System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits

    Publication No.: US10476909B1

    Publication date: 2019-11-12

    Application No.: US15298159

    Filing date: 2016-10-19

    Applicant: FireEye, Inc.

    IPC classification: G06F21/56 H04L29/06 G06F9/455

    Abstract: According to one embodiment, a threat detection system comprising intrusion protection system (IPS) logic, virtual execution logic and reporting logic is shown. The IPS logic is configured to receive a first plurality of objects and analyze the first plurality of objects to identify a second plurality of objects as potential exploits, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects. The virtual execution logic includes at least one virtual machine configured to process content within each of the second plurality of objects and monitor for anomalous behaviors during the processing that are indicative of exploits, in order to classify a first subset of the second plurality of objects as including one or more verified exploits. The reporting logic is configured to provide a display of exploit information associated with the one or more verified exploits.

    System and method for classifying an object based on an aggregated behavior results

    Publication No.: US10432649B1

    Publication date: 2019-10-01

    Application No.: US14997443

    Filing date: 2016-01-15

    Applicant: FireEye, Inc.

    Abstract: Techniques for detecting malicious behavior of content (an object) are described herein. An object is processed within a virtual machine. Responsive to receiving the result of the processing (a response object), a parser parses the response object into a plurality of sub-objects. The plurality of sub-objects include a first sub-object and a second sub-object. A first behavior match result is determined based, at least in part, on whether information within the first sub-object corresponds to identifiers associated with malicious activity. Also, a second behavior match result is determined based, at least in part, on whether information within the second sub-object corresponds to identifiers associated with malicious activity. Thereafter, the first and second behavior match results are aggregated to produce an aggregated result, and a malicious behavior score is calculated based, at least in part, on the aggregated result. The object is classified according to the malicious behavior score.

    System and method for run-time object classification

    Publication No.: US09747446B1

    Publication date: 2017-08-29

    Application No.: US14228094

    Filing date: 2014-03-27

    Applicant: FireEye, Inc.

    IPC classification: G06F21/56

    CPC classification: G06F21/566 G06F21/56

    Abstract: One embodiment of an electronic device comprises a processor and a memory accessible by the processor. The memory comprises virtual execution logic and run-time classifier logic. The virtual execution logic includes at least one virtual machine that is configured to virtually process content within an object under analysis and monitor for anomalous behaviors during the virtual processing that are indicative of malware. The run-time classifier logic performs, during run-time, a first analysis on the monitored anomalous behaviors and a pre-stored identifier to determine if the monitored anomalous behaviors indicate that the object is malware belonging to a classified malware family. The pre-stored identifier is a collection of data associated with anomalous behaviors that uniquely identify the malware family.

    System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits
    4. Granted patent, in force

    Publication No.: US09306974B1

    Publication date: 2016-04-05

    Application No.: US14620055

    Filing date: 2015-02-11

    Applicant: FireEye, Inc.

    IPC classification: G08B23/00 G06F17/00 H04L29/06

    Abstract: A threat detection system that integrates intrusion protection system (IPS) logic, virtual execution logic and reporting logic is shown. The IPS logic is configured to identify a first plurality of objects as suspicious objects and to output information associated with the suspicious objects. The virtual execution logic is configured to receive the suspicious objects and verify whether any of the suspicious objects is an exploit. The virtual execution logic includes at least one virtual machine configured to virtually process content within the suspicious objects and monitor for anomalous behaviors during the virtual processing that are indicative of exploits. The reporting logic is configured to issue a report including the information associated with the suspicious objects from the IPS logic and the results of the virtual processing of the content within the suspicious objects.

    System and method for network behavior detection
    5. Granted patent, in force

    Publication No.: US09241010B1

    Publication date: 2016-01-19

    Application No.: US14221199

    Filing date: 2014-03-20

    Applicant: FireEye, Inc.

    IPC classification: G06F12/16 G06F11/30 H04L29/06

    Abstract: Techniques for detecting malicious behavior of content or objects are described herein. According to one embodiment, a malicious content suspect is executed within a virtual machine that simulates a target operating environment associated with the malicious content suspect. A communication response object is received as a result of processing the malicious content suspect. A first behavior match result for a first sub-object of the communication response object is determined. A second behavior match result for a second sub-object of the communication response object is also determined. The first and second behavior match results are aggregated and a malicious behavior score is calculated according to the aggregated result from all matches. The malicious content suspect is classified according to the malicious behavior score.

    SYSTEM, APPARATUS AND METHOD FOR AUTOMATICALLY VERIFYING EXPLOITS WITHIN SUSPECT OBJECTS AND HIGHLIGHTING THE DISPLAY INFORMATION ASSOCIATED WITH THE VERIFIED EXPLOITS
    6. Patent application, in force

    Publication No.: US20150186645A1

    Publication date: 2015-07-02

    Application No.: US14228073

    Filing date: 2014-03-27

    Applicant: FireEye, Inc.

    IPC classification: G06F21/56

    Abstract: According to one embodiment, a threat detection system is integrated with intrusion protection system (IPS) logic and virtual execution logic. The IPS logic is configured to receive a first plurality of objects and filter the first plurality of objects by identifying a second plurality of objects as suspicious objects. The second plurality of objects is a subset of the first plurality of objects and is lesser or equal in number to the first plurality of objects. The virtual execution logic is configured to automatically verify whether any of the suspicious objects is an exploit. The virtual execution logic comprises at least one virtual machine configured to virtually process content within the suspicious objects and monitor for anomalous behaviors during the virtual processing that are indicative of exploits.

    Zero-day discovery system
    7. Granted patent

    Publication No.: US10133863B2

    Publication date: 2018-11-20

    Application No.: US13925688

    Filing date: 2013-06-24

    Applicant: FireEye, Inc.

    Inventors: Zheng Bu; Yichong Lin

    Abstract: A method for determining a zero-day attack by an electronic device is described. According to one embodiment, the method comprises instantiating, by the electronic device, at least one virtual machine, the at least one virtual machine being based on a fortified software profile. The method further comprises executing content capable of behaving as an exploit on the at least one virtual machine, and determining that the exploit is associated with a zero-day exploit when the exploit, upon execution of the content on the at least one virtual machine, performs an undesired behavior.

    System and method for detecting malicious activity and classifying a network communication based on different indicator types

    Publication No.: US10033753B1

    Publication date: 2018-07-24

    Application No.: US15495629

    Filing date: 2017-04-24

    Applicant: FireEye, Inc.

    Inventors: Ali Islam; Zheng Bu

    IPC classification: H04L29/06

    Abstract: One embodiment of a method for detecting a cyber-attack features first and second analyses. The first analysis is conducted on content of a communication to determine at least a first high quality indicator. The first high quality indicator represents a first probative value for classification. The second analysis is conducted on metadata related to the content to determine supplemental indicator(s). Each of the supplemental indicator(s) is represented by a probative value for classification. The communication is classified as being part of the cyber-attack when the first probative value exceeds a predetermined threshold, without consideration of the corresponding probative values for the supplemental indicator(s). When the first high quality indicator fails to classify the network communication, the corresponding probative values associated with the one or more supplemental indicators are used together with at least the first probative value to classify the network communication as being part of the cyber-attack.

    System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits

    Publication No.: US11089057B1

    Publication date: 2021-08-10

    Application No.: US16679030

    Filing date: 2019-11-08

    Applicant: FireEye, Inc.

    Abstract: According to one embodiment, a threat detection system comprising intrusion protection system (IPS) logic, virtual execution logic and reporting logic is shown. The IPS logic is configured to receive a first plurality of objects and analyze the first plurality of objects to identify a second plurality of objects as potential exploits, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects. The virtual execution logic includes at least one virtual machine configured to process content within each of the second plurality of objects and monitor for anomalous behaviors during the processing that are indicative of exploits, in order to classify a first subset of the second plurality of objects as including one or more verified exploits. The reporting logic is configured to provide a display of exploit information associated with the one or more verified exploits.

    System and method for generating a malware identifier

    Publication No.: US10467411B1

    Publication date: 2019-11-05

    Application No.: US15688727

    Filing date: 2017-08-28

    Applicant: FireEye, Inc.

    IPC classification: G06F21/56

    Abstract: One embodiment of the disclosure is directed to a method for generating an identifier for use in malware detection. Herein, a first plurality of indicators of compromise are obtained. These indicators of compromise correspond to a plurality of anomalous behaviors. Thereafter, a filtering operation is performed on the first plurality of indicators of compromise by removing one or more indicators of compromise from the first plurality of indicators of compromise to create a second plurality of indicators of compromise. The identifier represented by the second plurality of indicators of compromise is created.