-
Publication No.: US11075945B2
Publication date: 2021-07-27
Application No.: US15676859
Filing date: 2017-08-14
Applicant: FireEye, Inc.
Inventor: Osman Abdoul Ismael
Abstract: According to one embodiment, a computerized method operates by configuring a virtual machine operating within an electronic device with a first instrumentation for processing of a suspicious object. In response to detecting a type of event during processing of the suspicious object within the virtual machine, the virtual machine is automatically reconfigured with a second instrumentation that is different from the first instrumentation, in an effort to achieve reduced configuration time and/or increased effectiveness in exploit detection.
-
Publication No.: US10826933B1
Publication date: 2020-11-03
Application No.: US15258656
Filing date: 2016-09-07
Applicant: FireEye, Inc.
Inventors: Osman Abdoul Ismael, Ashar Aziz
Abstract: A technique verifies a determination of an exploit or malware in an object at a malware detection system (MDS) appliance through correlation of behavior activity of the object running on endpoints of a network. The appliance may analyze the object to render a determination that the object is suspicious and may contain the exploit or malware. In response, the MDS appliance may poll the endpoints (or receive messages pushed from the endpoints) to determine whether any of the endpoints may have analyzed the suspect object and observed its behaviors. If the object was analyzed, the endpoints may provide the observed behavior information to the appliance, which may then correlate that information, e.g., against correlation rules, to verify its determination of the exploit or malware. In addition, the appliance may task the endpoints to analyze the object, e.g., during run time, to determine whether it contains the exploit and to provide the results to the appliance for correlation.
-
Publication No.: US10592678B1
Publication date: 2020-03-17
Application No.: US15261104
Filing date: 2016-09-09
Applicant: FireEye, Inc.
Inventors: Osman Abdoul Ismael, Hendrik Tews
Abstract: The embodiments herein are directed to a technique for providing secure communication between nodes of a network environment, or within a node of the network, using a verified virtual trusted platform module (TPM) of each node. The verified virtual TPM illustratively emulates a hardware TPM device to provide software key management of the cryptographic keys used to secure communication over a computer network of the network environment. Illustratively, the verified virtual TPM is configured to enforce a security policy of a trusted code base (TCB) that includes the virtual TPM. Trustedness denotes a predetermined level of confidence that the security property is demonstrated by the verified virtual TPM. The predetermined level of confidence is based on an assurance (i.e., grounds) that the verified virtual TPM demonstrates the security property. Trustedness of the virtual TPM may be verified by subjecting the virtual TPM to enhanced verification analysis configured to ensure conformance to an operational model with an appropriate level of confidence over an appropriate range of activity. The operational model may then be configured to analyze conformance to the security property. A combination of conformance by the virtual TPM to the operational model and to the security property provides assurance (i.e., grounds) for the level of confidence and, thus, verifies trustedness.
-
Publication No.: US10476909B1
Publication date: 2019-11-12
Application No.: US15298159
Filing date: 2016-10-19
Applicant: FireEye, Inc.
Inventors: Ashar Aziz, Muhammad Amin, Osman Abdoul Ismael, Zheng Bu
Abstract: According to one embodiment, a threat detection system comprising an intrusion protection system (IPS) logic, a virtual execution logic and a reporting logic is shown. The IPS logic is configured to receive a first plurality of objects and analyze the first plurality of objects to identify a second plurality of objects as potential exploits, the second plurality of objects being a subset of the first plurality of objects and being lesser or equal in number to the first plurality of objects. The virtual execution logic includes at least one virtual machine configured to process content within each of the second plurality of objects and to monitor for anomalous behaviors during the processing that are indicative of exploits, in order to classify a first subset of the second plurality of objects as including one or more verified exploits. The reporting logic is configured to provide a display of exploit information associated with the one or more verified exploits.
-
Publication No.: US10019338B1
Publication date: 2018-07-10
Application No.: US14949770
Filing date: 2015-11-23
Applicant: FireEye, Inc.
CPC classification: G06F11/3608, G06F11/28, G06F11/36, G06F11/3604, G06F11/3612, G06F11/362, G06F11/3664, G06F21/50, G06F21/53, G06F21/54, G06F21/55, G06F21/554, G06F21/56, G06F21/563, G06F21/566, G06F21/577, G06F2221/033, G06N5/04, G06N20/00, H04L63/12, H04L63/14, H04L63/1416, H04L63/1425, H04L63/1433, H04L63/145
Abstract: An apparatus is described for detecting anomalous behavior by application software under test that suggests the presence of malware. The apparatus features a hardware processor and a storage device. The storage device stores logic that, when executed by the hardware processor, conducts an analysis of operations of the software for an occurrence of one or more events, generates a video of a display output produced by the operations of the software, and generates, for display contemporaneously with the video, a textual log including information associated with the one or more events; the textual log provides information as to when each event of the one or more events occurs within an execution flow of the operations of the software.
-
Publication No.: US09934376B1
Publication date: 2018-04-03
Application No.: US14962497
Filing date: 2015-12-08
Applicant: FireEye, Inc.
Inventor: Osman Abdoul Ismael
CPC classification: G06F9/45558, G06F8/60, G06F21/566, G06F2009/45587, G06F2009/45591
Abstract: A threat-aware virtualization module may be deployed in a malware detection appliance architecture and execute on a malware detection system (MDS) appliance to provide exploit and malware detection within a network environment. The virtualization module may underlie an operating system kernel of the MDS appliance and execute in kernel space of the architecture to control access to kernel resources of the appliance for any operating system process. A type 0 virtual machine monitor may be disposed over the virtualization module and execute in user space of the architecture as a pass-through module configured to expose the kernel resources of the appliance to the operating system kernel. One or more hypervisors, e.g., a type 1 VMM, may be further disposed over the virtualization module and execute in user space of the architecture under control of the virtualization module to support execution of one or more guest operating systems inside one or more full virtual machines.
-
Publication No.: US09912681B1
Publication date: 2018-03-06
Application No.: US14929693
Filing date: 2015-11-02
Applicant: FireEye, Inc.
Inventors: Osman Abdoul Ismael, Ashar Aziz
IPC classification: H04L29/06
CPC classification: H04L63/1425, G06F21/55, H04L63/1466
Abstract: A malware detection system (MDS) appliance is configured to inject delay associated with delivery and/or processing of communication traffic directed to one or more endpoints in a network. The appliance may be positioned within the network to intercept and analyze (e.g., replay and instrument) one or more network packets of the communication traffic to detect whether an object of the packet contains malware. However, such analysis, e.g., malware detection analysis, may require extensive processing at the appliance and, thus, consume a considerable amount of time. Accordingly, the MDS appliance may inject delay into the delivery and/or processing of the object on the endpoint until the malware detection analysis completes and the malware is validated.
-
Publication No.: US09736179B2
Publication date: 2017-08-15
Application No.: US14042489
Filing date: 2013-09-30
Applicant: FireEye, Inc.
Inventor: Osman Abdoul Ismael
CPC classification: H04L63/145, G06F21/566
Abstract: According to one embodiment, an electronic device comprises a memory to store information and a processor. The processor is adapted to receive information associated with content such as network traffic, to process the stored information and to conduct operations on the content. These operations may comprise determining, by a virtual machine processed by the processor, an occurrence of an event during malware analysis of an object associated with the content, and dynamically altering a virtual machine instrumentation of the virtual machine based on information associated with the event.
-
Publication No.: US20160004869A1
Publication date: 2016-01-07
Application No.: US14615798
Filing date: 2015-02-06
Applicant: FireEye, Inc.
Inventors: Osman Abdoul Ismael, Hendrik Tews
IPC classification: G06F21/57
CPC classification: G06F21/577
Abstract: A trusted threat-aware microvisor may be deployed as a module of a trusted computing base (TCB). The microvisor is illustratively configured to enforce a security policy of the TCB, which may be implemented as a security property of the microvisor. The microvisor may manifest (i.e., demonstrate) the security property in a manner that enforces the security policy. Trustedness denotes a predetermined level of confidence that the security property is demonstrated by the microvisor. The predetermined level of confidence is based on an assurance (i.e., grounds) that the microvisor demonstrates the security property. Trustedness of the microvisor may be verified by subjecting the TCB to enhanced verification analysis configured to ensure that the TCB conforms to an operational model with an appropriate level of confidence over an appropriate range of activity. The operational model may then be configured to analyze conformance of the microvisor to the security property. A combination of conformance by the microvisor to the operational model and to the security property provides assurance (i.e., grounds) for the level of confidence and, thus, verifies trustedness.
-
Publication No.: US20150199513A1
Publication date: 2015-07-16
Application No.: US14229533
Filing date: 2014-03-28
Applicant: FireEye, Inc.
Inventors: Osman Abdoul Ismael, Ashar Aziz
IPC classification: G06F21/55
CPC classification: G06F21/552, G06F9/45533, G06F9/45558, G06F9/5027, G06F21/53, G06F21/629, G06F2009/45587
Abstract: A threat-aware microvisor is configured to facilitate real-time security analysis, including exploit detection and threat intelligence, of operating system processes executing on a node of a network environment. The microvisor may be embodied as a module disposed or layered beneath (underlying) an operating system kernel executing on the node, thereby controlling privileges (i.e., access permissions) to kernel resources of the node, such as one or more central processing units (CPUs), network interfaces, memory, and/or devices. Illustratively, the microvisor may be configured to control access to one or more of the resources in response to a request by an operating system process to access the resource.
-