with network settings, the event “Disabled TaskManager” 724 will be added to the reference model including those events. Referring back to
The enhanced reference model 730 may be used to update and/or allow for more particularized exploit detection. For example, the enhanced reference model 730 may be used by, among others, the management system 242 to further configure or reconfigure one or more of the sources (e.g., the endpoint device 2501 and/or the TDS 2601). The reconfiguration or further configuration may entail, for example, configuring the one or more sources to search one or more pieces of network traffic for an extended amount of time, search the one or more pieces of network traffic multiple times and/or search for different malware exploits and/or certain events and/or relationships.
Alternatively, or in addition to, the enhanced reference model 730 may provide a means for updating one or more correlation rules for classifying malware (e.g., updating signatures or rules for determining whether an object of network traffic is suspicious and/or configuring and/or reconfiguring one or more virtual machines (VMs) included in one or more sources). Such updated signatures may be more robust due to the more complete picture of a malware exploit the updated signature provides. In one embodiment, the enhanced reference model 730 may provide improved alerts and recognition of malware based on the enhancement.
Referring to
In
Furthermore, the events Event_D_1 805 and Event_F_1 807 as well as the connections between the Process_C_1 810 and the events Event_D_1 805 and Event_F_1 807 are illustrated as dotted lines meaning these events and connections were inferred from the Process_A_1 801 and/or the Process_B_1 809. As can be seen in
B. Malware Family Reference Model Generation
Malware family generation is the generation of comprehensive signatures used to identify one or more anomalous, or more specifically malicious, files, processes, etc., and/or relationships that are related through, among others, the evolution of a malware, a common point of attack or attack pattern (e.g., multiple pieces of malware gaining unauthorized access to the same file or process within an operating system), a common method of entering a network or electronic device (e.g., embedded software in an email or embedded software in a portable document format (PDF) file), a common targeted vulnerability (e.g., a common exploit kit), a common targeted information and/or a common targeted unauthorized access point. The generation of a malware family reference model may be triggered, for example, at predetermined time intervals, after receipt of a predetermined amount of data from the network 240, and/or manually by a system administrator or the like.
Upon the triggering of the generation of a malware family reference model, the gathering logic 212 of the machine learning logic 211 initially gathers a plurality of appropriate reference models stored in the machine learning data store 214. The gathering logic 212 determines which reference models are appropriate for generation of a malware family reference model based on one or more characteristics of the triggering event and/or the plurality of reference models currently stored in the machine learning data store 214. The matching logic 213 of the machine learning logic 211 compares the received data and the one or more reference models gathered by the gathering logic 212.
In one embodiment, the reference models stored in the machine learning data store 214 may all include one or more common events and/or relationships and therefore all reference models may be used to generate a family malware reference model. Alternatively, appropriate reference models for generating a malware family reference model may be selected based on file types included in the reference models and/or a source that observed the events included in the reference models (e.g., email TDS, web TDS, file TDS and/or mobile TDS). Furthermore, if a network administrator manually triggers the generation of a reference model, the network administrator may manually select one or more of the above characteristics for the gathering logic 212 to use in its determination of what reference models in the machine learning data store 214 are appropriate to include in the reference model generation.
Once the reference models that will be used to generate a malware family reference model have been gathered by the gathering logic 212, the reference models are passed to the reference model generating logic 215. As will be discussed below in relation to
Referring to
The malware family reference model 940 has been generated from the reference models 930 and 931. The reference model generation logic 215 compares two or more reference models in order to generate a malware family reference model. The reference model generation logic 215 generates the malware family reference model by placing all distinct events in the two or more reference models compared (e.g., the mathematical union of the two or more reference models compared) into the malware family reference model (e.g., the malware family reference model 940).
As illustrated in
The malware family reference model 940 also includes the process Process_C_2 910. This process may be equivalent to any of the processes included in one or more of the reference models compared to generate the malware family reference model (e.g., the processes Process_A_2 901 and Process_B_2 908).
The reference models used by the machine learning logic 211 to generate malware family reference models may be stored in the machine learning data store 214 and/or the event log 232, and/or received over the network 240. In addition, signatures generated in accordance with the discussion of
C. Visualization
As mentioned above, interactive display screens comprising
Referring to now
According to one embodiment, the display area 1010 displays a plurality of entries 10201-1020R (R≧1, where R=9 for this embodiment) that provides information directed to observed events, where one or more events are anomalous or malicious. As shown, each row of entries (e.g., row 10201) rendered by the UI rendering subsystem 220 features a plurality of fields, including one or more of the following: (1) a date and time of the observation 421; (2) an event name 422; (3) a process identification (PID) 423 (if applicable); (4) a path directing the viewer to the location at which the event may be located 424; and/or (5) a source that observed the event (e.g., email TDS, web TDS, file TDS and/or mobile TDS).
A second area 1030 may be configured to allow selection of one or more observed potentially malicious events for viewing on a second visual representation. In one embodiment, when an observed event has been selected, the row may appear highlighted as is seen in
One or more interactive display screens may be comprised of, among other things, a top-down nodal or tree diagram (e.g., an “exploit visualization”) or a left-to-right nodal or tree diagram (e.g., “a timeline visualization”). A time axis is illustrated in
In addition, a rank may be assigned to the events included in a nodal diagram. For example, when an association of events are illustrated as a top-down nodal diagram, each row of events may be considered to have the same rank, wherein a first event appearing above a second event has a higher rank than the second event. Alternatively, when an association of events are illustrated as a left-to-right nodal diagram, each column of events may be considered to have the same rank, wherein a first event appearing to the left of a second event has a higher rank than the second event.
Referring to
The data illustrated as
Referring now to
In
In addition, the Process_1 1202 causes the performance of one or more actions or operations that result in the events including: (i) the Registry_1 1203; (ii) the File_1 1204; (iii) the File_2 1205; and (iv) the Process_2 1206. Similarly, the File_1 1204 is depicted as causing the performance of an action or operation that results in the Process_3 1207. Furthermore, the Process_2 1206 is depicted as causing the performance of an action or operation that results in the File_3 1208.
Therefore, according to one embodiment, when the interactive display screen 1000 of
As mentioned above, a time axis 1210 is illustrated in
In addition, a time axis may be present in an interactive display screen illustrating a left-to-right nodal diagram (e.g., an embodiment in which
Referring back to
In addition, the machine learning logic 211 may trace the root cause of the exploitation back to the initial visit to the compromised URL based on a time axis and the sequential ordering of the events in the reference model. In one embodiment, the presence of a time axis on an interactive display screen may allow a viewer, such as a network administrator, to visually understand which event was the root cause of the exploit.
Referring to
In addition to providing a visual representation of how the events 1201-1208 and 1301-1306 are related, the interactive display screen 1300 displays one or more particulars of each event. For example, the path (“c:/doc1/local1/temp/4.exe”) and the PID (“1676”) are displayed for the Process_1 1202. The particulars displayed for each event may differ, for example, only the path of an event may be displayed as is the case with the File_1 1204 in the present embodiment.
Furthermore, the interactive display screen 1300 provides the viewer with the relationship between two events and the timing of the observation of the relationship. For example, the relationship between the Process_1 1202 and the File_1 1208 is the third relationship generated of the relationships displayed in the interactive display screen 1300. In addition, the relationship between the Process_1 1202 and the File_1 1208 is seen to be “created.” Therefore, from the interactive display screen 1300, a viewer can easily determine that, of the events and relationships included in the display screen 1300, the operation of the Process_1 1202 creating the File_1 1204 was the third relationship created. The Process_1 1202 then opens the File_2 1205 and starts the Process_3 1207 (which is the File_1 1204 being launched as a process as the File_1 1204 is an executable file). In addition, the Process_1 1202 starts the Process_2 1206 as the seventh relationship.
The Process_2 1206 deletes the File_3 1208 as the eighth relationship. Subsequently, the Process_3 1207 sets the name/value pair for the Registry_2, the Registry_3 and the Registry_4 as the ninth, tenth and eleventh relationships respectively. The Process_3 1207 then opens the Registry_5, the Folder_1 and the File_5 as the twelfth, thirteenth and fourteenth relationships respectively.
V. Signature Generation
As mentioned above, one embodiment of the invention enables a viewer to generate one or more signatures from the interactive display screens of, for example,
Referring to
Referring back to
The selection of “Display Info Parameters 1412” may result in a query by the gathering logic 212 to the machine learning data store 214 and/or the event log 232 to gather the particulars of the selected process. The machine learning logic 211 may generate interactive display screen information based on the data gathered by the gathering logic 212. The display generation logic 221 may use the interactive display screen information to generate a display in a layout similar to the display screen of
The selection of “Generate Alert 1413” may result in the gathering of the particulars of the selected process, any events that are branched from the selected event and any relationships connecting the branched events by the gathering logic 212 and the generation of an alert by the machine learning logic 211.
It should be noted that, although in the above paragraphs information (e.g., the particulars) of branched events and the corresponding relationships may be gathered as well as the selected event, the particulars of only the selected event may be gathered as well. The system may be set up to gather either, or a network administrator may be able to adjust how the system responds to a selection of one or more of “Generate Signature 1411,” “Display Info Parameters 1412” and/or “Generate Alert 1413.”
Referring to
Referring to
In the foregoing description, the invention is described with reference to specific exemplary embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention as set forth in the appended claims.
Number | Name | Date | Kind |
---|---|---|---|
4292580 | Ott et al. | Sep 1981 | A |
5175732 | Hendel et al. | Dec 1992 | A |
5440723 | Arnold et al. | Aug 1995 | A |
5490249 | Miller | Feb 1996 | A |
5657473 | Killean et al. | Aug 1997 | A |
5842002 | Schnurer et al. | Nov 1998 | A |
5978917 | Chi | Nov 1999 | A |
6088803 | Tso et al. | Jul 2000 | A |
6094677 | Capek et al. | Jul 2000 | A |
6108799 | Boulay et al. | Aug 2000 | A |
6118382 | Hibbs et al. | Sep 2000 | A |
6269330 | Cidon et al. | Jul 2001 | B1 |
6272641 | Ji | Aug 2001 | B1 |
6279113 | Vaidya | Aug 2001 | B1 |
6298445 | Shostack et al. | Oct 2001 | B1 |
6357008 | Nachenberg | Mar 2002 | B1 |
6417774 | Hibbs et al. | Jul 2002 | B1 |
6424627 | Sørhaug et al. | Jul 2002 | B1 |
6442696 | Wray et al. | Aug 2002 | B1 |
6484315 | Ziese | Nov 2002 | B1 |
6487666 | Shanklin et al. | Nov 2002 | B1 |
6493756 | O'Brien et al. | Dec 2002 | B1 |
6550012 | Villa et al. | Apr 2003 | B1 |
6700497 | Hibbs et al. | Mar 2004 | B2 |
6775657 | Baker | Aug 2004 | B1 |
6831893 | Ben Nun et al. | Dec 2004 | B1 |
6832367 | Choi et al. | Dec 2004 | B1 |
6895550 | Kanchirayappa et al. | May 2005 | B2 |
6898632 | Gordy et al. | May 2005 | B2 |
6907396 | Muttik et al. | Jun 2005 | B1 |
6941348 | Petry et al. | Sep 2005 | B2 |
6971097 | Wallman | Nov 2005 | B1 |
6981279 | Arnold et al. | Dec 2005 | B1 |
6995665 | Appelt et al. | Feb 2006 | B2 |
7007107 | Ivchenko et al. | Feb 2006 | B1 |
7028179 | Anderson et al. | Apr 2006 | B2 |
7043757 | Hoefelmeyer et al. | May 2006 | B2 |
7069316 | Gryaznov | Jun 2006 | B1 |
7080407 | Zhao et al. | Jul 2006 | B1 |
7080408 | Pak et al. | Jul 2006 | B1 |
7093002 | Wolff et al. | Aug 2006 | B2 |
7093239 | van der Made | Aug 2006 | B1 |
7096498 | Judge | Aug 2006 | B2 |
7100201 | Izatt | Aug 2006 | B2 |
7107617 | Hursey et al. | Sep 2006 | B2 |
7159149 | Spiegel et al. | Jan 2007 | B2 |
7213260 | Judge | May 2007 | B2 |
7231667 | Jordan | Jun 2007 | B2 |
7240364 | Branscomb et al. | Jul 2007 | B1 |
7240368 | Roesch et al. | Jul 2007 | B1 |
7243371 | Kasper et al. | Jul 2007 | B1 |
7249175 | Donaldson | Jul 2007 | B1 |
7287278 | Liang | Oct 2007 | B2 |
7308716 | Danford et al. | Dec 2007 | B2 |
7328453 | Merkle, Jr. et al. | Feb 2008 | B2 |
7346486 | Ivancic et al. | Mar 2008 | B2 |
7356736 | Natvig | Apr 2008 | B2 |
7386888 | Liang et al. | Jun 2008 | B2 |
7392542 | Bucher | Jun 2008 | B2 |
7418729 | Szor | Aug 2008 | B2 |
7428300 | Drew et al. | Sep 2008 | B1 |
7441272 | Durham et al. | Oct 2008 | B2 |
7448084 | Apap et al. | Nov 2008 | B1 |
7458098 | Judge et al. | Nov 2008 | B2 |
7464404 | Carpenter et al. | Dec 2008 | B2 |
7464407 | Nakae et al. | Dec 2008 | B2 |
7467408 | O'Toole, Jr. | Dec 2008 | B1 |
7478428 | Thomlinson | Jan 2009 | B1 |
7480773 | Reed | Jan 2009 | B1 |
7487543 | Arnold et al. | Feb 2009 | B2 |
7496960 | Chen et al. | Feb 2009 | B1 |
7496961 | Zimmer et al. | Feb 2009 | B2 |
7519990 | Xie | Apr 2009 | B1 |
7523493 | Liang et al. | Apr 2009 | B2 |
7530104 | Thrower et al. | May 2009 | B1 |
7540025 | Tzadikario | May 2009 | B2 |
7540027 | Achanta | May 2009 | B2 |
7565550 | Liang et al. | Jul 2009 | B2 |
7568233 | Szor et al. | Jul 2009 | B1 |
7584455 | Ball | Sep 2009 | B2 |
7603715 | Costa et al. | Oct 2009 | B2 |
7607171 | Marsden et al. | Oct 2009 | B1 |
7639714 | Stolfo et al. | Dec 2009 | B2 |
7644441 | Schmid et al. | Jan 2010 | B2 |
7657419 | van der Made | Feb 2010 | B2 |
7676841 | Sobchuk et al. | Mar 2010 | B2 |
7698548 | Shelest et al. | Apr 2010 | B2 |
7707633 | Danford et al. | Apr 2010 | B2 |
7712136 | Sprosts et al. | May 2010 | B2 |
7730011 | Deninger et al. | Jun 2010 | B1 |
7739740 | Nachenberg et al. | Jun 2010 | B1 |
7779463 | Stolfo et al. | Aug 2010 | B2 |
7784097 | Stolfo et al. | Aug 2010 | B1 |
7832008 | Kraemer | Nov 2010 | B1 |
7836502 | Zhao et al. | Nov 2010 | B1 |
7849506 | Dansey et al. | Dec 2010 | B1 |
7854007 | Sprosts et al. | Dec 2010 | B2 |
7869073 | Oshima | Jan 2011 | B2 |
7877803 | Enstone et al. | Jan 2011 | B2 |
7904959 | Sidiroglou et al. | Mar 2011 | B2 |
7908660 | Bahl | Mar 2011 | B2 |
7930738 | Petersen | Apr 2011 | B1 |
7937761 | Bennett | May 2011 | B1 |
7949849 | Lowe et al. | May 2011 | B2 |
7996556 | Raghavan et al. | Aug 2011 | B2 |
7996836 | McCorkendale et al. | Aug 2011 | B1 |
7996904 | Chiueh et al. | Aug 2011 | B1 |
7996905 | Arnold et al. | Aug 2011 | B2 |
8006305 | Aziz | Aug 2011 | B2 |
8010667 | Zhang et al. | Aug 2011 | B2 |
8020206 | Hubbard et al. | Sep 2011 | B2 |
8028338 | Schneider et al. | Sep 2011 | B1 |
8042184 | Batenin | Oct 2011 | B1 |
8045094 | Teragawa | Oct 2011 | B2 |
8045458 | Alperovitch et al. | Oct 2011 | B2 |
8069484 | McMillan et al. | Nov 2011 | B2 |
8087086 | Lai et al. | Dec 2011 | B1 |
8171553 | Aziz et al. | May 2012 | B2 |
8176049 | Deninger et al. | May 2012 | B2 |
8176480 | Spertus | May 2012 | B1 |
8201246 | Wu et al. | Jun 2012 | B1 |
8204984 | Aziz et al. | Jun 2012 | B1 |
8214905 | Doukhvalov et al. | Jul 2012 | B1 |
8220055 | Kennedy | Jul 2012 | B1 |
8225288 | Miller et al. | Jul 2012 | B2 |
8225373 | Kraemer | Jul 2012 | B2 |
8233882 | Rogel | Jul 2012 | B2 |
8234640 | Fitzgerald et al. | Jul 2012 | B1 |
8234709 | Viljoen et al. | Jul 2012 | B2 |
8239944 | Nachenberg et al. | Aug 2012 | B1 |
8260914 | Ranjan | Sep 2012 | B1 |
8266091 | Gubin et al. | Sep 2012 | B1 |
8286251 | Eker et al. | Oct 2012 | B2 |
8291499 | Aziz et al. | Oct 2012 | B2 |
8307435 | Mann et al. | Nov 2012 | B1 |
8307443 | Wang et al. | Nov 2012 | B2 |
8312545 | Tuvell et al. | Nov 2012 | B2 |
8321936 | Green et al. | Nov 2012 | B1 |
8321941 | Tuvell et al. | Nov 2012 | B2 |
8332571 | Edwards, Sr. | Dec 2012 | B1 |
8365286 | Poston | Jan 2013 | B2 |
8365297 | Parshin et al. | Jan 2013 | B1 |
8370938 | Daswani et al. | Feb 2013 | B1 |
8370939 | Zaitsev et al. | Feb 2013 | B2 |
8375444 | Aziz et al. | Feb 2013 | B2 |
8381299 | Stolfo et al. | Feb 2013 | B2 |
8402529 | Green et al. | Mar 2013 | B1 |
8464340 | Ahn et al. | Jun 2013 | B2 |
8479174 | Chiriac | Jul 2013 | B2 |
8479276 | Vaystikh et al. | Jul 2013 | B1 |
8479291 | Bodke | Jul 2013 | B1 |
8510827 | Leake et al. | Aug 2013 | B1 |
8510828 | Guo et al. | Aug 2013 | B1 |
8510842 | Amit et al. | Aug 2013 | B2 |
8516478 | Edwards et al. | Aug 2013 | B1 |
8516590 | Ranadive et al. | Aug 2013 | B1 |
8516593 | Aziz | Aug 2013 | B2 |
8522348 | Chen et al. | Aug 2013 | B2 |
8528086 | Aziz | Sep 2013 | B1 |
8533824 | Hutton et al. | Sep 2013 | B2 |
8539582 | Aziz et al. | Sep 2013 | B1 |
8549638 | Aziz | Oct 2013 | B2 |
8555391 | Demir et al. | Oct 2013 | B1 |
8561177 | Aziz et al. | Oct 2013 | B1 |
8566946 | Aziz et al. | Oct 2013 | B1 |
8584094 | Dadhia et al. | Nov 2013 | B2 |
8584234 | Sobel et al. | Nov 2013 | B1 |
8584239 | Aziz et al. | Nov 2013 | B2 |
8595834 | Xie et al. | Nov 2013 | B2 |
8627476 | Satish et al. | Jan 2014 | B1 |
8635696 | Aziz | Jan 2014 | B1 |
8682054 | Xue et al. | Mar 2014 | B2 |
8682812 | Ranjan | Mar 2014 | B1 |
8689333 | Aziz | Apr 2014 | B2 |
8695096 | Zhang | Apr 2014 | B1 |
8713631 | Pavlyushchik | Apr 2014 | B1 |
8713681 | Silberman et al. | Apr 2014 | B2 |
8726392 | McCorkendale et al. | May 2014 | B1 |
8739280 | Chess et al. | May 2014 | B2 |
8776229 | Aziz | Jul 2014 | B1 |
8782792 | Bodke | Jul 2014 | B1 |
8787532 | Adam | Jul 2014 | B1 |
8789172 | Stolfo et al. | Jul 2014 | B2 |
8789178 | Kejriwal et al. | Jul 2014 | B2 |
8793787 | Ismael | Jul 2014 | B2 |
8805947 | Kuzkin et al. | Aug 2014 | B1 |
8806647 | Daswani et al. | Aug 2014 | B1 |
8832829 | Manni et al. | Sep 2014 | B2 |
8850570 | Ramzan | Sep 2014 | B1 |
8850571 | Staniford et al. | Sep 2014 | B2 |
8881234 | Narasimhan et al. | Nov 2014 | B2 |
8881282 | Aziz et al. | Nov 2014 | B1 |
8898788 | Aziz et al. | Nov 2014 | B1 |
8935779 | Manni et al. | Jan 2015 | B2 |
8984638 | Aziz et al. | Mar 2015 | B1 |
8990939 | Staniford et al. | Mar 2015 | B2 |
8990944 | Singh et al. | Mar 2015 | B1 |
8997219 | Staniford et al. | Mar 2015 | B2 |
9009822 | Ismael et al. | Apr 2015 | B1 |
9009823 | Ismael et al. | Apr 2015 | B1 |
9027135 | Aziz | May 2015 | B1 |
9069954 | Anurag | Jun 2015 | B2 |
9071638 | Aziz et al. | Jun 2015 | B1 |
9104867 | Thioux et al. | Aug 2015 | B1 |
9106694 | Aziz et al. | Aug 2015 | B2 |
9118715 | Staniford et al. | Aug 2015 | B2 |
9238467 | Hoye | Jan 2016 | B1 |
9270689 | Wang et al. | Feb 2016 | B1 |
9361463 | Ferragut | Jun 2016 | B2 |
20010005889 | Albrecht | Jun 2001 | A1 |
20010047326 | Broadbent et al. | Nov 2001 | A1 |
20020018903 | Kokubo et al. | Feb 2002 | A1 |
20020038430 | Edwards et al. | Mar 2002 | A1 |
20020091819 | Melchione et al. | Jul 2002 | A1 |
20020095607 | Lin-Hendel | Jul 2002 | A1 |
20020116627 | Tarbotton et al. | Aug 2002 | A1 |
20020129363 | McGuire | Sep 2002 | A1 |
20020144156 | Copeland | Oct 2002 | A1 |
20020162015 | Tang | Oct 2002 | A1 |
20020166063 | Lachman et al. | Nov 2002 | A1 |
20020169952 | DiSanto et al. | Nov 2002 | A1 |
20020184528 | Shevenell et al. | Dec 2002 | A1 |
20020188887 | Largman et al. | Dec 2002 | A1 |
20020194490 | Halperin et al. | Dec 2002 | A1 |
20030074578 | Ford et al. | Apr 2003 | A1 |
20030084318 | Schertz | May 2003 | A1 |
20030101381 | Mateev et al. | May 2003 | A1 |
20030115483 | Liang | Jun 2003 | A1 |
20030188190 | Aaron et al. | Oct 2003 | A1 |
20030191957 | Hypponen et al. | Oct 2003 | A1 |
20030200460 | Morota et al. | Oct 2003 | A1 |
20030212902 | van der Made | Nov 2003 | A1 |
20030220753 | Pickerd | Nov 2003 | A1 |
20030229801 | Kouznetsov et al. | Dec 2003 | A1 |
20030237000 | Denton et al. | Dec 2003 | A1 |
20040003323 | Bennett et al. | Jan 2004 | A1 |
20040015712 | Szor | Jan 2004 | A1 |
20040019832 | Arnold et al. | Jan 2004 | A1 |
20040047356 | Bauer | Mar 2004 | A1 |
20040083408 | Spiegel et al. | Apr 2004 | A1 |
20040088581 | Brawn et al. | May 2004 | A1 |
20040093513 | Cantrell et al. | May 2004 | A1 |
20040111531 | Staniford et al. | Jun 2004 | A1 |
20040117478 | Triulzi et al. | Jun 2004 | A1 |
20040117624 | Brandt et al. | Jun 2004 | A1 |
20040128355 | Chao et al. | Jul 2004 | A1 |
20040165588 | Pandya | Aug 2004 | A1 |
20040236963 | Danford et al. | Nov 2004 | A1 |
20040243349 | Greifeneder et al. | Dec 2004 | A1 |
20040243829 | Jordan | Dec 2004 | A1 |
20040249911 | Alkhatib et al. | Dec 2004 | A1 |
20040255161 | Cavanaugh | Dec 2004 | A1 |
20040268147 | Wiederin et al. | Dec 2004 | A1 |
20050005159 | Oliphant | Jan 2005 | A1 |
20050021740 | Bar et al. | Jan 2005 | A1 |
20050033960 | Vialen et al. | Feb 2005 | A1 |
20050033989 | Poletto et al. | Feb 2005 | A1 |
20050050148 | Mohammadioun et al. | Mar 2005 | A1 |
20050086523 | Zimmer et al. | Apr 2005 | A1 |
20050091513 | Mitomo et al. | Apr 2005 | A1 |
20050091533 | Omote et al. | Apr 2005 | A1 |
20050091652 | Ross et al. | Apr 2005 | A1 |
20050108562 | Khazan et al. | May 2005 | A1 |
20050114663 | Cornell et al. | May 2005 | A1 |
20050125195 | Brendel | Jun 2005 | A1 |
20050149726 | Joshi et al. | Jul 2005 | A1 |
20050157662 | Bingham et al. | Jul 2005 | A1 |
20050183143 | Anderholm et al. | Aug 2005 | A1 |
20050201297 | Peikari | Sep 2005 | A1 |
20050210533 | Copeland et al. | Sep 2005 | A1 |
20050238005 | Chen et al. | Oct 2005 | A1 |
20050240781 | Gassoway | Oct 2005 | A1 |
20050262562 | Gassoway | Nov 2005 | A1 |
20050265331 | Stolfo | Dec 2005 | A1 |
20050283839 | Cowburn | Dec 2005 | A1 |
20060010495 | Cohen et al. | Jan 2006 | A1 |
20060015416 | Hoffman et al. | Jan 2006 | A1 |
20060015715 | Anderson | Jan 2006 | A1 |
20060015747 | Van de Ven | Jan 2006 | A1 |
20060021029 | Brickell et al. | Jan 2006 | A1 |
20060021054 | Costa et al. | Jan 2006 | A1 |
20060031476 | Mathes et al. | Feb 2006 | A1 |
20060047665 | Neil | Mar 2006 | A1 |
20060070130 | Costea et al. | Mar 2006 | A1 |
20060075496 | Carpenter et al. | Apr 2006 | A1 |
20060095968 | Portolani et al. | May 2006 | A1 |
20060101516 | Sudaharan et al. | May 2006 | A1 |
20060101517 | Banzhof et al. | May 2006 | A1 |
20060117385 | Mester et al. | Jun 2006 | A1 |
20060123477 | Raghavan et al. | Jun 2006 | A1 |
20060143709 | Brooks et al. | Jun 2006 | A1 |
20060150249 | Gassen et al. | Jul 2006 | A1 |
20060161983 | Cothrell et al. | Jul 2006 | A1 |
20060161987 | Levy-Yurista | Jul 2006 | A1 |
20060161989 | Reshef et al. | Jul 2006 | A1 |
20060164199 | Gilde et al. | Jul 2006 | A1 |
20060173992 | Weber et al. | Aug 2006 | A1 |
20060179147 | Tran et al. | Aug 2006 | A1 |
20060184632 | Marino et al. | Aug 2006 | A1 |
20060191010 | Benjamin | Aug 2006 | A1 |
20060221956 | Narayan et al. | Oct 2006 | A1 |
20060236393 | Kramer et al. | Oct 2006 | A1 |
20060242709 | Seinfeld et al. | Oct 2006 | A1 |
20060248519 | Jaeger et al. | Nov 2006 | A1 |
20060248582 | Panjwani et al. | Nov 2006 | A1 |
20060251104 | Koga | Nov 2006 | A1 |
20060288417 | Bookbinder et al. | Dec 2006 | A1 |
20070006288 | Mayfield et al. | Jan 2007 | A1 |
20070006313 | Porras et al. | Jan 2007 | A1 |
20070011174 | Takaragi et al. | Jan 2007 | A1 |
20070016951 | Piccard et al. | Jan 2007 | A1 |
20070033645 | Jones | Feb 2007 | A1 |
20070038943 | FitzGerald et al. | Feb 2007 | A1 |
20070064689 | Shin et al. | Mar 2007 | A1 |
20070074169 | Chess et al. | Mar 2007 | A1 |
20070094730 | Bhikkaji et al. | Apr 2007 | A1 |
20070101435 | Konanka et al. | May 2007 | A1 |
20070128855 | Cho et al. | Jun 2007 | A1 |
20070142030 | Sinha et al. | Jun 2007 | A1 |
20070143827 | Nicodemus et al. | Jun 2007 | A1 |
20070156895 | Vuong | Jul 2007 | A1 |
20070157180 | Tillmann et al. | Jul 2007 | A1 |
20070157306 | Elrod et al. | Jul 2007 | A1 |
20070168988 | Eisner et al. | Jul 2007 | A1 |
20070171824 | Ruello et al. | Jul 2007 | A1 |
20070174911 | Kronenberg et al. | Jul 2007 | A1 |
20070174915 | Gribble et al. | Jul 2007 | A1 |
20070192500 | Lum | Aug 2007 | A1 |
20070192858 | Lum | Aug 2007 | A1 |
20070198275 | Malden et al. | Aug 2007 | A1 |
20070208822 | Wang et al. | Sep 2007 | A1 |
20070220607 | Sprosts et al. | Sep 2007 | A1 |
20070240218 | Tuvell et al. | Oct 2007 | A1 |
20070240219 | Tuvell et al. | Oct 2007 | A1 |
20070240220 | Tuvell et al. | Oct 2007 | A1 |
20070240222 | Tuvell et al. | Oct 2007 | A1 |
20070250930 | Aziz et al. | Oct 2007 | A1 |
20070256132 | Oliphant | Nov 2007 | A2 |
20070271446 | Nakamura | Nov 2007 | A1 |
20080005782 | Aziz | Jan 2008 | A1 |
20080028463 | Dagon et al. | Jan 2008 | A1 |
20080032556 | Schreier | Feb 2008 | A1 |
20080040710 | Chiriac | Feb 2008 | A1 |
20080046781 | Childs et al. | Feb 2008 | A1 |
20080066179 | Liu | Mar 2008 | A1 |
20080066180 | Repasi et al. | Mar 2008 | A1 |
20080072326 | Danford et al. | Mar 2008 | A1 |
20080077793 | Tan et al. | Mar 2008 | A1 |
20080080518 | Hoeflin et al. | Apr 2008 | A1 |
20080086720 | Lekel | Apr 2008 | A1 |
20080098476 | Syversen | Apr 2008 | A1 |
20080120722 | Sima et al. | May 2008 | A1 |
20080134178 | Fitzgerald et al. | Jun 2008 | A1 |
20080134334 | Kim et al. | Jun 2008 | A1 |
20080141376 | Clausen et al. | Jun 2008 | A1 |
20080184373 | Traut et al. | Jul 2008 | A1 |
20080189787 | Arnold et al. | Aug 2008 | A1 |
20080201778 | Guo et al. | Aug 2008 | A1 |
20080209557 | Herley et al. | Aug 2008 | A1 |
20080215742 | Goldszmidt et al. | Sep 2008 | A1 |
20080222729 | Chen et al. | Sep 2008 | A1 |
20080263665 | Ma et al. | Oct 2008 | A1 |
20080295172 | Bohacek | Nov 2008 | A1 |
20080301810 | Lehane et al. | Dec 2008 | A1 |
20080307524 | Singh et al. | Dec 2008 | A1 |
20080313738 | Enderby | Dec 2008 | A1 |
20080320594 | Jiang | Dec 2008 | A1 |
20090003317 | Kasralikar et al. | Jan 2009 | A1 |
20090007100 | Field et al. | Jan 2009 | A1 |
20090007227 | Burgess | Jan 2009 | A1 |
20090013408 | Schipka | Jan 2009 | A1 |
20090031423 | Liu et al. | Jan 2009 | A1 |
20090036111 | Danford et al. | Feb 2009 | A1 |
20090037835 | Goldman | Feb 2009 | A1 |
20090044024 | Oberheide et al. | Feb 2009 | A1 |
20090044274 | Budko et al. | Feb 2009 | A1 |
20090064332 | Porras et al. | Mar 2009 | A1 |
20090077666 | Chen et al. | Mar 2009 | A1 |
20090083369 | Marmor | Mar 2009 | A1 |
20090083855 | Apap et al. | Mar 2009 | A1 |
20090089879 | Wang et al. | Apr 2009 | A1 |
20090094697 | Provos et al. | Apr 2009 | A1 |
20090113425 | Ports et al. | Apr 2009 | A1 |
20090125976 | Wassermann et al. | May 2009 | A1 |
20090126015 | Monastyrsky et al. | May 2009 | A1 |
20090126016 | Sobko et al. | May 2009 | A1 |
20090133125 | Choi et al. | May 2009 | A1 |
20090144823 | Lamastra et al. | Jun 2009 | A1 |
20090158430 | Borders | Jun 2009 | A1 |
20090172815 | Gu et al. | Jul 2009 | A1 |
20090187992 | Poston | Jul 2009 | A1 |
20090193293 | Stolfo et al. | Jul 2009 | A1 |
20090199296 | Xie et al. | Aug 2009 | A1 |
20090228233 | Anderson et al. | Sep 2009 | A1 |
20090241187 | Troyansky | Sep 2009 | A1 |
20090241190 | Todd et al. | Sep 2009 | A1 |
20090265692 | Godefroid et al. | Oct 2009 | A1 |
20090271867 | Zhang | Oct 2009 | A1 |
20090300415 | Zhang et al. | Dec 2009 | A1 |
20090300761 | Park et al. | Dec 2009 | A1 |
20090328185 | Berg et al. | Dec 2009 | A1 |
20090328221 | Blumfield et al. | Dec 2009 | A1 |
20100005146 | Drako et al. | Jan 2010 | A1 |
20100011205 | McKenna | Jan 2010 | A1 |
20100017546 | Poo et al. | Jan 2010 | A1 |
20100027432 | Gopalan | Feb 2010 | A1 |
20100031353 | Thomas et al. | Feb 2010 | A1 |
20100037314 | Perdisci et al. | Feb 2010 | A1 |
20100043073 | Kuwamura | Feb 2010 | A1 |
20100054278 | Stolfo et al. | Mar 2010 | A1 |
20100058474 | Hicks | Mar 2010 | A1 |
20100064044 | Nonoyama | Mar 2010 | A1 |
20100077481 | Polyakov et al. | Mar 2010 | A1 |
20100083376 | Pereira et al. | Apr 2010 | A1 |
20100115621 | Staniford | May 2010 | A1 |
20100132038 | Zaitsev | May 2010 | A1 |
20100154056 | Smith et al. | Jun 2010 | A1 |
20100180344 | Malyshev et al. | Jul 2010 | A1 |
20100192223 | Ismael et al. | Jul 2010 | A1 |
20100220863 | Dupaquis et al. | Sep 2010 | A1 |
20100235831 | Dittmer | Sep 2010 | A1 |
20100251104 | Massand | Sep 2010 | A1 |
20100275263 | Bennett et al. | Oct 2010 | A1 |
20100281102 | Chinta et al. | Nov 2010 | A1 |
20100281541 | Stolfo et al. | Nov 2010 | A1 |
20100281542 | Stolfo et al. | Nov 2010 | A1 |
20100287260 | Peterson et al. | Nov 2010 | A1 |
20100299754 | Amit et al. | Nov 2010 | A1 |
20100306173 | Frank | Dec 2010 | A1 |
20110004737 | Greenebaum | Jan 2011 | A1 |
20110023115 | Wright | Jan 2011 | A1 |
20110023118 | Wright | Jan 2011 | A1 |
20110025504 | Lyon et al. | Feb 2011 | A1 |
20110041179 | St Hlberg | Feb 2011 | A1 |
20110047594 | Mahaffey et al. | Feb 2011 | A1 |
20110047620 | Mahaffey et al. | Feb 2011 | A1 |
20110055907 | Narasimhan et al. | Mar 2011 | A1 |
20110078794 | Manni et al. | Mar 2011 | A1 |
20110093951 | Aziz | Apr 2011 | A1 |
20110099620 | Stavrou et al. | Apr 2011 | A1 |
20110099633 | Aziz | Apr 2011 | A1 |
20110113231 | Kaminsky | May 2011 | A1 |
20110141915 | Choi | Jun 2011 | A1 |
20110145918 | Jung et al. | Jun 2011 | A1 |
20110145920 | Mahaffey et al. | Jun 2011 | A1 |
20110145934 | Abramovici et al. | Jun 2011 | A1 |
20110167493 | Song et al. | Jul 2011 | A1 |
20110167494 | Bowen et al. | Jul 2011 | A1 |
20110173460 | Ito et al. | Jul 2011 | A1 |
20110219449 | St. Neitzel et al. | Sep 2011 | A1 |
20110219450 | McDougal et al. | Sep 2011 | A1 |
20110225624 | Sawhney et al. | Sep 2011 | A1 |
20110225655 | Niemela et al. | Sep 2011 | A1 |
20110247072 | Staniford et al. | Oct 2011 | A1 |
20110265182 | Peinado et al. | Oct 2011 | A1 |
20110271343 | Kim | Nov 2011 | A1 |
20110289582 | Kejriwal et al. | Nov 2011 | A1 |
20110302587 | Nishikawa et al. | Dec 2011 | A1 |
20110307954 | Melnik et al. | Dec 2011 | A1 |
20110307955 | Kaplan et al. | Dec 2011 | A1 |
20110307956 | Yermakov et al. | Dec 2011 | A1 |
20110314546 | Aziz et al. | Dec 2011 | A1 |
20120023593 | Puder et al. | Jan 2012 | A1 |
20120054869 | Yen et al. | Mar 2012 | A1 |
20120066698 | Yanoo | Mar 2012 | A1 |
20120079596 | Thomas et al. | Mar 2012 | A1 |
20120084859 | Radinsky et al. | Apr 2012 | A1 |
20120110667 | Zubrilin et al. | May 2012 | A1 |
20120117652 | Manni et al. | May 2012 | A1 |
20120121154 | Xue et al. | May 2012 | A1 |
20120124426 | Maybee et al. | May 2012 | A1 |
20120137367 | Dupont | May 2012 | A1 |
20120159519 | Matsuda | Jun 2012 | A1 |
20120174186 | Aziz et al. | Jul 2012 | A1 |
20120174196 | Bhogavilli et al. | Jul 2012 | A1 |
20120174218 | McCoy et al. | Jul 2012 | A1 |
20120198279 | Schroeder | Aug 2012 | A1 |
20120210423 | Friedrichs et al. | Aug 2012 | A1 |
20120222121 | Staniford et al. | Aug 2012 | A1 |
20120255012 | Sallam | Oct 2012 | A1 |
20120255015 | Sahita et al. | Oct 2012 | A1 |
20120255017 | Sallam | Oct 2012 | A1 |
20120260342 | Dube et al. | Oct 2012 | A1 |
20120266244 | Green et al. | Oct 2012 | A1 |
20120278886 | Luna | Nov 2012 | A1 |
20120297489 | Dequevy | Nov 2012 | A1 |
20120330801 | McDougal et al. | Dec 2012 | A1 |
20130014259 | Gribble et al. | Jan 2013 | A1 |
20130019309 | Strayer | Jan 2013 | A1 |
20130036472 | Aziz | Feb 2013 | A1 |
20130047257 | Aziz | Feb 2013 | A1 |
20130074185 | McDougal et al. | Mar 2013 | A1 |
20130086684 | Mohler | Apr 2013 | A1 |
20130097699 | Balupari et al. | Apr 2013 | A1 |
20130097706 | Titonis | Apr 2013 | A1 |
20130111587 | Goel et al. | May 2013 | A1 |
20130117852 | Stute | May 2013 | A1 |
20130117855 | Kim et al. | May 2013 | A1 |
20130139264 | Brinkley et al. | May 2013 | A1 |
20130160125 | Likhachev et al. | Jun 2013 | A1 |
20130160127 | Jeong et al. | Jun 2013 | A1 |
20130160130 | Mendelev et al. | Jun 2013 | A1 |
20130160131 | Madou et al. | Jun 2013 | A1 |
20130167236 | Sick | Jun 2013 | A1 |
20130174214 | Duncan | Jul 2013 | A1 |
20130185789 | Hagiwara et al. | Jul 2013 | A1 |
20130185795 | Winn et al. | Jul 2013 | A1 |
20130185798 | Saunders et al. | Jul 2013 | A1 |
20130191915 | Antonakakis et al. | Jul 2013 | A1 |
20130196649 | Paddon et al. | Aug 2013 | A1 |
20130227691 | Aziz et al. | Aug 2013 | A1 |
20130246370 | Bartram et al. | Sep 2013 | A1 |
20130263260 | Mahaffey et al. | Oct 2013 | A1 |
20130291109 | Staniford et al. | Oct 2013 | A1 |
20130298243 | Kumar et al. | Nov 2013 | A1 |
20140053260 | Gupta et al. | Feb 2014 | A1 |
20140053261 | Gupta | Feb 2014 | A1 |
20140082407 | Kochut | Mar 2014 | A1 |
20140090056 | Manadhata et al. | Mar 2014 | A1 |
20140122391 | Mugan | May 2014 | A1 |
20140130158 | Wang et al. | May 2014 | A1 |
20140137180 | Lukacs et al. | May 2014 | A1 |
20140165140 | Singla | Jun 2014 | A1 |
20140169762 | Ryu | Jun 2014 | A1 |
20140179360 | Jackson et al. | Jun 2014 | A1 |
20140201526 | Burgess | Jul 2014 | A1 |
20140205099 | Christodorescu | Jul 2014 | A1 |
20140223553 | Gupta et al. | Aug 2014 | A1 |
20140328204 | Klotsche et al. | Nov 2014 | A1 |
20140337836 | Ismael | Nov 2014 | A1 |
20140351935 | Shao et al. | Nov 2014 | A1 |
20150096025 | Ismael | Apr 2015 | A1 |
20150121524 | Fawaz | Apr 2015 | A1 |
20150172300 | Cochenour | Jun 2015 | A1 |
20150254162 | Baril | Sep 2015 | A1 |
20150341372 | Brand | Nov 2015 | A1 |
20160078362 | Christodorescu | Mar 2016 | A1 |
Number | Date | Country |
---|---|---|
2439806 | Jan 2008 | GB |
2490431 | Oct 2012 | GB |
0206928 | Jan 2002 | WO |
0223805 | Mar 2002 | WO |
2007117636 | Oct 2007 | WO |
2008041950 | Apr 2008 | WO |
2011084431 | Jul 2011 | WO |
2011112348 | Sep 2011 | WO |
2012075336 | Jun 2012 | WO |
2012145066 | Oct 2012 | WO |
2013067505 | May 2013 | WO |
Entry |
---|
Adobe Systems Incorporated, “PDF 32000-1:2008, Document management—Portable document format—Part1:PDF 1.7”, First Edition, Jul. 1, 2008, 756 pages. |
Apostolopoulos, George; hassapis, Constantinos; “V-eM: A cluster of Virtual Machines for Robust, Detailed, and High-Performance Network Emulation”, 14th IEEE International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems, Sep. 11-14, 2006, pp. 117-126. |
Clark, John, Sylvian Leblanc,and Scott Knight. “Risks associated with usb hardware trojan devices used by insiders.” Systems Conference (SysCon), 2011 IEEE International. IEEE, 2011. |
FireEye Malware Analysis & Exchange Network, Malware Protection System, FireEye Inc., 2010. |
FireEye Malware Analysis, Modern Malware Forensics, FireEye Inc., 2010. |
FireEye v.6.0 Security Target, pp. 1-35, Version 1.1, FireEye Inc., May 2011. |
Gibler, Clint, et al. AndroidLeaks: automatically detecting potential privacy leaks in android applications on a large scale. Springer Berlin Heidelberg, 2012. |
Gregg Keizer: “Microsoft's HoneyMonkeys Show Patching Windows Works”, Aug. 8, 2005, XP055143386, Retrieved from the Internet: URL:https://web.archive.org/web/20121022220617/http://www.informationweek- .com/microsofts-honeymonkeys-show-patching-wi/167600716 [retrieved on Sep. 29, 2014]. |
Heng Yin et al, Panorama: Capturing System-Wide Information Flow for Malware Detection and Analysis, Research Showcase @ CMU, Carnegie Mellon University, 2007. |
Idika et al., A-Survey-of-Malware-Detection-Techniques, Feb. 2, 2007, Department of Computer Science, Purdue University. |
Isohara, Takamasa, Keisuke Takemori, and Ayumu Kubota. “Kernel-based behavior analysis for android malware detection.” Computational intelligence and Security (CIS), 2011 Seventh International Conference on. IEEE, 2011. |
Kevin A Roundy et al: “Hybrid Analysis and Control of Malware”, Sep. 15, 2010, Recent Advances in Intrusion Detection, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 317-338, XP019150454 ISBN:978-3-642-15511-6. |
Leading Colleges Select FireEye to Stop Malware-Related Data Breaches, FireEye Inc., 2009. |
Li et al., A VMM-Based System Call Interposition Framework for Program Monitoring, Dec. 2010, IEEE 16th International Conference on Parallel and Distributed Systems, pp. 706-711. |
Lindorfer, Martina, Clemens Kolbitsch, and Paolo Milani Comparetti. “Detecting environment-sensitive malware.” Recent Advances in Intrusion Detection. Springer Berlin Heidelberg, 2011. |
Mori, Detecting Unknown Computer Viruses, 2004, Springer-Verlag Berlin Heidelberg. |
Oberheide et al., CloudAV.sub.—N-Version Antivirus in the Network Cloud, 17th USENIX Security Symposium USENIX Security '08 Jul. 28-Aug. 1, 2008 San Jose, CA. |
U.S. Pat. No. 8,171,553 filed Apr. 20, 2006, Inter Parties Review Decision dated Jul. 10, 2015. |
U.S. Pat. No. 8,291,499 filed Mar. 16, 2012, Inter Parties Review Decision dated Jul. 10, 2015. |
Wahid et al., Characterising the Evolution in Scanning Activity of Suspicious Hosts, Oct. 2009, Third International Conference on Network and System Security, pp. 344-350. |
Yuhei Kawakoya et al: “Memory behavior-based automatic malware unpacking in stealth debugging environment”, Malicious and Unwanted Software (Malware), 2010 5th International Conference on, IEEE, Piscataway, NJ, USA, Oct. 19, 2010, pp. 39-46, XP031833827, ISBN:978-1-4244-8-9353-1. |
Zhang et al., The Effects of Threading, Infection Time, and Multiple-Attacker Collaboration on Malware Propagation, Sep. 2009, IEEE 28th International Symposium on Reliable Distributed Systems, pp. 73-82. |
Thomas H. Ptacek, and Timothy N. Newsham , “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”, Secure Networks, (“Ptacek”), (Jan. 1998). |
U.S. Appl. No. 11/717,475, filed Mar. 12, 2007 Final Office Action dated Feb. 27, 2013. |
U.S. Appl. No. 11/717,475, filed Mar. 12, 2007 Final Office Action dated Nov. 22, 2010. |
U.S. Appl. No. 11/717,475, filed Mar. 12, 2007 Non-Final Office Action dated Aug. 28, 2012. |
U.S. Appl. No. 11/717,475, filed Mar. 12, 2007 Non-Final Office Action dated May 6, 2010. |
U.S. Appl. No. 14/059,381, filed Oct. 21, 2013 Non-Final Office Action dated Oct. 29, 2014. |
Venezia, Paul, “NetDetector Captures Intrusions”, InfoWorld Issue 27, (“Venezia”), (Jul. 14, 2003). |
Whyte, et al., “DNS-Based Detection of Scanning Works in an Enterprise Network”, Proceedings of the 12th Annual Network and Distributed System Security Symposium, (Feb. 2005), 15 pages. |
Williamson, Mathew M., “Throttling Virses: Restricting Propagation to Defeat Malicious Mobile Code”, ACSAC Conference, Las Vegas, NV, USA, (Dec. 2002), pp. 1-9. |
“Network Security: NetDetector—Network Intrusion Forensic System (NIFS) Whitepaper”, (“NetDetector Whitepaper”), (2003). |
“Packet”, Microsoft Computer Dictionary Microsoft Press, (Mar. 2002), 1 page. |
“When Virtual is Better Than Real”, IEEEXplore Digital Library, available at, http://ieeexplore.ieee.org/xpl/articleDetails.jso?reload=true&arnumber=990073, (Dec. 7, 2013). |
Abdullah, et al., Visualizing Network Data for Intrusion Detection, 2005 IEEE Workshop on Information Assurance and Security, pp. 100-108. |
Adetoye, Adedayo, et al., “Network Intrusion Detection & Response System”, (“Adetoye”) (Sep. 2003). |
AltaVista Advanced Search Results. “attack vector identifier” Http://www.altavista.com/web/results?Itag=ody&pg=aq&aqmode=aqa=Event+Orchestrator..., (Accessed on Sep. 15, 2009). |
AltaVista Advanced Search Results. “Event Orchestrator”. Http://www.altavista.com/web/results?Itag=ody&pg=aq&aqmode=aqa=Event+Orchesrator..., (Accessed on Sep. 3, 2009). |
Aura, Tuomas, “Scanning electronic documents for personally identifiable information”, Proceedings of the 5th ACM workshop on Privacy in electronic society. ACM, 2006. |
Aziz, Ashar, System and Method for Malware Containment, U.S. Appl. No. 14/620,060, filed Feb. 11, 2015, non-Final Office Action dated Apr. 3, 2015. |
Baecher, “The Nepenthes Platform: An Efficient Approach to collect Malware”, Springer-verlaq Berlin Heidelberg, (2006), pp. 165-184. |
Baldi, Mario; Risso, Fulvio; “A Framework for Rapid Development and Portable Execution of Packet-Handling Applications”, 5th IEEE International Symposium Processing and Information Technology, Dec. 21, 2005, pp. 233-238. |
Bayer, et al., “Dynamic Analysis of Malicious Code”, J Comput Virol, Springer-Verlag, France., (2006), pp. 67-77. |
Boubalos, Chris , “extracting syslog data out of raw pcap dumps, seclists.org, Honeypots mailing list archives”, available at http://seclists,org/honeypots/2003/q2/319 (“Boubalos”), (Jun. 5, 2003). |
Chaudet, C., et al., “Optimal Positioning of Active and Passive Monitoring Devices”, International Conference on Emerging Networking Experiments and Technologies, Proceedings of the 2005 ACM Conference on Emerging Network Experiment and Technology, CoNEXT '05, Toulousse, France, (Oct. 2005), pp. 71-82. |
Cisco “Intrusion Prevention for the Cisco ASA 5500-x Series” Data Sheet (2012). |
Cisco, Configuring the Catalyst Switched Port Analyzer (SPAN) (“Cisco”), (1992-2003). |
Cohen, M.I., “PyFlag—An advanced network forensic framework”, Digital investigation 5, ELSEVIER, (2008), pp. S112-S120. |
Costa, M., et al., “Vigilante: End-to-End Containment of Internet Worms”, SOSP '05 Association for Computing Machinery, Inc., Brighton U.K., (Oct. 23-26, 2005). |
Crandall, J.R., et al., “Minos:Control Data Attack Prevention Orthogonal to Memory Model”, 37th International Symposium on Microarchitecture, Portland, Oregon, (Dec. 2004). |
Deutsch, P., ““Zlib compressed data format specification version 3.3” RFC 1950, (1996)”. |
Distler, “Malware Analysis: An Introduction”, SANS Institute InfoSec Reading Room, SANS Institute, (2007). |
Dunlap, George W. , et al., “ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay”, Proceeding of the 5th Symposium on Operating Systems Design and Implementation, USENIX Association, (“Dunlap”), (Dec. 9, 2002). |
Excerpt regarding First Printing Date for Merike Kaeo, Designing Network Security (“Kaeo”), (2005). |
Filiol, Eric , et al., “Combinatorial Optimisation of Worm Propagation on an Unknown Network”, International Journal of Computer Science 2.2 (2007). |
Goel, et al., Reconstructing System State for Intrusion Analysis, Apr. 2008 SIGOPS Operating Systems Review vol. 42 Issue 3, pp. 21-28. |
Hjelmvik, Erik, “Passive Network Security Analysis with NetworkMiner”, (IN)Secure, Issue 18, (Oct. 2008), pp. 1-100. |
IEEE Xplore Digital Library Sear Results for “detection of unknown computer worms”. Http//ieeexplore.ieee.org/searchresult.jsp?SortField=Score&SortOrder=desc&ResultC... (Accessed on Aug. 28, 2009). |
Kaeo, Merike, “Designing Network Security”, (“Kaeo”), (Nov. 2003). |
Kim, H., et al., “Autograph: Toward Automated, Distributed Worm Signature Detection”, Proceedings of the 13th Usenix Security Symposium (Security 2004), San Diego, (Aug. 2004), pp. 271-286. |
King, Samuel T., et al., “Operating System Support for Virtual Machines”, (“King”). |
Krasnyansky, Max, et al., Universal TUN/TAP driver, available at https://www.kernel.org/doc/Documentation/networking/tuntap.txt (2002) (“Krasnyansky”). |
Kreibich, C., et al., “Honeycomb-Creating Intrusion Detection Signatures Using Honeypots”, 2nd Workshop on Hot Topics in Networks (HotNets-11), Boston, USA, (2003). |
Kristoff, J., “Botnets, Detection and Mitigation: DNS-Based Techniques”, NU Security Day, (2005), 23 pages. |
Liljenstam, Michael, et al., “Simulating Realistic Network Traffic for Worm Warning System Design and Testing”, Institute for Security Technology studies, Dartmouth College, (“Liljenstam”), (Oct. 27, 2003). |
Lok Kwong et al: “DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis”, Aug. 10, 2012, XP055158513, Retrieved from the Internet: URL:https://www.usenix.org/system/files/conference/usenixsecurity12/sec12- -final107.pdf [retrieved on Dec. 15, 2014]. |
Marchette, David J., Computer Intrusion Detection and Network Monitoring: A Statistical (“Marchette”), (2001). |
Margolis, P.E., “Random House Webster's Computer & Internet Dictionary 3rd Edition”, ISBN 0375703519, (Dec. 1998). |
Moore, D., et al., “Internet Quarantine: Requirements for Containing Self-Propagating Code”, INFOCOM, vol. 3, (Mar. 30-Apr. 3, 2003), pp. 1901-1910. |
Morales, Jose A., et al., ““Analyzing and exploiting network behaviors of malware.””, Security and Privacy in Communication Networks. Springer Berlin Heidelberg, 2010. 20-34. |
Natvig, Kurt, “Sandboxii: Internet”, Virus Bulletin Conference, (“Natvig”), (Sep. 2002). |
NetBIOS Working Group. Protocol Standard for a NetBIOS Service on a TCP/UDP transport: Concepts and Methods. STD 19, RFC 1001, Mar. 1987. |
Newsome, J., et al., “Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software”, In Proceedings of the 12th Annual Network and Distributed System Security, Symposium (NDSS '05), (Feb. 2005). |
Newsome, J., et al., “Polygraph: Automatically Generating Signatures for Polymorphic Worms”, In Proceedings of the IEEE Symposium on Security and Privacy, (May 2005). |
Nojiri, D. , et al., “Cooperation Response Strategies for Large Scale Attack Mitigation”, DARPA Information Survivability Conference and Exposition, vol. 1, (Apr. 22-24, 2003), pp. 293-302. |
Peter M. Chen, and Brian D. Noble, “When Virtual Is Better Than Real, Department of Electrical Engineering and Computer Science”, University of Michigan (“Chen”). |
Reiner Sailer, Enriquillo Valdez, Trent Jaeger, Roonald Perez, Leendert van Doom, John Linwood Griffin, Stefan Berger., sHype: Secure Hypervisor Approach to Trusted Virtualized Systems (Feb. 2, 2005) (“Sailer”). |
Silicon Defense, “Worm Containment in the Internal Network”, (Mar. 2003), pp. 1-25. |
Singh, S., et al., “Automated Worm Fingerprinting”, Proceedings of the ACM/USENIX Symposium on Operating System Design and Implementation, San Francisco, California, (Dec. 2004). |
Spitzner, Lance, “Honeypots: Tracking Hackers”, (“Spizner”), (Sep. 17, 2002). |
The Sniffers's Guide to Raw Traffic available at: yuba.stanford.edu/˜casado/pcap/sectionl.html, (Jan. 6, 2014). |