Patents Assigned to FireEye, Inc.
  • Patent number: 9888019
    Abstract: According to one embodiment, in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, any known URL links are removed from the URL links based on a list of known link signatures. For each of remaining URL links that are unknown, a link analysis is performed on the URL link based on link heuristics to determine whether the URL link is suspicious. For each of the suspicious URL links, a dynamic analysis is performed on a resource of the suspicious URL link. It is classified whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis.
    Type: Grant
    Filed: March 28, 2016
    Date of Patent: February 6, 2018
    Assignee: FireEye, Inc.
    Inventors: Vinay Pidathala, Henry Uyeno
  • Patent number: 9888016
    Abstract: Phishing detection techniques for predicting a password for decrypting an attachment for the purpose of malicious content detection are described herein. According to one embodiment, in response to a communication message, such as an electronic mail (email) message having an encrypted attachment, content of the communication message is parsed to predict a password based on a pattern of the content. The encrypted attachment is then decrypted using the predicted password to generate a decrypted attachment. Thereafter, a malicious content analysis is performed on the decrypted attachment to determine a likelihood as to whether the decrypted attachment contains malicious content.
    Type: Grant
    Filed: June 28, 2013
    Date of Patent: February 6, 2018
    Assignee: FireEye, Inc.
    Inventors: Muhammad Amin, Mohan Samuelraj, Henry Uyeno
  • Patent number: 9876701
    Abstract: An indexing arrangement enables efficient search and retrieval of indexes persistently stored in a metadata repository and used to locate packets captured from a network and persistently stored in a data repository. The packets are captured at a packet capture and retrieval system having persistent storage devices organized as files of the metadata and data repositories. Search and retrieval of the indexes within the files of the metadata repository occur at substantially a same time as one or more other captured packets is written to one or more files of the data repository to realize a substantially high sustained packet transfer rate of the network.
    Type: Grant
    Filed: July 20, 2016
    Date of Patent: January 23, 2018
    Assignee: FireEye, Inc.
    Inventors: Randy I. Caldejon, Dennis Lee Edwards, Christopher Hayes Fauerbach
  • Publication number: 20180013770
    Abstract: According to one embodiment, a computerized method operates by configuring a virtual machine operating within an electronic device with a first instrumentation for processing of a suspicious object. In response to detecting a type of event during processing of the suspicious object within the virtual machine, the virtual machine is automatically reconfigured with a second instrumentation that is different from the first instrumentation in efforts to achieve reduced configuration time and/or increased effectiveness in exploit detection.
    Type: Application
    Filed: August 14, 2017
    Publication date: January 11, 2018
    Applicant: FireEye, Inc.
    Inventor: Osman Abdoul Ismael
  • Patent number: 9846776
    Abstract: According to one embodiment, a computerized method for detecting malware is described. The method includes receiving configuration information that identifies (i) at least one type of lure data and (ii) one or more locations of a system operating within a virtual machine for placement of the lure data into the system. The lure data is configured to entice interaction with the lure data by malware associated with an object under analysis. Thereafter, the lure data is placed within the system according to the configuration information and lure data information is selectively modified. The information may include a name or content within a directory including the lure data. During processing of an object within the virtual machine, a determination is made whether the object exhibits file altering behavior based on a comparison of actions performed that are associated with the lure data and one or more known file activity patterns.
    Type: Grant
    Filed: October 31, 2016
    Date of Patent: December 19, 2017
    Assignee: FireEye, Inc.
    Inventors: Sushant Paithane, Sai Vashist, Raymond Yang, Yasir Khalid
  • Patent number: 9838417
    Abstract: According to one embodiment, a malware detection system is integrated with at least a static analysis engine and a dynamic analysis engine. The static analysis engine is configured to automatically determine an object type of a received object. The dynamic analysis engine is configured to automatically launch the object after selecting an action profile based on the object type. The dynamic analysis engine is further configured to provide simulated user interaction to the object based on the selected action profile, either in response to detecting a request for human interaction or as a result of a lapse of time since a previous simulated human interaction was provided.
    Type: Grant
    Filed: December 30, 2014
    Date of Patent: December 5, 2017
    Assignee: FireEye, Inc.
    Inventors: Yasir Khalid, Sushant Paithane, Sai Vashisht
  • Patent number: 9838411
    Abstract: A system features one or more network devices communicatively coupled to a management system. Configured to receive a portion of the network traffic, a first network device features one or more virtual machines that, based on a subscribed protection level, (i) perform network activities in response to a processing of the received portion of the analyzed network traffic, (ii) monitor behaviors of the one or more virtual machines during processing of the portion of the analyzed network traffic, (iii) determine whether the behaviors are anomalous, and (iv) generate an identifier for the portion of the analyzed network traffic associated with monitored behaviors being anomalous. The management system controls a setting of the protection level for the first network device to alter a frequency of receipt of identifiers associated with analyzed network traffic from a second network device of the one or more network devices different from the first network device.
    Type: Grant
    Filed: December 5, 2016
    Date of Patent: December 5, 2017
    Assignee: FireEye, Inc.
    Inventor: Ashar Aziz
  • Patent number: 9838408
    Abstract: In an embodiment, a system, device and method for detecting a malicious attack is described. Herein, the system includes a security network device that conducts an analysis on received network traffic to detect a suspicious object associated with the network traffic and determine an identifier associated with a source of the suspicious object. Information associated with the suspicious object and/or ancillary data, including information that identifies a return path for analysis results to a customer, are uploaded to a detection cloud. The detection cloud includes provisioning logic and one or more virtual machines that are provisioned by the provisioning logic in accordance with at least a portion of the ancillary data. The provisioning logic customizes functionality of the detection cloud for a specific customer.
    Type: Grant
    Filed: May 19, 2017
    Date of Patent: December 5, 2017
    Assignee: FireEye, Inc.
    Inventors: Shrikrishna Karandikar, Muhammad Amin, Shivani Deshpande, Yasir Khalid
  • Patent number: 9838416
    Abstract: A computer worm containment system comprises a detection system and a blocking system. The detection system orchestrates a sequence of network activities in a decoy computer network and monitors that network to identify anomalous behavior and determine whether the anomalous behavior is caused by a computer worm. The detection system can then determine an identifier of the computer worm based on the anomalous behavior. The detection system can also generate a recovery script for disabling the computer worm or repairing damage caused by the computer worm. The blocking system is configured to use the computer worm identifier to protect another computer network. The blocking system can also use the recovery script to disable a computer worm within the other network and to repair damage caused to the network by the worm.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: December 5, 2017
    Assignee: FireEye, Inc.
    Inventor: Ashar Aziz
  • Patent number: 9832212
    Abstract: An electronic message is analyzed for malware contained in the message. Text of an electronic message may be analyzed to detect and process malware content in the electronic message itself. The present technology may analyze an electronic message and attachments to electronic messages to detect a uniform resource locator (URL), identify whether the URL is suspicious, and analyze all suspicious URLs to determine if they are malware. The analysis may include re-playing the suspicious URL in a virtual environment which simulates the intended computing device to receive the electronic message. If the re-played URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system.
    Type: Grant
    Filed: June 22, 2015
    Date of Patent: November 28, 2017
    Assignee: FireEye, Inc.
    Inventors: Ashar Aziz, Henry Uyeno, Jay Manni, Amin Sukhera, Stuart Staniford
  • Patent number: 9825989
    Abstract: An early warning system and method for generating an alert regarding a potential attack on a client device, based on real-time analysis, is provided. The early warning system and method generally comprise receiving data associated with an attack alert, wherein the attack alert corresponds to an electrical signal that indicates detection of a malware attack from a remote source. The received data is analyzed using an attack-specific engine that is configured to generate an attack-specific result. An attack value is computed based on the attack-specific result and a consideration of potential attack targets, wherein the attack value is compared to a threshold value so as to determine whether or not to generate an early warning alert. An early warning alert is generated when the attack value matches or exceeds the threshold value.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: November 21, 2017
    Assignee: FireEye, Inc.
    Inventors: Divyesh Mehra, Abhishek Singh
  • Patent number: 9824209
    Abstract: A method is described that includes receiving an application and creating a representation of the application that describes states and state transitions of the application. The method further includes receiving a description of unwanted behaviors of the application. The method further includes using the description and the representation to determine actions to be added to the application and locations within the application where the actions are to be performed. The method also includes instrumenting the application with the actions in the locations to create an instrumented application that does not perform the unwanted behaviors.
    Type: Grant
    Filed: February 23, 2013
    Date of Patent: November 21, 2017
    Assignee: FireEye, Inc.
    Inventors: Osman Abdoul Ismael, Dawn Song, Ashar Aziz, Noah Johnson, Adrian Matthew Mettler
  • Patent number: 9824211
    Abstract: A system and method operable to identify and analyze persistent state information among a plurality of software-related events, and present persistent state information in a unified fashion.
    Type: Grant
    Filed: September 16, 2013
    Date of Patent: November 21, 2017
    Assignee: FireEye, Inc.
    Inventor: Theodore Wilson
  • Patent number: 9825976
    Abstract: A non-transitory computer readable storage medium having stored thereon instructions executable by a processor to perform operations including: responsive to determining that a correlation between a representation of a first portion of received network traffic and a representation of a known exploit kit results in a score above a first prescribed score value, classifying the representation of the first portion of the received network traffic into an exploit kit family corresponding to the representation of the known exploit kit; and responsive to determining that the score is below the first prescribed score value and above a second prescribed score value, (i) analyzing the representation of the first portion of the received network traffic, and (ii) processing, within a virtual machine, a second portion of the received network traffic to determine whether processing of the received network traffic results in behavior indicative of an exploit kit.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: November 21, 2017
    Assignee: FireEye, Inc.
    Inventors: Joshua Lewis Gomez, Abhishek Singh
  • Patent number: 9824216
    Abstract: A computerized technique wherein a received object is analyzed using a plurality of information sources to determine context information, wherein one information source comprises configuration information determined from a client device. One or more software profiles are generated based on the context information in order to provision one or more virtual machines of a dynamic analysis logic system. One or more work orders are generated based on the one or more software profiles. A priority order is assigned to the one or more software profiles. A dynamic analysis is scheduled based on the work orders and the assigned priority order to determine one or more susceptible software environments, and an alert is generated comprising information to update one or more susceptible environments in real time.
    Type: Grant
    Filed: December 31, 2015
    Date of Patent: November 21, 2017
    Assignee: FireEye, Inc.
    Inventors: Yasir Khalid, Shivani Deshpande
  • Patent number: 9792196
    Abstract: A method is described that includes receiving an application and generating a representation of the application that describes specific states of the application and specific state transitions of the application. The method further includes identifying a region of interest of the application based on rules and observations of the application's execution. The method further includes determining specific stimuli that will cause one or more state transitions within the application to reach the region of interest. The method further includes enabling one or more monitors within the application's run time environment and applying the stimuli. The method further includes generating monitoring information from the one or more monitors. The method further includes applying rules to the monitoring information to determine a next set of stimuli to be applied to the application in pursuit of determining whether the region of interest corresponds to improperly behaving code.
    Type: Grant
    Filed: November 2, 2015
    Date of Patent: October 17, 2017
    Assignee: FireEye, Inc.
    Inventors: Osman Abdoul Ismael, Dawn Song, Ashar Aziz, Noah Johnson, Prashanth Mohan, Hui Xue
  • Patent number: 9787706
    Abstract: A modularized architecture using vertical partitioning of a database is configured to store object metadata and processing results of one or more objects analyzed by a state machine, such as an analysis engine of a malware detection system. The database may include data structures, such as one or more master blocks, state sub-blocks, and state co-tables, as well as state transition queues. The modularized architecture may organize the database as one or more stages of the state machine, such that each stage corresponds to a module of the state machine, wherein the module generates results that are stored in its associated state co-table, which then provides information for a next stage. Each next stage may have a dependency on the one or more prior stages that provide input for execution of the next stage module.
    Type: Grant
    Filed: September 1, 2016
    Date of Patent: October 10, 2017
    Assignee: FireEye, Inc.
    Inventors: Alexander Otvagin, Vineet Kumar, Arsen Movsesyan
  • Patent number: 9787700
    Abstract: According to one embodiment, a system features analysis circuitry and detection circuitry. The analysis circuitry features a first processing unit and a first memory that includes a filtering logic configured to produce a second plurality of objects from a received first plurality of objects. The second plurality of objects is a subset of the first plurality of objects. The detection circuitry is communicatively coupled to and remotely located from the analysis circuitry. The detection circuitry includes a second processing unit and a second memory. The second memory includes a virtual execution logic to process content within at least a first object of the second plurality of objects. The virtual execution logic is configured to monitor for behaviors, during the processing of the first object, and determine whether any or all of the monitored behaviors correspond to activities indicative that the first object is associated with a malicious attack.
    Type: Grant
    Filed: March 6, 2017
    Date of Patent: October 10, 2017
    Assignee: FireEye, Inc.
    Inventors: Muhammad Amin, Masood Mehmood, Ramaswamy Ramaswamy, Madhusudan Challa, Shrikrishna Karandikar
  • Patent number: 9781144
    Abstract: A malware detection system may be configured to enhance analysis of an object when determining whether results for a previously analyzed object may be applied to the object. The enhanced analysis may employ context factors pertaining to an environment within which the objects operate. If an object identifier (ID) of the object matches the object ID of the previously analyzed object, but one or more of the context factors differ, then the results from the previously analyzed object may not be applied to the object and the object is subjected to further analysis, e.g., behavioral analysis. Yet if the context factors do not differ, then the object may be deemed a duplicate of the previously analyzed object, such that a result (such as an alert or “no action”) of the previously analyzed object may be applied to the object.
    Type: Grant
    Filed: September 30, 2014
    Date of Patent: October 3, 2017
    Assignee: FireEye, Inc.
    Inventors: Alexander Otvagin, Vineet Kumar, Arsen Movsesyan
  • Patent number: 9773112
    Abstract: According to one embodiment, a computerized method comprises: accessing information associated with one or more observed events, wherein one or more of the observed events constitutes an anomalous behavior; accessing a reference model based on a first plurality of events, the reference model comprising a first event of the first plurality of events, a second event of the first plurality of events, and a relationship that identifies that the second event of the first plurality of events is based on the first event of the first plurality of events, wherein at least one of the first event and the second event constitutes an anomalous behavior; and comparing the information associated with the one or more observed events with the reference model to determine whether at least one observed event of the one or more observed events matches at least one of the first event of the first plurality of events or the second event of the first plurality of events that constitutes the anomalous behavior.
    Type: Grant
    Filed: September 29, 2014
    Date of Patent: September 26, 2017
    Assignee: FireEye, Inc.
    Inventors: Hirendra Rathor, Kaushal Dalal