Exploit of privilege detection framework

Information

  • Patent Grant
  • 10565378
  • Patent Number
    10,565,378
  • Date Filed
    Wednesday, June 29, 2016
  • Date Issued
    Tuesday, February 18, 2020
Abstract
A non-transitory storage medium having stored thereon logic, the logic being executable by one or more processors to perform operations including comparing a current privilege of a first process with an initial privilege of the first process recorded in a privilege list, and responsive to determining a change exists between the current privilege of the first process and the initial privilege of the first process that is greater than a predetermined threshold, determining the first process is operating with the current privilege due to an exploit of privilege attack is shown.
Description
FIELD

Embodiments of the disclosure relate to the field of cyber security. More specifically, embodiments of the disclosure relate to a system for detecting “exploit of privilege” attacks.


GENERAL BACKGROUND

Today, computer systems may execute a plurality of processes in a concurrent manner. Each process is granted a set of privileges at the time the process is created and these privileges may change over the life of the process. Typically, the set of privileges granted to a process is stored in a token structure associated with each process. In a computing device with a Windows® operating system, for example, each token structure is “unique” to a process within the run-time environment in that there is a one-to-one mapping between the process and its associated token (and its included privileges set), and this is established through a kernel object stored in system memory.


However, recently, exploits have been developed that seek to take advantage of vulnerabilities which enable the exploit to modify the privilege of a process and thereafter use the process for unintended purposes. Specifically, exploits may attempt to steal a token of a first process and associate a second process with the stolen token. A second exploit may involve modifying the token structure of a process to alter the set of privileges granted to the corresponding process. For example, an exploit may modify the token structure of a first process by granting the first process additional privileges that were not intended to be obtained by the process.


By the modification of the set of privileges, either by associating one process with the token of another process or by modifying the token structure of a process, the exploit may cause the process to perform unwanted or malicious behavior using the modified privileges. For example, the process having a modified set of privileges may delete or alter one or more files to which the process was not intended to have access. Additionally, a process having a modified set of privileges may open a communication line to a foreign server and download unwanted or malicious payloads. Such exploits may be referred to as exploit of privilege (EoP) attacks, or privilege escalation attacks.


A computer system manages operations performed by each process according to the set of privileges granted to each process. Therefore, when the privileges of a process have been modified, a computer system may unknowingly enable a process to perform operations that the process should be restricted from performing. Additionally, these operations may appear routine or harmless to current malware detection systems. Therefore, detection of EoP attacks presents challenges to current malware detection systems.





BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the invention are illustrated by way of example and not by way of limitation in the figures of the accompanying drawings, in which like references indicate similar elements and in which:



FIG. 1 is an illustration of a sample process list.



FIG. 2 is an exemplary block diagram illustrating a plurality of processes each being associated with a token in a one-to-one mapping.



FIG. 3 is an illustration of a sample privilege list generated according to the sample process list of FIG. 1.



FIG. 4A is a first graph illustrating a change in privilege levels of a process over time.



FIG. 4B is a second graph illustrating a change in privilege levels of a process over time.



FIG. 4C is a third graph illustrating a change in privilege levels of a process over time.



FIG. 5 is an exemplary block diagram illustrating the plurality of processes of FIG. 1 wherein a process is operating with a first stolen token.



FIG. 6 is an exemplary block diagram illustrating the plurality of processes of FIG. 1 wherein a process is operating with a second stolen token.



FIG. 7 is a flowchart illustrating an exemplary process that occurs when a token is modified and potential points within the process that the modification may be detected.



FIG. 8 is an exemplary timeline illustrating a process of exploiting a vulnerability to create a process having an escalated privilege.



FIG. 9 is a block diagram illustrating an exemplary exploit of a vulnerability that may be utilized to facilitate an exploit of privilege attack.



FIG. 10 is a flowchart illustrating a process for detecting potential exploit of privilege attack using periodic or aperiodic scanning of a list of running processes.



FIG. 11 is a flowchart illustrating a process for detecting potential exploit of privilege attack by hooking one or more predetermined function calls.



FIG. 12 is a flowchart illustrating a process for detecting potential exploit of privilege attack by analyzing scheduling of one or more threads of one or more processes.



FIG. 13 is a flowchart illustrating a process for determining whether a token has been modified or stolen.



FIG. 14 is an exemplary embodiment of a logical representation of an exploit of privilege detection system.





DETAILED DESCRIPTION

Various embodiments of the disclosure relate to an exploit of privilege (EoP) detection system that improves detection of attacks targeting vulnerabilities that allow for an exploit of a privilege of one or more processes. As discussed above, an EoP attack may include the execution of an exploit that takes advantage of a vulnerability, e.g., a vulnerability in software, by modifying a privilege of a process. Such privilege modification may be accomplished by modifying the token associated with the process, associating a token of a first process with a second process (e.g., “steals a token”), and/or causing a first process to create a second process having greater privilege than the first process. The EoP detection system provides the ability to detect an EoP attack by using one or more detection methods.


The EoP detection system may detect a potential EoP attack through a scanning detection method, an explicit detection method, and/or an implicit detection method. In one embodiment, the scanning detection method compares the privileges of each of the processes running at a particular point in time (“current privileges”) with a list of privileges of each process when each process was created (as set forth in a “privilege list”) or at a later point in time selected so as to assure the “trustedness” (i.e., not altered by malware) of the privilege information. For this, the system stores and/or has access to the privilege list for each process for use in the scanning method. The scanning may be repeated from time to time during execution of each of the processes being scanned. In some implementations, each scanning may involve comparing the current privilege at times t1, t2, t3 to tn with an initial privilege at time t0 (creation time for a process), or may involve comparing the current privilege at time t1 with the initial privilege at time t0 and then comparing the current privilege at times t2, t3 or tn to a prior current privilege that has already been checked and found to match the initial privilege. In this regard, where the privilege of a process has been subject to a later “authorized” change in privilege level (e.g., authorized by a user or administrator or otherwise and not malicious), the initial privilege for comparison may be the new privilege level after the change. The scanning detection method may utilize aperiodic or periodic scanning of a list of processes running on a machine at a particular point in time (“running process list”). The scanning may be done according to a periodic schedule such that the EoP detection system performs the scanning detection method at predetermined periodic time intervals. Alternatively, the scanning detection method may be performed according to other triggering events that occur in an aperiodic manner (“aperiodic triggering events”). For example, an aperiodic triggering event may be the calling of a predetermined number of function and/or system calls by processes running on the machine. Additionally, an aperiodic triggering event may be an input from a user or network administrator.


In a second embodiment, the scanning detection method may compare the running process list with a “learned privilege list.” The learned privilege list is a list of one or more processes and one or more privilege(s) corresponding to each process, wherein the one or more privilege(s) were known prior to the time of the scanning as a result of prior analyses and/or experimentation (e.g., experiential knowledge). For example, a web browser application may have two running processes: a first process running with the privilege(s) of the user, and a second process running with a second set of privileges (e.g., a default set of privileges, wherein the default set of privilege is included on the learned privilege list). When the scanning detection method (or another detection method disclosed herein) detects that the second process has gained privilege(s) beyond those appearing on the learned privilege list, the EoP detection system may enter the detection phase to determine whether the second process is operating with a stolen token or a maliciously modified token. In another embodiment, when the scanning detection method (or another detection method disclosed herein) detects that the second process has gained privilege(s) beyond those appearing on the learned privilege list, the reporting logic of the EoP detection system may automatically report that the second process is operating with a stolen token or a maliciously modified token.


When the current privilege(s) of a first process are inconsistent with the privilege(s) listed for the first process on the privilege list, reporting logic of the EoP detection system analyzes the current privilege(s) of the first process to determine whether the first process is operating with a stolen token or whether the token of the first process has been modified maliciously. Herein, a malicious modification of a token may be interpreted as the modification of the privilege set forth in the token such that the privilege provided in the modified token is greater than the privilege set forth in the original token and the modified privilege is inconsistent with expectations for variations of the privilege of the process with which the token is associated. Expected or “authorized” changes in privilege level may be effected by a trusted system service such as, for example, upon a software update or other event as contemplated or even prompted by a user or administrator, and stand in contradistinction to a malicious modification. The expectations for variations of a privilege (e.g., an increase in the privileges of a process) may be based on, inter alia, the type of process (e.g., a browser process, a host process for operating system (OS) tasks, an email client, etc.), and/or the initial privilege(s) of the process. Herein, the term “privilege(s)” may be interpreted as comprising a privilege level associated with a process. For example, a process may have a privilege level of ‘X,’ wherein ‘X’ comprises a plurality of individual privileges.


Additionally, the scanning detection method may also compare identification information of the token of a first running process with (i) identification information of the token of one or more running processes, and/or (ii) identification information of the token of the first process set forth in the privilege list (e.g., the identification information of the token of the first process at the time the first process was created). The comparison of identification information of one or more tokens enables the EoP detection system to detect when a process is operating, for example, with a stolen token. A stolen token may represent a token that is no longer associated with a process in a one-to-one mapping, but is instead associated with a plurality of processes in a one-to-many mapping. In one embodiment, the identification information of a token may be a pointer to a location in memory. In a “clean,” e.g., non-altered or non-maliciously altered, system, each process in these embodiments is associated with an unaltered or non-maliciously altered token in a one-to-one mapping; therefore, no two processes should point to the same location in memory. The privilege list, as discussed above, may also include the identification information of the token associated with each process. Identification information of a process may include, inter alia, a process identifier, a process name, a process description, or any other descriptor.


In a second embodiment, the scanning detection method may compare the identification information of each token of each running process with the identification information of each token of one or more predetermined processes to determine whether a currently running process is operating with a stolen token. For example, the predetermined processes may include one or more system processes. The EoP detection system may analyze each process on the list of currently running processes by comparing the identification information of the token associated with a first process with the identification information of the token of each of the predetermined processes. The EoP detection system may analyze each of the currently running processes in this manner. When the EoP detection system detects a match between the identification information of the token of a first currently running process and the identification information of the token of one of the predetermined processes, the EoP detection system has detected that the first currently running process is operating with a stolen token and may generate an alert detailing such information.
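The scanning checks described in the preceding paragraphs, as an added Python sketch that is not code from the patent: it builds a privilege list, re-baselines an authorized change, and flags privilege increases above a threshold, changed or shared token identifiers, and matches against the tokens of predetermined system processes. The process names, PIDs, token identifier values and the numeric ordering of the privilege levels are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Privilege levels named on the page; the numeric ordering is an assumption."""
    USER = 1
    ADMIN = 2
    SYSTEM = 3


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    level: Level
    token_id: int  # identification information of the token, e.g. a pointer value


class PrivilegeScanner:
    def __init__(self, processes, system_pids, threshold=0):
        # Build phase: record each process's initial privilege and token identity.
        self.privilege_list = {p.pid: p for p in processes}
        self.system_pids = frozenset(system_pids)  # the "predetermined processes"
        self.threshold = threshold                 # levels of increase tolerated

    def authorize_change(self, proc):
        """An authorized change becomes the new baseline for later scans."""
        self.privilege_list[proc.pid] = proc

    def scan(self, running):
        """One pass over the running process list; returns sorted (pid, finding)."""
        findings = set()
        owners = {}
        for p in running:
            owners.setdefault(p.token_id, []).append(p.pid)
        system_tokens = {p.token_id for p in running if p.pid in self.system_pids}

        for p in running:
            base = self.privilege_list.get(p.pid)
            if base is not None:
                # Current privilege vs. initial privilege, against the threshold.
                if p.level - base.level > self.threshold:
                    findings.add((p.pid, "privilege_increase"))
                # Token identity vs. the identity recorded in the privilege list.
                if p.token_id != base.token_id:
                    findings.add((p.pid, "token_changed"))
            # One-to-many mapping: several processes hold one token. The process
            # still on its recorded token is treated as the legitimate owner;
            # a process with no privilege-list entry is flagged (assumption).
            moved = base is None or p.token_id != base.token_id
            if len(owners[p.token_id]) > 1 and moved:
                findings.add((p.pid, "token_shared"))
            # Second embodiment: match against tokens of predetermined processes.
            if p.pid not in self.system_pids and p.token_id in system_tokens:
                findings.add((p.pid, "system_token"))
        return sorted(findings)


def baseline():
    """Constructed running process list at build time."""
    return [
        Proc(4, "System", Level.SYSTEM, 0xA000),
        Proc(612, "svchost.exe", Level.SYSTEM, 0xA100),
        Proc(2040, "browser.exe", Level.USER, 0xB200),
        Proc(3120, "mail.exe", Level.USER, 0xB300),
        Proc(3500, "updater.exe", Level.USER, 0xB400),
    ]


def later_snapshot():
    """Constructed running process list at a later scan."""
    return [
        Proc(4, "System", Level.SYSTEM, 0xA000),
        Proc(612, "svchost.exe", Level.SYSTEM, 0xA100),
        Proc(2040, "browser.exe", Level.SYSTEM, 0xA000),  # points at System's token
        Proc(3120, "mail.exe", Level.ADMIN, 0xB300),      # own token, raised in place
        Proc(3500, "updater.exe", Level.ADMIN, 0xB400),   # raised by an authorized update
    ]


if __name__ == "__main__":
    scanner = PrivilegeScanner(baseline(), system_pids={4, 612})
    scanner.authorize_change(Proc(3500, "updater.exe", Level.ADMIN, 0xB400))
    for pid, finding in scanner.scan(later_snapshot()):
        print(pid, finding)
```

Findings from a scan are inputs to the reporting logic, which decides between a stolen token and a maliciously modified one; raising `threshold` to 1 suppresses the single-level increase on `mail.exe` while still flagging `browser.exe`.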


The explicit detection method may intercept or trap, sometimes referred to as “hook,” a software call (e.g., API, library, procedure, function, or system call) appearing on a list of predetermined calls such as system calls (e.g., a request by the process to the kernel of the OS running on the machine) and/or function calls (e.g., a call to a subroutine within the program of which the process making the function call is an executing instance). Herein, the term “hooked” may involve, for example, intercepting or otherwise monitoring a software call or other software activity, such that the EoP detection system may analyze the call or behavior. In some “in band” embodiments, the analysis may occur prior to or after, for example, servicing (responding to) the software call while other embodiments may operate out of band so as to avoid interruption or introduced delay in execution. In particular, the EoP detection system may analyze the privilege(s) required to make the hooked call and determine whether the privilege(s) required to make the call are consistent with the privilege(s) listed for the process on the privilege list. As discussed above with the scanning detection method, when the privilege(s) required to make the hooked call are inconsistent with the privilege(s) listed for the process on the privilege list, the reporting logic of the EoP detection system analyzes the current privilege(s) of the process to determine whether the process is operating with a stolen token or whether the token of the first process has been maliciously modified.


The implicit detection method may hook into the kernel scheduler and trap on the scheduling of the pending thread of execution. Herein, by hooking the kernel logic (e.g., one or more software calls directed to the kernel) that schedules a thread, the EoP detection system may analyze whether the privilege(s) of one or more of the threads of interest that are scheduled to run are greater than the privilege(s) appearing on one or more of (i) the privilege list or (ii) the learned privilege list (herein the learned privilege list may also include information associated with one or more threads and the privilege(s) of each thread, if applicable). When the privilege(s) of a first thread are greater than the expected privileges of the first thread, the reporting logic of the EoP detection system may report a stolen token or a token that has been maliciously modified based on the analyses.


The implicit detection method may alternatively, in some embodiments, be implemented in a hypervisor virtualization layer provided for use by the EoP detection system, and trap on the scheduling of a thread to execute software. Herein, by trapping within the hypervisor all or any threads of interest, the EoP detection system may analyze whether the privilege(s) of the thread scheduled to run are greater than the privilege(s) appearing on one or more of (i) the privilege list or (ii) the learned privilege list. When the privilege(s) of a first thread are greater than the expected privileges of the first thread, the reporting logic of the EoP detection system may report a stolen token or a token that has been maliciously modified based on the analyses.
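The explicit (hooked call) and implicit (thread scheduling) checks described above, as an added Python sketch that is not code from the patent: each hook event is compared against the privilege list, and thread privileges are also compared against a learned privilege list. The event trace, PIDs, process names and the list of hooked calls with their required privileges are constructed for illustration.

```python
from dataclasses import dataclass, field

# Hooked calls and the individual privilege each one needs. This list of
# predetermined calls is chosen for the example, not taken from the page.
REQUIRED_PRIVILEGE = {
    "NtCreatePagingFile": "SeCreatePagefilePrivilege",
    "NtLoadDriver": "SeLoadDriverPrivilege",
    "NtShutdownSystem": "SeShutdownPrivilege",
}


@dataclass
class HookMonitor:
    privilege_list: dict  # pid -> frozenset of privileges recorded at creation
    learned_list: dict    # process name -> frozenset known from prior analysis
    names: dict           # pid -> process name
    findings: list = field(default_factory=list)

    def on_call(self, pid, call):
        """Explicit method: runs when a call on the predetermined list is hooked."""
        needed = REQUIRED_PRIVILEGE.get(call)
        if needed is None:
            return  # call is not on the predetermined list, nothing to analyze
        if needed not in self.privilege_list.get(pid, frozenset()):
            self.findings.append((pid, "call", call, (needed,)))

    def on_schedule(self, pid, tid, thread_privileges):
        """Implicit method: runs when the scheduler hook sees a thread about to run."""
        listed = self.privilege_list.get(pid, frozenset())
        learned = self.learned_list.get(self.names.get(pid), frozenset())
        # Treating a privilege on either list as expected is an assumption.
        extra = frozenset(thread_privileges) - (listed | learned)
        if extra:
            self.findings.append((pid, "thread", tid, tuple(sorted(extra))))

    def replay(self, events):
        """Feed a recorded trace of hook events through both checks."""
        for ev in events:
            if ev[0] == "call":
                self.on_call(ev[1], ev[2])
            else:
                self.on_schedule(ev[1], ev[2], ev[3])
        return self.findings


def run_trace():
    """Constructed trace: a service process and a two-process web browser."""
    monitor = HookMonitor(
        privilege_list={
            612: frozenset({"SeLoadDriverPrivilege", "SeShutdownPrivilege",
                            "SeCreatePagefilePrivilege"}),
            2040: frozenset({"SeChangeNotifyPrivilege"}),
            2041: frozenset({"SeChangeNotifyPrivilege"}),
        },
        learned_list={
            "browser.exe": frozenset({"SeChangeNotifyPrivilege",
                                      "SeIncreaseWorkingSetPrivilege"}),
        },
        names={612: "svchost.exe", 2040: "browser.exe", 2041: "browser.exe"},
    )
    events = [
        ("call", 612, "NtLoadDriver"),              # listed privilege, consistent
        ("schedule", 2040, 11, {"SeChangeNotifyPrivilege",
                                "SeIncreaseWorkingSetPrivilege"}),  # on learned list
        ("call", 2040, "NtQueryInformationFile"),   # not a hooked call
        ("call", 2041, "NtLoadDriver"),             # needs a privilege never listed
        ("schedule", 2041, 27, {"SeChangeNotifyPrivilege", "SeDebugPrivilege",
                                "SeLoadDriverPrivilege"}),          # beyond both lists
    ]
    return monitor.replay(events)


if __name__ == "__main__":
    for finding in run_trace():
        print(finding)
```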


Herein, the EoP detection system may utilize one or more of the detection methods briefly discussed above to detect malware directed at an EoP attack, wherein “malware” may be broadly construed as including exploits that initiate malicious, anomalous or unwanted behaviors.


Additionally, the EoP detection system may detect the presence of malicious binaries exploiting, or attempting to exploit, the privilege(s) of one or more of their own processes or other processes on the system. A malicious binary may enter the system, e.g., through a download, and attempt to infiltrate a network or target device. In some embodiments, the malicious binary, upon execution, will attempt to purposefully cause a change in privilege(s) of one or more processes and use the changed privilege for a malicious purpose, such as accessing secured memory locations to obtain personal or confidential data, or spreading throughout a network.


In one embodiment of the disclosure, the EoP detection system includes one or more processors, a communication interface, a persistent storage storing thereon a dynamic analysis logic, an optional static analysis logic, and an alert generation logic. Such an EoP detection system may be implemented in a network device including, but not limited to, an endpoint such as a general-purpose or special-purpose network device. Alternatively, or in addition, the dynamic analysis logic may include one or more virtual machines (VMs) and a virtual machine manager (VMM) wherein the EoP detection system operates within the one or more VMs and the VMM. Such dynamic analysis logic may be implemented by a cyber-threat detection appliance including the EoP detection system, for example. Such an appliance can be a purpose-built cyber-threat detection network device or a general-purpose network device configured with an executable computer program furnishing the EoP detection system.


Herein, the EoP detection system may be implemented in each instance of a VM within the dynamic analysis logic. Alternatively, the EoP detection system may be implemented entirely within the VMM such that the EoP detection monitors the processing within each VM of the dynamic analysis logic. In yet another embodiment, the logic of the EoP detection system may be implemented in both of (i) the VMM, and (ii) each VM of the dynamic analysis logic. In such an embodiment, each VM may include logic providing the full functionality of the EoP detection system, or one or more functionalities (e.g., operations), but less than all, may be provided to each VM, wherein the VMM would include logic providing, at least, the functionalities not provided to each VM. In yet another embodiment, each VM and the VMM may include logic providing full functionality of the EoP detection system, wherein the results of the EoP detection system monitoring a particular VM from the VMM may be compared with the results of the EoP detection system within the particular VM. Additionally, a VM and the VMM may collaborate in the operations performed by the EoP detection system by transmitting data and/or results between the EoP detection system logic included in the VM and the EoP detection system logic included in the VMM. In yet another embodiment, one or more functionalities performed by the EoP detection system logic within the VM and/or the VMM may be disabled and/or enabled dynamically through one or more electronic signals transmitted by, for example, a network administrator during configuration and instantiation of the VM or, in some embodiments, during VM runtime.


I. Terminology

In the following description, certain terminology is used to describe features of the invention. For example, in certain situations, both terms “logic” and “engine” are representative of hardware, firmware and/or software that is configured to perform one or more functions. As hardware, logic (or engine) may include circuitry having data processing or storage functionality. Examples of such circuitry may include, but are not limited or restricted to a microprocessor, one or more processor cores, a programmable gate array, a microcontroller, a controller, an application specific integrated circuit, wireless receiver, transmitter and/or transceiver circuitry, semiconductor memory, or combinatorial logic.


Logic (or engine) may be software in the form of one or more software modules, such as executable code in the form of an executable application, an application programming interface (API), a subroutine, a function, a procedure, an applet, a servlet, a routine, source code, object code, a shared library/dynamic link library, or one or more instructions. These software modules may be stored in any type of a suitable non-transitory (computer-readable) storage medium, or transitory storage medium (e.g., electrical, optical, acoustical or other form of propagated signals such as carrier waves, infrared signals, or digital signals). Examples of non-transitory storage medium may include, but are not limited or restricted to a programmable circuit; a semiconductor memory; non-persistent storage such as volatile memory (e.g., any type of random access memory “RAM”); persistent storage such as non-volatile memory (e.g., read-only memory “ROM”, power-backed RAM, flash memory, phase-change memory, etc.), a solid-state drive, hard disk drive, an optical disc drive, or a portable memory device. As firmware, the executable code is stored in persistent storage.


According to one embodiment, the term “malware” may be construed broadly as any code or activity that initiates a malicious attack and/or operations associated with anomalous or unwanted behavior. For instance, malware may correspond to a type of malicious computer code that executes an exploit to take advantage of a vulnerability, for example, to harm or co-opt operation of a network device or misappropriate, modify or delete data. Malware may also correspond to an exploit, namely information (e.g., executable code, data, command(s), etc.) that attempts to take advantage of a vulnerability in software and/or an action by a person gaining unauthorized access to one or more areas of a network device to cause the network device to experience undesirable or anomalous behaviors. The undesirable or anomalous behaviors may include a communication-based anomaly or an execution-based anomaly, which, for example, could (1) alter the functionality of a network device executing application software in an atypical manner (a file is opened by a first process where the file is configured to be opened by a second process and not the first process); (2) alter the functionality of the network device executing that application software without any malicious intent; and/or (3) provide unwanted functionality which may be generally acceptable in another context. Additionally, malware may be code that initiates unwanted behavior which may be, as one example, uploading a contact list to cloud storage without receiving permission from the user.


The term “processing” may include launching an application wherein launching should be interpreted as placing the application in an open state and performing simulations of actions typical of human interactions with the application. For example, the application, an Internet browsing application, may be processed such that the application is opened and actions such as visiting a website, scrolling the website page, and activating a link from the website are performed (e.g., the performance of simulated human interactions).


The term “network device” may be construed as any electronic device with the capability of connecting to a network, downloading and installing mobile applications. Such a network may be a public network such as the Internet or a private network such as a wireless data telecommunication network, wide area network, a type of local area network (LAN), or a combination of networks. Examples of a network device may include, but are not limited or restricted to, a laptop, a mobile phone, a tablet, etc. Herein, the terms “network device,” “endpoint device,” and “mobile device” will be used interchangeably. The terms “mobile application” and “application” should be interpreted as software developed to run specifically on a mobile network device.


The term “malicious” may represent a probability (or level of confidence) that the object is associated with a malicious attack or known vulnerability. For instance, the probability may be based, at least in part, on (i) pattern matches; (ii) analyzed deviations in messaging practices set forth in applicable communication protocols (e.g., HTTP, TCP, etc.) and/or proprietary document specifications (e.g., Adobe PDF document specification); (iii) analyzed compliance with certain message formats established for the protocol (e.g., out-of-order commands); (iv) analyzed header or payload parameters to determine compliance, (v) attempts to communicate with external servers during processing in one or more VMs, (vi) attempts to access memory allocated to the application during virtual processing, and/or other factors that may evidence unwanted or malicious activity.


The term “process” may be interpreted as an executing instance of a computer program. As is known in the art, a process may consist of one or more threads. The term “thread” should be interpreted as an execution of the smallest sequence of instructions that is managed by a scheduler.


The term “token” (or “primary access token”) may be interpreted as an object (e.g., information formatted in a specified structure) that describes the security context of a process or thread associated with the token, wherein one or more thread(s) of the process perform various actions on the behalf of the user that the token represents. The token may be thought of as a badge or identification (ID) of the user account to which the process, and thus any threads associated therewith, belongs. The token may be utilized within the OS to implement security principles of controlled access and isolation.


In one embodiment, the token may have a predetermined structure that is known to both the operating system and the EoP detection system (e.g., the predetermined structure may be advertised to parties other than the operating system developer). In a second embodiment, the token may have a predetermined structure wherein the predetermined structure is shielded from parties other than the operating system developer (i.e., such a token may be referred to as an opaque token). In the second embodiment, the operating system may shield the structure of the token from processes or applications by merely requiring a process and/or thread to pass the token to the operating system when making a function and/or system call.


In either embodiment, the information comprising the security context in a token may include, inter alia, the identity of the user account associated with the process or thread, identifiers of the groups to which the user is a member, session information, and the privilege(s) of the user and/or groups to which the user is a member. Herein, a privilege is an access right of a process or thread that allows the process or thread to perform various operations on behalf of the user represented by the token. A privilege may relate to the access-control and/or auditing mechanism utilized by operating systems to provide security and isolation. As used herein, the term “privilege” may represent a privilege level, such as, for example, “User,” “Admin,” or “System,” or represent an individual privilege, such as, for example, “SeCreatePagefilePrivilege.”


Additionally, the term privilege may be interpreted as the security context of the process, or its thread(s), which is executing on behalf of the user account specified by the primary access token. In some embodiments, individual threads of a process may act on the behalf of other users through the related “impersonation tokens.” In one embodiment, the term “token” may mean the “primary access token” and/or the “impersonation token.”


As an example, a malicious kernel exploit may involve overwriting the data stored in memory locations associated with the sub-structure containing the privileges of the opaque token associated with a process. Thus when a user directs the process to perform an operation, the process, which previously had a first privilege, now has an escalated second privilege due to the malicious memory overwrite of the data stored in the sub-structure of the opaque token associated with the process.


Embodiments of the disclosure provide illustrative examples of a Microsoft® EoP detection system employing a Windows® operating system and are not meant to limit the scope of the application. Alternative operating systems such as Linux™ (e.g., a UNIX or Unix-like operating system) and Mac OS X have different security model implementations as compared to Windows. Whereas on the Windows operating system, the “token” is an opaque object that stores and maintains the user security context for each process, Linux™ utilizes two primary credentials: creator user credentials and primary user credentials. UNIX and Linux also have the concepts of effective creator and primary credentials to provide security and isolation. These are internally implemented on Linux as opaque kernel structures. Additionally, Mac OS X may add “entitlements” (sand-boxing) and “code-signing” to restrict the actions and activities that a process running on behalf of users is able to perform. On Mac OS X, the entitlements are implemented through a mandatory access control (MAC) layer. For example, a MAC policy (e.g., a security policy that may restrict the ability of a user to deny or grant access to resources in a system) may be implemented as an opaque kernel structure. Thus, the same types and categories of kernel exploits apply to operating systems other than Microsoft® Windows® operating system, and it is envisioned that the detection techniques disclosed herein apply to each of these operating systems.


Lastly, the terms “or” and “and/or” as used herein are to be interpreted as inclusive or meaning any one or any combination. Therefore, “A, B or C” or “A, B and/or C” mean “any of the following: A; B; C; A and B; A and C; B and C; A, B and C.” An exception to this definition will occur only when a combination of elements, functions, steps or acts are in some way inherently mutually exclusive.


The invention may be utilized for detecting exploit of privilege attacks. As this invention is susceptible to embodiments of many different forms, it is intended that the present disclosure is to be considered as an example of the principles of the invention and not intended to limit the invention to the specific embodiments shown and described.


II. Network Appliance Deployment

The EoP detection system may operate in accordance with three phases: (i) a build phase, (ii) a detection phase, which includes one or more of the scanning detection method, the explicit detection method, and/or the implicit detection method, and (iii) a reporting phase. The build phase may include the generation of a privilege list, which should be interpreted as a list or other data structure of the privilege(s) of each process at the time each process was created (and, in some cases, reflecting later authorized modifications). The detection phase, as mentioned above, may include one or more detection methods. The detection phase may implement one or more of the methods, and in some embodiments, may implement all three detection methods. Additionally, the EoP detection system includes a reporting phase which analyzes the results of the detection phase to determine whether the current privilege(s) of a first process that are inconsistent with the privilege(s) present on the privilege list for the first process are due to operation using a stolen token or the malicious modification of the token associated with the first token.


1. Build Phase


Referring to FIG. 1, an illustration of a sample process list is shown. The sample process list 100 of FIG. 1 displays all of the processes running at a particular point in time (e.g., within a virtual machine of the EoP detection system). The process list 100 illustrates a plurality of processes running on a machine and includes information for each of the processes including one or more of: User Name (of the user logged into the machine), the percentage of the CPU used by the process, the amount of memory used by the process, and a description of the process.


Referring to FIG. 2, an exemplary block diagram illustrating a plurality of processes each being associated with a token in a one-to-one mapping is shown. The block diagram illustrates one embodiment of a relationship between the processes of a system (e.g., running in a virtual machine of the EoP detection system, or as in the embodiment discussed within the “endpoint device deployment” below) and the token associated with each process. FIG. 2 illustrates that each process of a plurality of processes is associated with a token in a one-to-one mapping. For example, the system token 211 associated with the system process 210 is different than the Token_1 associated with Process_1 and the Token_2 associated with the Process_2 is different than the system token and the Token_1. A computer system may include a plurality of processes including one or more System processes and one or more processes (Process_1-Process_i, i≥1). The illustration of FIG. 2 may be construed as being a “clean” computer system wherein no tokens have been stolen or modified.


Referring to FIG. 3, an illustration of a sample privilege list generated according to the sample process list of FIG. 1 is shown. The sample privilege list 300 of FIG. 3 displays a privilege level of each of the running processes running at a particular point in time. The privilege list 300 corresponds to the process list 100 of FIG. 1. The embodiment of FIG. 3 illustrates the use of three privilege levels: User, Administrator (Admin), and System. In one embodiment, the privilege level of User may have the least amount of privilege, the privilege level of Admin may have more privilege than the privilege level User and the privilege level System may provide the most privilege. In other embodiments, the privilege levels may take alternative names or may be ordered differently in terms of an amount of privilege each level provides. In yet other embodiments, additional privilege levels may be included (e.g., an operating system may allow for more than three levels of privilege). Alternatively, an operating system may allow for less than three levels of privilege.


As seen in FIG. 14, the build logic 1436 within the dynamic analysis engine 1430 of the EoP detection system 1400 may be the logic component of the EoP detection system 1400 that analyzes a newly created process and records identification information of the process, identification information of the token associated with the process, the privilege(s) of the process, etc.


2. Detection Phase


Referring to FIG. 4A, a first exemplary graph illustrating a change in privilege level of a process over time is shown. The graph includes a first axis representing time and a second axis representing privilege level such that the graph illustrates a change in the privilege level of Process_1 over time. FIG. 4A illustrates a possible scenario that the EoP detection system would detect. As is illustrated, Process_1 is created having User privileges. However, at time t1, Process_1 may accumulate privileges such that Process_1 obtains a privilege level of System. The EoP detection system may detect the change in privilege via any of the detection methods implemented.


Referring to FIG. 4B, a second exemplary graph illustrating a change in privilege level of a process over time is shown. The graph includes a first axis representing time and a second axis representing privilege level such that the graph illustrates a change in the privilege level of Process_2 over time. As is illustrated, Process_2 is created having administrative privileges. However, at time t2, Process_2 may accumulate privileges such that Process_2 obtains a privilege level of System. The EoP detection system may detect the change in privilege via any of the detection methods implemented.


Referring to FIG. 4C, a third exemplary graph illustrating a change in privilege level of a process over time is shown. The graph includes a first axis representing time and a second axis representing privilege level such that the graph illustrates a change in the privilege level of Process_3 over time. As is illustrated, Process_3 is created having User privileges. However, at time t3, Process_3 may accumulate privileges such that Process_3 obtains a privilege level of Admin. The EoP detection system may detect the change in privilege via any of the detection methods implemented. Additionally, the EoP detection system may detect changes in privilege from System to Admin, System to User and Admin to User.


The EoP detection system may also be utilized to detect destructive privilege attacks. For instance, a malicious exploit or a malware attack (e.g., a malicious attack) may attack an anti-virus or security software by modifying the privilege(s) of the anti-virus or security software before proceeding with additional malicious or unwanted behavior. Specifically if the malicious attack is able to reduce the privileges of a privileged system service (e.g., the anti-virus or other security software), the malicious attack may be able to render the privileged system service useless. Alternatively, the malicious attack may tamper with the privileges associated with update agents, or modify file or registry key privileges so that regular security updates are disabled, or are unable to run successfully.


In one embodiment, the EoP detection system may detect a modification in a token through a detection of an insertion of a flag within one or more fields within the token associated with a process resulting in the disablement or modification of the field(s). For example, a “DENY” flag may be used to disable a particular privilege field within a token such that the process may be prevented from utilizing the privilege associated with the modified or flagged field. A malicious attack may direct its attack by attempting to disable one or more privilege fields of a privileged system service thereby essentially disabling one or more features of the privileged system service by modifying its privilege (e.g., lowering its privilege and/or disabling one or more privileges such that the privileged system service can no longer perform malware or exploit detection operations).


In one embodiment, the EoP detection system may detect the change in privilege level from User to Admin through the scanning detection method during the detection phase. In a second embodiment, the EoP detection system may detect the change in privilege level from User to System, and in a third embodiment, the EoP detection system may detect the change in privilege level from Admin to System. Specifically, when Process_1 is initially created, the EoP detection system adds Process_1 having a privilege level of User on the privilege list, as discussed above in accordance with FIG. 1. During a scan of the process list at, for example, time t1 (when privilege level is Admin), the EoP detection system would detect that the privilege level of Process_1, Admin, is inconsistent with the privilege level recorded on the privilege list for Process_1. Upon such a detection, the reporting phase of the EoP detection system detection methodology would be initiated to analyze the inconsistency of the privilege level of Process_1 between the time at which Process_1 was created and time t1.


In other embodiments, the EoP detection system may detect the change in privilege level of Process_1 via either the explicit detection method or the implicit detection method. As will be discussed below, in a first embodiment, the EoP detection system may detect the change in privilege level using the explicit detection method when Process_1 makes a hooked function call. For example, the EoP detection system may hook one or more predetermined function calls such that when a process makes one of the hooked function calls, the EoP detection system may then perform one or more of its detection methods. In a second embodiment, the EoP detection system may detect the change in privilege level using the implicit detection system by detecting the scheduling of a thread by Process_1, wherein the thread has a privilege level of Admin or System.


Referring to FIG. 5, an exemplary block diagram illustrating the plurality of processes of FIG. 1 wherein a process is operating with a first stolen token is shown. In contrast to the “clean” system illustrated in FIG. 1, the block diagram illustrates one embodiment in which Process_1 is operating with a stolen token such that Process_1 has a privilege level of System. As illustrated herein, a stolen token may be interpreted as a token associated with a first process (e.g., “system token” associated with “system_process”) and is subsequently utilized by a second process (e.g., “system token” utilized with “Process_1”), which is not a child process of the first process. Instead, the second process provides a link to the token of the first process when providing proof of privilege when, for example, making a function or system call.


Referring now to FIG. 6, an exemplary block diagram illustrating the plurality of processes of FIG. 1 wherein a process is operating with a second stolen token is shown. In contrast to FIG. 5, the block diagram of FIG. 6 illustrates an embodiment in which Process_i is operating with a stolen token, the token being associated with Process_1. The EoP detection system is more likely to encounter the embodiment illustrated in FIG. 5 as tokens of System processes, having a privilege level of System, typically persist for the life of the session of the user (e.g., the time a user remains logged into the machine) while non-System processes may have a much shorter lifespan.


Referring to FIG. 7, a flowchart illustrating an exemplary process that occurs when a token is modified and potential points within the process that the modification may be detected is shown. Each block illustrated in FIG. 7 represents an operation performed in the method 700 of detecting the token associated with a process has been modified. Referring to FIG. 7, the Process_N is shown in an initial (e.g., clean) state wherein the Token N is associated with the Process_N (block 701). At block 702, one or more operations are performed causing the modification of Token_N. Herein, the operations performed that cause the modification of Token_N may be a result of function calls made by Process_N and/or may be a result of an exploit of a vulnerability performed by a process other than Process_N. The method 700 is directed at the detection of the modification of the privilege(s) of Process_N; therefore, the modification of Token_N as used herein should be interpreted as the modification of the privileges set forth in Token_N. Specifically, the privilege(s) set forth in Token_N′ are greater than the privilege(s) set forth in Token_N.


At block 703, the EoP detection system may detect the modification of Token_N via the explicit detection method, if implemented, by hooking (i) one or more function and/or system calls (e.g., calls that result in a write to token structures), or (ii) by trapping writes to kernel offsets associated with a token structure within the VMM hypervisor layer or guest kernel layers. Herein, when the EoP detection system traps one or more writes to kernel offsets associated with a token structure, the EoP detection system does not trap specific function or system calls but traps any write to a predetermined kernel offset, determines the function or system call that resulted (directly or indirectly) in the trapped write, and therein detecting the process, and the token associated therewith, responsible for causing the write to the predetermined kernel offset. At block 704, the Process_N is shown in a modified state wherein the modified Token_N is represented by Token_N′. The modification of Token_N to Token_N′ may be detected via the scanning detection method, if implemented (block 705). For example, an automatic scan of the current process list and comparison of the privileges of the current processes to the privilege list (as discussed above, the recordation of the privilege(s) of each process at the time the process was created), would reveal that the privilege(s) of Process_N have been modified from those in Token_N to those in Token_N′.


Additionally, or in the alternative, the EoP detection system may detect the modification of Token_N (Token_N) via the implicit detection method, if implemented (block 706). For example, the EoP detection system may detect the presence of Token_N′ by (i) monitoring the guest kernel scheduler, in the guest OS of a VM, and employ a detection mechanism when a thread of interest (or all threads) is scheduled for execution, and (ii) hook the scheduling of threads within the hypervisor (e.g., the VMM) and employ a detection mechanism when a thread of interest (or all threads) is scheduled for execution. When the scheduling of a thread is hooked, the EoP detection system may determine whether the scheduled thread is operating with Token_N′. Specifically, a thread scheduled by Process_N should not have privilege(s) greater than those of Process_N. Therefore, based on the detection of the thread having the privilege(s) of Token_N′, the EoP detection system has detected that Process_N must be operating with the privilege(s) of Token_N′ which differ from those of Token_N. The difference is determined by a comparison or correlation of the privilege(s) set forth for Process_N on the privilege list and the privilege(s) set forth in Token_N′.


In one embodiment, when the modification of Token_N to Token_N′ is not detected by the explicit detection method via hooking function and/or system calls that result in writing data to a particular location in memory, the scanning detection method or the implicit detection method, Process_N may perform operations (e.g., make function and/or system calls) using the elevated privilege(s) set forth in Token_N′ (block 707). At block 708, the EoP detection system detects the modification of Token_N to Token_N′ via the explicit detection method based on hooking function and/or system calls appearing on a predetermined list of function and/or system calls. For example, via experiential knowledge, the EoP detection system may include a predetermined list of function and/or system calls that are likely to be targeted by malware attempting to exploit a vulnerability providing the malware the ability to modify the privilege(s) set forth in the token associated with a process. As discussed above with respect to the detection of the modification of Token_N to Token_N′ via the implicit detection method, the difference between Token_N and Token_N′ is determined by a comparison or correlation of the privilege(s) set forth for Process_N on the privilege list and the privilege(s) set forth in Token_N′ (herein, those required to request the hooked function or system call).


Referring to FIG. 8, an exemplary timeline illustrating a process of exploiting a vulnerability to create a process having an escalated privilege is shown. The timeline 800 of FIG. 8 illustrates a plurality of events occurring over time, which increases from left to right. At event 801, Process_1 is created, wherein Process_1 is granted a privilege level of User. At event 802, Process_1 performs one or more operations requiring a privilege level of User. The one or more operations performed at event 802 are not of interest to the EoP detection system as the privilege level required to make the function and/or system calls associated therewith is not greater than the privilege level associated with Process_1 on the privilege list (assuming one or more of the operations performed are hooked by the EoP detection system).


At event 803, the execution of an exploit of a vulnerability takes place. In the embodiment illustrated in FIG. 8, the exploit comprises the creation of Token_M in memory having a privilege level of System. Referring to FIG. 9, a block diagram illustrating an exemplary exploit of a vulnerability that may be utilized to facilitate an exploit of privilege attack is shown. The diagram 900 illustrates one embodiment of an exploit of a vulnerability in which a token, e.g., Token_M of FIG. 8, may be created in memory. The diagram 900 includes a portion 910 representing User space in memory and a portion 920 representing Kernel space in memory. Additionally, a process 911, e.g., a browser process, is seen executing in User space. The browser process 911 is seen to open a document 912, e.g., a Microsoft® Word document, which attempts to load a new font 913 into Kernel space 920. The loading of the new font 913 may be the execution of an exploit of a vulnerability within the font renderer within the Kernel space 920, e.g., the kernel exploit 921, as a font is a system resource. The kernel exploit 921 may be, for example, the creation of a token having System privileges such that a process may now create a child process and associate the child process with the newly created token thereby potentially illegitimately granting the child process System privileges.


Referring back to FIG. 8, the exploit of the vulnerability at event 803 may be detected at event 804 by the EoP detection system when the EoP detection system implements an explicit detection method that hooks function and/or system calls that write to and/or create token structures in a specified portion of memory (e.g., a portion of memory determined, via experiential knowledge, to be most likely to be subject to the creation of token structures from the exploitation of a vulnerability, wherein the specified portion of memory is less than the entire memory space). Additionally, the exploit of the vulnerability at event 803 may be detected at event 804 by the EoP detection system through trapping function and/or system calls that write to token structures and/or function and/or system calls that write to predetermined kernel offsets (as discussed above) within the guest kernel layers. When the EoP detection system does not hook the particular function or system call resulting in the exploit of the vulnerability at 803, the Process_1 creates Process_2 associated with Token_M at event 805. The creation of Process_2 associated with Token_M having a privilege level of System by Process_1 having a privilege level of User may be considered an EoP attack as Process_1 has created a process having a greater privilege than it has been granted and/or with which it is currently operating.


The EoP detection system may detect the presence of a potential EoP attack when the EoP detection system implements an explicit detection method that hooks system calls to create a process. By hooking system calls to create a process, the EoP detection system may compare the privilege of the creating process, Process_1, with the privilege of the created process, Process_2. When the privilege of the created process is greater than the privilege of the creating process, the reporting phase of the EoP detection system may further analyze the two processes and their respective tokens to determine whether an EoP attack is present.


Referring to FIG. 10, a flowchart illustrating a process for detecting potential exploit of privilege attacks using periodic or aperiodic scanning of a list of running processes is shown. Each block illustrated in FIG. 10 represents an operation performed in the method 1000 of detecting potential exploit of privilege attacks using a scanning detection method. Referring to FIG. 10, a privilege list, as discussed above in accordance with FIG. 3, is generated and updated by the EoP detection system as new processes are created (block 1001). At block 1002, the EoP detection system scans a list of running processes, e.g., as illustrated in FIG. 1, to determine the privileges with which each currently running process is operating.


At block 1003, the EoP detection system compares the privileges of each currently running process with the privilege(s) provided on the privilege list for the corresponding process. The EoP detection system then determines whether the token associated with a first process is stolen or was maliciously modified when the current privilege(s) of the first process is greater than the privilege(s) provided on the privilege list for the first process (block 1004).


Referring to FIG. 11, a flowchart illustrating a process for detecting potential exploit of privilege attack by hooking one or more predetermined function calls is shown. Each block illustrated in FIG. 11 represents an operation performed in the method 1100 of detecting potential exploit of privilege attacks using an explicit detection method. Referring to FIG. 11, a privilege list, as discussed above in accordance with FIG. 3, is generated and updated by the EoP detection system as new processes are created (block 1101). At block 1102, the EoP detection system inserts hooks onto one or more function and/or system calls. In one embodiment, this may be performed within the Kernel space (e.g., the Kernel space 920 as illustrated in FIG. 9).


When a function call or system call is hooked, the EoP detection system identifies the process that made the function or system call and identifies the current privilege(s) of the process (block 1103). At block 1104, the EoP detection system determines whether the “current privileges” (i.e., the current privilege(s) of the process) are consistent with the privilege(s) of the process on the privilege list or learned privilege list. When the current privilege(s) of the process are inconsistent with the privilege(s) provided for the process on the privilege list, the EoP detection system determines whether the token associated with the process is stolen or was modified maliciously.


Referring to FIG. 12, a flowchart illustrating a process for detecting potential exploit of privilege attack by analyzing scheduling of one or more threads of one or more processes is shown. Each block illustrated in FIG. 12 represents an operation performed in the method 1200 of detecting potential exploit of privilege attacks using an implicit detection method. Referring to FIG. 12, a privilege list, as discussed above in accordance with FIG. 3, is generated and updated by the EoP detection system as new processes are created (block 1201). At block 1202, the EoP detection system may (i) hook the guest kernel scheduler, in the guest OS of a VM, and employ a detection mechanism when a thread of interest (or all threads) is scheduled for execution, and/or (ii) hook the scheduling of threads within the hypervisor (e.g., the VMM) and employ a detection mechanism when a thread of interest (or all threads) is scheduled for execution.


Once a function or system call is hooked, the EoP detection system makes a determination as to whether the process making the hooked function or system call scheduling the thread should have the privilege to do so (block 1203). Herein, the EoP detection system identifies the process making the hooked function or system call and compares the level of privilege required to make the hooked function or system call with the level of privilege provided for the process on the privilege list. When the privilege level provided for the process scheduling the thread on the privilege list is greater than or equal to the privilege required to schedule the thread (yes at block 1203), the EoP detection system then determines whether the privilege of the thread is no greater than the privilege level provided for the process scheduling the thread on the privilege list (block 1204). When the privilege of the thread is less than or equal to (yes at block 1204), the method 1200 ends as the EoP detection system determines no EoP attack is present. In one embodiment, the privilege level of the thread may be the privilege level of the process scheduling the thread. In a second embodiment, a thread may have an individual privilege level that may be the same as or different than the process scheduling it. For example, the process scheduling the thread may dictate the privilege level of the thread during the scheduling of the thread.


When the privilege of the thread is greater than the privilege level set forth in the privilege list for the process scheduling the thread (no at block 1204), the EoP detection system determines whether the token associated with the process scheduling the thread is stolen or was modified maliciously (block 1205). Similarly, when the privilege required to schedule the thread is greater than the level of privilege provided for the process scheduling the thread on the privilege list (no at block 1203), the EoP detection system determines whether the token associated with the process scheduling the thread is stolen or was modified maliciously (block 1205). In one embodiment, the privilege of the thread is the privilege of the process that contains the thread. Alternatively, the privilege of the thread may be determined by the user privilege in the impersonation token when a thread in a process is running in the context of another user (e.g., impersonation).


In each of the methods 1000, 1100 and 1200, when the EoP detection system is to determine whether the token associated with a process is stolen or was modified maliciously (block 1004, block 1105 and block 1205, respectively), the reporting phase of the EoP detection system, as discussed below, performs analyses to make such a determination. In one embodiment, at this instance, the detection phase of the EoP detection system ends. However, in a second embodiment, the detection phase may continue to run, e.g., run concurrently (e.g., at least partially overlapping at the same time) with the reporting phase.


3. Reporting Phase


Referring to FIG. 13, a flowchart illustrating a process for determining whether a token has been modified or stolen is shown. Each block illustrated in FIG. 13 represents an operation performed in the method 1300 of determining whether a token has been modified maliciously or stolen. Referring to FIG. 13, at block 1301, the EoP detection system has determined that a process has operated in a manner inconsistent with the privilege(s) provided for the process on the privilege list, via the scanning detection method, the implicit detection method or the explicit detection method, as discussed above. At block 1302, the EoP detection system makes a determination as to whether the token is associated with the process in a one-to-one mapping. For example, the EoP detection system may compare the pointer corresponding to the token associated with the process to the pointer corresponding to the token associated with each running process. As discussed in FIG. 1, each process in a “clean” system will be associated with a token in a one-to-one mapping, and thus, the location to which the pointer points will also have a one-to-one mapping with a process. Therefore, if two pointers point to a single location in memory, the system may be deemed “unclean” or “malicious,” such that at least one token is operating with a stolen token. The one-to-one mapping of a token to a process may be determined in alternative ways, which may include analyzing, inter alia, an opaque structure field present in each token, serial numbers, reference counts, offsets of handles/indexes/pointers/memory locations, or the like. The one-to-one mapping of a token to a process may also be determined by a combination of two or more of the above.


Additional techniques may be utilized to determine one-to-one mapping of the token to the process. Other operating systems such as Mac OS X or those that are Linux-based may have implementation specific (opaque) kernel structure(s) which may also be utilized in exploit of privilege attacks. Alternative embodiments of the detection of exploit of privileges on Linux-based or Mac OS X operating systems involve the determination of kernel objects in these Linux-based or Mac OS X operating systems, wherein the kernel objects should be associated with each process (or thread(s) of each process) in a one-to-one-mapping and are utilized for privilege/security management and have been modified or stolen from other running processes.


When the EoP detection system determines the token is not associated with the process in a one-to-one mapping (no at block 1302), the EoP detection system generates an alert that the process is operating with a stolen token (block 1303). Such an alert may include various types of messages, which may include text messages and/or email messages, video or audio stream, or other types of information over a wired or wireless communication path. An alert may include information such as, for example, identification of the process, identification of the token, an indication the token was stolen, process with which the token was originally associated, the function or system call that was hooked, if applicable, etc.


When the token is determined to be associated with a process in a one-to-one mapping, i.e., the token is not operating with a stolen token (yes at block 1302), a correlation engine of the EoP detection system generates a score of the change in privilege(s) between the current privilege(s) and the privilege(s) provided on the privilege list for the process (block 1304). Information collected by the EoP detection system during the detection phase (e.g., through the scanning detection method, explicit detection method, and/or implicit detection method) is provided to the correlation engine, which generates a score that indicates the likelihood that the change in privilege(s) of the process is malicious. As illustrated in FIG. 4, the privileges of a process may change over time; however, the change may not be unwanted or malicious. Therefore, the correlation engine analyzes the information collected during the detection phase and determines a score indicating the likelihood the change is unwanted or malicious through the application of one or more rules to the collected information. Examples of information that may be collected during the detection phase include, but are not limited or restricted to, process identification, initial privilege level of the process, current privilege level of the process, initial privileges enabled for the process, current privileges enabled for the process, time since the creation of the process, or the like. The fields and sub-structures of the “token” may also be provided to the correlation engine, for example: privilege-structure fields, identification information related to one or more of (i) the user's account, (ii) one or more groups to which the user belongs and/or (iii) the current session, and/or other relevant field.


At block 1305, the EoP detection system determines whether the score is above a predetermined threshold. When the score is not above the predetermined threshold (no at block 1305), the EoP detection system determines the change in privilege is non-malicious (block 1307) and the method 1300 subsequently ends. When the score is above the predetermined threshold (yes at block 1306), the EoP detection system generates an alert that the process is operating with a stolen token. An alert may include information such as, for example, identification of the process, identification of the token, an indication the token was maliciously modified, the modification(s) to the token, the function or system call that was hooked—if applicable, etc.


III. Logical Representation

Referring to FIG. 14, an exemplary embodiment of a logical representation of an exploit of privilege detection system is shown. The exploit of privilege (EoP) detection system 1400 includes one or more processors 1401 that are coupled to communication interface logic 1402 via a first transmission medium 1403. Communication interface logic 1402 enables communication with network devices via the Internet, the cloud computing services and one or more of the endpoint devices. According to one embodiment of the disclosure, the communication interface logic 1402 may be implemented as a physical interface including one or more ports for wired connectors. Additionally, or in the alternative, the communication interface logic 1402 may be implemented with one or more radio units for supporting wireless communications with other electronic devices.


The processor(s) 1401 is further coupled to persistent storage 1410 via a second transmission medium 1404. According to one embodiment of the disclosure, persistent storage 1410 may include (a) the static analysis logic 1420 including a heuristics logic 1421, a signature matching logic 1422, a signature database 1403 and a score determination logic 1424, (b) a dynamic analysis logic 1430 including one or more VMs 1431-1432, a virtual machine manager (VMM) 1433, a monitoring logic 1434, a score determination logic 1435, a build logic 1436, a detection logic 1437 and a reporting logic 1438, (c) an alert generation logic 1440, and (d) a correlation engine 1450. Of course, when implemented as hardware, one or more of these logic units could be implemented separately from each other.


IV. Endpoint Device Deployment

In another embodiment, the EoP detection system may be deployed in an endpoint device. Similar to the deployment discussed above regarding the network appliance, the EoP detection system deployed within an endpoint device includes a three phase detection methodology: (1) build phase, (2) detection phase, and (3) reporting phase.


The build phase in the endpoint device deployment is the same as discussed above. The EoP detection system generates a privilege list which stores, for each process, inter alia, a process identifier, and the privilege level of the process. As was also discussed above, the privilege list may optionally include identification information of the token corresponding to the process. FIG. 3 displays a sample privilege list 300. Herein, the use of “privilege list” should be interpreted as including the “privilege list” and the “learned privilege list,” as discussed above.


The detection phase in the endpoint device deployment is similar to the detection phase as discussed above in connection with the network appliance deployment. In particular, the detection phase in the endpoint device deployment includes one or more of three detection methods: (i) a scanning detection method, (ii) an explicit detection method, and/or (iii) an implicit detection method. The scanning detection method is implemented in the same manner as with the network appliance deployment. Specifically, the scanning detection method implemented in the endpoint device deployment compares the privilege(s) of each currently running process (e.g., running at the time the detection methodology begins) with the privilege(s) corresponding to each currently running process on a privilege list (created in the build phase and updated when a process is created, or at another triggering event, e.g., a predetermined time interval). Additionally, the scanning detection method may compare the identification information of the token associated with one or more currently running processes with (i) the identification information of the token on the privilege list, and/or (ii) the identification information of the token associated with the token of predetermined processes (e.g., those processes most likely to be stolen, which may be one or more System processes determined via experiential knowledge) via direct inspection by the EoP detection system of the predetermined processes.


The explicit detection method implemented in the endpoint device deployment is similar to the explicit detection method implemented in the network appliance; however, when implemented within an endpoint device deployment, the EoP detection system identifies whether each hooked function and/or system call (i.e., each call monitored, for example, by a software agent executing on the endpoint device) was initiated and/or verified by a user of the endpoint device and/or an administrator (e.g., an information technology (IT) group overseeing an enterprise network). Examples of initiation or verification methods that may be performed by a user include, but are not limited to, activation of a button provided on a graphical user interface (GUI), voice confirmation, and/or input of login credentials (e.g., username and/or password). The identification of whether the initiation of each function and/or system call was verified and/or initiated by a user of the endpoint device and/or a network administrator comprises additional metadata that is provided to the correlation engine and is to be used in the determination of a score indicating the likelihood that an EoP attack is present. For example, when the use of a system call is hooked, the EoP detection system identifies whether the system call was initiated and/or verified by a user action and/or an action of a network administrator.


The implicit detection method implemented in the endpoint device deployment is similar to the implicit detection method implemented in the network appliance; however, as discussed above with the explicit detection method implemented in an endpoint device deployment, when implemented within an endpoint device deployment, the EoP detection system identifies whether each hooked function and/or system call was initiated and/or verified by a user of the endpoint device and/or a network administrator. Similarly, the identification of whether the initiation of each function and/or system call was verified and/or initiated by a user of the endpoint device and/or a network administrator comprises additional metadata that is provided to the correlation engine and is to be used in the determination of a score indicating the likelihood that an EoP attack is present.


Finally, the reporting phase in the endpoint device deployment is similar to the reporting phase as discussed above in connection with the network appliance deployment. Specifically, at a high level, the EoP detection system enters the reporting phase when the EoP detection system has detected that a first process has operated in a manner inconsistent with the privilege(s) provided on the privilege list corresponding to the first process. When in the reporting phase while in an endpoint device deployment, the EoP detection system determines whether the token of the first process is associated with the first process in a one-to-one mapping and generates an alert indicating that the first process is operating with a stolen token when the token is not associated with the first process in a one-to-one mapping. When the token of the first process is associated with the first process in a one-to-one mapping, the information collected during the detection phase, including the additional metadata discussed above, is provided to a correlation engine, which generates a score indicating the likelihood that an EoP attack is present (e.g., whether the change in privilege(s) of the first process is malicious or unwanted). When the score is determined to be above a predetermined threshold, an alert is generated indicating that the first process is operating with a maliciously modified token.
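The reporting-phase decision described above (one-to-one token check, then correlation-engine score against a threshold) can be sketched as follows. This is an added example, not code from the patent: the rule weights, the threshold value, the integer privilege levels, the halving of the score for user-verified calls and the sample processes are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed values: the patent speaks of "one or more rules" and a
# "predetermined threshold" but gives no numbers, so these are assumptions.
THRESHOLD = 50
LEVEL_STEP_WEIGHT = 30       # per privilege level gained
NEW_PRIVILEGE_WEIGHT = 10    # per privilege enabled since the build phase
SENSITIVE_BONUS = 25         # extra weight for high-impact privileges
SENSITIVE = frozenset({"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege"})


@dataclass(frozen=True)
class TokenState:
    """One privilege-list row (build phase) or one scan observation."""
    pid: int
    name: str
    token_id: int              # identification information of the token
    level: int                 # assumed scale: 0=low, 1=medium, 2=high, 3=system
    privileges: frozenset
    user_verified: bool = False  # endpoint metadata: call confirmed by user/admin


def build_privilege_list(processes):
    """Build phase: record the initial state of every process by PID."""
    return {p.pid: p for p in processes}


def score_change(initial, current):
    """Correlation engine: score how suspicious the privilege change is."""
    score = LEVEL_STEP_WEIGHT * max(0, current.level - initial.level)
    for priv in current.privileges - initial.privileges:
        score += NEW_PRIVILEGE_WEIGHT
        if priv in SENSITIVE:
            score += SENSITIVE_BONUS
    if current.user_verified:
        score //= 2  # assumed rule: user/admin verification lowers the score
    return score


def report(privilege_list, snapshot):
    """Reporting phase: return alerts for stolen or maliciously modified tokens."""
    token_owner = {row.token_id: row.pid for row in privilege_list.values()}
    alerts = []
    for current in snapshot:
        initial = privilege_list.get(current.pid)
        if initial is None:
            continue  # process not on the list; nothing to compare against
        owner = token_owner.get(current.token_id)
        # One-to-one check: the token now in use was recorded for another process.
        if current.token_id != initial.token_id and owner is not None and owner != current.pid:
            alerts.append({"pid": current.pid, "verdict": "stolen_token",
                           "token_id": current.token_id, "original_owner": owner})
            continue
        if current.level == initial.level and current.privileges == initial.privileges:
            continue  # consistent with the privilege list
        score = score_change(initial, current)
        if score > THRESHOLD:
            alerts.append({"pid": current.pid, "verdict": "modified_token",
                           "score": score,
                           "added": sorted(current.privileges - initial.privileges)})
    return alerts


# Constructed sample data: privilege list from the build phase ...
BASE = frozenset({"SeChangeNotifyPrivilege"})
PRIVILEGE_LIST = build_privilege_list([
    TokenState(4, "System", 0xA000, 3, frozenset({"SeDebugPrivilege", "SeTcbPrivilege"})),
    TokenState(1200, "notepad.exe", 0xB100, 1, BASE),
    TokenState(1300, "installer.exe", 0xB200, 1, BASE),
    TokenState(1400, "reader.exe", 0xB300, 1, BASE),
])
# ... and a later scan of the same processes.
SNAPSHOT = [
    TokenState(4, "System", 0xA000, 3, frozenset({"SeDebugPrivilege", "SeTcbPrivilege"})),
    TokenState(1200, "notepad.exe", 0xA000, 3, frozenset({"SeDebugPrivilege", "SeTcbPrivilege"})),
    TokenState(1300, "installer.exe", 0xB200, 2, BASE | {"SeBackupPrivilege"}, user_verified=True),
    TokenState(1400, "reader.exe", 0xB300, 3, BASE | {"SeDebugPrivilege"}),
]

if __name__ == "__main__":
    for alert in report(PRIVILEGE_LIST, SNAPSHOT):
        print(alert)
```

In the sample, the user-verified elevation of `installer.exe` scores below the threshold and raises no alert, while the unverified change to `reader.exe` does.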


In the foregoing description, the invention is described with reference to specific exemplary embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention as set forth in the appended claims.

Claims
  • 1. A non-transitory storage medium having stored thereon logic, the logic being executable by one or more processors to perform operations including: responsive to detecting creation of a first process, adding data to a privilege list, the data including (i) identification information of the first process and (ii) an initial privilege of the first process, wherein the data added to the privilege list is set forth in a first token associated with the first process, and the first token being associated with the first process in a one-to-one mapping at a time the data is added to the privilege list; detecting performance of one or more operations and a modification of the first token that is associated with the first process, wherein the modification of the first token alters a current privilege of the first process to be greater than the initial privilege; responsive to detecting the performance of the one or more operations and the modification of the first token, comparing a current privilege of the first process with the initial privilege of the first process recorded in the privilege list; determining a change exists between the current privilege of the first process and the initial privilege of the first process that is greater than a predetermined threshold; responsive to determining the change exists between the current privilege of the first process and the initial privilege of the first process that is greater than the predetermined threshold, determining the first process is operating with the current privilege due to an exploit of privilege attack; and responsive to determining the first process is operating with the current privilege due to an exploit of privilege attack, generating an alert that the first process operating with the current privilege due to the exploit of privilege attack.
  • 2. The non-transitory storage medium of claim 1, wherein the first process is running within a virtual machine and a virtual machine monitor performs intercepting of a request by the first process, the comparing of the current privilege of the first process with the initial privilege of the first process performed in response to intercepting the request by the first process, the request being one of a predetermined set of software calls.
  • 3. The non-transitory storage medium of claim 1, wherein the logic being executable by the one or more processors to perform operations further including: intercepting execution of an instruction to write data to a predetermined offset in memory by the first process; responsive to intercepting the execution of the instruction to write data to the predetermined offset in memory by the first process, comparing the current privilege of the first process with the initial privilege of the first process recorded in the privilege list.
  • 4. The non-transitory storage medium of claim 1, wherein the logic being executable by the one or more processors to perform operations further including: monitoring scheduling of threads by the first process; and responsive to detecting scheduling of a thread by the first process, comparing the current privilege of the first process with the initial privilege of the first process recorded in the privilege list.
  • 5. The non-transitory storage medium of claim 1, wherein the logic being executable by the one or more processors to perform operations further including: responsive to determining a change exists between the current privilege of the first process and the initial privilege of the first process, generating, by a correlation engine, a score indicating whether the change in the current privilege of the first process and the initial privilege of the first process is due to an exploit of privilege attack.
  • 6. The non-transitory storage medium of claim 1, wherein the initial privilege is recorded in the privilege list at a first time, and the current privilege is determined at a second time, the second time subsequent to the first time.
  • 7. The non-transitory storage medium of claim 1, wherein the first token is an object having a specified structure that stores information describing privileges granted to the first process.
  • 8. The non-transitory storage medium of claim 1, wherein a privilege comprises a privilege level.
  • 9. A system comprising: one or more processors; and a non-transitory storage medium having stored thereon instructions, the instructions being executable by one or more processors to perform operations including: responsive to detecting creation of a first process, adding data to a privilege list, the data including (i) identification information of the first process and (ii) an initial privilege of the first process, wherein the data added to the privilege list is set forth in a first token associated with the first process, and the first token being associated with the first process in a one-to-one mapping at a time the data is added to the privilege list; detecting performance of one or more operations and a modification of the first token that is associated with the first process, wherein the modification of the first token alters a current privilege of the first process to be greater than the initial privilege; responsive to detecting the performance of the one or more operations and the modification of the first token, comparing a current privilege of the first process with the initial privilege of the first process recorded in the privilege list; determining a change exists between the current privilege of the first process and the initial privilege of the first process that is greater than a predetermined threshold; responsive to determining the change exists between the current privilege of the first process and the initial privilege of the first process that is greater than the predetermined threshold, determining the first process is operating with the current privilege due to an exploit of privilege attack; and responsive to determining the first process is operating with the current privilege due to an exploit of privilege attack, generating an alert that the first process operating with the current privilege due to the exploit of privilege attack.
  • 10. The system of claim 9, wherein the running processes are running within a virtual machine.
  • 11. The system of claim 9, wherein the data added to the privilege list is set forth in the first token associated with the first running process, the first token being associated with the first running process in a first one-to-one mapping at a time the data is added to the privilege list.
  • 12. The system of claim 11, wherein determining the change exists between the current privilege of the first running process and the initial privilege of the first running process is performed by determining whether the first token is associated with the first running process in the first one-to-one mapping at a time of a scanning of a list of all running processes.
  • 13. The system of claim 12, wherein determining whether the first token is associated with the first running process in the first one-to-one mapping at the time of the scanning of the list of all running processes is performed by determining whether a location in memory at which the first token is stored is associated with the first token in a second one-to-one mapping.
  • 14. The system of claim 9, wherein the instructions being executable by the one or more processors to perform operations further including: responsive to determining the first running process is operating with the current privilege due to an exploit of privilege attack, generating an alert that the first running process operating with the current privilege due to the exploit of privilege attack.
  • 15. The system of claim 9, wherein the initial privilege is recorded in the privilege list at a first time, and the current privilege is determined at a second time, the second time subsequent to the first time.
  • 16. The system of claim 9, wherein the first token is an object having a specified structure that stores information describing privileges granted to the first running process.
  • 17. The system of claim 9, wherein a privilege comprises a privilege level.
  • 18. A method for detecting an exploit of privilege attack comprising: responsive to detecting creation of a first process, adding data to a privilege list, the data including (i) identification information of the first process and (ii) an initial privilege of the first process, wherein the data added to the privilege list is set forth in a first token associated with the first process, and the first token being associated with the first process in a one-to-one mapping at a time the data is added to the privilege list; detecting performance of one or more operations and a modification of the first token that is associated with the first process, wherein the modification of the first token alters a current privilege of the first process to be greater than the initial privilege; responsive to detecting the performance of the one or more operations and the modification of the first token, comparing a current privilege of the first process with the initial privilege of the first process recorded in the privilege list; determining a change exists between the current privilege of the first process and the initial privilege of the first process that is greater than a predetermined threshold; responsive to determining the change exists between the current privilege of the first process and the initial privilege of the first process that is greater than the predetermined threshold, determining the first process is operating with the current privilege due to an exploit of privilege attack; and responsive to determining the first process is operating with the current privilege due to an exploit of privilege attack, generating an alert that the first process operating with the current privilege due to the exploit of privilege attack.
  • 19. The method of claim 18, wherein the first process is running within a virtual machine and the comparing of the current privilege of the first process with the initial privilege of the first process is performed in response to intercepting a request by the first process, the request being one of a predetermined set of software calls.
  • 20. The method of claim 18 further comprising: intercepting execution of an instruction to write data to a predetermined offset in memory by the first process; responsive to intercepting execution of the instruction to write data to the predetermined offset in the memory by the first process, comparing the current privilege of the first process with the initial privilege of the first process recorded in the privilege list.
  • 21. The method of claim 18 further comprising: monitoring scheduling of threads by the first process; and responsive to detecting scheduling of a thread by the first process, comparing the current privilege of the first process with the initial privilege of the first process recorded in the privilege list.
  • 22. The method of claim 18, wherein the data added to the privilege list is set forth in the first token associated with the first process, and first token being associated with the first process in a one-to-one mapping at a time the data is added to the privilege list.
  • 23. The method of claim 18 further comprising: responsive to determining the first process is operating with the current privilege due to an exploit of privilege attack, generating an alert that the first process operating with the current privilege due to the exploit of privilege attack.
  • 24. The method of claim 18 further comprising: responsive to determining a change exists between the current privilege of the first process and the initial privilege of the first process, generating, by a correlation engine, a score indicating whether the change in the current privilege of the first process and the initial privilege of the first process is due to an exploit of privilege attack.
  • 25. The method of claim 18, wherein the initial privilege is recorded in the privilege list at a first time, and the current privilege is determined at a second time, the second time subsequent to the first time.
  • 26. The method of claim 18, wherein the first token is an object having a specified structure that stores information describing privileges granted to the first process.
  • 27. The method of claim 18, wherein a privilege comprises a privilege level.
CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of priority on U.S. Provisional Application No. 62/273,394, filed Dec. 30, 2015, the entire contents of which are incorporated by reference herein.

20040006473 Mills et al. Jan 2004 A1
20040015712 Szor Jan 2004 A1
20040019832 Arnold et al. Jan 2004 A1
20040044906 England Mar 2004 A1
20040047356 Bauer Mar 2004 A1
20040083408 Spiegel et al. Apr 2004 A1
20040088581 Brawn et al. May 2004 A1
20040093513 Cantrell et al. May 2004 A1
20040111531 Staniford et al. Jun 2004 A1
20040117478 Triulzi et al. Jun 2004 A1
20040117624 Brandt et al. Jun 2004 A1
20040128355 Chao et al. Jul 2004 A1
20040165588 Pandya Aug 2004 A1
20040236963 Danford et al. Nov 2004 A1
20040243349 Greifeneder et al. Dec 2004 A1
20040249911 Alkhatib et al. Dec 2004 A1
20040255161 Cavanaugh Dec 2004 A1
20040268147 Wiederin et al. Dec 2004 A1
20050005159 Oliphant Jan 2005 A1
20050021740 Bar et al. Jan 2005 A1
20050033960 Vialen et al. Feb 2005 A1
20050033989 Poletto et al. Feb 2005 A1
20050050148 Mohammadioun et al. Mar 2005 A1
20050086523 Zimmer et al. Apr 2005 A1
20050091513 Mitomo et al. Apr 2005 A1
20050091533 Omote et al. Apr 2005 A1
20050091652 Ross et al. Apr 2005 A1
20050108562 Khazan et al. May 2005 A1
20050114663 Cornell et al. May 2005 A1
20050125195 Brendel Jun 2005 A1
20050149726 Joshi et al. Jul 2005 A1
20050157662 Bingham et al. Jul 2005 A1
20050183143 Anderholm et al. Aug 2005 A1
20050201297 Peikari Sep 2005 A1
20050210533 Copeland et al. Sep 2005 A1
20050238005 Chen et al. Oct 2005 A1
20050240781 Gassoway Oct 2005 A1
20050262562 Gassoway Nov 2005 A1
20050265331 Stolfo Dec 2005 A1
20050283839 Cowbum Dec 2005 A1
20060010495 Cohen et al. Jan 2006 A1
20060015416 Hoffman et al. Jan 2006 A1
20060015715 Anderson Jan 2006 A1
20060015747 Van de Ven Jan 2006 A1
20060021029 Brickell et al. Jan 2006 A1
20060021054 Costa et al. Jan 2006 A1
20060031476 Mathes et al. Feb 2006 A1
20060047665 Neil Mar 2006 A1
20060070130 Costea et al. Mar 2006 A1
20060075496 Carpenter et al. Apr 2006 A1
20060095968 Portolani et al. May 2006 A1
20060101516 Sudaharan et al. May 2006 A1
20060101517 Banzhof et al. May 2006 A1
20060117385 Mester et al. Jun 2006 A1
20060123477 Raghavan et al. Jun 2006 A1
20060143709 Brooks et al. Jun 2006 A1
20060150249 Gassen et al. Jul 2006 A1
20060161983 Cothrell et al. Jul 2006 A1
20060161987 Levy-Yurista Jul 2006 A1
20060161989 Reshef et al. Jul 2006 A1
20060164199 Glide et al. Jul 2006 A1
20060173992 Weber et al. Aug 2006 A1
20060179147 Tran et al. Aug 2006 A1
20060184632 Marino et al. Aug 2006 A1
20060191010 Benjamin Aug 2006 A1
20060221956 Narayan et al. Oct 2006 A1
20060236393 Kramer et al. Oct 2006 A1
20060242709 Seinfeld et al. Oct 2006 A1
20060248519 Jaeger et al. Nov 2006 A1
20060248582 Panjwani et al. Nov 2006 A1
20060251104 Koga Nov 2006 A1
20060288417 Bookbinder et al. Dec 2006 A1
20070006288 Mayfield et al. Jan 2007 A1
20070006313 Porras et al. Jan 2007 A1
20070011174 Takaragi et al. Jan 2007 A1
20070016951 Piccard et al. Jan 2007 A1
20070019286 Kikuchi Jan 2007 A1
20070033645 Jones Feb 2007 A1
20070038943 FitzGerald et al. Feb 2007 A1
20070064689 Shin et al. Mar 2007 A1
20070074169 Chess et al. Mar 2007 A1
20070094730 Bhikkaji et al. Apr 2007 A1
20070101435 Konanka et al. May 2007 A1
20070128855 Cho et al. Jun 2007 A1
20070142030 Sinha et al. Jun 2007 A1
20070143827 Nicodemus et al. Jun 2007 A1
20070156895 Vuong Jul 2007 A1
20070157180 Tillmann et al. Jul 2007 A1
20070157306 Elrod et al. Jul 2007 A1
20070168988 Eisner et al. Jul 2007 A1
20070171824 Ruello et al. Jul 2007 A1
20070174915 Gribble et al. Jul 2007 A1
20070192500 Lum Aug 2007 A1
20070192858 Lum Aug 2007 A1
20070198275 Malden et al. Aug 2007 A1
20070208822 Wang et al. Sep 2007 A1
20070220607 Sprosts et al. Sep 2007 A1
20070240218 Tuvell et al. Oct 2007 A1
20070240219 Tuvell et al. Oct 2007 A1
20070240220 Tuvell et al. Oct 2007 A1
20070240222 Tuvell et al. Oct 2007 A1
20070250930 Aziz et al. Oct 2007 A1
20070256132 Oliphant Nov 2007 A2
20070271446 Nakamura Nov 2007 A1
20080005782 Aziz Jan 2008 A1
20080018122 Zierler et al. Jan 2008 A1
20080028463 Dagon et al. Jan 2008 A1
20080040710 Chiriac Feb 2008 A1
20080046781 Childs et al. Feb 2008 A1
20080047010 Marceau Feb 2008 A1
20080066179 Liu Mar 2008 A1
20080072326 Danford et al. Mar 2008 A1
20080077793 Tan et al. Mar 2008 A1
20080080518 Hoeflin et al. Apr 2008 A1
20080086720 Lekel Apr 2008 A1
20080098476 Syversen Apr 2008 A1
20080120722 Sima et al. May 2008 A1
20080134178 Fitzgerald et al. Jun 2008 A1
20080134334 Kim et al. Jun 2008 A1
20080141376 Clausen et al. Jun 2008 A1
20080184367 McMillan et al. Jul 2008 A1
20080184373 Traut et al. Jul 2008 A1
20080189787 Arnold et al. Aug 2008 A1
20080201778 Guo et al. Aug 2008 A1
20080209557 Herley et al. Aug 2008 A1
20080215742 Goldszmidt et al. Sep 2008 A1
20080222729 Chen et al. Sep 2008 A1
20080263665 Ma et al. Oct 2008 A1
20080282354 Wobber Nov 2008 A1
20080295172 Bohacek Nov 2008 A1
20080301810 Lehane et al. Dec 2008 A1
20080307524 Singh et al. Dec 2008 A1
20080313738 Enderby Dec 2008 A1
20080320594 Jiang Dec 2008 A1
20090003317 Kasralikar et al. Jan 2009 A1
20090007100 Field et al. Jan 2009 A1
20090013408 Schipka Jan 2009 A1
20090031423 Liu et al. Jan 2009 A1
20090036111 Danford et al. Feb 2009 A1
20090037835 Goldman Feb 2009 A1
20090044024 Oberheide et al. Feb 2009 A1
20090044274 Budko et al. Feb 2009 A1
20090064332 Porras et al. Mar 2009 A1
20090077666 Chen et al. Mar 2009 A1
20090083369 Marmor Mar 2009 A1
20090083855 Apap et al. Mar 2009 A1
20090089879 Wang et al. Apr 2009 A1
20090094697 Provos et al. Apr 2009 A1
20090113425 Ports et al. Apr 2009 A1
20090125976 Wassermann et al. May 2009 A1
20090126015 Monastyrsky et al. May 2009 A1
20090126016 Sobko et al. May 2009 A1
20090133125 Choi et al. May 2009 A1
20090144823 Lamastra et al. Jun 2009 A1
20090158430 Borders Jun 2009 A1
20090172815 Gu et al. Jul 2009 A1
20090187992 Poston Jul 2009 A1
20090193293 Stolfo et al. Jul 2009 A1
20090198651 Shiffer et al. Aug 2009 A1
20090198670 Shiffer et al. Aug 2009 A1
20090198689 Frazier et al. Aug 2009 A1
20090199274 Frazier et al. Aug 2009 A1
20090199296 Xie et al. Aug 2009 A1
20090228233 Anderson et al. Sep 2009 A1
20090241187 Troyansky Sep 2009 A1
20090241190 Todd et al. Sep 2009 A1
20090260050 George Oct 2009 A1
20090265692 Godefroid et al. Oct 2009 A1
20090271867 Zhang Oct 2009 A1
20090300415 Zhang et al. Dec 2009 A1
20090300761 Park et al. Dec 2009 A1
20090328185 Berg et al. Dec 2009 A1
20090328221 Blumfield et al. Dec 2009 A1
20100005146 Drako et al. Jan 2010 A1
20100011205 McKenna Jan 2010 A1
20100017546 Poo et al. Jan 2010 A1
20100030996 Butler, II Feb 2010 A1
20100031353 Thomas et al. Feb 2010 A1
20100037314 Perdisci et al. Feb 2010 A1
20100043073 Kuwamura Feb 2010 A1
20100054278 Stolfo et al. Mar 2010 A1
20100058474 Hicks Mar 2010 A1
20100064044 Nonoyama Mar 2010 A1
20100077481 Polyakov et al. Mar 2010 A1
20100083376 Pereira et al. Apr 2010 A1
20100115621 Staniford et al. May 2010 A1
20100132038 Zaitsev May 2010 A1
20100154056 Smith et al. Jun 2010 A1
20100180344 Malyshev et al. Jul 2010 A1
20100192223 Ismael et al. Jul 2010 A1
20100220863 Dupaquis et al. Sep 2010 A1
20100235831 Dittmer Sep 2010 A1
20100251104 Massand Sep 2010 A1
20100281102 Chinta et al. Nov 2010 A1
20100281541 Stolfo et al. Nov 2010 A1
20100281542 Stolfo et al. Nov 2010 A1
20100287260 Peterson et al. Nov 2010 A1
20100299754 Amit et al. Nov 2010 A1
20100306173 Frank Dec 2010 A1
20100318569 Munday Dec 2010 A1
20110004737 Greenebaum Jan 2011 A1
20110025504 Lyon et al. Feb 2011 A1
20110041179 St Hlberg Feb 2011 A1
20110047594 Mahaffey et al. Feb 2011 A1
20110047620 Mahaffey et al. Feb 2011 A1
20110055907 Narasimhan et al. Mar 2011 A1
20110078794 Manni et al. Mar 2011 A1
20110093951 Aziz Apr 2011 A1
20110099620 Stavrou et al. Apr 2011 A1
20110099633 Aziz Apr 2011 A1
20110099635 Silberman et al. Apr 2011 A1
20110113231 Kaminsky May 2011 A1
20110145918 Jung et al. Jun 2011 A1
20110145920 Mahaffey et al. Jun 2011 A1
20110145934 Abramovici et al. Jun 2011 A1
20110167493 Song et al. Jul 2011 A1
20110167494 Bowen et al. Jul 2011 A1
20110173213 Frazier et al. Jul 2011 A1
20110173460 Ito et al. Jul 2011 A1
20110219449 St. Neitzel et al. Sep 2011 A1
20110219450 McDougal et al. Sep 2011 A1
20110225624 Sawhney et al. Sep 2011 A1
20110225655 Niemela et al. Sep 2011 A1
20110247072 Staniford et al. Oct 2011 A1
20110265182 Peinado et al. Oct 2011 A1
20110289582 Kejriwal et al. Nov 2011 A1
20110302587 Nishikawa et al. Dec 2011 A1
20110307954 Melnik et al. Dec 2011 A1
20110307955 Kaplan et al. Dec 2011 A1
20110307956 Yermakov et al. Dec 2011 A1
20110314546 Aziz et al. Dec 2011 A1
20120023593 Puder et al. Jan 2012 A1
20120054869 Yen et al. Mar 2012 A1
20120066698 Yanoo Mar 2012 A1
20120079596 Thomas et al. Mar 2012 A1
20120084859 Radinsky et al. Apr 2012 A1
20120096553 Srivastava et al. Apr 2012 A1
20120110667 Zubrilin et al. May 2012 A1
20120117652 Manni et al. May 2012 A1
20120121154 Xue et al. May 2012 A1
20120124426 Maybee et al. May 2012 A1
20120174186 Aziz et al. Jul 2012 A1
20120174196 Bhogavilli et al. Jul 2012 A1
20120174218 McCoy et al. Jul 2012 A1
20120198279 Schroeder Aug 2012 A1
20120210423 Friedrichs et al. Aug 2012 A1
20120222121 Staniford et al. Aug 2012 A1
20120255015 Sahita et al. Oct 2012 A1
20120255017 Sallam Oct 2012 A1
20120260342 Dube et al. Oct 2012 A1
20120266244 Green et al. Oct 2012 A1
20120278886 Luna Nov 2012 A1
20120297489 Dequevy Nov 2012 A1
20120330801 McDougal et al. Dec 2012 A1
20120331553 Aziz et al. Dec 2012 A1
20130014259 Gribble et al. Jan 2013 A1
20130036472 Aziz Feb 2013 A1
20130047257 Aziz Feb 2013 A1
20130074185 McDougal et al. Mar 2013 A1
20130086684 Mohler Apr 2013 A1
20130097699 Balupari et al. Apr 2013 A1
20130097706 Titonis et al. Apr 2013 A1
20130111587 Goel et al. May 2013 A1
20130117852 Stute May 2013 A1
20130117855 Kim et al. May 2013 A1
20130139264 Brinkley et al. May 2013 A1
20130160125 Likhachev et al. Jun 2013 A1
20130160127 Jeong et al. Jun 2013 A1
20130160130 Mendelev et al. Jun 2013 A1
20130160131 Madou et al. Jun 2013 A1
20130167236 Sick Jun 2013 A1
20130174214 Duncan Jul 2013 A1
20130185789 Hagiwara et al. Jul 2013 A1
20130185795 Winn et al. Jul 2013 A1
20130185798 Saunders et al. Jul 2013 A1
20130191915 Antonakakis et al. Jul 2013 A1
20130196649 Paddon et al. Aug 2013 A1
20130227691 Aziz et al. Aug 2013 A1
20130246370 Bartram et al. Sep 2013 A1
20130247186 LeMasters Sep 2013 A1
20130263260 Mahaffey et al. Oct 2013 A1
20130291109 Staniford et al. Oct 2013 A1
20130298243 Kumar et al. Nov 2013 A1
20130318038 Shiffer et al. Nov 2013 A1
20130318073 Shiffer et al. Nov 2013 A1
20130325791 Shiffer et al. Dec 2013 A1
20130325792 Shiffer et al. Dec 2013 A1
20130325871 Shiffer et al. Dec 2013 A1
20130325872 Shiffer et al. Dec 2013 A1
20140032875 Butler Jan 2014 A1
20140053260 Gupta et al. Feb 2014 A1
20140053261 Gupta et al. Feb 2014 A1
20140130158 Wang et al. May 2014 A1
20140137180 Lukacs et al. May 2014 A1
20140169762 Ryu Jun 2014 A1
20140179360 Jackson et al. Jun 2014 A1
20140181131 Ross Jun 2014 A1
20140189687 Jung et al. Jul 2014 A1
20140189866 Shiffer et al. Jul 2014 A1
20140189882 Jung et al. Jul 2014 A1
20140237600 Silberman et al. Aug 2014 A1
20140280245 Wilson Sep 2014 A1
20140283037 Sikorski et al. Sep 2014 A1
20140283063 Thompson et al. Sep 2014 A1
20140328204 Klotsche et al. Nov 2014 A1
20140337836 Ismael Nov 2014 A1
20140344926 Cunningham et al. Nov 2014 A1
20140351935 Shao et al. Nov 2014 A1
20140380473 Bu et al. Dec 2014 A1
20140380474 Paithane et al. Dec 2014 A1
20150007312 Pidathala et al. Jan 2015 A1
20150096022 Vincent et al. Apr 2015 A1
20150096023 Mesdaq et al. Apr 2015 A1
20150096024 Haq et al. Apr 2015 A1
20150096025 Ismael Apr 2015 A1
20150180886 Staniford et al. Jun 2015 A1
20150186645 Aziz et al. Jul 2015 A1
20150199513 Ismael et al. Jul 2015 A1
20150199531 Ismael et al. Jul 2015 A1
20150199532 Ismael et al. Jul 2015 A1
20150220455 Chen Aug 2015 A1
20150220735 Paithane et al. Aug 2015 A1
20150372980 Eyada Dec 2015 A1
20160004869 Ismael et al. Jan 2016 A1
20160006756 Ismael et al. Jan 2016 A1
20160044000 Cunningham Feb 2016 A1
20160127393 Aziz et al. May 2016 A1
20160191547 Zafar et al. Jun 2016 A1
20160191550 Ismael et al. Jun 2016 A1
20160261612 Mesdaq et al. Sep 2016 A1
20160285914 Singh et al. Sep 2016 A1
20160301703 Aziz Oct 2016 A1
20160335110 Paithane et al. Nov 2016 A1
20170083703 Abbasi et al. Mar 2017 A1
20180013770 Ismael Jan 2018 A1
20180048660 Paithane et al. Feb 2018 A1
20180121316 Ismael et al. May 2018 A1
20180288077 Siddiqui et al. Oct 2018 A1
Provisional Applications (1)
Number Date Country
62273394 Dec 2015 US