Systems and methods for malware defense
First Claim
1. A malware defense system comprising:
a first malware containment system; and
a second malware containment system communicatively coupled to the first malware containment system, wherein each malware containment system of a plurality of malware containment systems including the first malware containment system and the second malware containment system comprises:
a sensor implemented in a computing device and configured to generate a malware identifier for a malware propagating within a communication network, the sensor comprising:
an alternate computer network to analyze communications traffic being filtered from the communication network; and
a controller configured to monitor the alternate computer network, and to generate the malware identifier based on anomalous behavior caused within the alternate computer network by the malware, the controller generating the malware identifier by at least (i) generating a sequence of network activities based on an orchestrated pattern and (ii) determining the malware identifier by comparing observed behavior in the alternate computer network with orchestrated behavior expected from the orchestrated pattern; and
a blocking system in communication with the sensor over the communication network and configured to receive the malware identifier from the sensor to block the propagation of the malware within the communication network.
Abstract
One embodiment of the invention is directed to a method for defending against a cyberattack. The method involves filtering communications traffic propagating over a communication network and analyzing the filtered communications traffic within an alternate computer network, which is communicatively coupled to the communication network. Upon detection of malware within the filtered communications traffic, a malware identifier is generated based on anomalous behavior caused within the alternate computer network by the malware. The generating of the malware identifier includes (i) generating a sequence of network activities within the alternate computer network based on an orchestrated pattern and (ii) determining the malware identifier by comparing observed behavior in the alternate computer network with orchestrated behavior expected from the orchestrated pattern. Thereafter, the propagation of the malware over the communication network is blocked.
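The core of the method above is the comparison in step (ii): the controller drives a known, scripted sequence of activities in the alternate network, so every flow that activity should produce is known in advance, and anything else that appears is attributed to the malware. The following is an added worked example in Python that is not code from the patent or its assignee; it models one sensor (orchestrate, observe, compare, derive an identifier) and a blocking system in a second containment system that consumes the identifier. The Flow and MalwareIdentifier types, the BlockingSystem class, the orchestrated pattern, the observed flows and the addresses in them are all assumptions constructed for this example.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One network activity seen inside the alternate network (assumed format)."""
    src: str
    dst: str
    dport: int
    action: str


@dataclass(frozen=True)
class MalwareIdentifier:
    """What the sensor sends to the blocking system: a stable digest of the
    anomalous behaviour plus the concrete (dst, dport) indicators to block."""
    digest: str
    indicators: frozenset


# The orchestrated pattern: the benign activity the controller drives in the
# alternate network (resolve a name, fetch a page) and the exact flows that
# activity is expected to produce.  Constructed for this example.
ORCHESTRATED_PATTERN = [
    Flow("victim-vm", "resolver", 53, "dns-query"),
    Flow("victim-vm", "web-srv", 80, "http-get"),
    Flow("web-srv", "victim-vm", 80, "http-200"),
]


def expected_behavior(pattern):
    """Behaviour expected from the orchestrated pattern: the pattern's own
    flows, counted so that repeats must match exactly."""
    return Counter(pattern)


def compare_behavior(expected, observed):
    """Return (unexpected, missing): flows observed but not explained by the
    pattern, and pattern flows that never occurred.  Both are anomalies; only
    the unexpected ones carry indicators a blocker can act on."""
    seen = Counter(observed)
    unexpected = list((seen - expected).elements())
    missing = list((expected - seen).elements())
    return unexpected, missing


def generate_identifier(unexpected):
    """Derive a malware identifier from the anomalous flows only.  Sorting the
    canonical form first makes the digest independent of observation order, so
    two sensors that see the same behaviour emit the same identifier."""
    if not unexpected:
        return None
    canon = sorted((f.src, f.dst, f.dport, f.action) for f in unexpected)
    digest = hashlib.sha256(repr(canon).encode()).hexdigest()
    indicators = frozenset((f.dst, f.dport) for f in unexpected)
    return MalwareIdentifier(digest, indicators)


class BlockingSystem:
    """Receives identifiers from a sensor (here, in another containment
    system) and filters live traffic on the communication network."""

    def __init__(self):
        self.known = {}

    def receive(self, ident):
        self.known[ident.digest] = ident

    def should_block(self, flow):
        return any((flow.dst, flow.dport) in i.indicators
                   for i in self.known.values())


def run_sensor(observed):
    """Controller logic of one containment system: orchestrate, compare, emit."""
    expected = expected_behavior(ORCHESTRATED_PATTERN)
    unexpected, _missing = compare_behavior(expected, observed)
    return generate_identifier(unexpected)


# Constructed observation: the orchestrated flows plus two the malware added
# (a reverse connection to an outside host and a lateral SMB probe).
OBSERVED = ORCHESTRATED_PATTERN + [
    Flow("victim-vm", "203.0.113.5", 4444, "tcp-connect"),
    Flow("victim-vm", "10.0.0.7", 445, "smb-probe"),
]

if __name__ == "__main__":
    ident = run_sensor(OBSERVED)
    blocker = BlockingSystem()      # blocker of the second containment system
    blocker.receive(ident)
    live = Flow("host-42", "203.0.113.5", 4444, "tcp-connect")
    print(ident.digest[:16], sorted(ident.indicators), blocker.should_block(live))
```

Two design points matter in practice. The identifier is built only from behaviour that the orchestrated pattern does not explain, so benign background flows the pattern accounts for never become blocking indicators; and a run in which every observed flow is explained yields no identifier at all, which is the check that keeps a clean sample from poisoning the blocking system.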
Claims (44)
1. Independent claim, reproduced above under First Claim. Dependent claims: 2 to 15.
16. A method for defending against a cyberattack, comprising:
filtering communications traffic propagating over a communication network;
analyzing the filtered communications traffic within an alternate computer network communicatively coupled to the communication network;
detecting malware within the filtered communications traffic;
generating a malware identifier based on anomalous behavior caused within the alternate computer network by the malware, the generating of the malware identifier comprising (i) generating a sequence of network activities within the alternate computer network based on an orchestrated pattern and (ii) determining the malware identifier by comparing observed behavior in the alternate computer network with orchestrated behavior expected from the orchestrated pattern; and
blocking the propagation of the malware over the communication network.
Dependent claims: 17 to 32.
33. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executable by a processor to perform a malware defense method comprising:
filtering communications traffic propagating over a communication network;
analyzing the filtered communications traffic within an alternate computer network communicatively coupled to the communication network;
detecting malware within the filtered communications traffic;
generating a malware identifier based on anomalous behavior caused within the alternate computer network by the malware, the generating of the malware identifier comprising (i) generating a sequence of network activities within the alternate computer network based on an orchestrated pattern and (ii) determining the malware identifier by comparing observed behavior in the alternate computer network with orchestrated behavior expected from the orchestrated pattern; and
blocking the propagation of the malware over the communication network.
Dependent claims: 34 to 44.