A computer virus detection method includes compiling a list of heuristic events and a chronological order in which they occur, comparing the list of heuristic events and the chronological order with a defined list of heuristic events occurring in a defined
chronological order and determining whether a computer virus is present based on a result of the comparing.
BACKGROUND OF THE DISCLOSURE
1. Field of the Disclosure
The present disclosure relates generally to computer virus detection and in particular, to a system and method for computer virus detection utilizing heuristic analysis.
2. Description of the Related Art
Antivirus [AV] systems may use various methods for detecting malicious code. Malicious code as referred to herein may include a computer virus capable of replicating itself and spreading. More specifically, malicious code may be
understood to include, for example, a piece of software that may be designed and written to make additional copies of itself and spread from location to location within a system and/or from system to system. Computer viruses may spread without user knowledge or permission. Computer virus technology has gone through various evolutionary stages since the very first viruses. Early viruses infected files, but were not camouflaged in any substantial way. Accordingly, they could be easily
recognized by even novice users utilizing file viewing software. This also meant that such viruses were relatively easily detected by AV systems. To counter this, viruses were developed to use encryption as a method of disguising the viral code. However, these viruses still left undisguised decryption code visible to anti-virus software, and were thus fairly easy to recognize by AV systems. Virus developers thus sought to address this vulnerability in their computer viruses. To a certain
degree, this was accomplished by a technique called polymorphism. This technique involves pseudo-randomly recreating [usually] different decryption code between each individual infection. With a polymorphic encrypted type of virus, although each individual infection may utilize a different decryption code, the actual unencrypted malicious code itself does not necessarily change. As difficult as viruses protected by polymorphic encryption can be to detect, doing so is now a fairly commonplace event. Detection of polymorphic encrypted viruses can be readily accomplished via the emulation of the decryption code to gain access to the then-unencrypted virus body. Currently, state-of-the-art virus technology is going through yet another evolutionary phase which utilizes a form of disguise called “metamorphism.” A metamorphic disguise differs from previous forms of disguise in that such viruses no longer necessarily use encryption at all to disguise their code. Instead, such
viruses reorganize, modify, or even recreate the code that forms the virus body itself. One method of detecting such metamorphic viruses may involve the use of computationally intense, highly specialized algorithms targeted at specific viruses. Various AV systems use heuristic detection methods to scan computer code to detect for malicious code. The methods may include some form of heuristics logic to determine whether particular computer code is malicious. Heuristics logic applies
rules to distinguish malicious code from non-malicious code. AV systems using heuristics logic may use self-educating techniques to improve performance. AV systems may use a combination of emulation and heuristics to detect malicious code. Systems may include a machine emulator that emulates code in the scanning target, while collecting a set of data [e.g., Boolean flags] relating specifically to possible viral code. These systems can be referred to as utilizing static heuristics in that
they do not pay attention to the order in which events occur in the emulation. A deficiency with the static heuristics type system is that possibly very valuable information is regularly being discarded [e.g., the chronological order in which the heuristic data is being collected]. If utilized properly, this discarded information can be fundamental to a virus scanner's ability to distinguish between false-positive results [e.g., code that seems viral enough to trigger a detection, but is
not actually viral] and true-positive results [e.g., code that seems viral, and actually is].
A computer virus detection method includes compiling a list of heuristic events and a chronological order in which they occur, comparing the list of heuristic events and the chronological order with a defined list of heuristic events occurring in a defined chronological order and determining whether a computer virus is present based on a result of the comparing.
A more complete appreciation of the present disclosure and many of the attendant advantages thereof will be readily obtained as the same becomes better understood by reference to the following detailed description when considered in connection with the accompanying drawings, wherein:
FIG. 1 is a block diagram of an example of a system to be monitored for malicious code;
FIG. 2 depicts event chains for describing various aspects of the present disclosure;
FIG. 3 is a block diagram of an emulation analysis process according to an embodiment of the present disclosure; and
FIG. 4 is a block diagram of an emulator according to an embodiment of the present disclosure.
In describing preferred embodiments of the present disclosure illustrated in the drawings, specific technology is employed for the sake of clarity. However, the present disclosure is not intended to be limited to the specific terminology so selected and it is to be understood that each specific element includes all technical equivalents which operate in a similar manner.
A system to be monitored for malicious code may be a standard PC, laptop, mainframe, etc. or a network of such systems. FIG. 1 depicts an example of a system 102 that may be monitored for malicious code. Of course, system 102 may not include each component shown and/or may include additional components not shown. As shown, system 102 may include a central processing unit [CPU] 42, a memory 44, a clock circuit 46, a printer interface 48, a display unit 50, a LAN [local area network] data
transmission controller 52, a LAN interface 54, a network controller 56, an internal bus 58 and one or more input devices 60 such as, for example, a keyboard and mouse. CPU 42 controls the operation of system 102 and is capable of running applications stored in memory 44. Memory 44 may include, for example, RAM, ROM, removable CDROM, DVD, etc. Memory 44 may also store various types of data necessary for the
execution of the applications, as well as a work area reserved for use by CPU 42. Clock circuit 46 may include a circuit for generating information indicating the present time, and may be capable of being programmed to count down a predetermined or set amount of time. The LAN interface 54 allows communication between a network [not shown] and the LAN data transmission controller 52. The LAN data transmission controller 52 uses a predetermined protocol
suite to exchange information and data with the other devices on a network. System 102 may also be capable of communicating with devices on other remote networks. System 102 may also be capable of communicating with other devices via a Public Switched Telephone Network [PSTN] using network controller 56. System 102 may also have access to a WAN [wide area network] and the Internet, for example. Internal bus 58, which may actually consist of a plurality of
buses, allows communication between each of the components connected thereto. The present system and method utilizes the anti-virus techniques of emulation and heuristics, in which the anti-virus software contains a machine emulator that emulates code in the scanning target, while collecting a set of data [e.g., Boolean flags] relating specifically to possible viral code, and is capable of analyzing the order of the events that occur. Since the present system and method maintains the
chronological order in which the heuristic data is collected, the present system is able to accurately piece together a collection of small-scale, detailed information into larger, “meta-heuristic” events, which can in turn be used to accurately detect viral behavior. Although metamorphic viruses may reorganize, modify or even recreate the code forming the virus body, it is important to note that metamorphic viruses still perform the same large-scale actions, independent of whatever form
their code may take. In other words, although the actual code used by metamorphic viruses to perform a particular action may change from infection to infection, the actions being performed by the virus are still the same. This means that by coalescing small-scale actions into large-scale actions [referred to herein as meta-heuristic events] and thus ignoring the details of how this large-scale action is performed, it is possible to circumvent the power of metamorphic viruses. The present system
and method thus take advantage of this inherent weakness of metamorphic viruses. The present system thus utilizes information relating to the chronologically ordered chain of heuristic events and its subsequent analysis by algorithms cognizant of the importance of the chronology of events to discover the existence of a virus infection and is particularly useful for detecting a metamorphic virus infection. FIG. 2 will be used to
graphically show how meta-heuristic algorithms according to the present disclosure may function. Several event chains are shown in FIG. 2. Each labeled box represents an event as determined by one or more heuristics modules, according to the present disclosure. Different types of events may be detected. For example, certain memory read or write actions, certain decryptions that may be performed, certain types of executions [e.g., API
executions], etc. may indicate viral behavior. In the described examples, like labels represent like events. The event chain labeled 1X represents an actual event chain, consisting of events A, B, C, D, E, C, etc., in that order. As will be described in more detail below, the actual event chain is generated by emulating the code [scanning target] being examined for viruses and using one or more heuristics modules to determine “events” that may or may not indicate viral behavior and saving
information identifying the event and the order in which the events occurred. In this example, a meta-heuristic algorithm used for detecting a particular virus or type of virus may expect to see a particular series of events in a particular order, such as the events and order shown in chain 1Y [e.g., events A, B, D, C, C, etc.]. In parsing the actual event chain 1X, the algorithm finds the first four events that it expects [e.g., events A, B, D, C]. However, the algorithm will not
locate the fifth expected event [e.g., event C] sequentially in the chain [even though event C does occur earlier in the chain 1X.] Accordingly, the algorithm will report that the current scanning target does not contain the virus that this algorithm was designed to detect. In contrast, another algorithm may expect an event chain such as event chain 1Z. This algorithm would parse the actual event chain 1X and find all of its expected events in
the correct order, as shown in FIG. 2. Accordingly, this algorithm would report that it has identified whatever virus, or type of virus, it was designed to detect.

US7231667B2 - System and method for computer virus detection utilizing heuristic analysis - Google Patents
Inventor: Myles Jordan
Original assignee: Computer Associates Think Inc; current assignee: CA Inc
Application number: US10/449,586; priority date and filing date: 2003-05-29
Published as US20040243829A1 on 2004-12-02; granted and published as US7231667B2 on 2007-06-12
Legal status: Active; adjusted expiration 2025-07-06
The algorithms in the examples described above are simple in that they look for complete ordering of events [e.g., all events are in inflexible order.] However, this is for ease of description only and it should be understood that this is not necessarily always the case. For example, having found events A, B, D, an algorithm may look for an event B. If an event B is not found after event D in the actual chain, the algorithm may look to events occurring prior to event D for the occurrence of event B. In addition, an algorithm may simply skip an event if it is not found in the actual event chain and look for its next expected event in the chain. The number of events an algorithm looks for to determine whether a virus is present can be preset for each individual algorithm. In the alternative, the maximum number of events that each algorithm will be allowed to search for can be limited by the user of the system. However, the more events an algorithm is allowed to look for, the more accurate the determination by the algorithm will likely be.
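The ordered parsing of an actual event chain described for FIG. 2, together with the look-back and skip relaxations and the cap on the number of events just described, as an added worked example in Python. This is not code from the patent or from Computer Associates: the actual chain 1X (A, B, C, D, E, C) and the expected chain 1Y (A, B, D, C, C) are taken from the text, but the page does not give the content of chain 1Z, so the chain used for it here (A, C, E) is an assumption, as are all function and field names.

```python
"""Added example: ordered matching of a heuristic event chain against the
chain a meta-heuristic detection algorithm expects to see.
Event labels are single letters as in FIG. 2; names and API are assumptions."""
from dataclasses import dataclass, field
from typing import Optional, Sequence


@dataclass
class MatchResult:
    detected: bool
    positions: list = field(default_factory=list)  # index in the actual chain of each matched expected event
    skipped: list = field(default_factory=list)    # expected events the algorithm gave up on


def match_chain(actual: Sequence[str], expected: Sequence[str], *,
                lookback: bool = False, max_skips: int = 0,
                max_events: Optional[int] = None) -> MatchResult:
    """Parse `actual` looking for the events of `expected`, in order.

    Strict mode (the defaults): each expected event must appear after the
    previously matched one; irrelevant events in between are ignored.
    lookback=True: if an expected event is not found after the last match,
    an unconsumed occurrence earlier in the chain is accepted instead.
    max_skips: how many expected events may be missing altogether.
    max_events: cap on how many expected events the algorithm looks for."""
    if max_events is not None:
        expected = list(expected)[:max_events]
    consumed: set = set()
    cursor = 0
    result = MatchResult(False)
    for want in expected:
        hit = next((i for i in range(cursor, len(actual))
                    if actual[i] == want and i not in consumed), None)
        if hit is None and lookback:
            hit = next((i for i in range(cursor)
                        if actual[i] == want and i not in consumed), None)
        if hit is None:
            if len(result.skipped) < max_skips:
                result.skipped.append(want)
                continue
            return result                      # this algorithm does not detect
        consumed.add(hit)
        result.positions.append(hit)
        cursor = max(cursor, hit + 1)          # the forward search never rewinds
    result.detected = True
    return result


def scan_chain(actual, algorithms) -> Optional[str]:
    """Steps S14-S22 of FIG. 3: run each algorithm in turn and stop at the
    first one that detects; None means no detection was triggered."""
    for name, expected, options in algorithms:
        if match_chain(actual, expected, **options).detected:
            return name
    return None


# Chains from the FIG. 2 discussion; the content of 1Z is not on the page and is assumed.
CHAIN_1X = ["A", "B", "C", "D", "E", "C"]   # actual chain produced by emulation
CHAIN_1Y = ["A", "B", "D", "C", "C"]        # expected by one algorithm
CHAIN_1Z = ["A", "C", "E"]                  # ASSUMED content for chain 1Z

if __name__ == "__main__":
    print(match_chain(CHAIN_1X, CHAIN_1Y))                 # finds A, B, D, C, then fails on the second C
    print(match_chain(CHAIN_1X, CHAIN_1Y, lookback=True))  # the earlier C is accepted instead
    print(scan_chain(CHAIN_1X, [("1Y", CHAIN_1Y, {}), ("1Z", CHAIN_1Z, {})]))
```

In strict mode the 1Y algorithm stops after four hits, exactly as the text describes; with `lookback=True` or `max_skips=1` the same algorithm reports a match. Each relaxation makes the algorithm tolerant of reordered or missing events but also widens the set of benign chains it accepts, so the choice of relaxation and of `max_events` is the knob that trades false negatives against false positives.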
The algorithms can be stored in the system 102 and used to detect viruses in the system. The algorithms may be periodically updated with new algorithms for detecting new viruses, automatically or in response to user request. The algorithms may also be stored at a remote website. In this case, the present system will be directed to the remote website so that it can download the algorithms for execution on the system or the system can execute the algorithms directly from the remote website.
FIG. 3
is a flow chart for describing aspects of the present disclosure. The process involves emulating a number of instructions of the code of the file to be analyzed, collecting heuristic events in order as they occur, and storing them in some sequential fashion. The sequential heuristic events are then analyzed with each meta-heuristic algorithm at least once, until a virus is detected or there are no more available algorithms. That is, each algorithm in turn parses the sequential heuristic data [e.g., the heuristic event chain] looking for heuristic events in some form of at least partial order as expected by the algorithm. As noted above, the events may or may not be located in a particular order, depending on the algorithm itself and there can be other irrelevant events between expected events in the chain. Each algorithm will look for its expected events in the proper order.
In more detail, in Step S2, a file to be scanned for viruses is loaded into the emulator. The emulator is then initialized [Step S4]. Initialization may involve setting registers, flags and memory to predefined values. The first instruction [or instructions] in the file is then executed [Step S6]. A determination is then made whether a heuristic event has occurred [Step S8]. If a heuristic event has occurred [Yes, Step S8], the event is registered [Step S10]. After the event is registered or if no heuristic event has occurred [No, Step S8], a determination is made whether there are more instructions to emulate [Step S12]. If there are more instructions to emulate [Yes, Step S12], the next instruction is emulated in Step S6 and the procedure repeats. If there are no more instructions to emulate [No, Step S12], the heuristic events registered in Step S10 are analyzed utilizing one of the algorithms for detecting a virus or type of virus [Step S14]. A determination is then made whether the algorithm has yielded a positive result [e.g., detected a virus] in Step S16. If a positive result was achieved [Yes, Step S16], a trigger detection operation [Step S18] is performed. For example, Step S18 may provide some type of indication to the user of the system that a virus was detected and may indicate the particular virus or type of virus to the user. Step S18 may also start, either automatically or in response to a user input, a virus removal system for removing the detected virus. If a positive result is not indicated [No, Step S16], a determination is made whether more algorithms exist [Step S20]. As mentioned above, this may involve seeing if any more algorithms are present on the system or going to a remote website to determine if any more algorithms exist. If no more algorithms exist [No, Step S20], a detection is not triggered [Step S22]. This may involve informing the user that no viruses were detected in the file being examined.
If more algorithms are available [Yes, Step S20] a next algorithm is selected and is used to analyze the heuristics events [Step S14]. The process then repeats.
FIG. 4
is a block diagram of an emulator according to an embodiment of the present disclosure. When a scanning engine 0 requires emulation of a target file, it invokes emulator controller 1. Emulator controller 1 is responsible for supervising the overall general emulation. After initialization of the system, including Registers 4 and Memory Space 5, and the loading of the scanning target via PE File Loader 7, the Emulator Controller 1 calls out to the CPU 2 to execute a set number of instructions. The number of instructions to be executed may be initially set, for example, as an arbitrary number to provide a balance between speed and accuracy. For example, the more instructions executed, the more heuristic data collected and thus the greater the accuracy of the detection results. However, it should be noted that the scanner may run relatively slow if too many instructions are executed. A feedback system may also be provided. For example, if the heuristic modules are collecting a lot of data that seems to be of interest [e.g., seemingly viral], the modules may request that more instructions be executed. The detection algorithms [meta- and otherwise] may also request that more [or fewer] instructions be executed.
To execute an instruction, CPU 2 requests the relevant instruction bytes from the memory image of the target file that exists within the Memory Space 5. CPU 2 then decodes these bytes into an instruction which it then attempts to execute with the assistance of the ALU 3. As part of the emulation process, this instruction may request and/or modify data stored within Registers 4 and/or Memory Space 5.
Because much of the emulated memory within the Memory Space 5 is uninitialized by default, if an instruction accesses some of this uninitialized memory, then this accessed area will be initialized before that instruction can continue. This is accomplished by the Block Loader 6 and its sub-modules. The sub-modules include a PE File Loader 7, a Faked Kernel32.dll Loader 8 and Faked TIB, VMM, Loader 9. These modules serve to initialize certain areas of memory space 5 to particular values [e.g., a fake image of the common Kernel32.dll]. However, if an area of memory is accessed which no block loader can initialize, the Memory Space 5 reports a serious error to Fault Catcher 14 via the No Memory Notification 13. Errors this serious will normally prematurely halt emulation.
Monitors are placed over particular regions of the Memory Space 5. The monitors are notified of certain types of actions that could be considered unusual and/or destructive to that region of the Memory Space 5. For example, it may not be unusual for a program to read from the Faked Kernel32.dll image. However, should a program attempt to modify the Kernel32.dll image, this would be considered both unusual and destructive. To allow for easier distinction between innocuous and possibly harmful memory accesses, there are separate monitors to receive read notifications [Read Notification monitor 10], write notifications [Write Notification monitor 11] or execute notifications [Execution Notification monitor 12]. This allows only relevant data to be passed into the Memory Heuristics module 24, the Decryption Heuristics module 25, the Execution Heuristics module 26 and the Goat File Heuristics module 27.
In the particular instance that the program executes within the code section of the fake Kernel32.dll [an action which is indicative of an Applications Program Interface [API] call] the Execution Notification module 26 will be notified, and will in turn invoke the API Call Catcher 15. This will determine which API in particular is being called and will invoke the API Pretender 16 to mimic the functionality of that API. The API Pretender 16 invokes the relevant API emulation from either the Return Number sub-module 18, the Return String sub-module 19, the System Operation sub-module 20, the Directory Operation sub-module 21 or the Goat File Operation sub-module 22 via the API Emulation module 17. Each of these sub-modules handles a category of APIs that are commonly used by viral code.
If an API called relates specifically to the reading of data from files other than the scanning target, the Goat File Faker 23 will place an image of a specially prepared goat file into the Memory Space 5. This may entice a virus to infect the file image, thus revealing its viral nature.
As mentioned above, when any of the unusual, destructive or goat file related events occur, the relevant heuristics module is notified. These heuristic modules may include Memory Heuristics module 24, Decryption Heuristics module 25, Execution Heuristics module 26 and Goat File Heuristics module 27. These modules are responsible for the diagnosis of viral memory access, viral decryption, viral code tricks, and viral file manipulations, respectively. These modules act as an intermediate analysis layer, collecting data and attempting to coalesce the many small, seemingly insignificant events into fewer large, more significant events. Small events can be coalesced into larger events when the heuristic modules 24–27 recognize that all of the required small events for a larger event have occurred. The heuristic modules may then generate a larger event indication and submit it to the Heuristic Event register 28. For example, if a program writes to the last section of its own image in memory, that may be considered a small-scale, mildly interesting [may be viral] event. This information can be sent to the Heuristic Event Register 28, via the Decryption Heuristic module 25. However, when many [possibly sequential] writes occur to this section of memory, the Decryption Heuristics module 25 may determine that these small events together constitute a decryption-in-progress. Decryption Heuristics module 25 may then generate a “decryption-occurred” type event which may be sent to the Heuristic Event Register 28.
When any viral traits are detected by one or more of the heuristics modules 24–27, the corresponding module will generate a heuristic event indication and send it to the Heuristic Event Register 28 for inclusion into the event chain. When the Scanning Engine 0 decides it has emulated enough instructions, it can query the Heuristic Controller 29 for a heuristic analysis of the scanning target. The Heuristic Controller 29 will then invoke the Meta-heurism module 30, which in turn invokes a series of Meta-heuristic Detection algorithms 31. Each of the detection algorithms analyses the heuristic event chain stored in the Heuristic Event Register 28, searching for a particular series of interrelated events. If an algorithm locates its series, it is considered to have heuristically detected a virus.
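The collection side of the design described for FIG. 3 and FIG. 4, as an added example in Python (not code from the patent or from Computer Associates): region monitors that only forward unusual accesses, a Decryption Heuristics module that coalesces a run of small writes into one larger "decryption-occurred" event, and a Heuristic Event Register that keeps events in the order they happened. The emulator is a toy that consumes a constructed trace of (operation, address) tuples rather than executing instructions; the memory layout, the write threshold, the event names and all class and function names are assumptions made for this example.

```python
"""Added example: collecting heuristic events in chronological order while
emulating, with memory-region monitors and a Decryption Heuristics module
that coalesces many small writes into one meta-heuristic event.
Layout, thresholds, event names and class names are assumptions."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int            # exclusive

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


# Constructed memory layout: the target image's last section and the fake Kernel32 image.
TARGET_LAST_SECTION = Region("target.last_section", 0x404000, 0x405000)
FAKE_KERNEL32 = Region("fake_kernel32", 0x7C800000, 0x7C900000)
FAKE_KERNEL32_CODE = Region("fake_kernel32.code", 0x7C800000, 0x7C810000)


class HeuristicEventRegister:
    """Keeps events in the order they were submitted: this list is the event chain."""
    def __init__(self) -> None:
        self.chain: List[str] = []

    def submit(self, event: str) -> None:
        self.chain.append(event)


class DecryptionHeuristics:
    """One write into the last section of the target's own image is a small,
    mildly interesting event; once WRITE_THRESHOLD writes have landed there the
    module decides a decryption is in progress and submits one larger event."""
    WRITE_THRESHOLD = 8      # assumed value

    def __init__(self, register: HeuristicEventRegister) -> None:
        self.register, self.writes, self.reported = register, 0, False

    def on_write(self, addr: int) -> None:
        if not TARGET_LAST_SECTION.contains(addr):
            return
        self.writes += 1
        if self.writes == 1:
            self.register.submit("SELF_WRITE_LAST_SECTION")
        if self.writes >= self.WRITE_THRESHOLD and not self.reported:
            self.reported = True
            self.register.submit("DECRYPTION_OCCURRED")


class MemoryHeuristics:
    """Reading the fake Kernel32 image is normal; writing to it is not."""
    def __init__(self, register: HeuristicEventRegister) -> None:
        self.register = register

    def on_write(self, addr: int) -> None:
        if FAKE_KERNEL32.contains(addr):
            self.register.submit("KERNEL32_IMAGE_MODIFIED")


class ExecutionHeuristics:
    """Execution inside the fake Kernel32 code section indicates an API call."""
    def __init__(self, register: HeuristicEventRegister) -> None:
        self.register = register

    def on_execute(self, addr: int) -> None:
        if FAKE_KERNEL32_CODE.contains(addr):
            self.register.submit("API_CALL")


def emulate(trace: List[Tuple[str, int]], max_instructions: int) -> List[str]:
    """Steps S2-S12 of FIG. 3 over a constructed trace: process up to
    max_instructions operations, notify the relevant monitors, and return
    the event chain in the order the events occurred."""
    register = HeuristicEventRegister()
    write_monitors = [DecryptionHeuristics(register), MemoryHeuristics(register)]
    exec_monitors = [ExecutionHeuristics(register)]
    for op, addr in trace[:max_instructions]:
        if op == "write":
            for monitor in write_monitors:
                monitor.on_write(addr)
        elif op == "execute":
            for monitor in exec_monitors:
                monitor.on_execute(addr)
        # "read" notifications reach no monitor here: reads are not unusual.
    return register.chain


# Constructed trace: reads from the fake Kernel32 image, a burst of writes into the
# target's own last section, an API call, then a write into the Kernel32 image.
SAMPLE_TRACE: List[Tuple[str, int]] = (
    [("read", 0x7C801000), ("read", 0x7C801004)]
    + [("write", 0x404000 + 4 * i) for i in range(8)]
    + [("execute", 0x7C802000), ("write", 0x7C850000)]
)

if __name__ == "__main__":
    print(emulate(SAMPLE_TRACE, max_instructions=100))
```

The `max_instructions` argument is the speed/accuracy knob the text describes: cutting the same trace off after five operations yields only the small-scale self-write event, because the threshold for the coalesced decryption event is never reached.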
Various concepts of the present disclosure may be implemented in different ways. For example, a file which is known to not have a virus may be input to the emulator and the event chain determined. Although the file does not have a virus, it may still perform actions that the heuristics may determine to be suspicious and thus an event chain can be generated. The event chain for this file can then be appended to the file or stored in a safe location on the computer system. When the file is next scanned for malicious code, the event chain determined by the emulation can then be compared to the file's original event chain. If the event chains are the same [or substantially similar], the file has likely not been corrupted with a virus.
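The baseline comparison just described, as an added example in Python (not code from the patent or from Computer Associates): the known-clean file's event chain is stored, and a later scan's chain is compared with it. "Substantially similar" is not defined on the page, so the similarity measure (`difflib.SequenceMatcher` ratio) and the 0.85 threshold are choices made here; the HMAC tag over the stored chain is likewise this example's way of making the "safe location" tamper-evident, and all names and the sample chains are constructed.

```python
"""Added example: baseline event chain for a known-clean file, stored under an
integrity tag, and compared with the chain from a later scan.
Similarity measure, threshold, HMAC protection and names are this example's choices."""
import difflib
import hashlib
import hmac
import json
from typing import Dict, List, Tuple


def chain_similarity(baseline: List[str], current: List[str]) -> float:
    """1.0 for identical chains; drops as events are inserted, removed or reordered."""
    return difflib.SequenceMatcher(None, baseline, current).ratio()


class BaselineStore:
    """Holds each file's original event chain under an HMAC tag, so that a
    baseline altered in storage is rejected instead of vouching for the file."""
    def __init__(self, key: bytes) -> None:
        self._key = key
        self._entries: Dict[str, Tuple[bytes, str]] = {}

    def _tag(self, file_id: str, payload: bytes) -> str:
        return hmac.new(self._key, file_id.encode() + b"\0" + payload, hashlib.sha256).hexdigest()

    def save(self, file_id: str, chain: List[str]) -> None:
        payload = json.dumps(chain).encode()
        self._entries[file_id] = (payload, self._tag(file_id, payload))

    def load(self, file_id: str) -> List[str]:
        payload, tag = self._entries[file_id]
        if not hmac.compare_digest(tag, self._tag(file_id, payload)):
            raise ValueError(f"baseline for {file_id} failed its integrity check")
        return json.loads(payload)


def rescan_verdict(store: BaselineStore, file_id: str, current: List[str],
                   threshold: float = 0.85) -> Tuple[str, float]:
    """Compare the chain from a fresh emulation with the stored baseline."""
    similarity = chain_similarity(store.load(file_id), current)
    verdict = "unchanged" if similarity >= threshold else "changed"
    return verdict, round(similarity, 3)


# Constructed chains: the clean file's baseline and three later scans.
BASELINE = ["API_CALL", "SELF_WRITE_LAST_SECTION", "API_CALL", "FILE_OPEN"]
RESCAN_SAME = list(BASELINE)
RESCAN_ONE_EXTRA = BASELINE + ["API_CALL"]
RESCAN_DIVERGED = BASELINE + ["DECRYPTION_OCCURRED", "GOAT_FILE_WRITTEN", "API_CALL"]

if __name__ == "__main__":
    store = BaselineStore(key=b"example-key-not-for-production")
    store.save("sample.exe", BASELINE)
    for chain in (RESCAN_SAME, RESCAN_ONE_EXTRA, RESCAN_DIVERGED):
        print(rescan_verdict(store, "sample.exe", chain))
```

One extra event leaves the chains "substantially similar" under this threshold, while a divergent tail of new decryption and goat-file events does not; the threshold is what decides how much benign drift (a patched binary, a different code path) is tolerated before the file is rescanned with the full set of detection algorithms.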
The present disclosure may be conveniently implemented using one or more conventional general purpose digital computers and/or servers programmed according to the teachings of the present specification. Appropriate software coding can readily be prepared by skilled programmers based on the teachings of the present disclosure. The present disclosure may also be implemented by the preparation of application specific integrated circuits or by interconnecting an appropriate network of conventional component circuits.
Numerous additional modifications and variations of the present disclosure are possible in view of the above teachings. It is therefore to be understood that within the scope of the appended claims, the present disclosure may be practiced other than as specifically described herein.
Claims [24]
1. A computer virus detection method comprising:
compiling a list of heuristic events and a chronological order in which they occur;
comparing the list of heuristic events and the chronological order with a defined list of heuristic events occurring in a defined chronological order; and
determining whether a computer virus is present based on a result of said comparing.
2. A computer virus detection method as recited in claim 1, further comprising emulating a target file and determining heuristic events that occur during the emulation and compiling the list of heuristic events based on the determined heuristic events.
3. A computer virus detection method as recited in claim 1, wherein a heuristic event comprises an action that may indicate viral activity.
4. A computer virus detection method as recited in claim 1, wherein if the defined list of heuristic events and the defined chronological order concur with the compiled list of heuristic events and the chronological order in which they occur, it is determined that a virus is present.
5. A computer virus detection method as recited in claim 1, wherein it is determined that a virus is present, when at least some of the heuristic events in the compiled list of heuristic events occur in at least a similar defined order as the defined list of heuristic events.
6. A computer virus detection method as recited in , wherein the defined list of heuristic events are retrieved from a remote website.
7. A computer virus detection method as recited in claim 1, wherein if it is determined that a virus is not present based on the result of the comparing, the list of heuristic events and the chronological order are compared with another defined list of heuristic events occurring in a defined chronological order.
8. A programmed computer system including computer executable code for performing a computer virus detection, said system comprising:
code for compiling a list of heuristic events and a chronological order in which they occur;
code for comparing the list of heuristic events and the chronological order with a defined list of heuristic events occurring in a defined chronological order; and
code for determining whether a computer virus is present based on a result of said comparing.
9. A programmed computer system as recited in claim 8, further comprising code for emulating a target file and determining heuristic events that occur during the emulation.
10. A programmed computer system as recited in claim 8, wherein a heuristic event comprises an action that may indicate viral activity.
11. A programmed computer system as recited in claim 8, wherein if the defined list of heuristic events and the defined chronological order concur with the compiled list of heuristic events and the chronological order in which they occur, it is determined that a virus is present.
12. A programmed computer system as recited in claim 8, wherein it is determined that a virus is present, when at least some of the heuristic events in the compiled list of heuristic events occur in at least a similar defined order as the defined list of heuristic events.
13. A programmed computer system as recited in claim 8, wherein the defined list of heuristic events are retrieved from a remote web site.
14. A programmed computer system as recited in claim 8, wherein if it is determined that a virus is not present based on the result of the comparing, the list of heuristic events and the chronological order are compared with another defined list of heuristic events occurring in a defined chronological order.
15. A computer recording medium including computer executable code for performing a computer virus detection, said computer recording medium comprising:
code for compiling a list of heuristic events and a chronological order in which they occur;
code for comparing the list of heuristic events and the chronological order with a defined list of heuristic events occurring in a defined chronological order; and
code for determining whether a computer virus is present based on a result of said comparing.
16. A computer recording medium as recited in claim 15, further comprising code for emulating a target file and determining heuristic events that occur during the emulation.
17. A computer recording medium as recited in claim 15, wherein a heuristic event comprises an action that may indicate viral activity.
18. A computer recording medium as recited in claim 15, wherein if the defined list of heuristic events and the defined chronological order concur with the compiled list of heuristic events and the chronological order in which they occur, it is determined that a virus is present.
19. A computer recording medium as recited in claim 15, wherein it is determined that a virus is present, when at least some of the heuristic events in the compiled list of heuristic events occur in at least a similar defined order as the defined list of heuristic events.
20. A computer recording medium as recited in claim 15, wherein the defined list of heuristic events are retrieved from a remote website.
21. A computer recording medium as recited in claim 1, wherein if it is determined that a virus is not present based on the result of the comparing, the list of heuristic events and the chronological order are compared with another defined list of heuristic events occurring in a defined chronological order.
22. A computer virus detection method comprising:
compiling a list of possibly viral events and a chronological order in which they occur;
comparing the list of possibly viral events and the chronological order with a defined list of possibly viral events occurring in a defined chronological order; and
determining whether a computer virus is present based on a result of said comparing.
23. A programmed computer system including computer executable code for performing a computer virus detection, said system comprising:
code for compiling a list of possibly viral events and a chronological order in which they occur;
code for comparing the list of possibly viral events and the chronological order with a defined list of possibly viral events occurring in a defined chronological order; and
code for determining whether a computer virus is present based on a result of said comparing.
24. A computer recording medium including computer executable code for performing a computer virus detection, said computer recording medium comprising:
code for compiling a list of possibly viral events and a chronological order in which they occur;
code for comparing the list of possibly viral events and the chronological order with a defined list of possibly viral events occurring in a defined chronological order; and
code for determining whether a computer virus is present based on a result of said comparing.
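The claims above describe a behaviour-signature scheme: a trace of heuristic events is compiled in the order they occur (for instance while emulating the target file, claim 16), compared against one or more defined event lists in a defined order, and judged a match either when every event concurs (claim 18) or when enough of the events occur in a similar order (claim 19); when one defined list does not match, the next is tried (claim 21). The Python below is an added example of that matching logic, not code from the patent or its assignee. The event names, the JSON signature format, the `min_fraction` threshold field and the sample traces are all constructed for illustration; the patent specifies none of them.

```python
"""Ordered heuristic-event matching, an added illustration of the claims above.

Not the patent's own code. Event names, the signature JSON format and the
min_fraction field are constructed assumptions.
"""
import json
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Signature:
    """A defined list of heuristic events in a defined chronological order."""
    name: str
    events: tuple[str, ...]
    # 1.0: every event must occur, in order (claim 18).
    # Lower: "at least some" events in "a similar order" (claim 19).
    min_fraction: float = 1.0


def load_signatures(text: str) -> list[Signature]:
    """Parse defined lists from JSON. The format is an assumption; the patent
    only says the defined lists may be retrieved from a remote site (claim 20),
    so in practice such a feed must be integrity-checked before use."""
    return [Signature(s["name"], tuple(s["events"]), float(s.get("min_fraction", 1.0)))
            for s in json.loads(text)]


def in_order_overlap(observed: Sequence[str], expected: Sequence[str]) -> int:
    """Number of expected events that appear in the observed trace in the same
    relative order (longest common subsequence). Unrelated events interleaved
    in the trace are ignored; the same events in a different order score lower,
    which is what makes the check chronological rather than a set comparison."""
    prev = [0] * (len(expected) + 1)
    for obs in observed:
        cur = [0] * (len(expected) + 1)
        for j, exp in enumerate(expected, start=1):
            cur[j] = prev[j - 1] + 1 if obs == exp else max(prev[j], cur[j - 1])
        prev = cur
    return prev[-1]


def match_fraction(observed: Sequence[str], sig: Signature) -> float:
    """Fraction of the defined list found, in order, in the compiled trace."""
    if not sig.events:
        return 0.0
    return in_order_overlap(observed, sig.events) / len(sig.events)


def detect(observed: Sequence[str], signatures: Sequence[Signature]) -> Optional[tuple[str, float]]:
    """Compare the compiled trace against each defined list in turn, moving on
    when a list does not match (claim 21). Returns (signature name, fraction)
    for the first list whose ordered overlap reaches its threshold, else None."""
    for sig in signatures:
        frac = match_fraction(observed, sig)
        if frac >= sig.min_fraction:
            return sig.name, frac
    return None


# Constructed signature set with hypothetical event names.
SIGNATURES_JSON = """[
  {"name": "file-infector",
   "events": ["open_executable", "seek_end", "write_file", "patch_entry_point", "close_file"]},
  {"name": "mass-mailer",
   "events": ["read_address_book", "open_smtp_socket", "send_mail", "send_mail"],
   "min_fraction": 0.75}
]"""
SIGNATURES = load_signatures(SIGNATURES_JSON)

# Constructed event traces, as an emulator of a target file might record them.
TRACE_INFECTOR = ["find_first_file", "open_executable", "seek_end", "write_file",
                  "patch_entry_point", "close_file", "find_next_file"]
# Same five events as the file-infector list, but in a different order.
TRACE_SHUFFLED = ["close_file", "write_file", "patch_entry_point", "seek_end", "open_executable"]
TRACE_MAILER_PARTIAL = ["read_address_book", "open_smtp_socket", "send_mail"]
TRACE_BENIGN = ["open_executable", "read_file", "close_file"]

if __name__ == "__main__":
    for label, trace in [("infector", TRACE_INFECTOR), ("shuffled", TRACE_SHUFFLED),
                         ("mailer-partial", TRACE_MAILER_PARTIAL), ("benign", TRACE_BENIGN)]:
        print(f"{label:15s} -> {detect(trace, SIGNATURES)}")
```

The shuffled trace contains exactly the same events as the file-infector list yet is not flagged, because only two of the five occur in the defined order; that is the difference between the ordered comparison the claims describe and a plain presence check. A threshold below 1.0 implements claim 19's "similar order" and trades false positives for resilience against a sample that skips or substitutes a step, so the threshold per defined list is a tuning decision, not a constant.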
Priority Applications [1]
US10/449,586 US7231667B2 [en] | 2003-05-29 | 2003-05-29 | System and method for computer virus detection utilizing heuristic analysis |
Publications [2]
US20040243829A1 US20040243829A1 [en] | 2004-12-02 |
US7231667B2 true US7231667B2 [en] | 2007-06-12 |
Family
ID=33451823
Family Applications [1]
US10/449,586 Active 2025-07-06 US7231667B2 [en] | 2003-05-29 | 2003-05-29 | System and method for computer virus detection utilizing heuristic analysis |
Country Status [1]
US [1] | US7231667B2 [en] |
Cited By [158]
* Cited by examiner, † Cited by third party
US20050206650A1 [en] * | 2004-03-16 | 2005-09-22 | Nazzal Robert N | Service detection |
US20060137012A1 [en] * | 2004-12-16 | 2006-06-22 | Aaron Jeffrey A | Methods and systems for deceptively trapping electronic worms |
US20070113281A1 [en] * | 2003-10-31 | 2007-05-17 | John Leach | Method used in the control of a physical system affected by threats |
US20070168982A1 [en] * | 2006-01-18 | 2007-07-19 | Horne Jefferson D | Method and system for detecting obfuscatory pestware in a computer memory |
US20070243357A1 [en] * | 2006-03-30 | 2007-10-18 | Ngk Insulators, Ltd. | Honeycomb structure and method of producing the same |
US20070250930A1 [en] * | 2004-04-01 | 2007-10-25 | Ashar Aziz | Virtual machine with dynamic data flow analysis |
US20080005782A1 [en] * | 2004-04-01 | 2008-01-03 | Ashar Aziz | Heuristic based capture with replay to virtual machine |
US20090089040A1 [en] * | 2007-10-02 | 2009-04-02 | Monastyrsky Alexey V | System and method for detecting multi-component malware |
US7539871B1 [en] * | 2004-02-23 | 2009-05-26 | Sun Microsystems, Inc. | System and method for identifying message propagation |
US20100192223A1 [en] * | 2004-04-01 | 2010-07-29 | Osman Abdoul Ismael | Detecting Malicious Network Content Using Virtual Environment Components |
US20110078794A1 [en] * | 2009-09-30 | 2011-03-31 | Jayaraman Manni | Network-Based Binary File Extraction and Analysis for Malware Detection |
US8006305B2 [en] | 2004-06-14 | 2011-08-23 | Fireeye, Inc. | Computer worm defense system and method |
US20120150887A1 [en] * | 2010-12-08 | 2012-06-14 | Clark Christopher F | Pattern matching |
US8204984B1 [en] | 2004-04-01 | 2012-06-19 | Fireeye, Inc. | Systems and methods for detecting encrypted bot command and control communication channels |
US8375444B2 [en] | 2006-04-20 | 2013-02-12 | Fireeye, Inc. | Dynamic signature creation and enforcement |
US8528086B1 [en] | 2004-04-01 | 2013-09-03 | Fireeye, Inc. | System and method of detecting computer worms |
US8539582B1 [en] | 2004-04-01 | 2013-09-17 | Fireeye, Inc. | Malware containment and security analysis on connection |
US8549638B2 [en] | 2004-06-14 | 2013-10-01 | Fireeye, Inc. | System and method of containing computer worms |
US8561177B1 [en] | 2004-04-01 | 2013-10-15 | Fireeye, Inc. | Systems and methods for detecting communication channels of bots |
US8566946B1 [en] | 2006-04-20 | 2013-10-22 | Fireeye, Inc. | Malware containment on connection |
US8850571B2 [en] | 2008-11-03 | 2014-09-30 | Fireeye, Inc. | Systems and methods for detecting malicious network content |
US8881282B1 [en] | 2004-04-01 | 2014-11-04 | Fireeye, Inc. | Systems and methods for malware attack detection and identification |
US8898788B1 [en] | 2004-04-01 | 2014-11-25 | Fireeye, Inc. | Systems and methods for malware attack prevention |
US8990944B1 [en] | 2013-02-23 | 2015-03-24 | Fireeye, Inc. | Systems and methods for automatically detecting backdoors |
US8997219B2 [en] | 2008-11-03 | 2015-03-31 | Fireeye, Inc. | Systems and methods for detecting malicious PDF network content |
US9009822B1 [en] | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for multi-phase analysis of mobile applications |
US9009823B1 [en] | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications installed on mobile devices |
US9027135B1 [en] | 2004-04-01 | 2015-05-05 | Fireeye, Inc. | Prospective client identification using malware attack detection |
US9104867B1 [en] | 2013-03-13 | 2015-08-11 | Fireeye, Inc. | Malicious content analysis using simulated user interaction without user involvement |
US9106694B2 [en] | 2004-04-01 | 2015-08-11 | Fireeye, Inc. | Electronic message analysis for malware detection |
US9159035B1 [en] | 2013-02-23 | 2015-10-13 | Fireeye, Inc. | Framework for computer application analysis of sensitive information tracking |
US9171160B2 [en] | 2013-09-30 | 2015-10-27 | Fireeye, Inc. | Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses |
US9176843B1 [en] | 2013-02-23 | 2015-11-03 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications |
US9189627B1 [en] | 2013-11-21 | 2015-11-17 | Fireeye, Inc. | System, apparatus and method for conducting on-the-fly decryption of encrypted objects for malware detection |
US9195829B1 [en] | 2013-02-23 | 2015-11-24 | Fireeye, Inc. | User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications |
US9223972B1 [en] | 2014-03-31 | 2015-12-29 | Fireeye, Inc. | Dynamically remote tuning of a malware content detection system |
US9241010B1 [en] | 2014-03-20 | 2016-01-19 | Fireeye, Inc. | System and method for network behavior detection |
US9251343B1 [en] | 2013-03-15 | 2016-02-02 | Fireeye, Inc. | Detecting bootkits resident on compromised computers |
US9262635B2 [en] | 2014-02-05 | 2016-02-16 | Fireeye, Inc. | Detection efficacy of virtual machine-based analysis with application specific events |
US9294501B2 [en] | 2013-09-30 | 2016-03-22 | Fireeye, Inc. | Fuzzy hash of behavioral results |
US9300686B2 [en] | 2013-06-28 | 2016-03-29 | Fireeye, Inc. | System and method for detecting malicious links in electronic messages |
US9306974B1 [en] | 2013-12-26 | 2016-04-05 | Fireeye, Inc. | System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits |
US9311479B1 [en] | 2013-03-14 | 2016-04-12 | Fireeye, Inc. | Correlation and consolidation of analytic data for holistic view of a malware attack |
US9355247B1 [en] | 2013-03-13 | 2016-05-31 | Fireeye, Inc. | File extraction from memory dump for malicious content analysis |
US9363280B1 [en] | 2014-08-22 | 2016-06-07 | Fireeye, Inc. | System and method of detecting delivery of malware using cross-customer data |
US9367681B1 [en] | 2013-02-23 | 2016-06-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications using symbolic execution to reach regions of interest within an application |
US9398028B1 [en] | 2014-06-26 | 2016-07-19 | Fireeye, Inc. | System, device and method for detecting a malicious attack based on communcations between remotely hosted virtual machines and malicious web servers |
US9432389B1 [en] | 2014-03-31 | 2016-08-30 | Fireeye, Inc. | System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object |
US9430646B1 [en] | 2013-03-14 | 2016-08-30 | Fireeye, Inc. | Distributed systems and methods for automatically detecting unknown bots and botnets |
US9438623B1 [en] | 2014-06-06 | 2016-09-06 | Fireeye, Inc. | Computer exploit detection using heap spray pattern matching |
US9438613B1 [en] | 2015-03-30 | 2016-09-06 | Fireeye, Inc. | Dynamic content activation for automated analysis of embedded objects |
US9483644B1 [en] | 2015-03-31 | 2016-11-01 | Fireeye, Inc. | Methods for detecting file altering malware in VM based analysis |
US9495180B2 [en] | 2013-05-10 | 2016-11-15 | Fireeye, Inc. | Optimized resource allocation for virtual machines within a malware content detection system |
US9519782B2 [en] | 2012-02-24 | 2016-12-13 | Fireeye, Inc. | Detecting malicious network content |
US9536091B2 [en] | 2013-06-24 | 2017-01-03 | Fireeye, Inc. | System and method for detecting time-bomb malware |
US9565202B1 [en] | 2013-03-13 | 2017-02-07 | Fireeye, Inc. | System and method for detecting exfiltration content |
US9591015B1 [en] | 2014-03-28 | 2017-03-07 | Fireeye, Inc. | System and method for offloading packet processing and static analysis operations |
US9594904B1 [en] | 2015-04-23 | 2017-03-14 | Fireeye, Inc. | Detecting malware based on reflection |
US9594912B1 [en] | 2014-06-06 | 2017-03-14 | Fireeye, Inc. | Return-oriented programming detection |
US9628498B1 [en] | 2004-04-01 | 2017-04-18 | Fireeye, Inc. | System and method for bot detection |
US9628507B2 [en] | 2013-09-30 | 2017-04-18 | Fireeye, Inc. | Advanced persistent threat [APT] detection center |
US9626509B1 [en] | 2013-03-13 | 2017-04-18 | Fireeye, Inc. | Malicious content analysis with multi-version application support within single operating environment |
US9635039B1 [en] | 2013-05-13 | 2017-04-25 | Fireeye, Inc. | Classifying sets of malicious indicators for detecting command and control communications associated with malware |
US9690606B1 [en] | 2015-03-25 | 2017-06-27 | Fireeye, Inc. | Selective system call monitoring |
US9690936B1 [en] | 2013-09-30 | 2017-06-27 | Fireeye, Inc. | Multistage system and method for analyzing obfuscated content for malware |
US9690933B1 [en] | 2014-12-22 | 2017-06-27 | Fireeye, Inc. | Framework for classifying an object as malicious with machine learning for deploying updated predictive models |
US9736179B2 [en] | 2013-09-30 | 2017-08-15 | Fireeye, Inc. | System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection |
US9742796B1 [en] | 2015-09-18 | 2017-08-22 | Palo Alto Networks, Inc. | Automatic repair of corrupt files for a detonation engine |
US9747446B1 [en] | 2013-12-26 | 2017-08-29 | Fireeye, Inc. | System and method for run-time object classification |
US9773112B1 [en] | 2014-09-29 | 2017-09-26 | Fireeye, Inc. | Exploit detection of malware and malware families |
US9824216B1 [en] | 2015-12-31 | 2017-11-21 | Fireeye, Inc. | Susceptible environment detection system |
US9825976B1 [en] | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Detection and classification of exploit kits |
US9824209B1 [en] | 2013-02-23 | 2017-11-21 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications that is usable to harden in the field code |
US9825989B1 [en] | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Cyber attack early warning system |
US9838417B1 [en] | 2014-12-30 | 2017-12-05 | Fireeye, Inc. | Intelligent context aware user interaction for malware detection |
US9888016B1 [en] | 2013-06-28 | 2018-02-06 | Fireeye, Inc. | System and method for detecting phishing using password prediction |
US9921978B1 [en] | 2013-11-08 | 2018-03-20 | Fireeye, Inc. | System and method for enhanced security of storage devices |
US9973531B1 [en] | 2014-06-06 | 2018-05-15 | Fireeye, Inc. | Shellcode detection |
US10027689B1 [en] | 2014-09-29 | 2018-07-17 | Fireeye, Inc. | Interactive infection visualization for improved exploit detection and signature generation for malware and malware families |
US10033747B1 [en] | 2015-09-29 | 2018-07-24 | Fireeye, Inc. | System and method for detecting interpreter-based exploit attacks |
US10050998B1 [en] | 2015-12-30 | 2018-08-14 | Fireeye, Inc. | Malicious message analysis system |
US10075455B2 [en] | 2014-12-26 | 2018-09-11 | Fireeye, Inc. | Zero-day rotating guest image profile |
US10084813B2 [en] | 2014-06-24 | 2018-09-25 | Fireeye, Inc. | Intrusion prevention and remedy system |
US10089461B1 [en] | 2013-09-30 | 2018-10-02 | Fireeye, Inc. | Page replacement code injection |
US10133863B2 [en] | 2013-06-24 | 2018-11-20 | Fireeye, Inc. | Zero-day discovery system |
US10133866B1 [en] | 2015-12-30 | 2018-11-20 | Fireeye, Inc. | System and method for triggering analysis of an object for malware in response to modification of that object |
US10148693B2 [en] | 2015-03-25 | 2018-12-04 | Fireeye, Inc. | Exploit detection system |
US10169585B1 [en] | 2016-06-22 | 2019-01-01 | Fireeye, Inc. | System and methods for advanced malware detection through placement of transition events |
US10176321B2 [en] | 2015-09-22 | 2019-01-08 | Fireeye, Inc. | Leveraging behavior-based rules for malware family classification |
US10192052B1 [en] | 2013-09-30 | 2019-01-29 | Fireeye, Inc. | System, apparatus and method for classifying a file as malicious using static scanning |
US10210329B1 [en] | 2015-09-30 | 2019-02-19 | Fireeye, Inc. | Method to detect application execution hijacking using memory protection |
US10242185B1 [en] | 2014-03-21 | 2019-03-26 | Fireeye, Inc. | Dynamic guest image creation and rollback |
US10284575B2 [en] | 2015-11-10 | 2019-05-07 | Fireeye, Inc. | Launcher for setting analysis environment variations for malware detection |
US10341365B1 [en] | 2015-12-30 | 2019-07-02 | Fireeye, Inc. | Methods and system for hiding transition events for malware detection |
US10417031B2 [en] | 2015-03-31 | 2019-09-17 | Fireeye, Inc. | Selective virtualization for security threat detection |
US10447728B1 [en] | 2015-12-10 | 2019-10-15 | Fireeye, Inc. | Technique for protecting guest processes using a layered virtualization architecture |
US10454950B1 [en] | 2015-06-30 | 2019-10-22 | Fireeye, Inc. | Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks |
US10462173B1 [en] | 2016-06-30 | 2019-10-29 | Fireeye, Inc. | Malware detection verification and enhancement by coordinating endpoint and malware detection systems |
US10474813B1 [en] | 2015-03-31 | 2019-11-12 | Fireeye, Inc. | Code injection technique for remediation at an endpoint of a network |
US10476906B1 [en] | 2016-03-25 | 2019-11-12 | Fireeye, Inc. | System and method for managing formation and modification of a cluster within a malware detection system |
US10491627B1 [en] | 2016-09-29 | 2019-11-26 | Fireeye, Inc. | Advanced malware detection using similarity analysis |
US10503904B1 [en] | 2017-06-29 | 2019-12-10 | Fireeye, Inc. | Ransomware detection and mitigation |
US10515214B1 [en] | 2013-09-30 | 2019-12-24 | Fireeye, Inc. | System and method for classifying malware within content created during analysis of a specimen |
US10523609B1 [en] | 2016-12-27 | 2019-12-31 | Fireeye, Inc. | Multi-vector malware detection and analysis |
US10528726B1 [en] | 2014-12-29 | 2020-01-07 | Fireeye, Inc. | Microvisor-based malware detection appliance architecture |
US10552610B1 [en] | 2016-12-22 | 2020-02-04 | Fireeye, Inc. | Adaptive virtual machine snapshot update framework for malware behavioral analysis |
US10554507B1 [en] | 2017-03-30 | 2020-02-04 | Fireeye, Inc. | Multi-level control for enhanced resource and object evaluation management of malware detection system |
US10565378B1 [en] | 2015-12-30 | 2020-02-18 | Fireeye, Inc. | Exploit of privilege detection framework |
US10572665B2 [en] | 2012-12-28 | 2020-02-25 | Fireeye, Inc. | System and method to create a number of breakpoints in a virtual machine via virtual machine trapping events |
US10581874B1 [en] | 2015-12-31 | 2020-03-03 | Fireeye, Inc. | Malware detection system with contextual analysis |
US10581879B1 [en] | 2016-12-22 | 2020-03-03 | Fireeye, Inc. | Enhanced malware detection for generated objects |
US10587647B1 [en] | 2016-11-22 | 2020-03-10 | Fireeye, Inc. | Technique for malware detection capability comparison of network security devices |
US10592678B1 [en] | 2016-09-09 | 2020-03-17 | Fireeye, Inc. | Secure communications between peers using a verified virtual trusted platform module |
US10601863B1 [en] | 2016-03-25 | 2020-03-24 | Fireeye, Inc. | System and method for managing sensor enrollment |
US10601865B1 [en] | 2015-09-30 | 2020-03-24 | Fireeye, Inc. | Detection of credential spearphishing attacks using email analysis |
US10601848B1 [en] | 2017-06-29 | 2020-03-24 | Fireeye, Inc. | Cyber-security system and method for weak indicator detection and correlation to generate strong indicators |
US10642753B1 [en] | 2015-06-30 | 2020-05-05 | Fireeye, Inc. | System and method for protecting a software component running in virtual machine using a virtualization layer |
US10671726B1 [en] | 2014-09-22 | 2020-06-02 | Fireeye Inc. | System and method for malware analysis using thread-level event monitoring |
US10671721B1 [en] | 2016-03-25 | 2020-06-02 | Fireeye, Inc. | Timeout management services |
US10701091B1 [en] | 2013-03-15 | 2020-06-30 | Fireeye, Inc. | System and method for verifying a cyberthreat |
US10706149B1 [en] | 2015-09-30 | 2020-07-07 | Fireeye, Inc. | Detecting delayed activation malware using a primary controller and plural time controllers |
US10713358B2 [en] | 2013-03-15 | 2020-07-14 | Fireeye, Inc. | System and method to extract and utilize disassembly features to classify software intent |
US10715542B1 [en] | 2015-08-14 | 2020-07-14 | Fireeye, Inc. | Mobile application risk analysis |
US10726127B1 [en] | 2015-06-30 | 2020-07-28 | Fireeye, Inc. | System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer |
US10728263B1 [en] | 2015-04-13 | 2020-07-28 | Fireeye, Inc. | Analytic-based security monitoring system and method |
US10740456B1 [en] | 2014-01-16 | 2020-08-11 | Fireeye, Inc. | Threat-aware architecture |
US10747872B1 [en] | 2017-09-27 | 2020-08-18 | Fireeye, Inc. | System and method for preventing malware evasion |
US10785255B1 [en] | 2016-03-25 | 2020-09-22 | Fireeye, Inc. | Cluster configuration within a scalable malware detection system |
US10791138B1 [en] | 2017-03-30 | 2020-09-29 | Fireeye, Inc. | Subscription-based malware detection |
US10798112B2 [en] | 2017-03-30 | 2020-10-06 | Fireeye, Inc. | Attribute-controlled malware detection |
US10795991B1 [en] | 2016-11-08 | 2020-10-06 | Fireeye, Inc. | Enterprise search |
US10805346B2 [en] | 2017-10-01 | 2020-10-13 | Fireeye, Inc. | Phishing attack detection |
US10805340B1 [en] | 2014-06-26 | 2020-10-13 | Fireeye, Inc. | Infection vector and malware tracking with an interactive user display |
US10817606B1 [en] | 2015-09-30 | 2020-10-27 | Fireeye, Inc. | Detecting delayed activation malware using a run-time monitoring agent and time-dilation logic |
US10826931B1 [en] | 2018-03-29 | 2020-11-03 | Fireeye, Inc. | System and method for predicting and mitigating cybersecurity system misconfigurations |
US10846117B1 [en] | 2015-12-10 | 2020-11-24 | Fireeye, Inc. | Technique for establishing secure communication between host and guest processes of a virtualization architecture |
US10855700B1 [en] | 2017-06-29 | 2020-12-01 | Fireeye, Inc. | Post-intrusion detection of cyber-attacks during lateral movement within networks |
US10893059B1 [en] | 2016-03-31 | 2021-01-12 | Fireeye, Inc. | Verification and enhancement using detection systems located at the network periphery and endpoint devices |
US10893068B1 [en] | 2017-06-30 | 2021-01-12 | Fireeye, Inc. | Ransomware file modification prevention technique |
US10902119B1 [en] | 2017-03-30 | 2021-01-26 | Fireeye, Inc. | Data extraction system for malware analysis |
US10904286B1 [en] | 2017-03-24 | 2021-01-26 | Fireeye, Inc. | Detection of phishing attacks using similarity analysis |
US10956477B1 [en] | 2018-03-30 | 2021-03-23 | Fireeye, Inc. | System and method for detecting malicious scripts through natural language processing modeling |
US11003773B1 [en] | 2018-03-30 | 2021-05-11 | Fireeye, Inc. | System and method for automatically generating malware detection rule recommendations |
US11005860B1 [en] | 2017-12-28 | 2021-05-11 | Fireeye, Inc. | Method and system for efficient cybersecurity analysis of endpoint events |
US11075930B1 [en] | 2018-06-27 | 2021-07-27 | Fireeye, Inc. | System and method for detecting repetitive cybersecurity attacks constituting an email campaign |
US11108809B2 [en] | 2017-10-27 | 2021-08-31 | Fireeye, Inc. | System and method for analyzing binary code for malware classification using artificial neural network techniques |
US11113086B1 [en] | 2015-06-30 | 2021-09-07 | Fireeye, Inc. | Virtual system and method for securing external network connectivity |
US11182473B1 [en] | 2018-09-13 | 2021-11-23 | Fireeye Security Holdings Us Llc | System and method for mitigating cyberattacks against processor operability by a guest process |
US11200080B1 [en] | 2015-12-11 | 2021-12-14 | Fireeye Security Holdings Us Llc | Late load technique for deploying a virtualization layer underneath a running operating system |
US11228491B1 [en] | 2018-06-28 | 2022-01-18 | Fireeye Security Holdings Us Llc | System and method for distributed cluster configuration monitoring and management |
US11240275B1 [en] | 2017-12-28 | 2022-02-01 | Fireeye Security Holdings Us Llc | Platform and method for performing cybersecurity analyses employing an intelligence hub with a modular architecture |
US11244056B1 [en] | 2014-07-01 | 2022-02-08 | Fireeye Security Holdings Us Llc | Verification of trusted threat-aware visualization layer |
US11258806B1 [en] | 2019-06-24 | 2022-02-22 | Mandiant, Inc. | System and method for automatically associating cybersecurity intelligence to cyberthreat actors |
US11271955B2 [en] | 2017-12-28 | 2022-03-08 | Fireeye Security Holdings Us Llc | Platform and method for retroactive reclassification employing a cybersecurity-based global data store |
US11314859B1 [en] | 2018-06-27 | 2022-04-26 | FireEye Security Holdings, Inc. | Cyber-security system and method for detecting escalation of privileges within an access token |
US11316900B1 [en] | 2018-06-29 | 2022-04-26 | FireEye Security Holdings Inc. | System and method for automatically prioritizing rules for cyber-threat detection and mitigation |
US11368475B1 [en] | 2018-12-21 | 2022-06-21 | Fireeye Security Holdings Us Llc | System and method for scanning remote services to locate stored objects with malware |
US11392700B1 [en] | 2019-06-28 | 2022-07-19 | Fireeye Security Holdings Us Llc | System and method for supporting cross-platform data verification |
Families Citing this family [22]
* Cited by examiner, † Cited by third party
US20060015940A1 [en] * | 2004-07-14 | 2006-01-19 | Shay Zamir | Method for detecting unwanted executables |
US7698744B2 [en] * | 2004-12-03 | 2010-04-13 | Whitecell Software Inc. | Secure system for allowing the execution of authorized computer program code |
US7571476B2 [en] * | 2005-04-14 | 2009-08-04 | Webroot Software, Inc. | System and method for scanning memory for pestware |
US7591016B2 [en] * | 2005-04-14 | 2009-09-15 | Webroot Software, Inc. | System and method for scanning memory for pestware offset signatures |
US7349931B2 [en] | 2005-04-14 | 2008-03-25 | Webroot Software, Inc. | System and method for scanning obfuscated files for pestware |
US7895651B2 [en] | 2005-07-29 | 2011-02-22 | Bit 9, Inc. | Content tracking in a network security system |
US8984636B2 [en] | 2005-07-29 | 2015-03-17 | Bit9, Inc. | Content extractor and analysis system |
US8272058B2 [en] | 2005-07-29 | 2012-09-18 | Bit 9, Inc. | Centralized timed analysis in a network security system |
US8190868B2 [en] | 2006-08-07 | 2012-05-29 | Webroot Inc. | Malware management through kernel detection |
US7870612B2 [en] * | 2006-09-11 | 2011-01-11 | Fujian Eastern Micropoint Info-Tech Co., Ltd | Antivirus protection system and method for computers |
US8434151B1 [en] * | 2008-01-04 | 2013-04-30 | International Business Machines Corporation | Detecting malicious software |
US8495735B1 [en] * | 2008-12-30 | 2013-07-23 | Uab Research Foundation | System and method for conducting a non-exact matching analysis on a phishing website |
US8468597B1 [en] * | 2008-12-30 | 2013-06-18 | Uab Research Foundation | System and method for identifying a phishing website |
US9396279B1 [en] | 2009-02-17 | 2016-07-19 | Jpmorgan Chase Bank, Na | Collaborative virtual markup |
EP2230616B1 [en] * | 2009-03-16 | 2017-10-25 | AO Kaspersky Lab | System and method for detecting multi-component malware |
US8590045B2 [en] * | 2009-10-07 | 2013-11-19 | F-Secure Oyj | Malware detection by application monitoring |
US8352522B1 [en] * | 2010-09-01 | 2013-01-08 | Trend Micro Incorporated | Detection of file modifications performed by malicious codes |
US8832835B1 [en] * | 2010-10-28 | 2014-09-09 | Symantec Corporation | Detecting and remediating malware dropped by files |
AU2012282792B2 [en] * | 2011-07-08 | 2015-07-30 | Uab Research Foundation | Syntactical fingerprinting |
US9104864B2 [en] | 2012-10-24 | 2015-08-11 | Sophos Limited | Threat detection through the accumulated detection of threat characteristics |
CN108804925B [en] * | 2015-05-27 | 2022-02-01 | 北京百度网讯科技有限公司 | Method and system for detecting malicious code |
KR101715759B1 [en] * | 2015-09-22 | 2017-03-15 | 한국전자통신연구원 | Apparatus and method for analysing malicious code in multi core environments |
Citations [3]
* Cited by examiner, † Cited by third party
US6457008B1 [en] * | 1998-08-28 | 2002-09-24 | Oracle Corporation | Pluggable resource scheduling policies |
US6711583B2 [en] * | 1998-09-30 | 2004-03-23 | International Business Machines Corporation | System and method for detecting and repairing document-infecting viruses using dynamic heuristics |
US7093135B1 [en] * | 2000-05-11 | 2006-08-15 | Cybersoft, Inc. | Software virus detection methods and apparatus |
Legal events: 2003-05-29 | US10/449,586 filed (US7231667B2) | Active
Cited By [276]
* Cited by examiner, † Cited by third party
US20070113281A1 [en] * | 2003-10-31 | 2007-05-17 | John Leach | Method used in the control of a physical system affected by threats |
US7539871B1 [en] * | 2004-02-23 | 2009-05-26 | Sun Microsystems, Inc. | System and method for identifying message propagation |
US7698730B2 [en] * | 2004-03-16 | 2010-04-13 | Riverbed Technology, Inc. | Service detection |
US20050206650A1 [en] * | 2004-03-16 | 2005-09-22 | Nazzal Robert N | Service detection |
US8204984B1 [en] | 2004-04-01 | 2012-06-19 | Fireeye, Inc. | Systems and methods for detecting encrypted bot command and control communication channels |
US10027690B2 [en] | 2004-04-01 | 2018-07-17 | Fireeye, Inc. | Electronic message analysis for malware detection |
US20080005782A1 [en] * | 2004-04-01 | 2008-01-03 | Ashar Aziz | Heuristic based capture with replay to virtual machine |
US10567405B1 [en] | 2004-04-01 | 2020-02-18 | Fireeye, Inc. | System for detecting a presence of malware from behavioral analysis |
US11082435B1 [en] | 2004-04-01 | 2021-08-03 | Fireeye, Inc. | System and method for threat detection and identification |
US8528086B1 [en] | 2004-04-01 | 2013-09-03 | Fireeye, Inc. | System and method of detecting computer worms |
US9628498B1 [en] | 2004-04-01 | 2017-04-18 | Fireeye, Inc. | System and method for bot detection |
US10165000B1 [en] | 2004-04-01 | 2018-12-25 | Fireeye, Inc. | Systems and methods for malware attack prevention by intercepting flows of information |
US10068091B1 [en] | 2004-04-01 | 2018-09-04 | Fireeye, Inc. | System and method for malware containment |
US10587636B1 [en] | 2004-04-01 | 2020-03-10 | Fireeye, Inc. | System and method for bot detection |
US10757120B1 [en] | 2004-04-01 | 2020-08-25 | Fireeye, Inc. | Malicious network content detection |
US9838411B1 [en] | 2004-04-01 | 2017-12-05 | Fireeye, Inc. | Subscriber based protection system |
US20100192223A1 [en] * | 2004-04-01 | 2010-07-29 | Osman Abdoul Ismael | Detecting Malicious Network Content Using Virtual Environment Components |
US10097573B1 [en] | 2004-04-01 | 2018-10-09 | Fireeye, Inc. | Systems and methods for malware defense |
US9591020B1 [en] | 2004-04-01 | 2017-03-07 | Fireeye, Inc. | System and method for signature generation |
US9516057B2 [en] | 2004-04-01 | 2016-12-06 | Fireeye, Inc. | Systems and methods for computer worm defense |
US8171553B2 [en] * | 2004-04-01 | 2012-05-01 | Fireeye, Inc. | Heuristic based capture with replay to virtual machine |
US11153341B1 [en] | 2004-04-01 | 2021-10-19 | Fireeye, Inc. | System and method for detecting malicious network content using virtual environment components |
US9027135B1 [en] | 2004-04-01 | 2015-05-05 | Fireeye, Inc. | Prospective client identification using malware attack detection |
US8291499B2 [en] | 2004-04-01 | 2012-10-16 | Fireeye, Inc. | Policy based capture with replay to virtual machine |
US9661018B1 [en] | 2004-04-01 | 2017-05-23 | Fireeye, Inc. | System and method for detecting anomalous behaviors using a virtual machine environment |
US20070250930A1 [en] * | 2004-04-01 | 2007-10-25 | Ashar Aziz | Virtual machine with dynamic data flow analysis |
US10623434B1 [en] | 2004-04-01 | 2020-04-14 | Fireeye, Inc. | System and method for virtual analysis of network data |
US8539582B1 [en] | 2004-04-01 | 2013-09-17 | Fireeye, Inc. | Malware containment and security analysis on connection |
US9912684B1 [en] | 2004-04-01 | 2018-03-06 | Fireeye, Inc. | System and method for virtual analysis of network data |
US8561177B1 [en] | 2004-04-01 | 2013-10-15 | Fireeye, Inc. | Systems and methods for detecting communication channels of bots |
US9356944B1 [en] | 2004-04-01 | 2016-05-31 | Fireeye, Inc. | System and method for detecting malicious traffic using a virtual machine configured with a select software environment |
US8584239B2 [en] | 2004-04-01 | 2013-11-12 | Fireeye, Inc. | Virtual machine with dynamic data flow analysis |
US8635696B1 [en] | 2004-04-01 | 2014-01-21 | Fireeye, Inc. | System and method of detecting time-delayed malicious traffic |
US8776229B1 [en] | 2004-04-01 | 2014-07-08 | Fireeye, Inc. | System and method of detecting malicious traffic while reducing false positives |
US8793787B2 [en] | 2004-04-01 | 2014-07-29 | Fireeye, Inc. | Detecting malicious network content using virtual environment components |
US9306960B1 [en] | 2004-04-01 | 2016-04-05 | Fireeye, Inc. | Systems and methods for unauthorized activity defense |
US10511614B1 [en] | 2004-04-01 | 2019-12-17 | Fireeye, Inc. | Subscription based malware detection under management system control |
US8881282B1 [en] | 2004-04-01 | 2014-11-04 | Fireeye, Inc. | Systems and methods for malware attack detection and identification |
US8898788B1 [en] | 2004-04-01 | 2014-11-25 | Fireeye, Inc. | Systems and methods for malware attack prevention |
US9282109B1 [en] | 2004-04-01 | 2016-03-08 | Fireeye, Inc. | System and method for analyzing packets |
US8984638B1 [en] | 2004-04-01 | 2015-03-17 | Fireeye, Inc. | System and method for analyzing suspicious network data |
US10284574B1 [en] | 2004-04-01 | 2019-05-07 | Fireeye, Inc. | System and method for threat detection and identification |
US9197664B1 [en] | 2004-04-01 | 2015-11-24 | Fire Eye, Inc. | System and method for malware containment |
US9106694B2 [en] | 2004-04-01 | 2015-08-11 | Fireeye, Inc. | Electronic message analysis for malware detection |
US9071638B1 [en] | 2004-04-01 | 2015-06-30 | Fireeye, Inc. | System and method for malware containment |
US8549638B2 [en] | 2004-06-14 | 2013-10-01 | Fireeye, Inc. | System and method of containing computer worms |
US9838416B1 [en] | 2004-06-14 | 2017-12-05 | Fireeye, Inc. | System and method of detecting malicious content |
US8006305B2 [en] | 2004-06-14 | 2011-08-23 | Fireeye, Inc. | Computer worm defense system and method |
US20060137012A1 [en] * | 2004-12-16 | 2006-06-22 | Aaron Jeffrey A | Methods and systems for deceptively trapping electronic worms |
US7810158B2 [en] * | 2004-12-16 | 2010-10-05 | At&T Intellectual Property I, L.P. | Methods and systems for deceptively trapping electronic worms |
US8418245B2 [en] * | 2006-01-18 | 2013-04-09 | Webroot Inc. | Method and system for detecting obfuscatory pestware in a computer memory |
US20070168982A1 [en] * | 2006-01-18 | 2007-07-19 | Horne Jefferson D | Method and system for detecting obfuscatory pestware in a computer memory |
US20070243357A1 [en] * | 2006-03-30 | 2007-10-18 | Ngk Insulators, Ltd. | Honeycomb structure and method of producing the same |
US8566946B1 [en] | 2006-04-20 | 2013-10-22 | Fireeye, Inc. | Malware containment on connection |
US8375444B2 [en] | 2006-04-20 | 2013-02-12 | Fireeye, Inc. | Dynamic signature creation and enforcement |
US7620992B2 [en] | 2007-10-02 | 2009-11-17 | Kaspersky Lab Zao | System and method for detecting multi-component malware |
US20090126016A1 [en] * | 2007-10-02 | 2009-05-14 | Andrey Sobko | System and method for detecting multi-component malware |
US20090126015A1 [en] * | 2007-10-02 | 2009-05-14 | Monastyrsky Alexey V | System and method for detecting multi-component malware |
US7559086B2 [en] | 2007-10-02 | 2009-07-07 | Kaspersky Lab, Zao | System and method for detecting multi-component malware |
US7614084B2 [en] | 2007-10-02 | 2009-11-03 | Kaspersky Lab Zao | System and method for detecting multi-component malware |
US20090089878A1 [en] * | 2007-10-02 | 2009-04-02 | Monastyrsky Alexey V | System and Method for Detecting Multi-Component Malware |
US20090089040A1 [en] * | 2007-10-02 | 2009-04-02 | Monastyrsky Alexey V | System and method for detecting multi-component malware |
US8990939B2 [en] | 2008-11-03 | 2015-03-24 | Fireeye, Inc. | Systems and methods for scheduling analysis of network content for malware |
US8850571B2 [en] | 2008-11-03 | 2014-09-30 | Fireeye, Inc. | Systems and methods for detecting malicious network content |
US9954890B1 [en] | 2008-11-03 | 2018-04-24 | Fireeye, Inc. | Systems and methods for analyzing PDF documents |
US9118715B2 [en] | 2008-11-03 | 2015-08-25 | Fireeye, Inc. | Systems and methods for detecting malicious PDF network content |
US9438622B1 [en] | 2008-11-03 | 2016-09-06 | Fireeye, Inc. | Systems and methods for analyzing malicious PDF network content |
US8997219B2 [en] | 2008-11-03 | 2015-03-31 | Fireeye, Inc. | Systems and methods for detecting malicious PDF network content |
US8935779B2 [en] | 2009-09-30 | 2015-01-13 | Fireeye, Inc. | Network-based binary file extraction and analysis for malware detection |
US8832829B2 [en] | 2009-09-30 | 2014-09-09 | Fireeye, Inc. | Network-based binary file extraction and analysis for malware detection |
US11381578B1 [en] | 2009-09-30 | 2022-07-05 | Fireeye Security Holdings Us Llc | Network-based binary file extraction and analysis for malware detection |
US20110078794A1 [en] * | 2009-09-30 | 2011-03-31 | Jayaraman Manni | Network-Based Binary File Extraction and Analysis for Malware Detection |
US20120150887A1 [en] * | 2010-12-08 | 2012-06-14 | Clark Christopher F | Pattern matching |
US10282548B1 [en] | 2012-02-24 | 2019-05-07 | Fireeye, Inc. | Method for detecting malware within network content |
US9519782B2 [en] | 2012-02-24 | 2016-12-13 | Fireeye, Inc. | Detecting malicious network content |
US10572665B2 [en] | 2012-12-28 | 2020-02-25 | Fireeye, Inc. | System and method to create a number of breakpoints in a virtual machine via virtual machine trapping events |
US10929266B1 [en] | 2013-02-23 | 2021-02-23 | Fireeye, Inc. | Real-time visual playback with synchronous textual analysis log display and event/time indexing |
US10019338B1 [en] | 2013-02-23 | 2018-07-10 | Fireeye, Inc. | User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications |
US9009822B1 [en] | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for multi-phase analysis of mobile applications |
US9824209B1 [en] | 2013-02-23 | 2017-11-21 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications that is usable to harden in the field code |
US9159035B1 [en] | 2013-02-23 | 2015-10-13 | Fireeye, Inc. | Framework for computer application analysis of sensitive information tracking |
US9792196B1 [en] | 2013-02-23 | 2017-10-17 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications |
US9176843B1 [en] | 2013-02-23 | 2015-11-03 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications |
US9195829B1 [en] | 2013-02-23 | 2015-11-24 | Fireeye, Inc. | User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications |
US10296437B2 [en] | 2013-02-23 | 2019-05-21 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications |
US10181029B1 [en] | 2013-02-23 | 2019-01-15 | Fireeye, Inc. | Security cloud service framework for hardening in the field code of mobile software applications |
US9009823B1 [en] | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications installed on mobile devices |
US8990944B1 [en] | 2013-02-23 | 2015-03-24 | Fireeye, Inc. | Systems and methods for automatically detecting backdoors |
US9594905B1 [en] | 2013-02-23 | 2017-03-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications using machine learning |
US9225740B1 [en] | 2013-02-23 | 2015-12-29 | Fireeye, Inc. | Framework for iterative analysis of mobile software applications |
US9367681B1 [en] | 2013-02-23 | 2016-06-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications using symbolic execution to reach regions of interest within an application |
US9355247B1 [en] | 2013-03-13 | 2016-05-31 | Fireeye, Inc. | File extraction from memory dump for malicious content analysis |
US9565202B1 [en] | 2013-03-13 | 2017-02-07 | Fireeye, Inc. | System and method for detecting exfiltration content |
US9626509B1 [en] | 2013-03-13 | 2017-04-18 | Fireeye, Inc. | Malicious content analysis with multi-version application support within single operating environment |
US10198574B1 [en] | 2013-03-13 | 2019-02-05 | Fireeye, Inc. | System and method for analysis of a memory dump associated with a potentially malicious content suspect |
US9104867B1 [en] | 2013-03-13 | 2015-08-11 | Fireeye, Inc. | Malicious content analysis using simulated user interaction without user involvement |
US9912698B1 [en] | 2013-03-13 | 2018-03-06 | Fireeye, Inc. | Malicious content analysis using simulated user interaction without user involvement |
US9934381B1 [en] | 2013-03-13 | 2018-04-03 | Fireeye, Inc. | System and method for detecting malicious activity based on at least one environmental property |
US10467414B1 [en] | 2013-03-13 | 2019-11-05 | Fireeye, Inc. | System and method for detecting exfiltration content |
US10848521B1 [en] | 2013-03-13 | 2020-11-24 | Fireeye, Inc. | Malicious content analysis using simulated user interaction without user involvement |
US11210390B1 [en] | 2013-03-13 | 2021-12-28 | Fireeye Security Holdings Us Llc | Multi-version application support and registration within a single operating system environment |
US10025927B1 [en] | 2013-03-13 | 2018-07-17 | Fireeye, Inc. | Malicious content analysis with multi-version application support within single operating environment |
US10200384B1 [en] | 2013-03-14 | 2019-02-05 | Fireeye, Inc. | Distributed systems and methods for automatically detecting unknown bots and botnets |
US10812513B1 [en] | 2013-03-14 | 2020-10-20 | Fireeye, Inc. | Correlation and consolidation holistic views of analytic data pertaining to a malware attack |
US9641546B1 [en] | 2013-03-14 | 2017-05-02 | Fireeye, Inc. | Electronic device for aggregation, correlation and consolidation of analysis attributes |
US10122746B1 [en] | 2013-03-14 | 2018-11-06 | Fireeye, Inc. | Correlation and consolidation of analytic data for holistic view of malware attack |
US9311479B1 [en] | 2013-03-14 | 2016-04-12 | Fireeye, Inc. | Correlation and consolidation of analytic data for holistic view of a malware attack |
US9430646B1 [en] | 2013-03-14 | 2016-08-30 | Fireeye, Inc. | Distributed systems and methods for automatically detecting unknown bots and botnets |
US9251343B1 [en] | 2013-03-15 | 2016-02-02 | Fireeye, Inc. | Detecting bootkits resident on compromised computers |
US10713358B2 [en] | 2013-03-15 | 2020-07-14 | Fireeye, Inc. | System and method to extract and utilize disassembly features to classify software intent |
US10701091B1 [en] | 2013-03-15 | 2020-06-30 | Fireeye, Inc. | System and method for verifying a cyberthreat |
US9495180B2 [en] | 2013-05-10 | 2016-11-15 | Fireeye, Inc. | Optimized resource allocation for virtual machines within a malware content detection system |
US10469512B1 [en] | 2013-05-10 | 2019-11-05 | Fireeye, Inc. | Optimized resource allocation for virtual machines within a malware content detection system |
US10033753B1 [en] | 2013-05-13 | 2018-07-24 | Fireeye, Inc. | System and method for detecting malicious activity and classifying a network communication based on different indicator types |
US10637880B1 [en] | 2013-05-13 | 2020-04-28 | Fireeye, Inc. | Classifying sets of malicious indicators for detecting command and control communications associated with malware |
US9635039B1 [en] | 2013-05-13 | 2017-04-25 | Fireeye, Inc. | Classifying sets of malicious indicators for detecting command and control communications associated with malware |
US9536091B2 [en] | 2013-06-24 | 2017-01-03 | Fireeye, Inc. | System and method for detecting time-bomb malware |
US10335738B1 [en] | 2013-06-24 | 2019-07-02 | Fireeye, Inc. | System and method for detecting time-bomb malware |
US10083302B1 [en] | 2013-06-24 | 2018-09-25 | Fireeye, Inc. | System and method for detecting time-bomb malware |
US10133863B2 [en] | 2013-06-24 | 2018-11-20 | Fireeye, Inc. | Zero-day discovery system |
US9888019B1 [en] | 2013-06-28 | 2018-02-06 | Fireeye, Inc. | System and method for detecting malicious links in electronic messages |
US9888016B1 [en] | 2013-06-28 | 2018-02-06 | Fireeye, Inc. | System and method for detecting phishing using password prediction |
US9300686B2 [en] | 2013-06-28 | 2016-03-29 | Fireeye, Inc. | System and method for detecting malicious links in electronic messages |
US10505956B1 [en] | 2013-06-28 | 2019-12-10 | Fireeye, Inc. | System and method for detecting malicious links in electronic messages |
US10218740B1 [en] | 2013-09-30 | 2019-02-26 | Fireeye, Inc. | Fuzzy hash of behavioral results |
US10192052B1 [en] | 2013-09-30 | 2019-01-29 | Fireeye, Inc. | System, apparatus and method for classifying a file as malicious using static scanning |
US9171160B2 [en] | 2013-09-30 | 2015-10-27 | Fireeye, Inc. | Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses |
US10089461B1 [en] | 2013-09-30 | 2018-10-02 | Fireeye, Inc. | Page replacement code injection |
US9294501B2 [en] | 2013-09-30 | 2016-03-22 | Fireeye, Inc. | Fuzzy hash of behavioral results |
US9912691B2 [en] | 2013-09-30 | 2018-03-06 | Fireeye, Inc. | Fuzzy hash of behavioral results |
US9736179B2 [en] | 2013-09-30 | 2017-08-15 | Fireeye, Inc. | System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection |
US10713362B1 [en] | 2013-09-30 | 2020-07-14 | Fireeye, Inc. | Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses |
US10657251B1 [en] | 2013-09-30 | 2020-05-19 | Fireeye, Inc. | Multistage system and method for analyzing obfuscated content for malware |
US9690936B1 [en] | 2013-09-30 | 2017-06-27 | Fireeye, Inc. | Multistage system and method for analyzing obfuscated content for malware |
US11075945B2 [en] | 2013-09-30 | 2021-07-27 | Fireeye, Inc. | System, apparatus and method for reconfiguring virtual machines |
US9628507B2 [en] | 2013-09-30 | 2017-04-18 | Fireeye, Inc. | Advanced persistent threat [APT] detection center |
US10515214B1 [en] | 2013-09-30 | 2019-12-24 | Fireeye, Inc. | System and method for classifying malware within content created during analysis of a specimen |
US9910988B1 [en] | 2013-09-30 | 2018-03-06 | Fireeye, Inc. | Malware analysis in accordance with an analysis plan |
US10735458B1 [en] | 2013-09-30 | 2020-08-04 | Fireeye, Inc. | Detection center to detect targeted malware |
US9921978B1 [en] | 2013-11-08 | 2018-03-20 | Fireeye, Inc. | System and method for enhanced security of storage devices |
US9560059B1 [en] | 2013-11-21 | 2017-01-31 | Fireeye, Inc. | System, apparatus and method for conducting on-the-fly decryption of encrypted objects for malware detection |
US9189627B1 [en] | 2013-11-21 | 2015-11-17 | Fireeye, Inc. | System, apparatus and method for conducting on-the-fly decryption of encrypted objects for malware detection |
US9306974B1 [en] | 2013-12-26 | 2016-04-05 | Fireeye, Inc. | System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits |
US11089057B1 [en] | 2013-12-26 | 2021-08-10 | Fireeye, Inc. | System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits |
US10467411B1 [en] | 2013-12-26 | 2019-11-05 | Fireeye, Inc. | System and method for generating a malware identifier |
US10476909B1 [en] | 2013-12-26 | 2019-11-12 | Fireeye, Inc. | System, apparatus and method for automatically verifying exploits within suspect objects and highlighting the display information associated with the verified exploits |
US9756074B2 [en] | 2013-12-26 | 2017-09-05 | Fireeye, Inc. | System and method for IPS and VM-based detection of suspicious objects |
US9747446B1 [en] | 2013-12-26 | 2017-08-29 | Fireeye, Inc. | System and method for run-time object classification |
US10740456B1 [en] | 2014-01-16 | 2020-08-11 | Fireeye, Inc. | Threat-aware architecture |
US10534906B1 [en] | 2014-02-05 | 2020-01-14 | Fireeye, Inc. | Detection efficacy of virtual machine-based analysis with application specific events |
US9916440B1 [en] | 2014-02-05 | 2018-03-13 | Fireeye, Inc. | Detection efficacy of virtual machine-based analysis with application specific events |
US9262635B2 [en] | 2014-02-05 | 2016-02-16 | Fireeye, Inc. | Detection efficacy of virtual machine-based analysis with application specific events |
US10432649B1 [en] | 2014-03-20 | 2019-10-01 | Fireeye, Inc. | System and method for classifying an object based on an aggregated behavior results |
US9241010B1 [en] | 2014-03-20 | 2016-01-19 | Fireeye, Inc. | System and method for network behavior detection |
US11068587B1 [en] | 2014-03-21 | 2021-07-20 | Fireeye, Inc. | Dynamic guest image creation and rollback |
US10242185B1 [en] | 2014-03-21 | 2019-03-26 | Fireeye, Inc. | Dynamic guest image creation and rollback |
US9787700B1 [en] | 2014-03-28 | 2017-10-10 | Fireeye, Inc. | System and method for offloading packet processing and static analysis operations |
US9591015B1 [en] | 2014-03-28 | 2017-03-07 | Fireeye, Inc. | System and method for offloading packet processing and static analysis operations |
US11082436B1 [en] | 2014-03-28 | 2021-08-03 | Fireeye, Inc. | System and method for offloading packet processing and static analysis operations |
US10454953B1 [en] | 2014-03-28 | 2019-10-22 | Fireeye, Inc. | System and method for separated packet processing and static analysis |
US9223972B1 [en] | 2014-03-31 | 2015-12-29 | Fireeye, Inc. | Dynamically remote tuning of a malware content detection system |
US10341363B1 [en] | 2014-03-31 | 2019-07-02 | Fireeye, Inc. | Dynamically remote tuning of a malware content detection system |
US9432389B1 [en] | 2014-03-31 | 2016-08-30 | Fireeye, Inc. | System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object |
US11297074B1 [en] | 2014-03-31 | 2022-04-05 | FireEye Security Holdings, Inc. | Dynamically remote tuning of a malware content detection system |
US9973531B1 [en] | 2014-06-06 | 2018-05-15 | Fireeye, Inc. | Shellcode detection |
US9594912B1 [en] | 2014-06-06 | 2017-03-14 | Fireeye, Inc. | Return-oriented programming detection |
US9438623B1 [en] | 2014-06-06 | 2016-09-06 | Fireeye, Inc. | Computer exploit detection using heap spray pattern matching |
US10084813B2 [en] | 2014-06-24 | 2018-09-25 | Fireeye, Inc. | Intrusion prevention and remedy system |
US10757134B1 [en] | 2014-06-24 | 2020-08-25 | Fireeye, Inc. | System and method for detecting and remediating a cybersecurity attack |
US9398028B1 [en] | 2014-06-26 | 2016-07-19 | Fireeye, Inc. | System, device and method for detecting a malicious attack based on communcations between remotely hosted virtual machines and malicious web servers |
US10805340B1 [en] | 2014-06-26 | 2020-10-13 | Fireeye, Inc. | Infection vector and malware tracking with an interactive user display |
US9838408B1 [en] | 2014-06-26 | 2017-12-05 | Fireeye, Inc. | System, device and method for detecting a malicious attack based on direct communications between remotely hosted virtual machines and malicious web servers |
US9661009B1 [en] | 2014-06-26 | 2017-05-23 | Fireeye, Inc. | Network-based malware detection |
US11244056B1 [en] | 2014-07-01 | 2022-02-08 | Fireeye Security Holdings Us Llc | Verification of trusted threat-aware visualization layer |
US9609007B1 [en] | 2014-08-22 | 2017-03-28 | Fireeye, Inc. | System and method of detecting delivery of malware based on indicators of compromise from different sources |
US9363280B1 [en] | 2014-08-22 | 2016-06-07 | Fireeye, Inc. | System and method of detecting delivery of malware using cross-customer data |
US10027696B1 [en] | 2014-08-22 | 2018-07-17 | Fireeye, Inc. | System and method for determining a threat based on correlation of indicators of compromise from other sources |
US10404725B1 [en] | 2014-08-22 | 2019-09-03 | Fireeye, Inc. | System and method of detecting delivery of malware using cross-customer data |
US10671726B1 [en] | 2014-09-22 | 2020-06-02 | Fireeye Inc. | System and method for malware analysis using thread-level event monitoring |
US9773112B1 [en] | 2014-09-29 | 2017-09-26 | Fireeye, Inc. | Exploit detection of malware and malware families |
US10027689B1 [en] | 2014-09-29 | 2018-07-17 | Fireeye, Inc. | Interactive infection visualization for improved exploit detection and signature generation for malware and malware families |
US10868818B1 [en] | 2014-09-29 | 2020-12-15 | Fireeye, Inc. | Systems and methods for generation of signature generation using interactive infection visualizations |
US10902117B1 [en] | 2014-12-22 | 2021-01-26 | Fireeye, Inc. | Framework for classifying an object as malicious with machine learning for deploying updated predictive models |
US9690933B1 [en] | 2014-12-22 | 2017-06-27 | Fireeye, Inc. | Framework for classifying an object as malicious with machine learning for deploying updated predictive models |
US10366231B1 [en] | 2014-12-22 | 2019-07-30 | Fireeye, Inc. | Framework for classifying an object as malicious with machine learning for deploying updated predictive models |
US10075455B2 [en] | 2014-12-26 | 2018-09-11 | Fireeye, Inc. | Zero-day rotating guest image profile |
US10528726B1 [en] | 2014-12-29 | 2020-01-07 | Fireeye, Inc. | Microvisor-based malware detection appliance architecture |
US10798121B1 [en] | 2014-12-30 | 2020-10-06 | Fireeye, Inc. | Intelligent context aware user interaction for malware detection |
US9838417B1 [en] | 2014-12-30 | 2017-12-05 | Fireeye, Inc. | Intelligent context aware user interaction for malware detection |
US10148693B2 [en] | 2015-03-25 | 2018-12-04 | Fireeye, Inc. | Exploit detection system |
US9690606B1 [en] | 2015-03-25 | 2017-06-27 | Fireeye, Inc. | Selective system call monitoring |
US10666686B1 [en] | 2015-03-25 | 2020-05-26 | Fireeye, Inc. | Virtualized exploit detection system |
US9438613B1 [en] | 2015-03-30 | 2016-09-06 | Fireeye, Inc. | Dynamic content activation for automated analysis of embedded objects |
US9483644B1 [en] | 2015-03-31 | 2016-11-01 | Fireeye, Inc. | Methods for detecting file altering malware in VM based analysis |
US10417031B2 [en] | 2015-03-31 | 2019-09-17 | Fireeye, Inc. | Selective virtualization for security threat detection |
US11294705B1 [en] | 2015-03-31 | 2022-04-05 | Fireeye Security Holdings Us Llc | Selective virtualization for security threat detection |
US9846776B1 [en] | 2015-03-31 | 2017-12-19 | Fireeye, Inc. | System and method for detecting file altering behaviors pertaining to a malicious attack |
US10474813B1 [en] | 2015-03-31 | 2019-11-12 | Fireeye, Inc. | Code injection technique for remediation at an endpoint of a network |
US10728263B1 [en] | 2015-04-13 | 2020-07-28 | Fireeye, Inc. | Analytic-based security monitoring system and method |
US9594904B1 [en] | 2015-04-23 | 2017-03-14 | Fireeye, Inc. | Detecting malware based on reflection |
US10642753B1 [en] | 2015-06-30 | 2020-05-05 | Fireeye, Inc. | System and method for protecting a software component running in virtual machine using a virtualization layer |
US10454950B1 [en] | 2015-06-30 | 2019-10-22 | Fireeye, Inc. | Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks |
US11113086B1 [en] | 2015-06-30 | 2021-09-07 | Fireeye, Inc. | Virtual system and method for securing external network connectivity |
US10726127B1 [en] | 2015-06-30 | 2020-07-28 | Fireeye, Inc. | System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer |
US10715542B1 [en] | 2015-08-14 | 2020-07-14 | Fireeye, Inc. | Mobile application risk analysis |
US9742796B1 [en] | 2015-09-18 | 2017-08-22 | Palo Alto Networks, Inc. | Automatic repair of corrupt files for a detonation engine |
US10505975B2 [en] | 2015-09-18 | 2019-12-10 | Palo Alto Networks, Inc. | Automatic repair of corrupt files for a detonation engine |
US10176321B2 [en] | 2015-09-22 | 2019-01-08 | Fireeye, Inc. | Leveraging behavior-based rules for malware family classification |
US10033747B1 [en] | 2015-09-29 | 2018-07-24 | Fireeye, Inc. | System and method for detecting interpreter-based exploit attacks |
US10887328B1 [en] | 2015-09-29 | 2021-01-05 | Fireeye, Inc. | System and method for detecting interpreter-based exploit attacks |
US10601865B1 [en] | 2015-09-30 | 2020-03-24 | Fireeye, Inc. | Detection of credential spearphishing attacks using email analysis |
US10706149B1 [en] | 2015-09-30 | 2020-07-07 | Fireeye, Inc. | Detecting delayed activation malware using a primary controller and plural time controllers |
US10210329B1 [en] | 2015-09-30 | 2019-02-19 | Fireeye, Inc. | Method to detect application execution hijacking using memory protection |
US11244044B1 [en] | 2015-09-30 | 2022-02-08 | Fireeye Security Holdings Us Llc | Method to detect application execution hijacking using memory protection |
US9825989B1 [en] | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Cyber attack early warning system |
US9825976B1 [en] | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Detection and classification of exploit kits |
US10873597B1 [en] | 2015-09-30 | 2020-12-22 | Fireeye, Inc. | Cyber attack early warning system |
US10817606B1 [en] | 2015-09-30 | 2020-10-27 | Fireeye, Inc. | Detecting delayed activation malware using a run-time monitoring agent and time-dilation logic |
US10284575B2 [en] | 2015-11-10 | 2019-05-07 | Fireeye, Inc. | Launcher for setting analysis environment variations for malware detection |
US10834107B1 [en] | 2015-11-10 | 2020-11-10 | Fireeye, Inc. | Launcher for setting analysis environment variations for malware detection |
US10447728B1 [en] | 2015-12-10 | 2019-10-15 | Fireeye, Inc. | Technique for protecting guest processes using a layered virtualization architecture |
US10846117B1 [en] | 2015-12-10 | 2020-11-24 | Fireeye, Inc. | Technique for establishing secure communication between host and guest processes of a virtualization architecture |
US11200080B1 [en] | 2015-12-11 | 2021-12-14 | Fireeye Security Holdings Us Llc | Late load technique for deploying a virtualization layer underneath a running operating system |
US10581898B1 [en] | 2015-12-30 | 2020-03-03 | Fireeye, Inc. | Malicious message analysis system |
US10050998B1 [en] | 2015-12-30 | 2018-08-14 | Fireeye, Inc. | Malicious message analysis system |
US10872151B1 [en] | 2015-12-30 | 2020-12-22 | Fireeye, Inc. | System and method for triggering analysis of an object for malware in response to modification of that object |
US10133866B1 [en] | 2015-12-30 | 2018-11-20 | Fireeye, Inc. | System and method for triggering analysis of an object for malware in response to modification of that object |
US10341365B1 [en] | 2015-12-30 | 2019-07-02 | Fireeye, Inc. | Methods and system for hiding transition events for malware detection |
US10565378B1 [en] | 2015-12-30 | 2020-02-18 | Fireeye, Inc. | Exploit of privilege detection framework |
US10445502B1 [en] | 2015-12-31 | 2019-10-15 | Fireeye, Inc. | Susceptible environment detection system |
US10581874B1 [en] | 2015-12-31 | 2020-03-03 | Fireeye, Inc. | Malware detection system with contextual analysis |
US9824216B1 [en] | 2015-12-31 | 2017-11-21 | Fireeye, Inc. | Susceptible environment detection system |
US10671721B1 [en] | 2016-03-25 | 2020-06-02 | Fireeye, Inc. | Timeout management services |
US10616266B1 [en] | 2016-03-25 | 2020-04-07 | Fireeye, Inc. | Distributed malware detection system and submission workflow thereof |
US10785255B1 [en] | 2016-03-25 | 2020-09-22 | Fireeye, Inc. | Cluster configuration within a scalable malware detection system |
US10476906B1 [en] | 2016-03-25 | 2019-11-12 | Fireeye, Inc. | System and method for managing formation and modification of a cluster within a malware detection system |
US10601863B1 [en] | 2016-03-25 | 2020-03-24 | Fireeye, Inc. | System and method for managing sensor enrollment |
US10893059B1 [en] | 2016-03-31 | 2021-01-12 | Fireeye, Inc. | Verification and enhancement using detection systems located at the network periphery and endpoint devices |
US10169585B1 [en] | 2016-06-22 | 2019-01-01 | Fireeye, Inc. | System and methods for advanced malware detection through placement of transition events |
US11240262B1 [en] | 2016-06-30 | 2022-02-01 | Fireeye Security Holdings Us Llc | Malware detection verification and enhancement by coordinating endpoint and malware detection systems |
US10462173B1 [en] | 2016-06-30 | 2019-10-29 | Fireeye, Inc. | Malware detection verification and enhancement by coordinating endpoint and malware detection systems |
US10592678B1 [en] | 2016-09-09 | 2020-03-17 | Fireeye, Inc. | Secure communications between peers using a verified virtual trusted platform module |
US10491627B1 [en] | 2016-09-29 | 2019-11-26 | Fireeye, Inc. | Advanced malware detection using similarity analysis |
US10795991B1 [en] | 2016-11-08 | 2020-10-06 | Fireeye, Inc. | Enterprise search |
US10587647B1 [en] | 2016-11-22 | 2020-03-10 | Fireeye, Inc. | Technique for malware detection capability comparison of network security devices |
US10581879B1 [en] | 2016-12-22 | 2020-03-03 | Fireeye, Inc. | Enhanced malware detection for generated objects |
US10552610B1 [en] | 2016-12-22 | 2020-02-04 | Fireeye, Inc. | Adaptive virtual machine snapshot update framework for malware behavioral analysis |
US10523609B1 [en] | 2016-12-27 | 2019-12-31 | Fireeye, Inc. | Multi-vector malware detection and analysis |
US10904286B1 [en] | 2017-03-24 | 2021-01-26 | Fireeye, Inc. | Detection of phishing attacks using similarity analysis |
US10791138B1 [en] | 2017-03-30 | 2020-09-29 | Fireeye, Inc. | Subscription-based malware detection |
US10554507B1 [en] | 2017-03-30 | 2020-02-04 | Fireeye, Inc. | Multi-level control for enhanced resource and object evaluation management of malware detection system |
US10848397B1 [en] | 2017-03-30 | 2020-11-24 | Fireeye, Inc. | System and method for enforcing compliance with subscription requirements for cyber-attack detection service |
US10902119B1 [en] | 2017-03-30 | 2021-01-26 | Fireeye, Inc. | Data extraction system for malware analysis |
US10798112B2 [en] | 2017-03-30 | 2020-10-06 | Fireeye, Inc. | Attribute-controlled malware detection |
US11399040B1 [en] | 2017-03-30 | 2022-07-26 | Fireeye Security Holdings Us Llc | Subscription-based malware detection |
US10601848B1 [en] | 2017-06-29 | 2020-03-24 | Fireeye, Inc. | Cyber-security system and method for weak indicator detection and correlation to generate strong indicators |
US10855700B1 [en] | 2017-06-29 | 2020-12-01 | Fireeye, Inc. | Post-intrusion detection of cyber-attacks during lateral movement within networks |
US10503904B1 [en] | 2017-06-29 | 2019-12-10 | Fireeye, Inc. | Ransomware detection and mitigation |
US10893068B1 [en] | 2017-06-30 | 2021-01-12 | Fireeye, Inc. | Ransomware file modification prevention technique |
US10747872B1 [en] | 2017-09-27 | 2020-08-18 | Fireeye, Inc. | System and method for preventing malware evasion |
US10805346B2 [en] | 2017-10-01 | 2020-10-13 | Fireeye, Inc. | Phishing attack detection |
US11108809B2 [en] | 2017-10-27 | 2021-08-31 | Fireeye, Inc. | System and method for analyzing binary code for malware classification using artificial neural network techniques |
US11271955B2 [en] | 2017-12-28 | 2022-03-08 | Fireeye Security Holdings Us Llc | Platform and method for retroactive reclassification employing a cybersecurity-based global data store |
US11005860B1 [en] | 2017-12-28 | 2021-05-11 | Fireeye, Inc. | Method and system for efficient cybersecurity analysis of endpoint events |
US11240275B1 [en] | 2017-12-28 | 2022-02-01 | Fireeye Security Holdings Us Llc | Platform and method for performing cybersecurity analyses employing an intelligence hub with a modular architecture |
US10826931B1 [en] | 2018-03-29 | 2020-11-03 | Fireeye, Inc. | System and method for predicting and mitigating cybersecurity system misconfigurations |
US11003773B1 [en] | 2018-03-30 | 2021-05-11 | Fireeye, Inc. | System and method for automatically generating malware detection rule recommendations |
US10956477B1 [en] | 2018-03-30 | 2021-03-23 | Fireeye, Inc. | System and method for detecting malicious scripts through natural language processing modeling |
US11075930B1 [en] | 2018-06-27 | 2021-07-27 | Fireeye, Inc. | System and method for detecting repetitive cybersecurity attacks constituting an email campaign |
US11314859B1 [en] | 2018-06-27 | 2022-04-26 | FireEye Security Holdings, Inc. | Cyber-security system and method for detecting escalation of privileges within an access token |
US11228491B1 [en] | 2018-06-28 | 2022-01-18 | Fireeye Security Holdings Us Llc | System and method for distributed cluster configuration monitoring and management |
US11316900B1 [en] | 2018-06-29 | 2022-04-26 | FireEye Security Holdings Inc. | System and method for automatically prioritizing rules for cyber-threat detection and mitigation |
US11182473B1 [en] | 2018-09-13 | 2021-11-23 | Fireeye Security Holdings Us Llc | System and method for mitigating cyberattacks against processor operability by a guest process |
US11368475B1 [en] | 2018-12-21 | 2022-06-21 | Fireeye Security Holdings Us Llc | System and method for scanning remote services to locate stored objects with malware |
US11258806B1 [en] | 2019-06-24 | 2022-02-22 | Mandiant, Inc. | System and method for automatically associating cybersecurity intelligence to cyberthreat actors |
US11392700B1 [en] | 2019-06-28 | 2022-07-19 | Fireeye Security Holdings Us Llc | System and method for supporting cross-platform data verification |
Also Published As
US20040243829A1 [en] | 2004-12-02 |
Similar Documents
US7231667B2 [en] | 2007-06-12 | System and method for computer virus detection utilizing heuristic analysis |
Baliga et al. | 2010 | Detecting kernel-level rootkits using data structure invariants |
Zhang et al. | 2015 | Dexhunter: toward extracting hidden code from packed android applications |
RU2698776C2 [en] | 2019-08-29 | Method of maintaining database and corresponding server |
Egele et al. | 2008 | A survey on automated dynamic malware-analysis techniques and tools |
Kil et al. | 2009 | Remote attestation to dynamic system properties: Towards providing complete system integrity evidence |
Kirda et al. | 2006 | Behavior-based Spyware Detection. |
Dinaburg et al. | 2008 | Ether: malware analysis via hardware virtualization extensions |
US20150067763A1 [en] | 2015-03-05 | Hardware and software execution profiling |
Böhne | 2008 | Pandora’s bochs: Automatic unpacking of malware |
Kapravelos et al. | 2011 | Escape from monkey island: Evading high-interaction honeyclients |
Xuan et al. | 2009 | Toward revealing kernel malware behavior in virtual execution environments |
Blackthorne et al. | 2016 | AVLeak: Fingerprinting Antivirus Emulators through Black-Box Testing |
Fattori et al. | 2015 | Hypervisor-based malware protection with accessminer |
WO2004075060A1 [en] | 2004-09-02 | Computer virus detection device |
Dai et al. | 2010 | Behavior-based malware detection on mobile phone |
Prakash et al. | 2014 | On the trustworthiness of memory analysis—an empirical study from the perspective of binary execution |
Zaki et al. | 2014 | Unveiling the kernel: Rootkit discovery using selective automated kernel memory differencing |
Yin et al. | 2012 | Automatic malware analysis: An emulator based approach |
Javaheri et al. | 2018 | A framework for recognition and confronting of obfuscated malwares based on memory dumping and filter drivers |
Wu et al. | 2018 | Iotprotect: Highly deployable whitelist-based protection for low-cost internet-of-things devices |
Brodbeck | 2012 | Covert android rootkit detection: Evaluating linux kernel level rootkits on the android operating system |
Lengyel | 2015 | Malware Collection and Analysis via Hardware Virtualization |
Al-Saleh | 2011 | Fine-grained reasoning about the security and usability trade-off in modern security tools |
Paakkola | 2020 | Assessing performance overhead of Virtual Machine Introspection and its suitability for malware analysis |
Legal Events
2003-11-10 | AS | Assignment | Owner name: COMPUTER ASSOCIATES THINK, INC., NEW YORK Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:JORDAN, MYLES;REEL/FRAME:014682/0044 Effective date: 20031013 |
2007-05-23 | STCF | Information on status: patent grant | Free format text: PATENTED CASE |
2010-11-10 | FPAY | Fee payment | Year of fee payment: 4 |
2014-11-13 | FPAY | Fee payment | Year of fee payment: 8 |
2018-11-29 | MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY [ORIGINAL EVENT CODE: M1553]; ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 12 |