

IP.com Disclosure Number: IPCOM000249082D
Publication Date: 2017-Feb-02
Document File: 6 page(s) / 520K

Publishing Venue

The IP.com Prior Art Database

Related People

Raj Mirajkar: AUTHOR


Presented herein are techniques for an interactive file trajectory visualization. The visualization shows behavior of files that may potentially threaten network security.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 53% of the total text.

Copyright 2017 Cisco Systems, Inc. 1


AUTHORS: Raj Mirajkar





A malicious file infiltrates a computer file system to modify, delete, or create (among other actions) activities and/or processes within the system. The malicious file spreads potentially harmful code or viruses into a user network, weakening network security enough that an external agent may break into the network and compromise sensitive information. As such, potentially malicious activities and/or processes should be monitored to determine whether they are harmful to the user network.

One task of an information technology (IT) network security analyst/investigator is to keep the network for which they are responsible safe from security threats. To this end, one useful technique is called “sandboxing.” A sandbox is a security mechanism for separating running programs, and is often used to execute untested or untrusted programs or code. A user submits a potentially malicious file (e.g., from the user network) to the sandbox for analysis.

After the network security analyst/investigator submits suspicious files into a sandboxing tool, the tool may produce a detailed (e.g., 500-page), data-heavy report. This report is time-consuming and/or labor-intensive for the user to analyze. It can take up to several days to analyze a single report. However, there are hundreds of these data-heavy reports, each of which the user should analyze to gain meaningful insights into the user threat landscape. While the user is analyzing these reports, threats in the network may have already started spreading, creating a bottleneck effect. As such, provided herein are techniques for an interactive file trajectory visualization that shows behavior that may potentially threaten the security of one or more files. In particular, the techniques allow a user to efficiently analyze sandbox results.

In an example, the visualization exploits behavioral patterns to determine whether a given behavior by a particular file is suspicious/malicious. If the visualization determines that a file is suspicious/malicious, the program may mark the file as exhibiting these programs and visually notify the IT analyst/investigator that the file may be


As mentioned above, a given file in a given file system may perform an activity. The file may perform, in the file system, thousands of activities, each of which has an associated timestamp. Also, a behavioral classification team may analyze malicious behaviors and maintain a repository for each behavior. Each behavior may have an associated threat score. In one example, the threat score ranges from 0-99, whe...
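
The following is an added example, not part of the original disclosure and not Cisco code: one way to collapse timestamped sandbox activities into a time-ordered trajectory with one row per matched behavior and its threat score. The behavior names, matchers, scores, record fields and paths are constructed assumptions; the code only checks that scores fall in 0-99 and does not interpret them.

```python
from datetime import datetime

SAMPLE = r"C:\tmp\sample.bin"  # constructed path of the submitted file

# Constructed behavior repository: name -> (matcher, threat score in 0-99).
# Names, matchers and scores are assumptions, not values from the disclosure.
BEHAVIORS = {
    "drops_executable": (
        lambda a: a["op"] == "create" and a["target"].lower().endswith(".exe"), 70),
    "edits_autorun_key": (
        lambda a: a["op"] == "modify" and r"\CurrentVersion\Run" in a["target"], 85),
    "deletes_own_image": (
        lambda a: a["op"] == "delete" and a["target"] == a["file"], 60),
}

# Constructed sandbox activity records, deliberately out of time order.
ACTIVITIES = [
    {"ts": "2017-02-02T10:00:07", "file": SAMPLE, "op": "modify",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"ts": "2017-02-02T10:00:01", "file": SAMPLE, "op": "create", "target": r"C:\tmp\dropper.EXE"},
    {"ts": "2017-02-02T10:00:03", "file": SAMPLE, "op": "read", "target": r"C:\data\doc.txt"},
    {"ts": "2017-02-02T10:00:05", "file": SAMPLE, "op": "create", "target": r"C:\tmp\helper.exe"},
    {"ts": "2017-02-02T10:00:09", "file": SAMPLE, "op": "delete", "target": SAMPLE},
]

def validate_repository(behaviors):
    """Reject repository entries whose score is outside the 0-99 range."""
    for name, (_, score) in behaviors.items():
        if not (isinstance(score, int) and 0 <= score <= 99):
            raise ValueError(f"{name}: threat score {score!r} outside 0-99")

def build_trajectory(activities, behaviors=BEHAVIORS):
    """Collapse raw activities into one row per matched behavior, ordered by first occurrence."""
    validate_repository(behaviors)
    rows = {}  # dict insertion order keeps rows sorted by first_seen
    for act in sorted(activities, key=lambda a: datetime.fromisoformat(a["ts"])):
        for name, (matches, score) in behaviors.items():
            if matches(act):
                row = rows.setdefault(name, {"behavior": name, "score": score,
                                             "first_seen": act["ts"], "count": 0})
                row["last_seen"] = act["ts"]
                row["count"] += 1
    return list(rows.values())

if __name__ == "__main__":
    for r in build_trajectory(ACTIVITIES):
        print(r["first_seen"], r["last_seen"], r["behavior"], r["score"], r["count"])
```

Activities that match no behavior (the `read` record here) are left out of the trajectory, which is what shrinks a long report to a handful of rows.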