News Column

"System and Method for Advanced Malware Analysis" in Patent Application Approval Process

August 20, 2014



By a News Reporter-Staff News Editor at Defense & Aerospace Week -- A patent application by the inventors SMITH, Calvin H. (Centreville, VA); MACLEAN, Kenneth (Hingham, MA); LIU, Jason J. (Potomac, MD); MANN, Stephen (Sterling, VA); MANN, Wendy (Sterling, VA); CHAPIN, Ryan (West Friendship, MD), filed on January 31, 2013, was made available online on August 7, 2014, according to news reporting originating from Washington, D.C., by VerticalNews correspondents.

This patent application is assigned to Northrop Grumman Systems Corporation.

The following quote was obtained by the news editors from the background information supplied by the inventors: "Networks and Information Technology (IT) resources are under constant attack from Advanced Persistent Threat (APT) actors that exploit unknown, 'Zero-Day' vulnerabilities. These attacks use spear-phishing emails containing malicious attachments or embedded web links directed at key end-users. APT actors send zero day malware as email attachments to key end-users. Once an end-user system is infected, APT actors use that system to target and exfiltrate sensitive data. APT actors trick end users into downloading and executing zero day malware using social engineering techniques. APT email attacks have resulted in numerous recent security breaches, and they are the prime threat vector targeting a broad range of Government, military, educational, and commercial organizations.

"APT exploits are designed to run covertly on networks and systems, quietly collecting sensitive or personal data, and remaining undetected for long periods of time. Usually, standard security tools do not detect the zero day malware employed by APT actors; a recent report stated only 24% of all APT malware is detected by traditional signature-based security software. APT actors often target users and their endpoint platforms using spear-phishing email with embedded zero-day malware.

"Zero day malware is malware that targets a vulnerability that is not publicly known, and for which a signature has not yet been developed. Because no signature exists for zero day malware, it cannot be reliably detected by traditional security products. In contrast to signature-based detection techniques, behavioral analysis can reveal the malicious nature of zero day malware."

In addition to the background information obtained for this patent application, VerticalNews journalists also obtained the inventors' summary information for this patent application: "Embodiments herein overcome disadvantages described above and provide other advantages. These advantages may be achieved by a method for advanced malware detection. The method filters incoming messages with a watch-list, the incoming messages including attachments, if an incoming message matches the watch-list, forwards the message to a malware detection engine, strips the attachments from the forwarded message, the one or more attachments including one or more executable files, launches a plurality of sandboxes, executes each of the executable files in the plurality of sandboxes, the sandboxes generating analysis results that may be used to determine whether each executable file is malicious, normalizes the analysis results, evaluates the risk level of the attachments to the forwarded message based on the normalized analysis results of the executable files in the attachments to the forwarded message, and, if the risk level of an attachment to the forwarded message is above a certain level, determines that the forwarded message is malicious and permanently quarantines the forwarded message.

"These advantages may also be achieved by a system for advanced malware analysis. The system includes an advanced malware detection engine that determines whether a forwarded message is malicious. The advanced malware detection engine receives the forwarded message and strips one or more attachments from the forwarded message, the attachments including one or more executable files. The system also includes a sandbox control manager that receives the executable files and launches a plurality of malware analysis platform (MAP) sandboxes. Each of the MAP sandboxes executes each of the executable files and produces analysis results indicative of the effects of executing the executable files on a computer system. The system also includes a results normalizer that receives the analysis results from the MAP sandboxes and normalizes the analysis results and a risk evaluator that assigns a risk level to the attachments based on the analysis results and indicates whether the forwarded message is malicious based on the assigned risk level of the attachments of the message.

"These advantages may also be achieved by a tangible computer readable medium that includes instructions for performing a method for advanced malware analysis by filtering incoming messages with a watch-list, the incoming messages including one or more attachments, if an incoming message matches the watch-list, forwarding the message to a malware detection engine, stripping the one or more attachments from the forwarded message, the one or more attachments including one or more executable files, launching a plurality of sandboxes, executing each of the one or more executable files in the plurality of sandboxes, the sandboxes generate analysis results that may be used to determine whether each executable file is malicious, normalizing the analysis results, evaluating the risk level of the attachments to the forwarded message based on the normalized analysis results of the executable files in the attachments to the forwarded message and if the risk level of an attachment to the forwarded message is above a certain level, determining that the forwarded message is malicious and permanently quarantining the forwarded message.

BRIEF DESCRIPTION OF DRAWINGS

"The detailed description will refer to the following drawings, wherein like numerals refer to like elements, and wherein:

"FIG. 1 is a block diagram illustrating an embodiment of a system for advanced malware analysis.

"FIG. 2 is a flowchart illustrating an embodiment of a method for advanced malware analysis.

"FIG. 3 is a block diagram illustrating exemplary hardware for implementing an embodiment of a system for advanced malware analysis."
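The pipeline in the quoted summary (watch-list filter, attachment stripping, several MAP sandboxes, a results normalizer, a risk evaluator, quarantine) as an added Python sketch; this is constructed example code, not Northrop Grumman's implementation, and the watch-list entries, the three sandbox output formats, the severity weights and the 0.7 threshold are all assumptions. The point it shows is the normalizer: sandboxes that report on different scales are mapped onto one 0.0-1.0 range before the risk evaluator averages them.

```python
from dataclasses import dataclass, field

# Constructed watch-list and threshold (assumptions, not values from the patent).
WATCH_LIST = {"cfo@example.test", "sysadmin@example.test"}
QUARANTINE_THRESHOLD = 0.7

@dataclass
class Message:
    recipient: str
    attachments: dict[str, bytes] = field(default_factory=dict)

def matches_watch_list(msg: Message) -> bool:
    return msg.recipient.lower() in WATCH_LIST

def strip_executables(msg: Message) -> dict[str, bytes]:
    """Pull out attachments that look executable (PE 'MZ' header or .exe/.scr name)."""
    return {n: b for n, b in msg.attachments.items()
            if b.startswith(b"MZ") or n.lower().endswith((".exe", ".scr"))}

# Stand-ins for heterogeneous MAP sandboxes, each reporting in its own format.
def sandbox_a(blob: bytes) -> dict:  # 0-10 numeric score
    return {"score": 9 if blob.startswith(b"MZ") else 1}
def sandbox_b(blob: bytes) -> dict:  # list of observed behaviours
    return {"behaviors": ["persistence", "c2_beacon"] if blob.startswith(b"MZ") else []}
def sandbox_c(blob: bytes) -> dict:  # verdict string
    return {"verdict": "malicious" if blob.startswith(b"MZ") else "clean"}

SANDBOXES = [sandbox_a, sandbox_b, sandbox_c]
SEVERITY = {"persistence": 0.5, "c2_beacon": 0.8, "file_drop": 0.3}  # assumed weights

def normalize(result: dict) -> float:
    """Map each sandbox's native output onto a common 0.0-1.0 scale."""
    if "score" in result:
        return result["score"] / 10.0
    if "behaviors" in result:
        return max((SEVERITY.get(b, 0.1) for b in result["behaviors"]), default=0.0)
    return {"malicious": 1.0, "suspicious": 0.5, "clean": 0.0}[result["verdict"]]

def risk_level(blob: bytes) -> float:
    """Execute the file in every sandbox and average the normalized results."""
    scores = [normalize(sb(blob)) for sb in SANDBOXES]
    return sum(scores) / len(scores)

def analyze(msg: Message) -> dict:
    """Watch-list filter, strip executables, score them, decide on quarantine."""
    if not matches_watch_list(msg):
        return {"forwarded": False, "risks": {}, "quarantine": False}
    risks = {name: risk_level(blob) for name, blob in strip_executables(msg).items()}
    return {"forwarded": True, "risks": risks,
            "quarantine": any(r > QUARANTINE_THRESHOLD for r in risks.values())}
```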

For the URL and more information on this patent application, see: SMITH, Calvin H.; MACLEAN, Kenneth; LIU, Jason J.; MANN, Stephen; MANN, Wendy; CHAPIN, Ryan. System and Method for Advanced Malware Analysis. Filed January 31, 2013 and posted August 7, 2014. Patent URL: http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.html&r=56&p=2&f=G&l=50&d=PG01&S1=20140731.PD.&OS=PD/20140731&RS=PD/20140731

Keywords for this news article include: Northrop Grumman Systems Corporation.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC





Source: Defense & Aerospace Week

