Abstract:
Computerized techniques to determine and verify maliciousness of an object are described. A malware detection system intercepts in-bound network traffic at a periphery of a network to capture and analyze behaviors of content of network traffic monitored during execution in a virtual machine. One or more endpoint devices on the network also monitor for behaviors during normal processing. Correlation of the behaviors captured by the malware detection system and the one or more endpoint devices may verify a classification by the malware detection system of maliciousness of the content. The malware detection system may communicate with the one or more endpoint devices to influence detection and reporting of behaviors by those device(s).
Abstract:
A system for detecting malware is described. The system features a traffic analysis device and a network device. The traffic analysis device is configured to receive data over a communication network, selectively filter the data, and output a first portion of the data to the network device. The network device is communicatively coupled with and remotely located from the traffic analysis device. The network device features software that, upon execution, (i) monitors behaviors of one or more virtual machines processing the first portion of the data received as output from the traffic analysis device, and (ii) detects, based on the monitored behaviors, a presence of malware in the first virtual machine.
Abstract:
A system and method are disclosed for network-based file analysis for malware detection. Network content is received from a network tap. A binary packet is identified in the network content. A binary file, including the binary packet, is extracted from the network content. It is determined whether the extracted binary file is detected to be malware.
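The pipeline this abstract describes (reassemble network content, identify a binary packet, carve the binary file, hand it to a detection stage) as an added worked example. This is illustrative code written for this page, not code from the patent or its assignee; the PE header check, the HTTP Content-Length carving, the hash-blocklist verdict and the constructed sample stream are all assumptions made here, and the "executable" is a fake header with no code in it.

```python
import hashlib
import re
import struct


def build_fake_pe():
    """Constructed stand-in for a PE file: valid MZ/PE signatures, no executable code."""
    dos = bytearray(b"MZ" + b"\x00" * 62)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew -> PE signature at offset 0x40
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20 + b"constructed-sample-body"


def looks_like_pe(payload):
    """Identify a 'binary packet': payload starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(payload) < 0x40 or payload[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", payload, 0x3C)[0]
    return payload[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def reassemble(packets):
    """Order captured TCP segments by sequence number; the tap may deliver them out of order."""
    return b"".join(p["payload"] for p in sorted(packets, key=lambda p: p["seq"]))


def extract_binary_file(stream):
    """Split an HTTP response, check the body begins with a binary packet, carve Content-Length bytes."""
    hdr_end = stream.find(b"\r\n\r\n")
    if hdr_end < 0:
        return None
    headers, body = stream[:hdr_end], stream[hdr_end + 4:]
    m = re.search(rb"Content-Length:\s*(\d+)", headers, re.I)
    if not m:
        return None
    length = int(m.group(1))
    if len(body) < length or not looks_like_pe(body[:length]):
        return None
    return body[:length]


def classify(file_bytes, known_bad_hashes):
    """Detection stage, kept minimal here: a SHA-256 lookup against a (constructed) blocklist."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    return ("malware" if digest in known_bad_hashes else "unknown", digest)


def demo():
    """Constructed capture: an HTTP response carrying the fake PE, segmented and delivered reversed."""
    pe = build_fake_pe()
    response = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                + b"Content-Length: %d\r\n\r\n" % len(pe) + pe)
    chunks = [response[i:i + 40] for i in range(0, len(response), 40)]
    packets = [{"seq": i * 40, "payload": c} for i, c in enumerate(chunks)][::-1]
    carved = extract_binary_file(reassemble(packets))
    blocklist = {hashlib.sha256(pe).hexdigest()}   # constructed: our own sample is "known bad"
    return carved, classify(carved, blocklist)


if __name__ == "__main__":
    carved, (verdict, digest) = demo()
    print(len(carved), verdict, digest)
```

The carving is keyed on the declared Content-Length so that trailing bytes of the stream (or a following response) are not swept into the file; a real deployment would also need to handle chunked encoding and files that do not start on a segment boundary.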
Abstract:
A system and method for detecting malicious activity within a Portable Document Format (PDF) document. The system includes a parser and one or more virtual machines. The parser, when executed by a hardware processor, examines one or more portions of the PDF document to determine if one or more suspicious characteristics indicative of malicious network content are included in the one or more examined portions of the PDF document. The examined portion(s) in total are less than an entirety of the PDF document. The virtual machine(s) are adapted to receive the PDF document in response to the one or more examined portions of the PDF document being determined to include one or more suspicious characteristics indicative of malicious network content. The virtual machine(s) process at least the one or more examined portions of the PDF document so as to determine whether the PDF document includes malicious network content.
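The pre-screening step in this abstract (examine only part of the PDF, decide whether to forward it to a virtual machine) as an added example written for this page; it is not the patent's parser. The choice of head/tail windows, the list of suspicious name keys, the hex-escaped-name check and the two constructed PDF documents are assumptions made here.

```python
import re

# Constructed heuristic list: PDF name keys that commonly mark active content.
SUSPICIOUS_KEYS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]
HEAD_BYTES = 4096   # only the first and last few KiB are examined, not the whole file
TAIL_BYTES = 2048


def prescreen_pdf(data):
    """Examine the head and tail of a PDF; return (suspicious characteristics, bytes examined)."""
    if not data.startswith(b"%PDF-"):
        return ["not-a-pdf-header"], min(len(data), HEAD_BYTES)
    head = data[:HEAD_BYTES]
    tail = data[-TAIL_BYTES:] if len(data) > HEAD_BYTES else b""
    examined = head + tail
    found = []
    for key in SUSPICIOUS_KEYS:
        # Require the name to end after the key so /JS does not match /JSomethingElse.
        if re.search(re.escape(key) + rb"(?![A-Za-z])", examined):
            found.append(key.decode())
    # Hex-escaped name characters (e.g. /Java#53cript) are a common way to hide those keys.
    if re.search(rb"/[A-Za-z]*#[0-9A-Fa-f]{2}", examined):
        found.append("hex-escaped-name")
    return found, len(examined)


def should_forward_to_vm(data):
    """Forward only documents whose examined portions show a suspicious characteristic."""
    found, _ = prescreen_pdf(data)
    return bool(found)


def build_pdf(extra_catalog=b"", pad=10000):
    """Constructed minimal PDF; the padding comment stands in for page content."""
    doc = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R " + extra_catalog + b" >>\nendobj\n"
    doc += b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    doc += b"% " + b"A" * pad + b"\n"
    doc += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return doc


BENIGN_PDF = build_pdf()
SUSPICIOUS_PDF = build_pdf(b"/OpenAction << /S /JavaScript /JS (x) >>")

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        found, n = prescreen_pdf(doc)
        print(name, found, f"{n}/{len(doc)} bytes examined", "forward" if should_forward_to_vm(doc) else "skip")
```

Because only the head and tail are read, the check is cheap enough to run inline on traffic, and anything it flags is handed to the more expensive virtual-machine stage rather than being blocked on the heuristic alone.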
Abstract:
A micro-virtualization architecture deploys a threat-aware microvisor as a module of a virtualization system configured to facilitate real-time security analysis, including exploit detection and threat intelligence, of operating system processes executing in a memory of a node in a network environment. The micro-virtualization architecture organizes the memory as a user space and kernel space, wherein the microvisor executes in the kernel space of the architecture, while the operating system processes, an operating system kernel, a virtual machine monitor (VMM) and its spawned virtual machines (VMs) execute in the user space. Notably, the microvisor executes at the highest privilege level of a central processing unit of the node to virtualize access to kernel resources. The operating system kernel executes under control of the microvisor at a privilege level lower than a highest privilege level of the microvisor. The VMM and its spawned VMs execute at the highest privilege level of the microvisor.
Abstract:
A system features one or more network devices communicatively coupled to a management system. Configured to receive a portion of the network traffic, a first network device features one or more virtual machines that, based on a subscribed protection level, (i) perform network activities in response to a processing of the received portion of the analyzed network traffic, (ii) monitor behaviors of the one or more virtual machines during processing of the portion of the analyzed network traffic, (iii) determine whether the behaviors are anomalous, and (iv) generate an identifier for the portion of the analyzed network traffic associated with monitored behaviors being anomalous. The management system controls a setting of the protection level for the first network device to alter a frequency of receipt of identifiers associated with analyzed network traffic from a second network device of the one or more network devices different from the first network device.
Abstract:
A method is described that includes receiving an application and generating a representation of the application that describes specific states of the application and specific state transitions of the application. The method further includes identifying a region of interest of the application based on rules and observations of the application's execution. The method further includes determining specific stimuli that will cause one or more state transitions within the application to reach the region of interest. The method further includes enabling one or more monitors within the application's run time environment and applying the stimuli. The method further includes generating monitoring information from the one or more monitors. The method further includes applying rules to the monitoring information to determine a next set of stimuli to be applied to the application in pursuit of determining whether the region of interest corresponds to improperly behaving code.
Abstract:
A threat-aware microvisor is configured to facilitate real-time security analysis, including exploit detection and threat intelligence, of operating system processes executing on a node of a network environment. The microvisor may be embodied as a module disposed or layered beneath (underlying) an operating system kernel executing on the node to thereby control privileges (i.e., access permissions) to kernel resources, such as one or more central processing units (CPUs), network interfaces, memory, and/or devices, of the node. Illustratively, the microvisor may be configured to control access to one or more of the resources in response to a request by an operating system process to access the resource.
Abstract:
A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. In various embodiments, the computer worm may be transported from a production network, where the computer worm is not readily identifiable, to an alternate network in the worm sensor where the computer worm may be readily identifiable. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems.
Abstract:
Techniques may automatically detect bots or botnets running in a computer or other digital device by detecting command and control communications, called “call-backs,” from malicious code that has previously gained entry into the digital device. Callbacks are detected using a distributed approach employing one or more local analyzers and a central analyzer. The local analyzers capture packets of outbound communications, generate header signatures, and analyze the captured packets using various techniques. The techniques may include packet header signature matching against verified callback signatures and deep packet inspection. The central analyzer receives the header signatures and related header information from the local analyzers, may perform further analysis (for example, on-line host reputation analysis); determines using a heuristics analysis whether the signatures correspond to callbacks; and generally coordinates among the local analyzers.
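The local/central split this abstract describes, as an added example written for this page rather than the patent's implementation: local analyzers derive a signature from header fields only and match it against verified callback signatures; the central analyzer aggregates those reports and applies heuristics (host reputation, beacon regularity, how many analyzers saw the same signature). The signature fields, the scoring weights, the reputation table and all traffic below are constructed assumptions; hostnames use the reserved `.invalid` suffix.

```python
import hashlib
import statistics
from collections import defaultdict


def header_signature(pkt):
    """Signature over header fields only (no payload): destination port, HTTP Host, User-Agent."""
    key = f"{pkt['dport']}|{pkt['host']}|{pkt['ua']}".encode()
    return hashlib.sha256(key).hexdigest()[:16]


# Constructed "verified" callback signature for a hypothetical C2 profile (not a real indicator).
VERIFIED_CALLBACK_SIGS = {
    header_signature({"dport": 8080, "host": "c2.example.invalid", "ua": "bot/1.0"}),
}


class LocalAnalyzer:
    """Captures outbound packets, generates header signatures, matches verified signatures."""

    def __init__(self, name):
        self.name = name

    def analyze(self, packets):
        reports = []
        for p in packets:
            sig = header_signature(p)
            reports.append({"analyzer": self.name, "sig": sig, "host": p["host"],
                            "ts": p["ts"], "matched": sig in VERIFIED_CALLBACK_SIGS})
        return reports


class CentralAnalyzer:
    """Receives local reports and decides by heuristics whether a signature is a callback."""

    def __init__(self, reputation):
        self.reputation = reputation            # constructed stand-in for on-line host reputation
        self.reports = defaultdict(list)

    def receive(self, reports):
        for r in reports:
            self.reports[r["sig"]].append(r)

    def verdicts(self):
        out = {}
        for sig, rs in self.reports.items():
            score = 0
            if any(r["matched"] for r in rs):
                score += 3                      # a local analyzer matched a verified signature
            host = rs[0]["host"]
            if self.reputation.get(host) == "bad":
                score += 2                      # host reputation
            ts = sorted(r["ts"] for r in rs)
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            if len(gaps) >= 3 and statistics.pstdev(gaps) <= 0.1 * statistics.mean(gaps):
                score += 2                      # near-constant interval: beaconing
            if len({r["analyzer"] for r in rs}) > 1:
                score += 1                      # same signature reported from several analyzers
            out[host] = ("callback" if score >= 3 else "benign", score)
        return out


def detect_callbacks(packet_sets, reputation):
    """Run each local analyzer over its packets, feed the central analyzer, return verdicts per host."""
    central = CentralAnalyzer(reputation)
    for name, packets in packet_sets.items():
        central.receive(LocalAnalyzer(name).analyze(packets))
    return central.verdicts()


def demo():
    """Constructed outbound traffic from two local analyzers (timestamps in seconds)."""
    def beacons(host, dport, ua, start, period, n):
        return [{"dport": dport, "host": host, "ua": ua, "ts": start + i * period} for i in range(n)]

    packet_sets = {
        "analyzer-A": beacons("c2.example.invalid", 8080, "bot/1.0", 0, 60, 4)
        + beacons("new.example.invalid", 443, "svc/2", 0, 60, 4)
        + [{"dport": 80, "host": "cdn.example.invalid", "ua": "Mozilla/5.0", "ts": t} for t in (5, 7, 40, 41)],
        "analyzer-B": beacons("c2.example.invalid", 8080, "bot/1.0", 30, 60, 4)
        + beacons("new.example.invalid", 443, "svc/2", 30, 60, 4),
    }
    return detect_callbacks(packet_sets, {"c2.example.invalid": "bad"})


if __name__ == "__main__":
    for host, (verdict, score) in demo().items():
        print(f"{host:22} {verdict:8} score={score}")
```

The `new.example.invalid` case is the one the abstract's heuristic stage exists for: no verified signature and no reputation hit, yet the central analyzer still flags it because two analyzers see the same signature at a fixed interval, something no single local analyzer could conclude on its own.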