Systems and methods for malware defense

US 10,097,573 B1
Filed: 12/04/2017
Issued: 10/09/2018
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A malware defense system comprising:

a first malware containment system; and

a second malware containment system communicatively coupled to the first malware containment system,wherein each malware containment system of a plurality of malware containment systems including the first malware containment system and the second malware containment system comprisinga sensor implemented in a computing device and configured to generate a malware identifier for a malware propagating within a communication network, the sensor comprisingan alternate computer network to analyze communications traffic being filtered from the communication network; and

a controller configured to monitor the alternate computer network, and to generate the malware identifier based on anomalous behavior caused within the alternate computer network by the malware, the controller to generate of the malware identifier by at least (i) generating a sequence of network activities based on an orchestrated pattern and (ii) determining the malware identifier by comparing observed behavior in the alternate computer network with orchestrated behavior expected from the orchestrated pattern; and

a blocking system in communication with the sensor over the communication network and configured to receive the malware identifier from the sensor to block the propagation of the malware within the communication network.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the invention is directed to a method for defending against a cyberattack. The method involves filtering communications traffic propagating over a communication network and analyzing the filtered communications traffic within an alternate computer network, which is communicatively coupled to the communication network. Upon detection of malware within the filtered communications traffic, a malware identifier is generated based on anomalous behavior caused within the alternate computer network by the malware. The generating of the malware identifier includes (i) generating a sequence of network activities within the alternate computer network based on an orchestrated pattern and (ii) determining the malware identifier by comparing observed behavior in the alternate computer network with orchestrated behavior expected from the orchestrated pattern. Thereafter, the propagation of the malware over the communication network is blocked.

747 Citations

44 Claims

1. A malware defense system comprising:
- a first malware containment system; and
  
  a second malware containment system communicatively coupled to the first malware containment system,wherein each malware containment system of a plurality of malware containment systems including the first malware containment system and the second malware containment system comprisinga sensor implemented in a computing device and configured to generate a malware identifier for a malware propagating within a communication network, the sensor comprisingan alternate computer network to analyze communications traffic being filtered from the communication network; and
  
  a controller configured to monitor the alternate computer network, and to generate the malware identifier based on anomalous behavior caused within the alternate computer network by the malware, the controller to generate of the malware identifier by at least (i) generating a sequence of network activities based on an orchestrated pattern and (ii) determining the malware identifier by comparing observed behavior in the alternate computer network with orchestrated behavior expected from the orchestrated pattern; and
  
  a blocking system in communication with the sensor over the communication network and configured to receive the malware identifier from the sensor to block the propagation of the malware within the communication network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The malware defense system of claim 1 further comprising:
    - a management system in communication with the plurality of malware containment systems and configured to obtain the malware identifier from a sensor of the first malware containment system of the plurality of malware containment systems and distribute the malware identifier to a malware blocking system of a second malware containment system of the plurality of malware containment systems.
  - 3. The malware defense system of claim 2, wherein the management system automatically distributes the malware identifier to the malware blocking system of the second malware containment system.
  - 4. The malware defense system of claim 2, wherein the management system charges a fee to a subscriber associated with the second malware containment system for distributing the malware identifier to the malware blocking system of the second malware containment system.
  - 5. The malware defense system of claim 1, wherein the alternate computer network replays communications traffic filtered from the communication network, the filtered communications traffic being characteristic of malware.
  - 6. The malware defense system of claim 1, wherein the alternate computer network is transparent to and separate from the communication network.
  - 7. The malware defense system of claim 1, wherein the malware identifier comprises a signature.
  - 8. The malware defense system of claim 7, wherein the signature comprises a Uniform Resource Locator (URL) and the malware blocking system is capable of filtering by URL.
  - 9. The malware defense system of claim 7, wherein the signature is for use by an inline signature based intrusion detection system, the signature being shared with the inline signature based intrusion detection system.
  - 10. The malware defense system of claim 7, wherein the signature comprises an action control list (ACL) entry for a network device capable of filtering network traffic, the signature being shared with the network device.
  - 11. The malware defense system of claim 1, wherein the controller of each malware containment system is further configured to generate a recovery script.
  - 12. The malware defense system of claim 1, wherein the controller of each malware containment system is further configured to copy at least a portion of communications traffic from the communication network.
  - 13. The malware defense system of claim 12, wherein the controller of each malware containment system is further configured to suppress return traffic generated by the at least a portion of network traffic copied from the communication network.
  - 14. The malware defense system of claim 1, wherein the alternate computer network comprises a virtual computer system using machine virtualization technologies.
  - 15. The malware defense system of claim 1, wherein the anomalous behavior caused within the alternate computer network includes a behavior that deviates from the orchestrated behavior.

16. A method for defending against a cyberattack, comprising:
- filtering communications traffic propagating over a communication network;
  
  analyzing the filtered communications traffic within an alternate computer network communicatively coupled to the communication network;
  
  detecting malware within the filtered communications traffic;
  
  generating a malware identifier based on anomalous behavior caused within the alternate computer network by the malware, the generating of the malware identifier comprises (i) generating a sequence of network activities within the alternate computer network based on an orchestrated pattern and (ii) determining the malware identifier by comparing observed behavior in the alternate computer network with orchestrated behavior expected from the orchestrated pattern; and
  
  blocking the propagation of the malware over the communication network.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 17. The method of claim 16 further comprising distributing the malware identifier to a malware containment system remotely located from the alternative computer network.
  - 18. The method of claim 17 further comprising blocking the malware from propagating in a second communication network associated with the malware containment system.
  - 19. The method of claim 17, wherein the distributing of the malware identifier is performed automatically.
  - 20. The method of claim 17, wherein the distributing of the malware identifier is performed by a management system.
  - 21. The method of claim 17, wherein the distributing of the malware identifier comprises charging a fee to a subscriber associated with the malware containment system.
  - 22. The method of claim 16, wherein the generating of the sequence of network activities based on the orchestrated pattern comprises controlling, by a controller, operations of one or more computing systems of the alternate computer network to orchestrate the sequence of the network activities.
  - 23. The method of claim 16, wherein the alternate computer network is transparent to and separate from the communication network.
  - 24. The method of claim 16, wherein the detecting of the malware further comprises copying at least a portion of network traffic from the communication network characteristic of the malware for analysis by the alternate computer network.
  - 25. The method of claim 16, wherein generating the malware identifier further comprises generating a signature of the malware.
  - 26. The method of claim 16 further comprising generating a recovery script.
  - 27. The method of claim 16, wherein the alternate computer network comprises a virtual computer system using machine virtualization technologies.
  - 28. The method of claim 16, wherein the analyzing of the filtered communications traffic within an alternate computer network comprises selecting at least one computing system within the alternate computer network with a software profile or a hardware profile of a host computing system to which the communications traffic is directed.
  - 29. The method of claim 28, wherein the at least one computing system is a virtual computing system.
  - 30. The method of claim 16, wherein the malware identifier is a signature associated with the malware.
  - 31. The method of claim 16, wherein the malware is generated based on the anomalous behavior being a behavior that deviates from the orchestrated behavior.
  - 32. The method of claim 16, wherein the analyzing of the filtered communications traffic within an alternate computer network comprises selecting at least one computing system within the alternate computer network with a software profile or a hardware profile of a host computing system to which the communications traffic is directed.

33. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executable by a processor to perform a malware defense method comprising:
- filtering communications traffic propagating over a communication network;
  
  analyzing the filtered communications traffic within an alternate computer network communicatively coupled to the communication network;
  
  detecting malware within the filtered communications traffic;
  
  generating a malware identifier based on anomalous behavior caused within the alternate computer network by the malware, the generating of the malware identifier comprises (i) generating a sequence of network activities within the alternate computer network based on an orchestrated pattern and (ii) determining the malware identifier by comparing observed behavior in the alternate computer network with orchestrated behavior expected from the orchestrated pattern;
  
  andblocking the propagation of the malware over the communication network.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 34. The non-transitory machine readable medium of claim 33, wherein the executable code, when performing the malware defense method, further performs operations comprising:
    - distributing the malware identifier to a malware containment system remotely located from the alternative computer network.
  - 35. The non-transitory machine readable medium of claim 34, wherein the distributing of the malware identifier is performed automatically.
  - 36. The non-transitory machine readable medium of claim 34, wherein the distributing of the malware identifier is performed by a management system.
  - 37. The non-transitory machine readable medium of claim 34, wherein the distributing of the malware identifier comprises charging a fee to a subscriber associated with the malware containment system.
  - 38. The non-transitory machine readable medium of claim 33, wherein the executable code, when performing the malware defense method, further performs operations comprising:
    - blocking the malware from propagating in a second communication network associated with the malware containment system.
  - 39. The non-transitory machine readable medium of claim 33, wherein the executable code, when performing operations of generating the sequence of network activities based on the orchestrated pattern further performs one or more operations of controlling operations of one or more computing systems of the alternate computer network to orchestrate the sequence of the network activities.
  - 40. The non-transitory machine readable medium of claim 33, wherein the alternate computer network is transparent to and separate from the communication network.
  - 41. The non-transitory machine readable medium of claim 33, wherein the executable code, when performing operations of detecting of the malware further comprises copying at least a portion of network traffic from the communication network characteristic of the malware for analysis by the alternate computer network.
  - 42. The non-transitory machine readable medium of claim 33, wherein the executable code, when performing operations of generating the malware identifier including generating a signature of the malware.
  - 43. The non-transitory machine readable medium of claim 33, wherein the executable code, when performing the malware defense method, further performs operations comprising:
    - generating a recovery script.
  - 44. The non-transitory machine readable medium of claim 33, wherein the alternate computer network comprises a virtual computer system using machine virtualization technologies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US15/831,312
Time in Patent Office

309 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 2009/45595   Network integration; Enabli...

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 9/45537   Provision of facilities of ...

G06F 9/45558   Hypervisor-specific managem...

G06Q 20/10   specially adapted for elect...

H04L 63/0227   Filtering policies mail mes...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1491 : using deception as counterm...

H04L 63/20 : for managing network securi...

View All

Systems and methods for malware defense

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

747 Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for malware defense

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

747 Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links