FILE TRAJECTORY VISUALIZATION
Publication Date: 2017-Feb-02
The IP.com Prior Art Database
Presented herein are techniques for an interactive file trajectory visualization. The visualization shows behavior of files that may potentially threaten network security.
Copyright 2017 Cisco Systems, Inc.
AUTHORS: Raj Mirajkar
CISCO SYSTEMS, INC.
A malicious file infiltrates a computer's file system and modifies, deletes, or creates activities and/or processes within the system. It spreads potentially harmful code or viruses into the user's network, weakening network security to the point that an external agent may hack into the network and compromise sensitive information. Potentially malicious activities and processes should therefore be monitored to determine whether they are harmful to the user network.
One task of an information technology (IT) network security analyst/investigator is to keep the network for which they are responsible safe from security threats. To this end, one useful technique is called "sandboxing." A sandbox is a security mechanism for separating running programs, and is often used to execute untested or untrusted programs or code. A user submits a potentially malicious file (e.g., from the user network) to the sandbox for analysis.
After the network security analyst/investigator submits suspicious files to a sandboxing tool, the tool may produce a detailed, data-heavy report (e.g., 500 pages). Analyzing such a report is time-consuming and labor intensive for the user; a single report can take up to several days. Moreover, there are hundreds of these data-heavy reports, each of which the user should analyze to gain meaningful insight into the user's threat landscape. While the user is analyzing these reports, threats in the network may already have started spreading, creating a bottleneck. As such, provided herein are techniques for an interactive file trajectory visualization that shows behavior that may potentially threaten the security of one or more files. In particular, the techniques allow a user to efficiently analyze sandbox results.
In an example, the visualization exploits behavioral patterns to determine whether a given behavior by a particular file is suspicious/malicious. If the visualization determines that a file is suspicious/malicious, the program may mark the file as exhibiting these patterns and visually notify the IT analyst/investigator that the file may be
As mentioned above, a given file in a given file system may perform an activity. The file may perform, in the file system, thousands of activities, each of which has an associated timestamp. Also, a behavioral classification team may analyze malicious behaviors and maintain a repository for each behavior. Each behavior may have an associated threat score. In one example, the threat score ranges from 0-99, whe...
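As an added example (not part of the Cisco publication and not its implementation), the following Python script shows the data model implied by the two passages above: the timestamped activity records that a sandbox report contains are grouped into a per-file trajectory sorted by time, each activity is scored against a behavior repository using the 0-99 threat-score range the page gives, and files whose highest-scoring behavior reaches a threshold are flagged for the analyst. The record format, the repository contents, the threshold of 70 and the sample report lines are all constructed assumptions for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime
from typing import Iterable

# Constructed behavior repository (illustrative, not Cisco's):
# behavior id -> (description, threat score in the page's 0-99 range)
BEHAVIOR_REPOSITORY: dict[str, tuple[str, int]] = {
    "B001": ("file written to a user temporary directory", 10),
    "B002": ("process launched from a temporary directory", 55),
    "B003": ("autostart persistence entry written", 80),
    "B004": ("outbound connection to an unknown host", 75),
}

# Assumed flagging rule: a file whose highest-scoring behavior reaches this
# score is marked suspicious/malicious in the visualization.
FLAG_THRESHOLD = 70


@dataclass
class Activity:
    """One timestamped activity performed by a file in the sandbox."""
    timestamp: datetime
    file_name: str
    action: str
    behavior_id: str

    @property
    def score(self) -> int:
        # Unknown behaviors score 0 rather than raising, so a report that
        # mentions a behavior the repository does not know still renders.
        return BEHAVIOR_REPOSITORY.get(self.behavior_id, ("unknown", 0))[1]


@dataclass
class Trajectory:
    """All activities of one file, kept in chronological order."""
    file_name: str
    activities: list[Activity] = field(default_factory=list)

    @property
    def peak_score(self) -> int:
        return max((a.score for a in self.activities), default=0)

    @property
    def is_suspicious(self) -> bool:
        return self.peak_score >= FLAG_THRESHOLD


def parse_report_line(line: str) -> Activity:
    """Parse one record of the constructed format 'timestamp|file|action|behavior id'."""
    ts, file_name, action, behavior_id = line.strip().split("|", 3)
    return Activity(datetime.fromisoformat(ts), file_name, action, behavior_id)


def build_trajectories(lines: Iterable[str]) -> dict[str, Trajectory]:
    """Group activity records by file and sort each file's activities by timestamp."""
    trajectories: dict[str, Trajectory] = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and comments
        act = parse_report_line(line)
        trajectories.setdefault(act.file_name, Trajectory(act.file_name)).activities.append(act)
    for t in trajectories.values():
        t.activities.sort(key=lambda a: a.timestamp)  # records may arrive out of order
    return trajectories


def flagged_files(trajectories: dict[str, Trajectory]) -> list[str]:
    """Names of files the analyst should be notified about, highest peak score first."""
    flagged = [t for t in trajectories.values() if t.is_suspicious]
    return [t.file_name for t in sorted(flagged, key=lambda t: -t.peak_score)]


def render(trajectory: Trajectory) -> str:
    """Text rendering of one trajectory: time, action, behavior description and score."""
    marker = "!!" if trajectory.is_suspicious else "ok"
    lines = [f"[{marker}] {trajectory.file_name} (peak score {trajectory.peak_score})"]
    for a in trajectory.activities:
        desc = BEHAVIOR_REPOSITORY.get(a.behavior_id, ("unknown behavior", 0))[0]
        lines.append(f"  {a.timestamp:%H:%M:%S}  {a.action:<28} {desc} [{a.score}]")
    return "\n".join(lines)


# Constructed sandbox activity records (not a real report); note they are not in time order.
SAMPLE_REPORT = """\
# timestamp|file|action|behavior id
2017-01-15T10:00:03|invoice.exe|write temp\\helper.dll|B001
2017-01-15T10:00:05|invoice.exe|launch temp\\helper.dll|B002
2017-01-15T10:00:02|notes.txt|open by editor|B001
2017-01-15T10:00:12|invoice.exe|connect to remote host|B004
2017-01-15T10:00:09|invoice.exe|write autostart entry|B003
"""

if __name__ == "__main__":
    trajectories = build_trajectories(SAMPLE_REPORT.splitlines())
    for name in sorted(trajectories):
        print(render(trajectories[name]))
    print("flagged:", flagged_files(trajectories))
```

The sorting step is the point of the trajectory view: the rendered sequence for invoice.exe reads as write, launch, persistence, connect regardless of the order the sandbox emitted the records, which is what lets an analyst see a chain of behavior rather than hunt for it across a long report.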