Patent Grant
11947669
Embodiments of the disclosure relate to the field of cybersecurity. More specifically, one embodiment of the disclosure relates to a system configured to improve detection of cybersecurity threats (hereinafter, “cyberthreats”) that are initiated by scripts having code to evade detection, and the corresponding method thereof.
Conventional cybersecurity devices are designed to detect cyberthreats caused by an executable within an object, such as a file, electronic mail (email) message or web content for example. When processed, the executable causes a targeted device to perform unauthorized, unexpected, anomalous, and/or unwanted behaviors or operations (hereinafter, “malicious behaviors”). These malicious behaviors may be conducted automatically or may be conducted in response to human interaction prompted by the executable.
Currently, to detect cyberthreats, cybersecurity devices deploy an analysis system. One type of analysis system features a virtual machine provisioned with one or more software profiles, which are identical or similar to a device targeted to receive the object. The provisioned virtual machine conducts behavioral analyses of the executable or script. Stated differently, the cybersecurity analysis system processes the executable, where the object is deemed to be “malicious” when the cybersecurity analysis system observes malicious behaviors caused by this executable.
Recently, various scripts (e.g., macros or other executable content such as PowerShells, JavaScripts®, etc.) are becoming an increasingly common cybersecurity attack vector. As a result, some security administrators are taking precautions by restricting the execution of unauthorized scripts, especially scripts contained within web content received over a network. However, these restrictions impose a number of disadvantages. For example, one disadvantage is that these restrictions would significantly decrease a user's overall web experience because dynamic content, such as web content controlled by a script for example, would be prevented from being fully displayed. Another disadvantage is that these restrictions would eliminate or mitigate operability of some applications that rely on dynamic scripts.
Furthermore, malicious scripts are more commonly being configured with evasive code, namely code structured to attempt to evade detection, especially when the malicious script discovers that it is being processed within a cybersecurity analysis system. The evasive code may be structured to perform an “active evasion” in which the script performs operations in efforts to evade detection by the cybersecurity analysis system or “passive evasion” in which no malicious behaviors are conducted until the malicious script detects an occurrence of a specific event (e.g., user interaction evidenced by mouse movement, selection of an object, etc.). In accordance with conventional cybersecurity techniques, evasive code has additional complexity to the detection of malicious scripts, increasing the difficulty of detecting a cyberattack prior to activation and commencement of execution of the script.
Embodiments of the invention are illustrated by way of example and not by way of limitation in the figures of the accompanying drawings, in which like references indicate similar elements and in which:
Embodiments of the present disclosure generally relate to a cybersecurity system that is configured to identify script objects (e.g., objects including one or more scripts) and, for each script object, the cybersecurity system (i) recovers code associated with a script included as part of the script object, (ii) identifies functional code blocks within the recovered code, (iii) identifies “suspicious” functional code blocks which may include a critical code statement and/or an evasive code statement along with their relationships with other functional code blocks, and (iv) encourages execution over a code execution path that includes one or more functional code blocks (hereinafter, “functional code block(s)”) including at least one critical code statement while attempting to bypass functional code block(s) including at least one evasive code statement. The cybersecurity system may be deployed to support a cloud service, an on-premises network device, or even a hybrid deployment as illustrated in
Herein, a functional code block is a block of code that includes a plurality of code statements, where the functional code block may be determined to be “suspicious” if the code block include one or more code statements that may constitute a critical code statement and/or an evasive code statement. As a “code statement” pertains to a set (one or more) of instructions that form a portion of software (e.g., program, etc.) and expresses an activity to be performed by that portion of software, a “critical code statement” includes one or more instructions having at least (i) a first level of correlation with code statements associated with known malware and/or (ii) a second level of correlation with code statements associated with known goodware. Additionally, an “evasive code statement” includes a portion of code that halts the script from completing its execution (e.g., terminates, causes a system crash, etc.) or intentionally delays execution of other functional code blocks based on event-driven evasion (e.g., occurrence of an event that prompts execution or non-execution of the code such as a dialog box interfering with script processing) or through a change of control (e.g., one or more BRANCH code statements, IF code statements, IF-ELSE code statements, JUMP code statements, or the like). The presence of an evasive code statement may be ascertained by determining at least (i) a first level of correlation between the evasive code statement and code statements associated with known malware with evasive capabilities and/or (ii) a second level of correlation between the evasive code statement and code statements associated with known goodware. The levels of correlation may be the same or may differ from each other.
According to one embodiment of the disclosure, the cybersecurity system features cyberthreat analytic logic, which includes a multi-stage analytic engine, a classification engine, and an alert engine. The multi-stage analytic engine is configured to generate and collect event data (also referred to as “behaviors”), namely information associated with the operations of an isolated, virtual environment processing the script object. The classification engine is configured to determine whether the script object is malicious based on the collected behaviors while the alert engine is configured to report the results associated with the analyses performed on a script associated with the script object by the multi-stage analytic engine and the classification engine.
For an embodiment of the invention described below, the multi-stage analytic engine includes a first (initial) analytic stage, a second (intermediary) analytic stage and a third (behavior) analytic stage. Herein, the first analytic stage is configured to conduct an initial evaluation of an incoming object to determine whether the object includes a script (constitutes a script object), given that script objects are commonly being used as cybersecurity attack vectors. The second analytic stage is configured to generate a weighted conditional flow graph by at least (i) identifying whether any functional code blocks potentially include a critical code statement, (ii) identifying whether any functional code blocks potentially include an evasive code statement, and (iii) assigning cybersecurity metrics (e.g., certain indicia such as weights or other parameters) to identify which of these functional code blocks may include a critical code statement and/or an evasive code statement, where these cybersecurity metrics may be used to identify code execution paths that are directed to malware and/or evasive code. The second analytic stage is further configured to modify code within the script object to attempt to direct execution along code execution paths featuring one or more functional code blocks including at least one “critical” code statement and thereby, at least initially, bypass code execution paths directed to evasive code. The modification of the code within the script may enable execution of certain functional code blocks having at least one critical code statement earlier than would occur in normal execution.
The third analytic stage of the multi-stage analytic engine is configured to collect behaviors generated during execution of the modified script, namely behaviors generated by functional code blocks associated with the code execution paths starting with the one or more critical code execution paths. As described below, the second analytic stage may support iterative modification of the script to control the execution flow of code within the script so as to collect behaviors of functional code block(s) along critical code execution path(s) and initially avoid the evasive code path(s).
More specifically, the first analytic stage is configured to conduct an initial classification of an incoming object to determine whether the object is “suspicious” or “benign.” According to one embodiment of the disclosure, the object may be initially classified as “suspicious” when the object includes one or more scripts (i.e., constitutes a script object). Optionally, the first analytic stage may be configured to conduct further analyses, such as a comparison of certain content within the script object (e.g., source of the script object, etc.) with black list content to determine whether the script object is malicious. Responsive to an initial malicious classification, the first analytic stage may bypass further analyses of the script object by the second analytic stage and/or the third analytic stage, as described below. For convenient, a visual representation of the conditional flow graph is provided, although the content of the conditional flow graph includes code blocks and context information obtained from the control flow (e.g., which functional code blocks prompts execution of another functional code block, whether the functional code block is conditional thereby being a starting point for multiple execution code paths therefrom, etc.)
The second (intermediary) analytic stage features conditional flow graph generation logic, functional code block weighting logic, code execution path prioritization logic, script code coverage logic, script code modification logic, and a data store. According to one embodiment of the disclosure, the conditional flow graph generation logic receives the script and generates a conditional flow graph representing the functional code blocks and the relationships between the functional code blocks forming the script. The functional code blocks forming the conditional flow graph are made available to the functional code block weighting logic.
Herein, according to one embodiment of the disclosure, the functional code block weighting logic analyzes the content of the functional code blocks and identifies those functional code blocks that include one or more critical code statements (e.g., code with a prescribed likelihood of being associated with a cyberthreat) and/or one or more evasive code statements, as described above. Thereafter, the functional code block weighting logic assigns threat weight values to the functional code blocks.
Stated differently, the functional code block weighting logic assigns a threat weight value to each of the functional code blocks, where a particular value signifies the likelihood of one or more critical code statements (hereinafter, “critical code statement(s)”) being located in that functional code block. The threat weight values associated with a series of functional code blocks identify the likelihood of a particular code execution path including the functional code blocks as being associated with a cyberattack. As an illustrative example, the threat weight value may be determined, at least in part, on the level of correlation between the critical code statement(s) associated with the particular functional code block and critical code statements associated with known malware. Hence, the functional code blocks including critical code statement(s) associated with known malware may be assigned certain threat weight values that are different from those threat weight values assigned to functional code blocks without a critical code statement (e.g., more positive values identify a greater likelihood of maliciousness). Stated differently, the assignment of threat and/or evasive weight values may occur through a mapping between known critical code statements and/or evasive code statements and their corresponding weight values maintained within a data store (see
Similarly, the functional code block weighting logic assigns an evasive weight value to each of the functional code blocks, where a particular value signifies the likelihood of one or more evasive code statements (hereinafter, “evasive code statement(s)”) being located in that functional code block. The evasive weight value may operate as a secondary parameter for use in selecting code execution path when the threat weight values for two functional code blocks along the same layer of the conditional flow graph are equivalent, where a “layer” is identified as a number of “hops” along an execution code flow from a top (or highest) layer, where the top layer occupies the start of an execution code path. Hence, neighboring layers may be associated with functional code blocks that are directly dependent on which other.
Herein, according to one embodiment of the disclosure, the evasive weight values may be determined, at least in part, on the level of correlation between the evasive code statement(s) associated with the particular functional code block and evasive code statements associated with known malware. Hence, functional code blocks including evasive code statement(s) correlated with known evasive code statements may be assigned certain evasive weight values that are different from the evasive weight values for functional code blocks without evasive code statements. For example, the evasive weight value may be greater to identify a greater likelihood of that functional code block including evasive code.
Additionally, the code execution path prioritization logic of the second analytic stage is configured to generated a weighted, conditional flow graph by at least determining the threat weight value associated with each lowest level functional code block(s) represented within the conditional flow graph and propagating this threat weight value upward in the conditional flow graph to neighboring higher-level functional code block(s), until a highest level functional code block within the conditional flow graph is reached. Stated differently, the threat weight value of each “child” functional code block, which is set based on the likelihood of critical code statement(s) residing in that “child” functional code block, is combined with the threat weight value of its neighboring “sibling” functional code block to generate a reassigned threat weight value for “parent” functional code blocks being part of the conditional flow graph. The reassigning of threat weight values continue until a highest layer of the conditional flow graph is reached.
As a result, the code execution path prioritization logic modifies a threat weight value associated with a particular functional code block in the conditional flow graph, provided the particular functional code block includes one or more neighboring, lower-level functional code block(s) that collectively amount to a non-zero threat weight value. This produces top-layer functional code blocks being assigned an aggregate of the collective threat weight values for any lower-layer functional code blocks originating therefrom. Also, code execution paths with different threat weight values may be produced, given that a change of control (e.g., a BRANCH code statement, IF code statement, IF-ELSE code statement) may feature conditional functional code blocks with different threat weight values, as illustrated in
Thereafter, the code execution path prioritization logic is configured to store the content associated with the conditional flow graphs (e.g., content of the functional code blocks, threat (and/or evasive) weight values associated with these functional code blocks, relationships such as one or more code execution paths to which a functional code block pertains, etc.) within a data store that is accessible by the script code coverage logic. The script code coverage logic is configured to initially select, for processing and analysis, the code execution path within the conditional flow graph with the highest likelihood of its functional code blocks including a critical code statement. Upon selection of the particular critical code execution path, the script code modification logic may be configured to alter content (code) of the script to allow for execution of the script over the selected critical code execution path and avoid functional blocks with high evasive weight values. This enable the behavioral analytic stage to initially avoid evasive code and concentrate on portions of the script that may include malware. This avoidance may continue by selecting different critical code execution paths over the same execution thread in efforts to delay execution of the functional code blocks that potentially include evasive code statements.
In summary, based on prioritization of code execution paths as described above, the second analytic stage may be configured to initially bypass evasive code within the script in efforts to execute the code associated with critical code statements that would have been avoided (or at least delayed) during normal execution of the script, as the evasive code within the script may be analyzed to provide complete analytics of the script. The bypassing of evasive code may lead to a more accurate classification of the script object by avoiding code designed in efforts to obfuscate a presence of malware within the script.
Once some or all of the code execution paths have been analyzed, the behavioral analytic stage may determine a verdict (e.g., malicious, benign, or perhaps still suspicious requiring further analysis) for the script object. In particular, for each code execution path, the behavioral analytic stage receives the modified script and, in response to the processing of the modified script, behaviors are observed and stored within an event log. According to one embodiment of the disclosure, the behavioral analytic stage may include, for example, a virtualization engine for generating a virtual machine instance configured with a guest image (e.g., containing an operating system and one or more applications). Herein, the script is modified and run multiple times (iterative) to cover some or all non-zero weighted execution paths (depending on the size of the script), which occurs in a single instance of a VM. The guest image is used in establishing a monitored run-time environment in the virtual machine instance used in executing the modified script. The guest image may be factory-provided and configurable and/or customer provided and configurable.
The behaviors along with meta-information identifying the code execution path and thread associated with the script may be stored as part of an event log, which is accessible by the classification engine. The classification engine may assign a maliciousness score to each identified behavior and/or to sets of identified behaviors, based on prior classifications of malware, e.g., verified through reverse engineering of previously identified malware and/or legitimate code. If the maliciousness score exceeds a threshold, the submitted script object is classified as malicious. If the script object is classified as malicious, an alert (e.g., “threat warning” text or other electronic message or a displayable report) may be generated and issued by the alert logic via a communication interface, for example, to a security administrator.
I. Terminology
In the following description, certain terminology is used to describe aspects of the invention. In certain situations, the terms “logic” and “engine” are representative of hardware, firmware, and/or software that is configured to perform one or more functions. As hardware, the logic (or engine) may include circuitry having data processing and/or storage functionality. Examples of such circuitry may include, but are not limited or restricted to a processor, a programmable gate array, a microcontroller, an application specific integrated circuit, wireless receiver, transmitter and/or transceiver circuitry, semiconductor memory, or combinatorial logic.
Alternatively, or in combination with the hardware circuitry described above, the logic (or engine) may be software in the form of one or more software modules, which may be configured to operate as its counterpart circuitry. For instance, a software module may be a software instance that operates as a processor, namely a virtual processor whose underlying operations is based on a physical processor such as an EC2 instance within the Amazon® AWS infrastructure for example.
Additionally, a software module may include an executable application, a daemon application, an application programming interface (API), a subroutine, a function, a procedure, an applet, a servlet, a routine, source code, a shared library/dynamic load library, or even one or more instructions. The software module(s) may be stored in any type of a suitable non-transitory storage medium, or transitory storage medium (e.g., electrical, optical, acoustical or other form of propagated signals such as carrier waves, infrared signals, or digital signals). Examples of non-transitory storage medium may include, but are not limited or restricted to a programmable circuit; a semiconductor memory; non-persistent storage such as volatile memory (e.g., any type of random access memory “RAM”); persistent storage such as non-volatile memory (e.g., read-only memory “ROM”, power-backed RAM, flash memory, phase-change memory, etc.), a solid-state drive, hard disk drive, an optical disc drive, a portable memory device, or storage instances as described below. As firmware, the logic (or engine) may be stored in persistent storage.
The term “computerized” generally represents that any corresponding operations are conducted by hardware in combination with software and/or firmware.
The term “malware” is directed to software that produces a malicious behavior upon execution, where the behavior is deemed to be “malicious” based on customer-specific rules, manufacturer-based rules, or any other type of rules formulated by public opinion or a particular governmental or commercial entity. This malicious behavior may include any unauthorized, unexpected, anomalous, and/or unwanted behavior. An example of a malicious behavior may include a communication-based anomaly or an execution-based anomaly that (1) alters the functionality of an electronic device executing that application software in a malicious manner; and/or (2) provides an unwanted functionality which is generally acceptable in other context.
The term “network device” should be generally construed as physical or virtualized device with data processing capability and/or a capability of connecting to any type of network, such as a public cloud network, a private cloud network, or any other network type. Examples of a network device may include, but are not limited or restricted to, the following: a server, a router or other intermediary communication device, an endpoint (e.g., a laptop, a smartphone, a tablet, a desktop computer, a netbook, IoT device, industrial controller, etc.) or virtualized devices being software with the functionality of the network device.
The term “conditional flow graph” generally refers to a collection of information, including segments of code directed to one or more functions (e.g., a functional code block) along with information associated with the relationships between these segments of code. Visually, the conditional flow graph may be represented using graph notifications, in which each segment of code may be represented by a node and the information associated with the relationships between these segments of code (e.g., the control flow) may be represented by edges (lines) between the nodes. The information may identify one or more code execution paths to which a functional code block pertains, especially where changes of control occur in which a flow of execution from one functional code block may propagate to one or more different functional code blocks depending on state information at the time of execution.
The term “message” generally refers to as information placed in a prescribed format that is transmitted in accordance with a suitable delivery protocol or accessible through a logical data structure such as an Application Programming Interface (API). Examples of the delivery protocol include, but are not limited or restricted to HTTP (Hypertext Transfer Protocol); HTTPS (HTTP Secure); Simple Mail Transfer Protocol (SMTP); File Transfer Protocol (FTP); iMES SAGE; Instant Message Access Protocol (IMAP); or the like. For example, a message may be provided as one or more packets, frames, or any other series of bits having the prescribed, structured format.
As described herein, cybersecurity analytic logic may be deployed, for example, as a part of a “cloud-based hosted service,” a “hosted service,” or a combination thereof, any of which operates to protect customer cloud-hosted resources maintained within a public cloud network. As a cloud-based hosted service, the cybersecurity analytic logic may be configured to operate as a multi-tenant service; namely a service made available to tenants (also referred to as “customers”) on demand via a public network (e.g., Internet). The multi-tenant service may feature virtual resources, such as virtual compute engines and/or virtual data stores for example, which are partitioned for use among the customers in accessing and/or analyzing data maintained within that customer's specific cloud account. The partitioning protects the security and privacy of the customer data. As a hosted service, the cybersecurity analytic logic may be configured as a single-tenant service provided by a customer's own on-premises server(s) to access and collect meta-information from that customer's cloud accounts(s). Examples of a hosted service may include, but is not limited or restricted to a Microsoft® Exchange® server, a file repository, or the like.
In certain instances, the terms “compare,” comparing,” “comparison,” or other tenses thereof generally mean determining if a match (e.g., identical or a prescribed level of correlation) is achieved between meta-information associated with two items under analysis.
The term “transmission medium” generally refers to a physical or logical communication link (or path) between two or more network devices. For instance, as a physical communication path, wired and/or wireless interconnects in the form of electrical wiring, optical fiber, cable, bus trace, or a wireless channel using infrared, radio frequency (RF), may be used.
Finally, the terms “or” and “and/or” as used herein are to be interpreted as inclusive or meaning any one or any combination. As an example, “A, B or C” or “A, B and/or C” mean “any of the following: A; B; C; A and B; A and C; B and C; A, B and C.” An exception to this definition will occur only when a combination of elements, functions, steps or acts are in some way inherently mutually exclusive.
As this invention is susceptible to embodiments of many different forms, it is intended that the present disclosure is to be considered as an example of the principles of the invention and not intended to limit the invention to the specific embodiments shown and described.
II. Cybersecurity Analytic Logic Deployments
Referring to
Herein, the cloud network 110 (e.g., a public cloud network such as Microsoft Azure®, or Amazon Web Services®, or Google Cloud®, etc.) is a fully virtualized, multi-tenant cloud service made available through one or more data centers (not shown). Each data center(s) includes a plurality of servers maintained by a provider of the cloud network 110. The servers include logic, operating as virtual resources, which are offered by the cloud network 110 and made available to the general public over the Internet, over which the script object 120 may be provided. As an illustrative example, the cybersecurity analytic logic 100 may be maintained with cloud-based storage (e.g., non-transitory storage medium represented as a storage instance such one or more S3 storage instances within Amazon Web Services®, etc.) and processed by processor (e.g., a virtual processor as one or more processor-based instances such as EC2 instances within Amazon Web Services®, etc.).
Herein, the operations of the cybersecurity analytic logic 100 (deployed within the cloud network 110) include identifying certain functional code blocks of the script object 120 having critical and/or evasive code statements and directing execution, within a virtual environment, of certain functional code blocks including the critical code statement(s) while attempting to bypass other functional code blocks including evasive code statement(s). In particular, the execution of the script may be controlled by modifying the script to promote the execution of functional code blocks having critical code statements over one or more critical code execution paths. The modification of the script may be conducted iteratively so that, for each iterative processing cycle by the virtual environment, the code associated with that modified script is executed to propagate along a particular code execution path, which is selected in an attempt to avoid one or more functional code blocks that may operate as evasive code.
The event data produced by execution of the script along different critical code execution paths (e.g., behaviors of the virtual machine executing the script along the code execution paths) are gathered for analysis by a classification engine (see
Although not shown in
Referring to
Referring now to
If the first cybersecurity analytic stage 160 determines that the script 180 is suspicious, at least the script 180 is accessible to the second cybersecurity analytic stage 170 operating as part of the cloud services 110 (operation C). As shown, the suspicious script 180 may be uploaded to the second cybersecurity analytic stage 170. Alternatively, in lieu of the script 180 itself, a reference to a stored location with the contents of the script 180 may be uploaded or the script object 120 may be uploaded to operate as part of cloud services within the cloud network 110.
Upon receipt of the suspicious script object 180 (operation D), the second cybersecurity analytic stage 170 identifies certain functional code blocks of the script 180 that may include evasive code statements. Logic within the second cybersecurity analytic stage 170 is configured to control execution of functional code blocks, within a virtual environment, in efforts to bypass the functional code blocks with the evasive code (operation E). The bypassing may be accomplished by modifying the script 180 in an iterative manner to promote the execution of code associated with code execution paths in efforts to avoid one or more functional code blocks including the evasive code.
During this code execution, behaviors associated with the script 180 and/or the virtual machine of the virtual environment are gathered for analysis by a classification engine deployed within the second cybersecurity analytic stage 170 (operation F). The classification engine may be configured to perform analytics on the collected behaviors to determine a presence of any cyberthreats, where the alert message(s) 130 are issued to one or more administrators that identify detected cyberthreats (operation G). The processing/storage architecture would be a combination of the architectures described for
Referring now to
Herein, the analytics are conducted by logic within the multi-stage analytic engine 200 to determine what modifications to the code within the script 180, if any, are necessary to direct execution to the functional code block(s) with one or more critical code statements instead of the functional code blocks with one or more evasive code statements. Such code modifications may be made in an iterative manner (e.g., sequential and independent modification of the script 180) to promote the execution of functional code blocks, within a virtual environment, where evasive code statements may have intentionally delayed or precluded their execution if analyzed by conventional analysis systems. The multi-stage analytic engine 200 is further configured to monitor for behaviors 210 that occur during execution of a modified script (e.g., behaviors 210 of the virtual environment and/or the script 180).
The multi-stage analytic engine 200 may be further configured to determine whether the submitted object 120 is malicious or benign, based on prior analytic results conducted on the submitted object. Upon detecting malicious results for the submitted object 120, the multi-stage analytic engine 200 may route the uncovered malicious results to the alert engine 250 via a first communication path 270 for subsequent reporting through the alert message(s) 130. Alternatively, upon detecting benign results for the submitted object 120, the multi-stage analytic engine 200 may route the uncovered benign results to the alert engine 250 via a second communication path 280 for subsequent reporting through the alert message(s) 130.
The classification engine 230 may be configured to receive (passively or actively retrieve) some or all of the behaviors 210 along with meta-information 220 associated with the script object 120. This meta-information 220 may include information identifying a source of the script object 120 (e.g., source address, host name, etc.), a destination of the script object 120 (e.g., destination address, etc.), name of the script object 120, time of receipt, or the like. As part of the meta-information 220, the classification engine 230 may be configured to receive information associated with the conditional flow graph (e.g., names of functional code blocks including critical code statements and/or evasive code statements, representation of the conditional flow graph, etc.).
Thereafter, the classification engine 230 is configured to determine whether the script object 120 is malicious based at least on the behaviors 210 monitored by the multi-stage analytic engine 200. The collected behaviors 210 may be received by the classification engine 230 (i) after execution of each modified script that encourages execution away from any evasive code execution path of the script 180 or (ii) as an aggregate of behaviors produced by execution of one or more modified scripts targeting all of the code execution paths forming the script 180, or (iii) as an aggregate of behaviors produced by execution of one or more modified scripts over a subset of these code execution paths if the total time allocated for analysis of the modified scripts would be exceeded if all of the code execution paths are analyzed. This subset of code execution paths may be selected based, at least in part, on a priority assigned to each code execution path using threat weight values as described below (e.g., choosing code execution paths starting at a top-level functional code block with the highest threat weight value and selecting subsequent functional code blocks based on the threat weight value associated with the functional code block).
The classification engine 230 may assign a cyberthreat score to the script object 120 based on a level of correlation between the monitored events (e.g., behaviors, sequence of behaviors, meta-information associated with the script object 120, etc.) and events associated with known malware (e.g., malicious behaviors and/or sequences of behaviors of previously identified malware, behaviors and/or sequences of behaviors of legitimate code). If the cyberthreat score exceeds a threshold, the script object 120 is associated with a cyberthreat, and thus, the script object 120 is classified as malicious.
Analytic results 240 produced by the classification engine 230 are provided to the alert engine 250. The alert engine 250 is configured to organize the results 240 associated with the analyses performed on the script object 120 and provide an alert message(s) 260 in the form of a message (e.g., “threat warning” text or other electronic message) or a displayable report generated and made available to a security administrator (e.g., accessible via a portal or received as part of a message). The analytic results 240 may include the cyberthreat score determined for the script object 120 as well as behavior(s) associated with a determination of maliciousness, the meta-information 220 associated with the script object 120, which may further include information associated with the conditional flow graph.
Referring now to
Referring still to
According to one embodiment of the disclosure, the conditional flow graph generation logic 312 is configured to receive the script 180 extracted from the script object 120 and generate a conditional flow graph. The conditional flow graph may correspond to a graphical representation of the functional code blocks forming the script 180 and the relationships between these functional code blocks.
More specifically, as shown in
For example, as shown in
Referring to both
Herein, according to one embodiment of the disclosure, as shown in
Thereafter, the functional code block weighting logic 314 assigns a first metric type 3701-3705 (hereinafter, “threat weight value”) to each functional code block 3501-3505, where each threat weight value 3701-3705 identifies the likelihood of a corresponding functional code blocks 3501-3505 including one or more critical code statements. Similarly, the functional code block weighting logic 314 assigns a second metric type 3721-3725 (hereinafter, “evasive weight value”) to each functional code block 3501-3505, where each evasive weight value 3721-3725 identifies the likelihood of a corresponding functional code blocks 3501-3505 including one or more evasive code statements.
According to one embodiment, each assigned threat weight value 3701, . . . , or 3705 may be based, at least in part, on (1) a presence of one or more critical code statements within a particular functional code block and (2) a degree of correlation between the critical code statement(s) within a particular functional code block and critical code statements associated with known malware and/or known goodware. Also, each assigned evasive weight value 3721, . . . , or 3725 may be based, at least in part, on (1) a presence of one or more evasive code statement(s) within a particular functional code block and/or (2) a degree of correlation between the evasive code statement(s) and evasive code statements associated with known malware. To determine the correlation between the critical (or evasive) code statement(s) within the particular functional code block and the code statements associated with known malware and/or known goodware, the functional code block weighting logic 314 may be configured with access to a data store 325 including cybersecurity intelligence, including code statements associated with known malicious code or known benign code that are previously detected by the cybersecurity analytic logic 100, other cybersecurity analytic logic deployments, third party sources, or the like. Also, threat weight values, evasive weight values, and a mapping between the values and corresponding condition/evasive code statements may be stored.
Furthermore, if multiple (i.e., two or more) critical (or evasive) code statements are included as part of a certain functional code block, the total threat weight value for a certain functional code block may be computed in accordance with any number of weighting computations. For instance, if multiple critical code statements are included within a functional code block, the threat weight value for this functional code block may be an aggregate of the threat weight values assigned to each critical code statement. Alternatively, the threat weight value for this functional code block may be assigned an average of the threat weight values assigned to each critical code statement, a minimum threat weight value for multiple critical code statements, a maximum threat weight value for multiple critical code statements, a determined threat weight value with an additional threat weight value enhancement given multiple critical code statements are included as part of the certain functional code block. Similarly, a threat weight value applied to a functional code block with no critical code statements (e.g., functional code block 3501-3504) may be set to “zero”, where the threat weight values are increased based on a potential severity of malicious of the critical code statements.
Similarly, if multiple evasive code statements are included within a functional code block, the evasive weight value for this functional code block may be an aggregate of the evasive weight values assigned to each critical code statement. Alternatively, the evasive weight value for this functional code block may be assigned the average of the evasive weight values assigned to each evasive code statement, the minimum evasive weight value for multiple evasive code statements, the maximum evasive weight value for multiple evasive code statements, a determined evasive weight value with a prescribed reduction in the evasive weight value given multiple evasive code statements are included as part of the certain functional code block. Similarly, an evasive weight value applied to a functional code block with no evasive code statements (e.g., functional code block 3501-3503 and 3505) may be set to “zero”, where the evasive weight values may be static or decreased based on a potential severity of evasiveness of the evasive code statements.
Referring to
More specifically, as shown in
Thereafter, the code execution path prioritization logic 316 is configured to store the content associated with the conditional flow graph 360. The contents may include, but is not restricted or limited to the following: content of the functional code blocks 3501-3505; reassigned threat weight values 3801-3803 (as initial threat weight values 3704-3705 remain unchanged); reassigned evasive weight values 3821-3822 (as initial evasive weight values 3723-3725 associated with these functional code blocks 3503-3505; and/or identifiers are associated with each code execution paths 3751-3752 to which each functional code block 3501-3505 pertains. The contents may be stored within the data store 318 for subsequent access by the script code coverage logic 320.
Referring to both
According to one embodiment of the disclosure, the script code coverage logic 320 may rely on the reassigned threat weight value 3801 to determine a particular top-layer functional block (and corresponding code execution paths) to evaluate. Thereafter, the script code coverage logic 320 may select code execution paths based on the reassigned (and original) threat weight values, thereby ordering analysis of the code execution paths based on threat level (and taking into account evasive weight values when a code execution path branches with the same threat weight values, but different evasive weight values—avoiding the path with the functional code block with a greater likelihood of including an evasive code statement (e.g., higher evasive weight value). According to another embodiment of the disclosure, again, the script code coverage logic 320 may rely on the reassigned threat weight value 3801 to determine a particular top-layer functional block (and code execution paths) to evaluate. However, the script code coverage logic 320 may select code execution paths based on the reassigned (and original) evasive weight values and avoiding code execution paths with evasive code by selecting the paths where the evasive weight values decrease for subsequent layered functional code blocks as shown in
Herein, as shown in
Referring back to
The object processing logic 345 is further configured to collect behaviors generated during successive execution of each modified script 3901, . . . , 390N, especially behaviors generated by functional code blocks along some or all of the non-evasive code execution paths. As described above, the object processing logic 345 receives modified scripts 3901, . . . , 390N in an iterative manner as controlled over a feedback loop 395 that signals a request for a next modified script associated with the script object 120 (if any), executes these modified script 3901, . . . , 390N and collects behaviors of the virtual machine instance(s) and/or objects themselves for evaluation by the classification engine 230, as described above.
Referring to
As shown in
Returning back to
After identification, the functional code blocks are parsed to identify certain types of content (code statements) from each of these functional code blocks (operations 435). From the content, the functional code block weighting logic determines whether any of the functional code blocks include a critical code statement and/or an evasive code statement (operation 440). The presence (or absence) of critical code statements is relied upon by the functional code block weighting logic in the assignment of threat weight values to each of the functional code blocks in order to generate a weighted conditional flow graph (operations 445, 450 and 455). The weighted conditional flow graph is generated by the code path prioritization logic re-adjusting threat weight values for functional code blocks forming the code execution paths so that a representation of each top-layer functional code blocks identifies aggregated weight values for code execution paths initiating from that top-layer functional code block. The evasive weight values assigned to each of the functional code blocks by the functional code block weighting logic are similarly altered to identify which functional code block(s) may include evasive code statements (based on lesser evasive weight value changes evaluated from top-layer functional code blocks to their lower layer functional code blocks so as to select code execution paths that avoid (or at least delay) execution of the functional code block(s).
According to one embodiment of the disclosure, the functional code block weighting logic may be configured to assign (i) a first cybersecurity metric (e.g., threat weight value) to identify a functional code block including one or more critical code statements and (ii) a second cybersecurity metric (e.g., evasive weight value) to identify a functional code block that includes one or more evasive code statements. Herein, each threat weight value conveys both a presence of one or more critical code statements and a degree of potential maliciousness of the critical code statement(s) (e.g., greater likelihood of malicious code being assigned a greater threat weight value). Each evasive weight value conveys both a presence of one or more evasive code statements and a likelihood of the code statement being evasive (e.g., greater likelihood of evasive code being assigned a lesser (more negative) evasive weight value).
Referring to
Herein, the evasion handler identifies a particular thread that is responsible for generation of the event by processing of a particular portion of the script associated with a particular code execution path. The path identifier represents the code execution path in which the event was generated. The path identifier may be configured to correspond to the priority assigned to the code execution path, where a first path identifier corresponds to a code execution path with a highest priority, a second path identifier corresponds to a code execution path with a next highest priority, and the like. This meta-information may be used to identify a location of evasive code and/or malicious code during classification, which may be included as part of the analytic results 240 provided from the classification engine 230 of
Referring now to
For example, the script code modification logic 322 may be configured to determine if the change of control condition causes early termination (exit) of the script (block 610). If so, the script code modification logic 322 is configured to modify code associated with the change of control condition to include an “AND” statement to direct execution of the script object to avoid a portion of the script object causing the early termination to occur (block 620).
The script code modification logic 322 may be configured to further determine if execution of the change of control condition is desired to ensure execution of a particular critical code statement (block 630). If so, the script code modification logic 322 may be configured to modify code associated with the change of control condition to include an “OR TRUE” statement to direct execution of the script object to a portion of the script object including the critical code statement (block 640).
As further shown in
Lastly, the script code modification logic 322 may be further configured to determine if a split of a functional code block to avoid certain code and continue execution of the script object is desired (block 670). If so, the script code modification logic 322 may be configured to modify code associated with the change of control condition to include a “RESUME NEXT” operator to direct execution of the script object to certain code with the change of control condition instead of precluding execution of code associated with the particular functional code block (block 680).
Referring to
The conditional flow graph 700 may further include one or more changes in control, such as a first change of control 715 (e.g., IF code statement) represented as a third node 720 and a second change of control (e.g., ELSEIF code statement) represented by a fourth node 725. As shown, the first change in control 715 transitions to a third functional code block, represented by a fifth node 730, when the IF code statement returns a TRUE. Otherwise, the second change of control 725 transitions to either a fourth functional code block (represented by a sixth node 735) when the ELSEIF code statement is TRUE or a fifth functional code block (represented by an eighth node 745) when the ELSEIF code statement is FALSE and the ELSE code statement (represented by an eighth node 740) is TRUE.
According to this illustrative embodiment, the functional code block weighting logic is configured to identify functional code blocks that include one or more critical code statements and assign a first metric to those functional code blocks. Herein, the functional code block weighting logic identifies the third, fourth and fifth functional code blocks 730, 735, 745 may include one or more critical code statements while the IF code statement 720 may be potentially classified as another critical code statement. The threat weight values (wt) 7503, 7505-7506 and 7508 associated with nodes 720, 730, 735 and 745 correspond to a different values, such as a first threat weight value (e.g., wt=5), a second threat weight value (e.g., wt=10), a third threat weight value (e.g., wt=8) and a fourth threat weight value (e.g., wt=6), respectively. As stated above, the assignment of the threat weight values would be based on levels of correlation of the critical code statements to code statements associated with known malware and/or code statements associated with known goodware. A threat weight value of zero identifies that, according to the analyses of the corresponding code does not include any critical code statements.
Similarly, the functional code block weighting logic is configured to identify the fourth functional code block 735 includes one or more evasive code statements, and thus, is fourth functional code block 735 is assigned an evasive weight value 7706 (ewt=5) to identify the code block 735 potentially includes evasive code. As stated above, the assignment of the evasive weight value could be based on levels of correlation of the evasive code statement to code statements associated with known malware with evasive capabilities and/or to code statements associated with known goodware.
Referring now to
Thereafter, as shown in
Thereafter, the script code coverage logic may be configured to select a second code execution path 781 originating from the first functional code block 710. According to one embodiment of the disclosure, as the behavioral stage analyses may be conducted concurrently, the second code execution path 781 may be selected from the sequence of nodes reassigned the next highest threat weight value (e.g., third code execution path 782), given that execution of the code associated with the code execution paths may be conducted concurrently. Alternatively, the script code coverage logic may detect that the potential second code execution path 781 includes one or more evasive code statements (e.g., by maintaining a consistent evasive weight value of 5 until the path separation at functional block 725), and as a result, modifies the script to execute the third code execution path 782 prior to the execution of code associated with the second code execution path 781 to delay execution of the evasive code within the script.
In the foregoing description, the invention is described with reference to specific exemplary embodiments thereof. However, it will be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention as set forth in the appended claims.
This application is a continuation of U.S. application Ser. No. 17/133,379 filed Dec. 23, 2020, now U.S. Pat. No. 11,436,327 issued Sep. 6, 2022 which claims the benefit of priority on U.S. Provisional Application No. 62/953,415 filed on Dec. 24, 2019, the entire content of which are incorporated by reference herein.
| Number | Name | Date | Kind |
|---|---|---|---|
| 6898632 | Gordy et al. | May 2005 | B2 |
| 6941348 | Petry et al. | Sep 2005 | B2 |
| 7080407 | Zhao et al. | Jul 2006 | B1 |
| 7080408 | Pak et al. | Jul 2006 | B1 |
| 7243371 | Kasper et al. | Jul 2007 | B1 |
| 7308716 | Danford et al. | Dec 2007 | B2 |
| 7448084 | Apap et al. | Nov 2008 | B1 |
| 7458098 | Judge et al. | Nov 2008 | B2 |
| 7467408 | O'Toole, Jr. | Dec 2008 | B1 |
| 7496961 | Zimmer et al. | Feb 2009 | B2 |
| 7519990 | Xie | Apr 2009 | B1 |
| 7540025 | Tzadikario | May 2009 | B2 |
| 7639714 | Stolfo et al. | Dec 2009 | B2 |
| 7698548 | Shelest et al. | Apr 2010 | B2 |
| 7779463 | Stolfo et al. | Aug 2010 | B2 |
| 7801840 | Repasi | Sep 2010 | B2 |
| 7854007 | Sprosts et al. | Dec 2010 | B2 |
| 7937387 | Frazier et al. | May 2011 | B2 |
| 7949849 | Lowe et al. | May 2011 | B2 |
| 8006305 | Aziz | Aug 2011 | B2 |
| 8020206 | Hubbard et al. | Sep 2011 | B2 |
| 8045458 | Alperovitch et al. | Oct 2011 | B2 |
| 8069484 | McMillan et al. | Nov 2011 | B2 |
| 8171553 | Aziz et al. | May 2012 | B2 |
| 8201246 | Wu et al. | Jun 2012 | B1 |
| 8204984 | Aziz et al. | Jun 2012 | B1 |
| 8214905 | Doukhvalov et al. | Jul 2012 | B1 |
| 8291499 | Aziz et al. | Oct 2012 | B2 |
| 8370938 | Daswani et al. | Feb 2013 | B1 |
| 8370939 | Zaitsev et al. | Feb 2013 | B2 |
| 8375444 | Aziz et al. | Feb 2013 | B2 |
| 8438644 | Watters et al. | May 2013 | B2 |
| 8464340 | Ahn et al. | Jun 2013 | B2 |
| 8494974 | Watters et al. | Jul 2013 | B2 |
| 8516593 | Aziz | Aug 2013 | B2 |
| 8528086 | Aziz | Sep 2013 | B1 |
| 8539582 | Aziz et al. | Sep 2013 | B1 |
| 8549638 | Aziz | Oct 2013 | B2 |
| 8561177 | Aziz et al. | Oct 2013 | B1 |
| 8566476 | Shiffer et al. | Oct 2013 | B2 |
| 8566946 | Aziz et al. | Oct 2013 | B1 |
| 8584239 | Aziz et al. | Nov 2013 | B2 |
| 8635696 | Aziz | Jan 2014 | B1 |
| 8689333 | Aziz | Apr 2014 | B2 |
| 8713681 | Silberman et al. | Apr 2014 | B2 |
| 8719939 | Krasser et al. | May 2014 | B2 |
| 8776229 | Aziz | Jul 2014 | B1 |
| 8793278 | Frazier et al. | Jul 2014 | B2 |
| 8793787 | Ismael et al. | Jul 2014 | B2 |
| 8813050 | Watters et al. | Aug 2014 | B2 |
| 8832829 | Manni et al. | Sep 2014 | B2 |
| 8850571 | Staniford et al. | Sep 2014 | B2 |
| 8881271 | Butler, II | Nov 2014 | B2 |
| 8881282 | Aziz et al. | Nov 2014 | B1 |
| 8898788 | Aziz et al. | Nov 2014 | B1 |
| 8935779 | Manni et al. | Jan 2015 | B2 |
| 8949257 | Shiffer et al. | Feb 2015 | B2 |
| 8984638 | Aziz et al. | Mar 2015 | B1 |
| 8990939 | Staniford et al. | Mar 2015 | B2 |
| 8990944 | Singh et al. | Mar 2015 | B1 |
| 8997219 | Staniford et al. | Mar 2015 | B2 |
| 9009822 | Ismael et al. | Apr 2015 | B1 |
| 9009823 | Ismael et al. | Apr 2015 | B1 |
| 9015846 | Watters et al. | Apr 2015 | B2 |
| 9027135 | Aziz | May 2015 | B1 |
| 9071638 | Aziz et al. | Jun 2015 | B1 |
| 9104867 | Thioux et al. | Aug 2015 | B1 |
| 9106630 | Frazier et al. | Aug 2015 | B2 |
| 9106694 | Aziz et al. | Aug 2015 | B2 |
| 9118715 | Staniford et al. | Aug 2015 | B2 |
| 9159035 | Ismael et al. | Oct 2015 | B1 |
| 9171160 | Vincent et al. | Oct 2015 | B2 |
| 9176843 | Ismael et al. | Nov 2015 | B1 |
| 9189627 | Islam | Nov 2015 | B1 |
| 9195829 | Goradia et al. | Nov 2015 | B1 |
| 9197664 | Aziz et al. | Nov 2015 | B1 |
| 9223972 | Vincent et al. | Dec 2015 | B1 |
| 9225740 | Ismael et al. | Dec 2015 | B1 |
| 9241010 | Bennett et al. | Jan 2016 | B1 |
| 9251343 | Vincent et al. | Feb 2016 | B1 |
| 9262635 | Paithane et al. | Feb 2016 | B2 |
| 9268936 | Butler | Feb 2016 | B2 |
| 9275229 | LeMasters | Mar 2016 | B2 |
| 9282109 | Aziz et al. | Mar 2016 | B1 |
| 9292686 | Ismael et al. | Mar 2016 | B2 |
| 9294501 | Mesdaq et al. | Mar 2016 | B2 |
| 9300686 | Pidathala et al. | Mar 2016 | B2 |
| 9306960 | Aziz | Apr 2016 | B1 |
| 9306974 | Aziz et al. | Apr 2016 | B1 |
| 9311479 | Manni et al. | Apr 2016 | B1 |
| 9355247 | Thioux et al. | May 2016 | B1 |
| 9356944 | Aziz | May 2016 | B1 |
| 9363280 | Rivlin et al. | Jun 2016 | B1 |
| 9367681 | Ismael et al. | Jun 2016 | B1 |
| 9398028 | Karandikar et al. | Jul 2016 | B1 |
| 9413781 | Cunningham et al. | Aug 2016 | B2 |
| 9426071 | Caldejon et al. | Aug 2016 | B1 |
| 9430646 | Mushtaq et al. | Aug 2016 | B1 |
| 9432389 | Khalid et al. | Aug 2016 | B1 |
| 9438613 | Paithane et al. | Sep 2016 | B1 |
| 9438622 | Staniford et al. | Sep 2016 | B1 |
| 9438623 | Thioux et al. | Sep 2016 | B1 |
| 9459901 | Jung et al. | Oct 2016 | B2 |
| 9467460 | Otvagin et al. | Oct 2016 | B1 |
| 9483644 | Paithane et al. | Nov 2016 | B1 |
| 9495180 | Ismael | Nov 2016 | B2 |
| 9497213 | Thompson et al. | Nov 2016 | B2 |
| 9507935 | Ismael et al. | Nov 2016 | B2 |
| 9516057 | Aziz | Dec 2016 | B2 |
| 9519782 | Aziz et al. | Dec 2016 | B2 |
| 9536091 | Paithane et al. | Jan 2017 | B2 |
| 9537972 | Edwards et al. | Jan 2017 | B1 |
| 9560059 | Islam | Jan 2017 | B1 |
| 9565202 | Kindlund et al. | Feb 2017 | B1 |
| 9591015 | Amin et al. | Mar 2017 | B1 |
| 9591020 | Aziz | Mar 2017 | B1 |
| 9594904 | Jain et al. | Mar 2017 | B1 |
| 9594905 | Ismael et al. | Mar 2017 | B1 |
| 9594912 | Thioux et al. | Mar 2017 | B1 |
| 9609007 | Rivlin et al. | Mar 2017 | B1 |
| 9626509 | Khalid et al. | Apr 2017 | B1 |
| 9628498 | Aziz et al. | Apr 2017 | B1 |
| 9628507 | Haq et al. | Apr 2017 | B2 |
| 9633134 | Ross | Apr 2017 | B2 |
| 9635039 | Islam et al. | Apr 2017 | B1 |
| 9641546 | Manni et al. | May 2017 | B1 |
| 9654485 | Neumann | May 2017 | B1 |
| 9661009 | Karandikar et al. | May 2017 | B1 |
| 9661018 | Aziz | May 2017 | B1 |
| 9674298 | Edwards et al. | Jun 2017 | B1 |
| 9680862 | Ismael et al. | Jun 2017 | B2 |
| 9690606 | Ha et al. | Jun 2017 | B1 |
| 9690933 | Singh et al. | Jun 2017 | B1 |
| 9690935 | Shiffer et al. | Jun 2017 | B2 |
| 9690936 | Malik et al. | Jun 2017 | B1 |
| 9736179 | Ismael | Aug 2017 | B2 |
| 9740857 | Ismael et al. | Aug 2017 | B2 |
| 9747446 | Pidathala et al. | Aug 2017 | B1 |
| 9749343 | Watters et al. | Aug 2017 | B2 |
| 9749344 | Watters et al. | Aug 2017 | B2 |
| 9756074 | Aziz et al. | Sep 2017 | B2 |
| 9773112 | Rathor et al. | Sep 2017 | B1 |
| 9781144 | Otvagin et al. | Oct 2017 | B1 |
| 9787700 | Amin et al. | Oct 2017 | B1 |
| 9787706 | Otvagin et al. | Oct 2017 | B1 |
| 9792196 | Ismael et al. | Oct 2017 | B1 |
| 9824209 | Ismael et al. | Nov 2017 | B1 |
| 9824211 | Wilson | Nov 2017 | B2 |
| 9824216 | Khalid et al. | Nov 2017 | B1 |
| 9825976 | Gomez et al. | Nov 2017 | B1 |
| 9825989 | Mehra et al. | Nov 2017 | B1 |
| 9838408 | Karandikar et al. | Dec 2017 | B1 |
| 9838411 | Aziz | Dec 2017 | B1 |
| 9838416 | Aziz | Dec 2017 | B1 |
| 9838417 | Khalid et al. | Dec 2017 | B1 |
| 9846776 | Paithane et al. | Dec 2017 | B1 |
| 9876701 | Caldejon et al. | Jan 2018 | B1 |
| 9888016 | Amin et al. | Feb 2018 | B1 |
| 9888019 | Pidathala et al. | Feb 2018 | B1 |
| 9892261 | Joram et al. | Feb 2018 | B2 |
| 9904955 | Watters et al. | Feb 2018 | B2 |
| 9910988 | Vincent et al. | Mar 2018 | B1 |
| 9912644 | Cunningham | Mar 2018 | B2 |
| 9912681 | Ismael et al. | Mar 2018 | B1 |
| 9912684 | Aziz et al. | Mar 2018 | B1 |
| 9912691 | Mesdaq et al. | Mar 2018 | B2 |
| 9912698 | Thioux et al. | Mar 2018 | B1 |
| 9916440 | Paithane et al. | Mar 2018 | B1 |
| 9921978 | Chan et al. | Mar 2018 | B1 |
| 9934376 | Ismael | Apr 2018 | B1 |
| 9934381 | Kindlund et al. | Apr 2018 | B1 |
| 9946568 | Ismael et al. | Apr 2018 | B1 |
| 9954890 | Staniford et al. | Apr 2018 | B1 |
| 9973531 | Thioux | May 2018 | B1 |
| 10002252 | Ismael et al. | Jun 2018 | B2 |
| 10019338 | Goradia et al. | Jul 2018 | B1 |
| 10019573 | Silberman et al. | Jul 2018 | B2 |
| 10025691 | Ismael et al. | Jul 2018 | B1 |
| 10025927 | Khalid et al. | Jul 2018 | B1 |
| 10027689 | Rathor et al. | Jul 2018 | B1 |
| 10027690 | Aziz et al. | Jul 2018 | B2 |
| 10027696 | Rivlin et al. | Jul 2018 | B1 |
| 10033747 | Paithane et al. | Jul 2018 | B1 |
| 10033748 | Cunningham et al. | Jul 2018 | B1 |
| 10033753 | Islam et al. | Jul 2018 | B1 |
| 10033759 | Kabra et al. | Jul 2018 | B1 |
| 10050998 | Singh | Aug 2018 | B1 |
| 10063583 | Watters et al. | Aug 2018 | B2 |
| 10068091 | Aziz et al. | Sep 2018 | B1 |
| 10075455 | Zafar et al. | Sep 2018 | B2 |
| 10083302 | Paithane et al. | Sep 2018 | B1 |
| 10084813 | Eyada | Sep 2018 | B2 |
| 10089461 | Ha et al. | Oct 2018 | B1 |
| 10097573 | Aziz | Oct 2018 | B1 |
| 10104102 | Neumann | Oct 2018 | B1 |
| 10108446 | Steinberg et al. | Oct 2018 | B1 |
| 10121000 | Rivlin et al. | Nov 2018 | B1 |
| 10122746 | Manni et al. | Nov 2018 | B1 |
| 10133863 | Bu et al. | Nov 2018 | B2 |
| 10133866 | Kumar et al. | Nov 2018 | B1 |
| 10146810 | Shiffer et al. | Dec 2018 | B2 |
| 10148693 | Singh et al. | Dec 2018 | B2 |
| 10165000 | Aziz et al. | Dec 2018 | B1 |
| 10169585 | Pilipenko et al. | Jan 2019 | B1 |
| 10176321 | Abbasi et al. | Jan 2019 | B2 |
| 10181029 | Ismael et al. | Jan 2019 | B1 |
| 10191861 | Steinberg et al. | Jan 2019 | B1 |
| 10192052 | Singh et al. | Jan 2019 | B1 |
| 10198574 | Thioux et al. | Feb 2019 | B1 |
| 10200384 | Mushtaq et al. | Feb 2019 | B1 |
| 10210329 | Malik et al. | Feb 2019 | B1 |
| 10216927 | Steinberg | Feb 2019 | B1 |
| 10218740 | Mesdaq et al. | Feb 2019 | B1 |
| 10242185 | Goradia | Mar 2019 | B1 |
| 10282548 | Aziz et al. | May 2019 | B1 |
| 10284574 | Aziz et al. | May 2019 | B1 |
| 10284575 | Paithane et al. | May 2019 | B2 |
| 10296437 | Ismael et al. | May 2019 | B2 |
| 10335738 | Paithane et al. | Jul 2019 | B1 |
| 10341363 | Vincent et al. | Jul 2019 | B1 |
| 10341365 | Ha | Jul 2019 | B1 |
| 10366231 | Singh et al. | Jul 2019 | B1 |
| 10380343 | Jung et al. | Aug 2019 | B1 |
| 10395029 | Steinberg | Aug 2019 | B1 |
| 10404725 | Rivlin et al. | Sep 2019 | B1 |
| 10417031 | Paithane et al. | Sep 2019 | B2 |
| 10430586 | Paithane et al. | Oct 2019 | B1 |
| 10432649 | Bennett et al. | Oct 2019 | B1 |
| 10445502 | Desphande et al. | Oct 2019 | B1 |
| 10447728 | Steinberg | Oct 2019 | B1 |
| 10454950 | Aziz | Oct 2019 | B1 |
| 10454953 | Amin et al. | Oct 2019 | B1 |
| 10462173 | Aziz et al. | Oct 2019 | B1 |
| 10467411 | Pidathala et al. | Nov 2019 | B1 |
| 10467414 | Kindlund et al. | Nov 2019 | B1 |
| 10469512 | Ismael | Nov 2019 | B1 |
| 10474813 | Ismael | Nov 2019 | B1 |
| 10476906 | Siddiqui | Nov 2019 | B1 |
| 10476909 | Aziz et al. | Nov 2019 | B1 |
| 10491627 | Su | Nov 2019 | B1 |
| 10503904 | Singh et al. | Dec 2019 | B1 |
| 10505956 | Pidathala et al. | Dec 2019 | B1 |
| 10511614 | Aziz | Dec 2019 | B1 |
| 10515214 | Vincent et al. | Dec 2019 | B1 |
| 10523609 | Subramanian | Dec 2019 | B1 |
| 10528726 | Ismael | Jan 2020 | B1 |
| 10534906 | Paithane et al. | Jan 2020 | B1 |
| 10552610 | Vashisht et al. | Feb 2020 | B1 |
| 10554507 | Siddiqui et al. | Feb 2020 | B1 |
| 10565376 | Jung | Feb 2020 | B1 |
| 10565378 | Vincent et al. | Feb 2020 | B1 |
| 10567405 | Aziz | Feb 2020 | B1 |
| 10572665 | Jung et al. | Feb 2020 | B2 |
| 10581874 | Khalid et al. | Mar 2020 | B1 |
| 10581879 | Paithane et al. | Mar 2020 | B1 |
| 10581898 | Singh | Mar 2020 | B1 |
| 10587636 | Aziz et al. | Mar 2020 | B1 |
| 10587647 | Khalid et al. | Mar 2020 | B1 |
| 10592678 | Ismael et al. | Mar 2020 | B1 |
| 10601848 | Jeyaraman et al. | Mar 2020 | B1 |
| 10601863 | Siddiqui | Mar 2020 | B1 |
| 10601865 | Mesdaq et al. | Mar 2020 | B1 |
| 10616266 | Otvagin | Apr 2020 | B1 |
| 10621338 | Pfoh et al. | Apr 2020 | B1 |
| 10623434 | Aziz et al. | Apr 2020 | B1 |
| 10637880 | Islam et al. | Apr 2020 | B1 |
| 10642753 | Steinberg | May 2020 | B1 |
| 10657251 | Malik et al. | May 2020 | B1 |
| 10666686 | Singh et al. | May 2020 | B1 |
| 10671721 | Otvagin et al. | Jun 2020 | B1 |
| 10671726 | Paithane et al. | Jun 2020 | B1 |
| 10701091 | Cunningham et al. | Jun 2020 | B1 |
| 10706149 | Vincent | Jul 2020 | B1 |
| 10713358 | Sikorski et al. | Jul 2020 | B2 |
| 10713362 | Vincent et al. | Jul 2020 | B1 |
| 10715542 | Wei et al. | Jul 2020 | B1 |
| 10726127 | Steinberg | Jul 2020 | B1 |
| 10728263 | Neumann | Jul 2020 | B1 |
| 10735458 | Haq et al. | Aug 2020 | B1 |
| 10740456 | Ismael et al. | Aug 2020 | B1 |
| 10747872 | Ha et al. | Aug 2020 | B1 |
| 10757120 | Aziz et al. | Aug 2020 | B1 |
| 10757134 | Eyada | Aug 2020 | B1 |
| 10785255 | Otvagin et al. | Sep 2020 | B1 |
| 10791138 | Siddiqui et al. | Sep 2020 | B1 |
| 10795991 | Ross et al. | Oct 2020 | B1 |
| 10798112 | Siddiqui et al. | Oct 2020 | B2 |
| 10798121 | Khalid et al. | Oct 2020 | B1 |
| 10805340 | Goradia | Oct 2020 | B1 |
| 10805346 | Kumar et al. | Oct 2020 | B2 |
| 10812513 | Manni et al. | Oct 2020 | B1 |
| 10817606 | Vincent | Oct 2020 | B1 |
| 10826931 | Quan et al. | Nov 2020 | B1 |
| 10826933 | Ismael et al. | Nov 2020 | B1 |
| 10834107 | Paithane et al. | Nov 2020 | B1 |
| 10846117 | Steinberg | Nov 2020 | B1 |
| 10848397 | Siddiqui et al. | Nov 2020 | B1 |
| 10848521 | Thioux et al. | Nov 2020 | B1 |
| 10855700 | Jeyaraman et al. | Dec 2020 | B1 |
| 10868818 | Rathor et al. | Dec 2020 | B1 |
| 10872151 | Kumar et al. | Dec 2020 | B1 |
| 10873597 | Mehra et al. | Dec 2020 | B1 |
| 10887328 | Paithane et al. | Jan 2021 | B1 |
| 10893059 | Aziz et al. | Jan 2021 | B1 |
| 10893068 | Khalid et al. | Jan 2021 | B1 |
| 10902117 | Singh et al. | Jan 2021 | B1 |
| 10902119 | Vashisht et al. | Jan 2021 | B1 |
| 10904286 | Liu | Jan 2021 | B1 |
| 10929266 | Goradia et al. | Feb 2021 | B1 |
| 11436327 | Vashisht et al. | Sep 2022 | B1 |
| 20020016918 | Tucker | Feb 2002 | A1 |
| 20020038430 | Edwards et al. | Mar 2002 | A1 |
| 20020091819 | Melchione et al. | Jul 2002 | A1 |
| 20020095607 | Lin-Hendel | Jul 2002 | A1 |
| 20020169952 | DiSanto et al. | Nov 2002 | A1 |
| 20020184528 | Shevenell et al. | Dec 2002 | A1 |
| 20020188887 | Largman et al. | Dec 2002 | A1 |
| 20030084318 | Schertz | May 2003 | A1 |
| 20030188190 | Aaron et al. | Oct 2003 | A1 |
| 20030191957 | Hypponen et al. | Oct 2003 | A1 |
| 20040015712 | Szor | Jan 2004 | A1 |
| 20040019832 | Arnold et al. | Jan 2004 | A1 |
| 20040117478 | Triulzi et al. | Jun 2004 | A1 |
| 20040117624 | Brandt et al. | Jun 2004 | A1 |
| 20040236963 | Danford et al. | Nov 2004 | A1 |
| 20040255161 | Cavanaugh | Dec 2004 | A1 |
| 20040268147 | Wiederin et al. | Dec 2004 | A1 |
| 20050021740 | Bar et al. | Jan 2005 | A1 |
| 20050086523 | Zimmer et al. | Apr 2005 | A1 |
| 20050091513 | Mitomo et al. | Apr 2005 | A1 |
| 20050108562 | Khazan et al. | May 2005 | A1 |
| 20050125195 | Brendel | Jun 2005 | A1 |
| 20050149726 | Joshi et al. | Jul 2005 | A1 |
| 20050157662 | Bingham et al. | Jul 2005 | A1 |
| 20050238005 | Chen et al. | Oct 2005 | A1 |
| 20050262562 | Gassoway | Nov 2005 | A1 |
| 20050283839 | Cowburn | Dec 2005 | A1 |
| 20060010495 | Cohen et al. | Jan 2006 | A1 |
| 20060015715 | Anderson | Jan 2006 | A1 |
| 20060015747 | Van de Ven | Jan 2006 | A1 |
| 20060021029 | Brickell et al. | Jan 2006 | A1 |
| 20060031476 | Mathes et al. | Feb 2006 | A1 |
| 20060070130 | Costea et al. | Mar 2006 | A1 |
| 20060117385 | Mester et al. | Jun 2006 | A1 |
| 20060123477 | Raghavan et al. | Jun 2006 | A1 |
| 20060150249 | Gassen et al. | Jul 2006 | A1 |
| 20060161987 | Levy-Yurista | Jul 2006 | A1 |
| 20060173992 | Weber et al. | Aug 2006 | A1 |
| 20060191010 | Benjamin | Aug 2006 | A1 |
| 20060242709 | Seinfeld et al. | Oct 2006 | A1 |
| 20060251104 | Koga | Nov 2006 | A1 |
| 20060288417 | Bookbinder et al. | Dec 2006 | A1 |
| 20070006288 | Mayfield et al. | Jan 2007 | A1 |
| 20070006313 | Porras et al. | Jan 2007 | A1 |
| 20070011174 | Takaragi et al. | Jan 2007 | A1 |
| 20070016951 | Piccard et al. | Jan 2007 | A1 |
| 20070064689 | Shin et al. | Mar 2007 | A1 |
| 20070143827 | Nicodemus et al. | Jun 2007 | A1 |
| 20070157306 | Elrod et al. | Jul 2007 | A1 |
| 20070192858 | Lum | Aug 2007 | A1 |
| 20070208822 | Wang et al. | Sep 2007 | A1 |
| 20070240217 | Tuvell et al. | Oct 2007 | A1 |
| 20070240218 | Tuvell et al. | Oct 2007 | A1 |
| 20070240220 | Tuvell et al. | Oct 2007 | A1 |
| 20070240222 | Tuvell et al. | Oct 2007 | A1 |
| 20070250930 | Aziz et al. | Oct 2007 | A1 |
| 20080005782 | Aziz | Jan 2008 | A1 |
| 20080016339 | Shukla | Jan 2008 | A1 |
| 20080040710 | Chiriac | Feb 2008 | A1 |
| 20080072326 | Danford et al. | Mar 2008 | A1 |
| 20080077793 | Tan et al. | Mar 2008 | A1 |
| 20080134334 | Kim et al. | Jun 2008 | A1 |
| 20080141376 | Clausen et al. | Jun 2008 | A1 |
| 20080184367 | McMillan et al. | Jul 2008 | A1 |
| 20080189787 | Arnold et al. | Aug 2008 | A1 |
| 20080307524 | Singh et al. | Dec 2008 | A1 |
| 20080320594 | Jiang | Dec 2008 | A1 |
| 20090003317 | Kasralikar et al. | Jan 2009 | A1 |
| 20090064332 | Porras et al. | Mar 2009 | A1 |
| 20090083855 | Apap et al. | Mar 2009 | A1 |
| 20090125976 | Wassermann et al. | May 2009 | A1 |
| 20090126015 | Monastyrsky et al. | May 2009 | A1 |
| 20090144823 | Lamastra et al. | Jun 2009 | A1 |
| 20090158430 | Borders | Jun 2009 | A1 |
| 20090172815 | Gu et al. | Jul 2009 | A1 |
| 20090198651 | Shiffer et al. | Aug 2009 | A1 |
| 20090198670 | Shiffer et al. | Aug 2009 | A1 |
| 20090198689 | Frazier et al. | Aug 2009 | A1 |
| 20090199274 | Frazier et al. | Aug 2009 | A1 |
| 20090241190 | Todd et al. | Sep 2009 | A1 |
| 20090300589 | Watters et al. | Dec 2009 | A1 |
| 20100017546 | Poo et al. | Jan 2010 | A1 |
| 20100030996 | Butler, II | Feb 2010 | A1 |
| 20100058474 | Hicks | Mar 2010 | A1 |
| 20100077481 | Polyakov et al. | Mar 2010 | A1 |
| 20100115621 | Staniford et al. | May 2010 | A1 |
| 20100132038 | Zaitsev | May 2010 | A1 |
| 20100154056 | Smith et al. | Jun 2010 | A1 |
| 20100192223 | Ismael et al. | Jul 2010 | A1 |
| 20100281542 | Stolfo et al. | Nov 2010 | A1 |
| 20110078794 | Manni et al. | Mar 2011 | A1 |
| 20110093951 | Aziz | Apr 2011 | A1 |
| 20110099633 | Aziz | Apr 2011 | A1 |
| 20110099635 | Silberman et al. | Apr 2011 | A1 |
| 20110167493 | Song et al. | Jul 2011 | A1 |
| 20110173213 | Frazier et al. | Jul 2011 | A1 |
| 20110178942 | Watters et al. | Jul 2011 | A1 |
| 20110219450 | McDougal et al. | Sep 2011 | A1 |
| 20110225624 | Sawhney et al. | Sep 2011 | A1 |
| 20110247072 | Staniford et al. | Oct 2011 | A1 |
| 20110307954 | Melnik et al. | Dec 2011 | A1 |
| 20110307955 | Kaplan et al. | Dec 2011 | A1 |
| 20110307956 | Yermakov et al. | Dec 2011 | A1 |
| 20110314546 | Aziz et al. | Dec 2011 | A1 |
| 20120117652 | Manni et al. | May 2012 | A1 |
| 20120174186 | Aziz et al. | Jul 2012 | A1 |
| 20120174218 | McCoy et al. | Jul 2012 | A1 |
| 20120210423 | Friedrichs et al. | Aug 2012 | A1 |
| 20120222121 | Staniford et al. | Aug 2012 | A1 |
| 20120233698 | Watters et al. | Sep 2012 | A1 |
| 20120278886 | Luna | Nov 2012 | A1 |
| 20120331553 | Aziz et al. | Dec 2012 | A1 |
| 20130036472 | Aziz | Feb 2013 | A1 |
| 20130047257 | Aziz | Feb 2013 | A1 |
| 20130097706 | Titonis et al. | Apr 2013 | A1 |
| 20130185795 | Winn et al. | Jul 2013 | A1 |
| 20130227691 | Aziz et al. | Aug 2013 | A1 |
| 20130232577 | Watters et al. | Sep 2013 | A1 |
| 20130247186 | LeMasters | Sep 2013 | A1 |
| 20130282426 | Watters et al. | Oct 2013 | A1 |
| 20130291109 | Staniford et al. | Oct 2013 | A1 |
| 20130318038 | Shiffer et al. | Nov 2013 | A1 |
| 20130318073 | Shiffer et al. | Nov 2013 | A1 |
| 20130325791 | Shiffer et al. | Dec 2013 | A1 |
| 20130325792 | Shiffer et al. | Dec 2013 | A1 |
| 20130325871 | Shiffer et al. | Dec 2013 | A1 |
| 20130325872 | Shiffer et al. | Dec 2013 | A1 |
| 20140032875 | Butler | Jan 2014 | A1 |
| 20140165204 | Williams | Jun 2014 | A1 |
| 20140181131 | Ross | Jun 2014 | A1 |
| 20140189687 | Jung et al. | Jul 2014 | A1 |
| 20140189866 | Shiffer et al. | Jul 2014 | A1 |
| 20140189882 | Jung et al. | Jul 2014 | A1 |
| 20140237600 | Silberman et al. | Aug 2014 | A1 |
| 20140280245 | Wilson | Sep 2014 | A1 |
| 20140283037 | Sikorski et al. | Sep 2014 | A1 |
| 20140283063 | Thompson et al. | Sep 2014 | A1 |
| 20140297494 | Watters et al. | Oct 2014 | A1 |
| 20140337836 | Ismael | Nov 2014 | A1 |
| 20140344926 | Cunningham et al. | Nov 2014 | A1 |
| 20140380473 | Bu et al. | Dec 2014 | A1 |
| 20140380474 | Paithane et al. | Dec 2014 | A1 |
| 20150007312 | Pidathala et al. | Jan 2015 | A1 |
| 20150096022 | Vincent et al. | Apr 2015 | A1 |
| 20150096023 | Mesdaq et al. | Apr 2015 | A1 |
| 20150096024 | Haq et al. | Apr 2015 | A1 |
| 20150096025 | Ismael | Apr 2015 | A1 |
| 20150180886 | Staniford et al. | Jun 2015 | A1 |
| 20150186645 | Aziz et al. | Jul 2015 | A1 |
| 20150199513 | Ismael et al. | Jul 2015 | A1 |
| 20150199531 | Ismael et al. | Jul 2015 | A1 |
| 20150199532 | Ismael et al. | Jul 2015 | A1 |
| 20150220735 | Paithane et al. | Aug 2015 | A1 |
| 20150363598 | Xu et al. | Dec 2015 | A1 |
| 20150372980 | Eyada | Dec 2015 | A1 |
| 20160004869 | Ismael et al. | Jan 2016 | A1 |
| 20160006756 | Ismael et al. | Jan 2016 | A1 |
| 20160044000 | Cunningham | Feb 2016 | A1 |
| 20160099963 | Mahaffey et al. | Apr 2016 | A1 |
| 20160127393 | Aziz et al. | May 2016 | A1 |
| 20160191547 | Zafar et al. | Jun 2016 | A1 |
| 20160191550 | Ismael et al. | Jun 2016 | A1 |
| 20160241580 | Watters et al. | Aug 2016 | A1 |
| 20160241581 | Watters et al. | Aug 2016 | A1 |
| 20160261612 | Mesdaq et al. | Sep 2016 | A1 |
| 20160285914 | Singh et al. | Sep 2016 | A1 |
| 20160301703 | Aziz | Oct 2016 | A1 |
| 20160314301 | Johns | Oct 2016 | A1 |
| 20160323295 | Joram et al. | Nov 2016 | A1 |
| 20160335110 | Paithane et al. | Nov 2016 | A1 |
| 20170083703 | Abbasi et al. | Mar 2017 | A1 |
| 20180013770 | Ismael | Jan 2018 | A1 |
| 20180048660 | Paithane et al. | Feb 2018 | A1 |
| 20180069891 | Watters et al. | Mar 2018 | A1 |
| 20180121316 | Ismael et al. | May 2018 | A1 |
| 20180288077 | Siddiqui et al. | Oct 2018 | A1 |
| 20190104154 | Kumar et al. | Apr 2019 | A1 |
| 20190132334 | Johns et al. | May 2019 | A1 |
| 20190207966 | Vashisht et al. | Jul 2019 | A1 |
| 20190207967 | Vashisht et al. | Jul 2019 | A1 |
| 20200252428 | Gardezi et al. | Aug 2020 | A1 |
| 20210319105 | Whitmore | Oct 2021 | A1 |
| 20220116411 | Melicher | Apr 2022 | A1 |
| 20220210202 | Crabtree | Jun 2022 | A1 |
| Number | Date | Country |
|---|---|---|
| 2439806 | Jan 2008 | GB |
| 2490431 | Mar 2014 | GB |
| 0206928 | Jan 2002 | WO |
| 0223805 | Mar 2002 | WO |
| 2007117636 | Oct 2007 | WO |
| 2008041950 | Apr 2008 | WO |
| 2011084431 | Jul 2011 | WO |
| 2011112348 | Sep 2011 | WO |
| 2012075336 | Jun 2012 | WO |
| 2012145066 | Oct 2012 | WO |
| 2013067505 | May 2013 | WO |
| Entry |
|---|
| “Mining Specification of Malicious Behavior”—Jha et al, UCSB, Sep. 2007 https://www.cs.ucsb.edu/.about.chris/research/doc/esec07.sub.—mining.pdf-. |
| “Network Security: NetDetector—Network Intrusion Forensic System (NIFS) Whitepaper”, (“NetDetector Whitepaper”), (2003). |
| “When Virtual is Better Than Real”, IEEEXplore Digital Library, available at, http://ieeexplore.ieee.org/xpl/articleDetails.isp?reload=true&arnumbe- r=990073, (Dec. 7, 2013). |
| Abdullah, et al., Visualizing Network Data for Intrusion Detection, 2005 IEEE Workshop on Information Assurance and Security, pp. 100-108. |
| Adetoye, Adedayo , et al., “Network Intrusion Detection & Response System”, (“Adetoye”), (Sep. 2003). |
| Apostolopoulos, George; hassapis, Constantinos; “V-eM: A cluster of Virtual Machines for Robust, Detailed, and High-Performance Network Emulation”, 14th IEEE International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems, Sep. 11-14, 2006, pp. 117-126. |
| Aura, Tuomas, “Scanning electronic documents for personally identifiable information”, Proceedings of the 5th ACM workshop on Privacy in electronic society. ACM, 2006. |
| Baecher, “The Nepenthes Platform: An Efficient Approach to collect Malware”, Springer-verlag Berlin Heidelberg, (2006), pp. 165-184. |
| Bayer, et al., “Dynamic Analysis of Malicious Code”, J Comput Virol, Springer-Verlag, France., (2006), pp. 67-77. |
| Boubalos, Chris , “extracting syslog data out of raw pcap dumps, seclists.org, Honeypots mailing list archives”, available at http://seclists.org/honeypots/2003/q2/319 (“Boubalos”), (Jun. 5, 2003). |
| Chaudet, C. , et al., “Optimal Positioning of Active and Passive Monitoring Devices”, International Conference on Emerging Networking Experiments and Technologies, Proceedings of the 2005 ACM Conference on Emerging Network Experiment and Technology, CoNEXT '05, Toulousse, France, (Oct. 2005), pp. 71-82. |
| Chen, P. M. and Noble, B. D., “When Virtual is Better Than Real, Department of Electrical Engineering and Computer Science”, University of Michigan (“Chen”) (2001). |
| Cisco “Intrusion Prevention for the Cisco ASA 5500-x Series” Data Sheet (2012). |
| Cohen, M.I. , “PyFlag—An advanced network forensic framework”, Digital investigation 5, Elsevier, (2008), pp. S112-S120. |
| Costa, M. , et al., “Vigilante: End-to-End Containment of Internet Worms”, SOSP '05, Association for Computing Machinery, Inc., Brighton U.K., (Oct. 23-26, 2005). |
| Didier Stevens, “Malicious PDF Documents Explained”, Security & Privacy, IEEE, IEEE Service Center, Los Alamitos, CA, US, vol. 9, No. 1, Jan. 1, 2011, pp. 80-82, XP011329453, ISSN: 1540-7993, DOI: 10.1109/MSP.2011.14. |
| Distler, “Malware Analysis: An Introduction”, SANS Institute InfoSec Reading Room, SANS Institute, (2007). |
| Dunlap, George W. , et al., “ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay”, Proceeding of the 5th Symposium on Operating Systems Design and Implementation, USENIX Association, (“Dunlap”), (Dec. 9, 2002). |
| FireEye Malware Analysis & Exchange Network, Malware Protection System, FireEye Inc., 2010. |
| FireEye Malware Analysis, Modern Malware Forensics, FireEye Inc., 2010. |
| FireEye v.6.0 Security Target, pp. 1-35, Version 1.1, FireEye Inc., May 2011. |
| Goel, et al., Reconstructing System State for Intrusion Analysis, Apr. 2008 SIGOPS Operating Systems Review, vol. 42 Issue 3, pp. 21-28. |
| Gregg Keizer: “Microsoft's HoneyMonkeys Show Patching Windows Works”, Aug. 8, 2005, XP055143386, Retrieved from the Internet: URL:http://www.informationweek.com/microsofts-honeymonkeys-show-patching-windows-works/d/d-d/1035069? [retrieved on Jun. 1, 2016]. |
| Heng Yin et al, Panorama: Capturing System-Wide Information Flow for Malware Detection and Analysis, Research Showcase @ CMU, Carnegie Mellon University, 2007. |
| Hiroshi Shinotsuka, Malware Authors Using New Techniques to Evade Automated Threat Analysis Systems, Oct. 26, 2012, http://www.symantec.com/connect/blogs/, pp. 1-4. |
| Idika et al., A-Survey-of-Malware-Detection-Techniques, Feb. 2, 2007, Department of Computer Science, Purdue University. |
| Isohara, Takamasa, Keisuke Takemori, and Ayumu Kubota. “Kernel-based behavior analysis for android malware detection.” Computational intelligence and Security (CIS), 2011 Seventh International Conference on. IEEE, 2011. |
| Kaeo, Merike , “Designing Network Security”, (“Kaeo”), (Nov. 2003). |
| Kevin A Roundy et al: “Hybrid Analysis and Control of Malware”, Sep. 15, 2010, Recent Advances in Intrusion Detection, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 317-338, XP019150454 ISBN:978-3-642-15511-6. |
| Khaled Salah et al: “Using Cloud Computing to Implement a Security Overlay Network”, SECURITY & Privacy, IEEE, IEEE Service Center, Los Alamitos, CA, US, vol. 11, No. 1, Jan. 1, 2013 (Jan. 1, 2013). |
| Kim, H. , et al., “Autograph: Toward Automated, Distributed Worm Signature Detection”, Proceedings of the 13th Usenix Security Symposium (Security 2004), San Diego, (Aug. 2004), pp. 271-286. |
| King, Samuel T., et al., “Operating System Support for Virtual Machines”, (“King”), (2003). |
| Kreibich, C. , et al., “Honeycomb—Creating Intrusion Detection Signatures Using Honeypots”, 2nd Workshop on Hot Topics in Networks (HotNets-11), Boston, USA, (2003). |
| Kristoff, J. , “Botnets, Detection and Mitigation: DNS-Based Techniques”, NU Security Day, (2005), 23 pages. |
| Lastline Labs, The Threat of Evasive Malware, Feb. 25, 2013, Lastline Labs, pp. 1-8. |
| Li et al., A VMM-Based System Call Interposition Framework for Program Monitoring, Dec. 2010, IEEE 16th International Conference on Parallel and Distributed Systems, pp. 706-711. |
| Lindorfer, Martina, Clemens Kolbitsch, and Paolo Milani Comparetti. “Detecting environment-sensitive malware.” Recent Advances in Intrusion Detection. Springer Berlin Heidelberg, 2011. |
| Marchette, David J., “Computer Intrusion Detection and Network Monitoring: A Statistical Viewpoint”, (“Marchette”), (2001). |
| Moore, D. , et al., “Internet Quarantine: Requirements for Containing Self-Propagating Code”, INFOCOM, vol. 3, (Mar. 30-Apr. 3, 2003), pp. 1901-1910. |
| Morales, Jose A., et al., ““Analyzing and exploiting network behaviors of malware.””, Security and Privacy in Communication Networks. Springer Berlin Heidelberg, 2010. 20-34. |
| Mori, Detecting Unknown Computer Viruses, 2004, Springer-Verlag Berlin Heidelberg. |
| Natvig, Kurt , “SANDBOXII: Internet”, Virus Bulletin Conference, (“Natvig”), (Sep. 2002). |
| NetBIOS Working Group. Protocol Standard for a NetBIOS Service on a TCP/UDP transport: Concepts and Methods. STD 19, RFC 1001, Mar. 1987. |
| Newsome, J. , et al., “Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software”, In Proceedings of the 12th Annual Network and Distributed System Security, Symposium (NDSS '05), (Feb. 2005). |
| Nojiri, D. , et al., “Cooperation Response Strategies for Large Scale Attack Mitigation”, DARPA Information Survivability Conference and Exposition, vol. 1, (Apr. 22-24, 2003), pp. 293-302. |
| Oberheide et al., CloudAV.sub.—N-Version Antivirus in the Network Cloud, 17th USENIX Security Symposium USENIX Security '08 Jul. 28-Aug. 1, 2008 San Jose, CA. |
| Reiner Sailer, Enriquillo Valdez, Trent Jaeger, Roonald Perez, Leendert van Doorn, John Linwood Griffin, Stefan Berger., sHype: Secure Hypervisor Appraoch to Trusted Virtualized Systems (Feb. 2, 2005) (“Sailer”). |
| Silicon Defense, “Worm Containment in the Internal Network”, (Mar. 2003), pp. 1-25. |
| Singh, S. , et al., “Automated Worm Fingerprinting”, Proceedings of the ACM/USENIX Symposium on Operating System Design and Implementation, San Francisco, California, (Dec. 2004). |
| Thomas H. Placek, and Timothy N. Newsham , “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”, Secure Networks, (“Ptacek”), (Jan. 1998). |
| U.S. Appl. No. 17/133,379, filed Dec. 23, 2020 Notice of Allowance dated Jan. 24, 2022. |
| Venezia, Paul , “NetDetector Captures Intrusions”, InfoWorld Issue 27, (“Venezia”), (Jul. 14, 2003). |
| Vladimir Getov: “Security as a Service in Smart Clouds—Opportunities and Concerns”, Computer Software and Applications Conference (COMPSAC), 2012 IEEE 36th Annual, IEEE, Jul. 16, 2012 (Jul. 16, 2012). |
| Wahid et al., Characterising the Evolution in Scanning Activity of Suspicious Hosts, Oct. 2009, Third International Conference on Network and System Security, pp. 344-350. |
| Whyte, et al., “DNS-Based Detection of Scanning Works in an Enterprise Network”, Proceedings of the 12th Annual Network and Distributed System Security Symposium, (Feb. 2005), 15 pages. |
| Williamson, Matthew M., “Throttling Viruses: Restricting Propagation to Defeat Malicious Mobile Code”, ACSAC Conference, Las Vegas, NV, USA, (Dec. 2002), pp. 1-9. |
| Yuhei Kawakoya et al: “Memory behavior-based automatic malware unpacking in stealth debugging environment”, Malicious and Unwanted Software (Malware), 2010 5th International Conference on, IEEE, Piscataway, NJ, USA, Oct. 19, 2010, pp. 39-46, XP031833827, ISBN:978-1-4244-8-9353-1. |
| Zhang et al., The Effects of Threading, Infection Time, and Multiple-Attacker Collaboration on Malware Propagation, Sep. 2009, IEEE 28th International Symposium on Reliable Distributed Systems, pp. 73-82. |
| Number | Date | Country | |
|---|---|---|---|
| 62953415 | Dec 2019 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 17133379 | Dec 2020 | US |
| Child | 17902878 | US |
