US2017054754A1PendingUtilityA1
Malware and exploit campaign detection system and method
Est. expirySep 11, 2033(~7.2 yrs left)· nominal 20-yr term from priority
G06F 17/30864H04L 63/1416H04L 63/0272H04L 63/1491G06F 16/951G06F 21/566G06F 21/56G06F 21/53H04L 63/1466
46
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
A malware and exploit campaign detection system and method are provided that cannot be detected by the malware or exploit campaign. The system may provide threat feed data to the vendors that produce in-line network security and end point protection (anti virus) technologies. The system may also be used as a testing platform for 3 rd party products. Due to the massive footprint of the system's cloud infrastructure and disparate network connections and geo-location obfuscation techniques, NSS can locate and monitor malware across the globe and provide detailed threat analysis for each specific region, as they often support and host different malware/cybercrime campaigns.
Claims
exact text as granted — not AI-modified1 . A malware and exploit campaign detection system, comprising:
a plurality of computer systems; a capture stack, implemented on the computer system, that is configured to identify a plurality of malicious uniform resource locators that each have a piece of malicious code; a replay stack, implemented on the computer systems, that is configured to test each piece of malicious code from the capture stack in a live environment using a victim by accessing the malicious uniform resource locator and to generate data about the replay of each piece of malicious code, each victim having a configuration of an operating system, a browser and at least one application that is exploitable by an exploit; and wherein the capture stack has a scout process that gathers the plurality of malicious uniform resource locators and that sends each malicious uniform resource locator to a particular victim of the replay stack.
2 . The system of claim 1 , wherein the scout process defines a first tier comprising a set of victims of the replay stack with each victim having a combination of an operating system, a browser and one or more applications that are targeted by an exploit, each first tier victim testing the uniform resource locators assigned to that first tier victim to identify a plurality of first level malicious uniform resource locators, wherein each first level malicious uniform resource locator exploits the combination of the operating system, the browser and the one or more applications on the first tier victims.
3 . The system of claim 2 , wherein the scout process defines a second tier comprising a set of victims of the replay stack with each victim having a combination of an operating system, a browser and one application that are targeted by an exploit, each second tier victim testing a first level malicious uniform resource locator identified by the first tier to identify a plurality of second level malicious uniform resource locators from the first level malicious uniform resource locators, wherein each second level malicious uniform resource locator exploits the one application.
4 . The system of claim 3 , wherein the scout process defines a third tier comprising a set of victims of the replay stack with each victim having a combination of the same operating system and browser as the second tier victim that identified the second level malicious uniform resource locator and a different version of the application of the second tier victim, each third tier victim testing a second level malicious uniform resource locator identified by the second tier to identify a plurality of third level malicious uniform resource locators from the second level malicious uniform resource locators wherein each third level malicious uniform resource locator exploits the different version of the application.
5 . The system of claim 1 further comprising a proxy stack that is configured to perform testing of the piece of malicious code without accessing the uniform resource locator and a master hypervisor controller that controls the capture stack, the replay stack and the proxy stack.
6 . The system of claim 5 , wherein the capture stack, the replay stack and the proxy stack run in parallel.
7 . The system of claim 5 further comprising a zero day module that identifies zero day attacks.
8 . The system of claim 1 , wherein the capture stack is configured to create a copy of the piece of malicious code and catalogs operating system changes caused by the piece of malicious code.
9 . The system of claim 1 , wherein the capture stack is configured to capture communications with the plurality of computer systems.
10 . The system of claim 5 , wherein each stack is one or more server computers.
11 . The system of claim 10 , wherein each stack has a virtual machine.
12 . A method for malware and exploit campaign detection, comprising:
identifying a plurality of malicious uniform resource locators wherein each malicious uniform resource locator contains a piece of malicious code; sending each of the plurality of malicious uniform resource locator to each of a plurality of victims, each victim having a configuration with an operating system, a browser and at least one application that are exploitable by an exploit of a malicious uniform resource locator; testing, at each victim, each of the plurality of malicious uniform resource locators in a live environment; and generating data about the replay of the malicious uniform resource locator and the piece of malicious code.
13 . The method of claim 12 , wherein testing the plurality of uniform resource locators further comprises accessing each uniform resource locator using a first tier victim that has a combination of an operating system, a browser and one or more applications that are targeted by an exploit and identifying a plurality of first level malicious uniform resource locators, wherein each first level malicious uniform resource locator exploits the combination of the operating system, the browser and the one or more applications on the first tier victims.
14 . The method of claim 13 , wherein testing the plurality of uniform resource locators further comprises accessing each uniform resource locator using a second tier victim that has a combination of an operating system, a browser and one application that are targeted by an exploit and identifying a plurality of second level malicious uniform resource locators from the first level malicious uniform resource locators, wherein each second level malicious uniform resource locator exploits the one application of the second tier victim.
15 . The method of claim 14 , wherein testing the plurality of uniform resource locators further comprises accessing each uniform resource locator using a third tier victim that has a combination of the same operating system and browser as the second tier victims and a different version of the application of the second tier victim and identifying a plurality of third level malicious uniform resource locators from the second level malicious uniform resource locators wherein each third level malicious uniform resource locator exploits the different version of the application of the third tier victim.
16 . The method of claim 12 further comprising performing testing of the piece of malicious code without accessing the uniform resource locator.
17 . The method of claim 16 further comprising identifying a zero day attack.
18 . The method of claim 12 further comprising creating a copy of the piece of malicious code and cataloging operating system changes caused by the piece of malicious code.
19 . The method of claim 12 further comprising capturing communications with the plurality of computer systems.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.