Abstract: A system features one or more network devices communicatively coupled to a management system. Configured to receive a portion of the network traffic, a first network device features one or more virtual machines that, based on a subscribed protection level, (i) perform network activities in response to a processing of the received portion of the analyzed network traffic, (ii) monitor behaviors of the one or more virtual machines during processing of the portion of the analyzed network traffic, (iii) determine whether the behaviors are anomalous, and (iv) generate an identifier for the portion of the analyzed network traffic associated with monitored behaviors being anomalous. The management system controls a setting of the protection level for the first network device to alter a frequency of receipt of identifiers associated with analyzed network traffic from a second network device of the one or more network devices different from the first network device.

Abstract: An electronic message is analyzed for malware contained in the message. Text of an electronic message may be analyzed to detect and process malware content in the electronic message itself. The present technology may analyze an electronic message and attachments to electronic messages to detect a uniform resource location (URL), identify whether the URL is suspicious, and analyze all suspicious URLs to determine if they are malware. The analysis may include re-playing the suspicious URL in a virtual environment which simulates the intended computing device to receive the electronic message. If the re-played URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system.

Abstract: A method is described that includes receiving an application and creating a representation of the application that describes states and state transitions of the application. The method further includes receiving a description of unwanted behaviors of the application. The method further includes using the description and the representation to determine actions to be added to the application and locations within the application where the actions are to be performed. The method also includes instrumenting the application with the actions in the locations to create an instrumented application that does not perform the unwanted behaviors.

Abstract: A method is described that includes receiving an application and generating a representation of the application that describes specific states of the application and specific state transitions of the application. The method further includes identifying a region of interest of the application based on rules and observations of the application's execution. The method further includes determining specific stimuli that will cause one or more state transitions within the application to reach the region of interest. The method further includes enabling one or more monitors within the application's run time environment and applying the stimuli. The method further includes generating monitoring information from the one or more monitors. The method further includes applying rules to the monitoring information to determine a next set of stimuli to be applied to the application in pursuit of determining whether the region of interest corresponds to improperly behaving code.

Abstract: A threat detection system is integrated with intrusion protection system (IPS) logic and virtual execution logic is shown. The IPS logic is configured to receive a first plurality of objects and filter the first plurality of objects by identifying a second plurality of objects as suspicious objects. The second plurality of objects is a subset of the first plurality of objects and is lesser or equal in number to the first plurality of objects. The virtual execution logic is configured to automatically verify whether any of the suspicious objects is an exploit. The virtual execution logic comprises at least one virtual machine configured to virtually process content within the suspicious objects and monitor for anomalous behaviors during the virtual processing that are indicative of exploits.

Abstract: One embodiment of an electronic device comprises a processor and a memory accessible by the processor. The memory comprises virtual execution logic and run-time classifier logic. The virtual execution logic includes at least one virtual machine that is configured to virtually process content within an object under analysis and monitor for anomalous behaviors during the virtual processing that are indicative of malware. The run-time classifier logic performs, during run-time, a first analysis on the monitored anomalous behaviors and a pre-stored identifier to determine if the monitored anomalous behaviors indicate that the object is malware belonging to a classified malware family. The pre-stored identifier is a collection of data associated with anomalous behaviors that uniquely identify the malware family.

Abstract: A threat-aware microvisor is configured to facilitate real-time security analysis, including exploit detection and threat intelligence, of operating system processes executing on a node of a network environment. The microvisor may be embodied as a module disposed or layered beneath (underlying) an operating system kernel executing on the node to thereby control privileges (i.e., access permissions) to kernel resources, such as one or more central processing units (CPUs), network interfaces, memory, and/or devices, of the node. Illustratively, the microvisor may be configured to control access to one or more of the resources in response to a request by an operating system process to access the resource.

Abstract: A trusted threat-aware microvisor may be deployed as a module of a trusted computing base (TCB) that also includes a root task module configured to cooperate with the microvisor to load and initialize one or more other modules executing on a node of a network environment. The root task may cooperate with the microvisor to allocate one or more kernel resources of the node to those other modules. As a trusted module of the TCB, the microvisor may be configured to enforce a security policy of the TCB that, e.g., prevents alteration of a state related to security of the microvisor by a module of or external to the TCB. The security policy of the TCB may be implemented by a plurality of security properties of the microvisor. Trusted (or trustedness) may therefore denote a predetermined level of confidence that the security property is demonstrated by the microvisor.

Abstract: A network device for detecting malware is described. The network device features a memory storage device and a controller. The controller operating in cooperation with one or more virtual machines that are based on software modules stored within the memory storage device. The controller is configured to (i) monitor behaviors of at least a first virtual machine of the one or more virtual machines processing data received over a network, (ii) identify at least one anomalous behavior that includes either a communication anomaly or an execution anomaly, and (iii) detect, based on the identified at least one anomalous behavior, a presence of malware in the first virtual machine in response to identifying the at least one anomalous behavior.

Abstract: Exemplary systems and methods for detecting a communication channel of a bot. In exemplary embodiments, presence of a communication channel between a first network device and a second network device is detected. Data from the communication channel is scanned and used to determine if a suspected bot communication exists. If a bot communication is detected, then a recovery process may be initiated.

Abstract: According to one embodiment, a method comprises receiving a first portion of network traffic by a virtual machine that is configured to simulate operations of a destination device. Thereafter, one or more anomalous behaviors are observed as the virtual machine processing the first portion of the network traffic. The one or more anomalous behaviors include an unexpected behavior of the virtual machine while the first portion of the network traffic is being processed. As a result, a signature that is associated with the one or more anomalous behaviors is generated for detection of a presence of malicious code within the network traffic.

Abstract: Systems and methods for detecting malicious content on portable data storage devices or remote network servers are provided. In an exemplary embodiment, a system comprises a quarantine module configured to detect one or more portable data storage devices upon insertion of the devices into a security appliance, wherein the security appliance is configured to receive the portable data storage devices, a controller configured to receive from the security appliance, via a communication network, data associated with the portable data storage devices, an analysis module configured to analyze the data to determine whether the data includes malware, and a security module to selectively identify, based on the determination, the one or more portable data storage devices storing the malware.

Abstract: A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. In various embodiments, the computer worm may be transported from a production network, where the computer worm is not readily identifiable, to an alternate network in the worm sensor where the computer worm may be readily identifiable. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems.

Abstract: An exploit detection system deploys a threat-aware microvisor to facilitate real-time security analysis, including exploit detection and threat intelligence, of an operating system process executing on a node of a network environment. The microvisor may be organized as a main protection domain representative of the operating system process. In response to the process attempting to access a kernel resource for which it does not have permission, a capability violation may be generated at the main protection domain of the microvisor and a micro-virtual machine (VM) may be spawned as a container configured to encapsulate the process. The main protection domain may then be cloned to create a cloned protection domain that is representative of the process and that is bound to the spawned micro-VM. Capabilities of the cloned protection domain may be configured to be more restricted than the capabilities of the main protection domain with respect to access to the kernel resource.

Abstract: A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. In various embodiments, the computer worm may be transported from a production network, where the computer worm is not readily identifiable, to an alternate network in the worm sensor where the computer worm may be readily identifiable. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems.

Abstract: Systems and methods for analyzing malicious PDF network content are provided herein. According to some embodiments, a PDF parser examines a body portion of a PDF document received over a network and intended for a digital device and determines if one or more suspicious characteristics indicative of malicious network content are included in the examined body portion of the PDF document. The examined body portion of the PDF document is lesser in size than an entirety of the body portion of the PDF document. When the portion of the body section of the PDF document is determined to include one or more suspicious characteristics indicative of malicious network content, the PDF document is provided to one or more virtual machines associated with the digital device to verify the inclusion of malicious network content in the portion of the body section of the PDF document.

Abstract: Techniques may automatically detect bots or botnets running in a computer or other digital device by detecting command and control communications, called “call-backs,” from malicious code that has previously gained entry into the digital device. Callbacks are detected using a distributed approach employing one or more local analyzers and a central analyzer. The local analyzers capture packets of outbound communications, generate header signatures, and analyze the captured packets using various techniques. The techniques may include packet header signature matching against verified callback signatures, deep packet inspection. The central analyzer receives the header signatures and related header information from the local analyzers, may perform further analysis (for example, on-line host reputation analysis); determines using a heuristics analysis whether the signatures correspond to callbacks; and generally coordinates among the local analyzers.

Abstract: A threat-aware microvisor may be deployed in a malware detection endpoint architecture and execute on an endpoint to provide exploit and malware detection within a network environment. Exploit and malware detection on the endpoint may be performed in accordance with one or more processes embodied as software modules or engines configured to detect suspicious and/or malicious behaviors of an operating system process (object), and to correlate and classify the detected behaviors as indicative of malware. Detection of suspicious and/or malicious behaviors may be performed by static and dynamic analysis of the object. Static analysis may perform examination of the object to determine whether it is suspicious, while dynamic analysis may instrument the behavior of the object as the operating system process runs via capability violations of, e.g. operating system events. A behavioral analysis logic engine and a classifier may thereafter cooperate to perform correlation and classification of the detected behaviors.

Abstract: The system comprises a traffic analysis device in communication with a network device. The traffic analysis device can analyze network traffic received over a communication network and duplicate at least select network communications within the network traffic having characteristics associated with malicious traffic when the network communications are determined through heuristic analysis to satisfy a heuristic threshold.

Abstract: An electronic message is analyzed for malware contained in the message. Text of an electronic message may be analyzed to detect and process malware content in the electronic message itself. The present technology may analyze an electronic message and attachments to electronic messages to detect a uniform resource location (URL), identify whether the URL is suspicious, and analyze all suspicious URLs to determine if they are malware. The analysis may include re-playing the suspicious URL in a virtual environment which simulates the intended computing device to receive the electronic message. If the re-played URL is determined to be malicious, the malicious URL is added to a black list which is updated throughout the computer system.