US010783241B2

(12) United States Patent
Crabtree et al.

(10) Patent No.: US 10,783,241 B2
(45) Date of Patent: Sep. 22, 2020

(54) SYSTEM AND METHODS FOR SANDBOXED MALWARE ANALYSIS AND AUTOMATED PATCH DEVELOPMENT, DEPLOYMENT AND VALIDATION

(71) Applicant: QOMPLX, Inc., Reston, VA (US)

(72) Inventors: Jason Crabtree, Vienna, VA (US); Andrew Sellers, Monument, CO (US)

(73) Assignee: QOMPLX, INC., Tysons, VA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 209 days.

(21) Appl. No.: 15/887,496

(22) Filed: Feb. 2, 2018

(65) Prior Publication Data
US 2018/0276372 A1    Sep. 27, 2018

Related U.S. Application Data

(63) Continuation-in-part of application No. 15/818,733, filed on Nov. 20, 2017, which is a (Continued)

(51) Int. Cl.
G06F 21/53    (2013.01)
G06F 21/56    (2013.01)
G06F 21/57    (2013.01)
G06F 8/65     (2018.01)
G06F 9/455    (2018.01)
H04L 29/06    (2006.01)
(Continued)

(52) U.S. Cl.
CPC G06F 21/53 (2013.01); G06F 8/65 (2013.01); G06F 9/455 (2013.01); G06F 21/566 (2013.01); G06F 21/577 (2013.01); G06Q 40/08 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01); G06F 2221/033 (2013.01); G06F 2221/2149 (2013.01); G06N 20/00 (2019.01); G06Q 50/01 (2013.01)

(58) Field of Classification Search
CPC G06F 21/53; G06F 9/455; G06F 8/65; G06F 21/577; G06F 21/566; G06F 2221/2149; G06F 2221/033; G06F 11/3058; H04L 63/1433; H04L 63/1425; G06Q 40/08; G06Q 50/01; G06N 20/00
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
6,256,544 B1      7/2001    Weissinger
9,141,360 B1 *    9/2015    Chen    G06F 8/52
(Continued)

FOREIGN PATENT DOCUMENTS
WO    2014159150 A1    10/2014
WO    2017075543 A1    5/2017

Primary Examiner — Cheng-Feng Huang
(74) Attorney, Agent, or Firm — Brian S. Boon; Brian R. Galvin; Galvin Patent Law LLC

(57) ABSTRACT
A system and methods for sandboxed malware analysis and automated patch development, deployment and validation, that uses a business operating system, vulnerability scoring engine, binary translation engine, sandbox simulation engine, at least one network endpoint, at least one database, a network, and a combination of machine learning and vulnerability probing techniques, to analyze software, locate any vulnerabilities or malicious behavior, and attempt to patch and prevent undesired behavior from occurring, autonomously.

2 Claims, 12 Drawing Sheets

[Front-page drawing: flowchart, steps 510 to 560 in order: Translate target file into binary; Transfer translated file to sandbox environment; Execute file in sandbox environment; Examine executing software for irregularities; Probe for known or expected vulnerabilities; Learn new behaviors based on analysis of software.]

WIZ, Inc. EXHIBIT - 1046
WIZ, Inc. v. Orca Security LTD.

US 10,783,241 B2
Page 2

Related U.S. Application Data

continuation-in-part of application No. 15/725,274, filed on Oct. 4, 2017, now Pat. No. 10,609,079, which is a continuation-in-part of application No. 15/655,113, filed on Jul. 20, 2017, which is a continuation-in-part of application No. 15/616,427, filed on Jun. 7, 2017, and a continuation-in-part of application No. 15/237,625, filed on Aug. 15, 2016, now Pat. No. 10,248,910, which is a continuation-in-part of application No. 15/206,195, filed on Jul. 8, 2016, which is a continuation-in-part of application No. 15/186,453, filed on Jun. 18, 2016, which is a continuation-in-part of application No. 15/166,158, filed on May 26, 2016, which is a continuation-in-part of application No. 15/141,752, filed on Apr. 28, 2016, which is a continuation-in-part of application No. 15/091,563, filed on Apr. 5, 2016, now Pat. No. 10,204,147, and a continuation-in-part of application No. 14/986,536, filed on Dec. 31, 2015, now Pat. No. 10,210,255, and a continuation-in-part of application No. 14/925,974, filed on Oct. 28, 2015, application No. 15/887,496, which is a continuation-in-part of application No. 15/823,285, filed on Nov. 27, 2017, which is a continuation-in-part of application No. 15/788,718, filed on Oct. 19, 2017, which is a continuation-in-part of application No. 15/788,002, filed on Oct. 19, 2017, which is a continuation-in-part of application No. 15/787,601, filed on Oct. 18, 2017, which is a continuation-in-part of application No. 15/616,427, filed on Jun. 7, 2017, which is a continuation-in-part of application No. 14/925,974, filed on Oct. 28, 2015.

(60) Provisional application No. 62/568,307, filed on Oct. 4, 2017, provisional application No. 62/568,305, filed on Oct. 4, 2017, provisional application No. 62/568,312, filed on Oct. 4, 2017.

(51) Int. Cl.
G06Q 40/08    (2012.01)
G06N 20/00    (2019.01)
G06Q 50/00    (2012.01)

(56) References Cited

U.S. PATENT DOCUMENTS
2005/0289072 A1      12/2005    Sabharwal
2007/0011659 A1      1/2007     Venolia
2013/0097706 A1 *    4/2013     Titonis            H04W 12/12    726/24
2016/0004858 A1 *    1/2016     Chen               G06F 21/57    726/17
2016/0028758 A1      1/2016     Ellis et al.
2016/0099960 A1 *    4/2016     Gerritz            H04L 63/1433  726/23
2016/0275123 A1      9/2016     Lin et al.
2017/0126712 A1      5/2017     Crabtree et al.
2017/0139763 A1      5/2017     Ellwein
2017/0149802 A1      5/2017     Huang et al.

* cited by examiner

U.S. Patent    Sep. 22, 2020    Sheet 1 of 12    US 10,783,241 B2

[Fig. 1: block diagram. Labeled elements: Administration Device; Sensor Devices; Network; Data Stream Management Engine; Web Server Engine; Data Archive Storage; Multidimensional Time Series Data Store; Structured Query Interpreter.]

[Sheet 2 of 12, Fig. 2: block diagram. Labeled elements: Client access; High volume web crawler module; Multidimensional time series database; Action outcome simulation module; Observation and state estimation service; Automated planning service module; High bandwidth cloud interface; Directed computational graph module; Graph stack service; Decomposable transformer service module; General transformer service module.]

[Sheet 3 of 12, Fig. 3: block diagram. Labeled elements: Multi-dimensional time-series database; Device Endpoints; Internet; Task engine; Scoring engine.]

[Sheet 4 of 12, Fig. 4: system diagram. Labeled elements: Business OS; Binary file translation; Sandbox environment; Kernel; Score generation system; Network; Database; Device endpoints (Endpoint 1, Endpoint 2, Endpoint n).]

[Sheet 5 of 12, Fig. 5: flowchart, steps 510 to 560 in order: Translate target file into binary; Transfer translated file to sandbox environment; Execute file in sandbox environment; Examine executing software for irregularities; Probe for known or expected vulnerabilities; Learn new behaviors based on analysis of software.]

[Sheet 6 of 12, Fig. 6: flowchart, steps 610 to 640 in order: Endpoint instrumentation is installed on device; Device data is queried remotely; Device-specific data is sent back to OS; Device data is used to analyze potential vulnerabilities for testing.]

[Sheet 7 of 12, Fig. 7: flowchart, steps 710 to 730 in order: Vulnerabilities and exploits located in executed software are relayed to scoring engine; Vulnerabilities and exploits are scored based on perceived criticality; Most critical vulnerabilities and exploits are schedule to be patched first.]

[Sheet 8 of 12, Fig. 8: flowchart with reference numerals 810, 820, 830 and 840. Boxes: Business OS attempts various patching and security enhancements on vulnerable software; OS uses reinforcement learning to test similar measures in the future; OS learns to try other measures first in similar future instances; Patch or enhancement is sent to endpoint for deployment. Branch labels: Failure; Success.]

[Sheet 9 of 12, Fig. 9: block diagram. Labeled elements: Interfaces; Remote Storage; Processor(s); Local Storage.]

[Sheet 10 of 12, Fig. 10: block diagram. Labeled elements: Inputs; Outputs; Memory; Storage; Clients; Services; OSes; Processors.]

[Sheet 11 of 12, Fig. 11: block diagram. Labeled elements: Servers; Databases; Network(s); Ext Svcs; Clients; Sec.; Config.]

[Sheet 12 of 12, Fig. 12: block diagram. Labeled elements: AC; PSU; NVM; Mem; CPU; NIC; I/O; Display; HDD.]

SYSTEM AND METHODS FOR SANDBOXED MALWARE ANALYSIS AND AUTOMATED PATCH DEVELOPMENT, DEPLOYMENT AND VALIDATION

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation-in-part of Ser. No. 15/818,733, titled "SYSTEM AND METHOD FOR CYBERSECURITY ANALYSIS AND SCORE GENERATION FOR INSURANCE PURPOSES", filed on Nov. 20, 2017, which is a continuation-in-part of Ser. No. 15/725,274, titled "APPLICATION OF ADVANCED CYBERSECURITY THREAT MITIGATION TO ROGUE DEVICES, PRIVILEGE ESCALATION, AND RISK-BASED VULNERABILITY AND PATCH MANAGEMENT", filed on Oct. 4, 2017, which is a continuation-in-part of U.S. patent application Ser. No. 15/655,113, titled "ADVANCED CYBERSECURITY THREAT MITIGATION USING BEHAVIORAL AND DEEP ANALYTICS", filed on Jul. 20, 2017, which is a continuation-in-part of U.S. patent application Ser. No. 15/616,427, titled "RAPID PREDICTIVE ANALYSIS OF VERY LARGE DATA SETS USING AN ACTOR-DRIVEN DISTRIBUTED COMPUTATIONAL GRAPH", filed on Jun. 7, 2017, and is also a continuation-in-part of U.S. patent application Ser. No. 15/237,625, titled "DETECTION MITIGATION AND REMEDIATION OF CYBERATTACKS EMPLOYING AN ADVANCED CYBER-DECISION PLATFORM", filed on Aug. 15, 2016, which is a continuation-in-part of U.S. patent application Ser. No. 15/206,195, titled "SYSTEM FOR AUTOMATED CAPTURE AND ANALYSIS OF BUSINESS INFORMATION FOR RELIABLE BUSINESS VENTURE OUTCOME PREDICTION", filed on Jul. 8, 2016, which is a continuation-in-part of U.S. patent application Ser. No. 15/186,453, titled "SYSTEM FOR AUTOMATED CAPTURE AND ANALYSIS OF BUSINESS INFORMATION FOR RELIABLE BUSINESS VENTURE OUTCOME PREDICTION", filed on Jun. 18, 2016, which is a continuation-in-part of U.S. patent application Ser. No. 15/166,158, titled "SYSTEM FOR AUTOMATED CAPTURE AND ANALYSIS OF BUSINESS INFORMATION FOR SECURITY AND CLIENT-FACING INFRASTRUCTURE RELIABILITY", filed on May 26, 2016, which is a continuation-in-part of U.S. patent application Ser. No. 15/141,752, titled "SYSTEM FOR FULLY INTEGRATED CAPTURE, AND ANALYSIS OF BUSINESS INFORMATION RESULTING IN PREDICTIVE DECISION MAKING AND SIMULATION", filed on Apr. 28, 2016, which is a continuation-in-part of U.S. patent application Ser. No. 15/091,563, titled "SYSTEM FOR CAPTURE, ANALYSIS AND STORAGE OF TIME SERIES DATA FROM SENSORS WITH HETEROGENEOUS REPORT INTERVAL PROFILES", filed on Apr. 5, 2016, which is a continuation-in-part of U.S. patent application Ser. No. 14/986,536, titled "DISTRIBUTED SYSTEM FOR LARGE VOLUME DEEP WEB DATA EXTRACTION", filed on Dec. 31, 2015, which is a continuation-in-part of U.S. patent application Ser. No. 14/925,974, titled "RAPID PREDICTIVE ANALYSIS OF VERY LARGE DATA SETS USING THE DISTRIBUTED COMPUTATIONAL GRAPH", filed on Oct. 28, 2015, the entire specifications of each of which are incorporated herein by reference.

This application is a continuation-in-part of U.S. patent application Ser. No. 15/823,285 titled "META-INDEXING, SEARCH, COMPLIANCE, AND TEST FRAMEWORK FOR SOFTWARE DEVELOPMENT", filed on Nov. 27, 2017, which is a continuation-in-part of U.S. patent application Ser. No. 15/788,718 titled "DATA MONETIZATION AND EXCHANGE PLATFORM", filed on Oct. 19, 2017, which claims benefit of, and priority to, U.S. provisional patent application 62/568,307 titled "DATA MONETIZATION AND EXCHANGE PLATFORM", filed on Oct. 4, 2017, and is also a continuation-in-part of U.S. patent application Ser. No. 15/788,002 titled "ALGORITHM MONETIZATION AND EXCHANGE PLATFORM" filed on Oct. 19, 2017, which claims priority to U.S. provisional patent application 62/568,305 titled "ALGORITHM MONETIZATION AND EXCHANGE PLATFORM", filed on Oct. 4, 2017, and is also a continuation-in-part of U.S. patent application Ser. No. 15/787,601, titled "METHOD AND APPARATUS FOR CROWDSOURCED DATA GATHERING, EXTRACTION, AND COMPENSATION", filed on Oct. 18, 2017, which claims priority to U.S. provisional patent application 62/568,312 titled "METHOD AND APPARATUS FOR CROWDSOURCED DATA GATHERING, EXTRACTION, AND COMPENSATION", filed on Oct. 4, 2017, and is also a continuation-in-part of U.S. patent application Ser. No. 15/616,427 titled "RAPID PREDICTIVE ANALYSIS OF VERY LARGE DATA SETS USING AN ACTOR-DRIVEN DISTRIBUTED COMPUTATIONAL GRAPH", filed on Jun. 7, 2017, which is a continuation-in-part of U.S. patent application Ser. No. 14/925,974, titled "RAPID PREDICTIVE ANALYSIS OF VERY LARGE DATA SETS USING THE DISTRIBUTED COMPUTATIONAL GRAPH", filed on Oct. 28, 2015, the entire specification of each of which is incorporated herein by reference.

BACKGROUND OF THE INVENTION

Field of the Art

The disclosure relates to the field of computer management, and more particularly to the field of cybersecurity and threat analytics.

Discussion of the State of the Art

On Aug. 4, 2016, United States government's DEFENSE ADVANCED RESEARCH PROJECTS AGENCY (DARPA)™ hosted an event in 2016 called the Cyber Grand Challenge, aimed at creating an automatic defense system for network defense and vulnerability detection and patching. During the event numerous teams and individuals competed to develop a system which could automatically detect vulnerabilities and exploits in software systems, develop a patch, and deploy the patch within a finite amount of time, in an effort to produce a highly robust system to defend software systems from a variety of possible exploits and malicious attacks. The competition was partially successful, with the submitted systems from each team competing automatically in a capture-the-flag style competition, and the competition in its entirety demonstrated that fully autonomous network defense and exploitation is possible. No team's submission completed the competition with 100% success in identifying vulnerabilities and exploits, and as of yet no such system is deployed for large scale or commercial applications in automated analysis and defense of networks and network-connected devices. Malware of today is continually being advanced in the area of memory scanning, to evade detection from current anti-virus and antimalware software, and continually advancing and evolving network and system defense techniques are required in order to keep up with the pace of advancement of malware both today and in the future. Even until this competition, no system existed even for research applications which could reliably identify and patch vulnerabilities and exploits in software systems and networks before malware took advantage of said vu

FIG. 4 is a system diagram illustrating connections between important components for analyzing software and network-connected endpoints, according to a preferred aspect.

FIG. 5 is a method diagram illustrating important steps in detecting and analyzing software exploits or vulnerabilities, according to a preferred aspect of the invention.