Systems and methods for malware detection and scanning

US 10,395,031 B2
Filed: 12/30/2010
Issued: 08/27/2019
Est. Priority Date: 12/30/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, operating in a hub computing device, for malware scanning and detection, the method comprising:

receiving, by the hub computing device from a separate controller computing device, a malware scan request having;

a first portion that includes an identification of a target website, anda second portion that includes instructions to scan the target website;

identifying, by the hub computing device, a plurality of first spoke honeypot computing devices for performing the malware scan request on the target website, wherein;

at least one first spoke honeypot computing device of the plurality of first spoke honeypot computing devices is separate from the hub computing device,at least one first spoke honeypot computing device is configured to use a second spoke honeypot computing device as a proxy, andthe second spoke honeypot computing device appears to originate from a different address than the plurality of first spoke honeypot computing devices;

sending, by the hub computing device to the plurality of first spoke honeypot computing devices, the malware scan request received from the controller computing device, wherein at least one first spoke honeypot computing device of the plurality of first spoke honeypot computing devices is configured to route the malware scan request to the second spoke honeypot computing device;

receiving, by the hub computing device from at least one first spoke honeypot computing device of the plurality of first spoke honeypot computing devices, a first set of results associated with performing the malware scan request, wherein performing the malware scan request includes visiting the target website by at least one first spoke honeypot computing device of the plurality of first spoke honeypot computing devices or by the second spoke honeypot computing device; and

sending, to the controller computing device, the first set of results associated with performing the malware scan request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for malware scanning and detection. In one exemplary embodiment, the method includes a hub computing device that receives, from a controller computing device, a scan request, and identifies spoke computing devices for performing the scan request. The method performed by the hub computing device also includes sending to the identified spoke computing devices, the scan request, receiving, from the spoke computing devices, results associated with the scan request, and sending, to the controller computing device, the results associated with the scan request.

36 Citations

View as Search Results

24 Claims

1. A computer-implemented method, operating in a hub computing device, for malware scanning and detection, the method comprising:
- receiving, by the hub computing device from a separate controller computing device, a malware scan request having;
  
  a first portion that includes an identification of a target website, anda second portion that includes instructions to scan the target website;
  
  identifying, by the hub computing device, a plurality of first spoke honeypot computing devices for performing the malware scan request on the target website, wherein;
  
  at least one first spoke honeypot computing device of the plurality of first spoke honeypot computing devices is separate from the hub computing device,at least one first spoke honeypot computing device is configured to use a second spoke honeypot computing device as a proxy, andthe second spoke honeypot computing device appears to originate from a different address than the plurality of first spoke honeypot computing devices;
  
  sending, by the hub computing device to the plurality of first spoke honeypot computing devices, the malware scan request received from the controller computing device, wherein at least one first spoke honeypot computing device of the plurality of first spoke honeypot computing devices is configured to route the malware scan request to the second spoke honeypot computing device;
  
  receiving, by the hub computing device from at least one first spoke honeypot computing device of the plurality of first spoke honeypot computing devices, a first set of results associated with performing the malware scan request, wherein performing the malware scan request includes visiting the target website by at least one first spoke honeypot computing device of the plurality of first spoke honeypot computing devices or by the second spoke honeypot computing device; and
  
  sending, to the controller computing device, the first set of results associated with performing the malware scan request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, further comprising:
    - sending, to the controller computing device, an acknowledgement message after receiving the malware scan request.
  - 3. The computer-implemented method of claim 1, further comprising:
    - sending, to the plurality of first spoke honeypot computing devices, an acknowledgement message after receiving the first set of results associated with the malware scan request.
  - 4. The computer-implemented method of claim 1, wherein identifying the plurality of first spoke honeypot computing devices for performing the malware scan request comprises:
    - identifying the plurality of first spoke honeypot computing devices for performing the malware scan request based on a workload determination.
  - 5. The computer-implemented method of claim 1, wherein the identification of the target website includes a target universal resource locator (URL).
  - 6. The computer-implemented method of claim 1, wherein the second spoke honeypot computing device is a proxy for the plurality of first spoke honeypot computing devices, and wherein the second spoke honeypot computing device comprises a different internet protocol (IP) address than any first spoke honeypot computing device included in the plurality of first spoke honeypot computing devices.
  - 7. The computer-implemented method of claim 1, wherein the performing the malware scan request comprises identifying obfuscated executable code in network traffic, identifying cross-site scripting attacks, or both.
  - 8. The computer-implemented method of claim 1, wherein the plurality of first spoke honeypot computing devices and the second spoke honeypot computing device are in different netblocks of internet protocol (IP) addresses.

9. A hub computing apparatus for malware scanning and detection, the apparatus comprising:
- at least one memory to store data and instructions; and
  
  at least one processor configured to access memory and to execute instructions to;
  
  receive, from a separate controller computing device, a scan request having;
  
  a first portion that includes an identification of a target website, anda second portion that includes instructions to scan the target website;
  
  identify a plurality of first spoke honeypot computing devices for performing the scan request on the target website, wherein;
  
  at least one first spoke honeypot computing device of the plurality of first spoke honeypot computing devices is separate from the hub computing apparatus,at least one first spoke honeypot computing device is configured to use a second spoke honeypot computing device as a proxy, andthe second spoke honeypot computing device appears to originate from a different address than the plurality of first spoke honeypot computing devices;
  
  send, to the plurality of first spoke honeypot computing devices, the scan request received from the controller computing device, wherein at least one of the plurality of first spoke honeypot computing devices is configured to route the scan request to the second spoke honeypot computing device;
  
  receive, from at least one of the plurality of first spoke honeypot computing devices, a first set of results associated with performing the scan request, wherein performing the scan request includes visiting the target website by at least one first spoke honeypot computing device of the plurality of first spoke honeypot computing devices or by the second spoke honeypot computing device; and
  
  send, to the controller computing device, the first set of results associated with performing the scan request.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The hub computing apparatus of claim 9, wherein the at least one processor is configured to:
    - send, to the controller computing device, an acknowledgement message after receiving the scan request.
  - 11. The hub computing apparatus of claim 9, wherein the at least one processor is configured to:
    - send, to the plurality of first spoke honeypot computing devices, an acknowledgement message after receiving the first set of results associated with the scan request.
  - 12. The hub computing apparatus of claim 9, wherein when the at least one processor is configured to identify the plurality of first spoke honeypot computing devices for performing the scan request, the processor is further configured to:
    - identify the plurality of first spoke honeypot computing devices for performing the scan request based on a workload determination.
  - 13. The hub computing apparatus of claim 9, wherein the identification of the target website includes a uniform resource locater (URL).
  - 14. The hub computing apparatus of claim 9, wherein the scan request is a malware scan request.

15. A computer-implemented method, operating in a plurality of first spoke honeypot computing devices, for malware scanning and detection, the method comprising:
- receiving, by the plurality of first spoke honeypot computing devices, from a hub computing device separate from the plurality of first spoke honeypot computing devices, a scan request having;
  
  a first portion that includes an identification of a target website, anda second portion that includes instructions to scan the target website,wherein the first spoke honeypot computing device is configured to use a second spoke honeypot computing device as a proxy, andwherein the second spoke honeypot computing device appears to originate from a different address than the plurality of first spoke honeypot computing devices;
  
  routing the scan request to the second spoke honeypot computing device;
  
  performing, by the first spoke honeypot computing device, analysis of the target website according to the instructions included in the scan request, wherein the analysis of the target website includes visiting the target website by the first spoke honeypot computing device or by the second spoke honeypot computing device;
  
  storing, in a database associated with the plurality of first spoke honeypot computing devices, a first set of results associated with the analysis of the target website; and
  
  sending, by the first spoke honeypot computing device to the hub computing device, the first set of results of the analysis.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer-implemented method of claim 15, further including:
    - performing, via a set of one or more virtual machines operating in the plurality of first spoke honeypot computing devices, the analysis according to the instructions included in the scan request, wherein the analysis includes monitoring (API) calls on the set of one or more virtual machines; and
      
      logging the analysis into a first file, wherein the first file includes the first set of results of the analysis of the target website.
  - 17. The computer-implemented method of claim 15, wherein the identification of the target website includes a universal resource locator (URL) of the target website.
  - 18. The computer-implemented method of claim 17, wherein performing the analysis according to the instructions included in the scan request includes:
    - visiting the target website based on the URL included in the scan request;
      
      observe one or more malicious actions made by the target website; and
      
      performing malware analysis of the target website.
  - 19. The computer-implemented method of claim 15, wherein the scan request is a malware scan request.

20. A plurality of spoke honeypot computing apparatuses for malware scanning and detection, each of the spoke computing apparatuses comprising:
- at least one memory to store data and instructions; and
  
  at least one processor configured to access the at least one memory and, when executing the instructions, to;
  
  receive, by a plurality of first spoke honeypot computing apparatuses, from a hub computing device separate from the first spoke honeypot computing apparatus, a scan request having;
  
  a first portion that includes an identification of a target website, anda second portion that includes instructions to scan the target website,wherein at least one first spoke honeypot computing apparatus of the plurality of first spoke honeypot computing apparatuses is configured to use a second spoke honeypot computing apparatus as a proxy, andwherein the second spoke honeypot computing apparatus appears to originate from a different address source than the plurality of first spoke honeypot computing apparatuses;
  
  route the scan request to the second spoke honeypot computing apparatus;
  
  perform analysis of the target website according to the instructions included in the scan request, wherein performing the scan request includes the first spoke honeypot computing apparatus or the second spoke honeypot computing apparatus visiting the target website;
  
  store, in a database associated with the plurality of first spoke honeypot computing apparatus, results of the analysis of the target website; and
  
  send, to the hub computing device, the results of the analysis of the target website.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The first spoke honeypot computing apparatus of claim 20, wherein the at least one processor is configured to:
    - perform, via a virtual machine, the analysis according to the instructions included in the scan request.
  - 22. The first spoke honeypot computing apparatus of claim 20, wherein the identification of the target website includes a universal resource locator (URL) of the target website.
  - 23. The first spoke honeypot computing apparatus of claim 22, wherein when the at least one processor is configured to perform the analysis according to the scan request, the at least one processor is configured to:
    - perform malware analysis of the target website associated with the URL included in the scan request.
  - 24. The first spoke honeypot computing apparatus of claim 20, wherein the scan request is a malware scan request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
Shyamsunder, Karthik, Tonn, Trevor, Thomas, Ralph, Holmes, Alexander, Krahulec, James, Sunkara, Srinivas
Primary Examiner(s)
Parsons, Theodore C

Application Number

US12/982,540
Publication Number

US 20120174225A1
Time in Patent Office

3,162 Days
Field of Search

726 24, 726 22, 713188
US Class Current
CPC Class Codes

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

H04L 63/14   for detecting or protecting...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

Systems and methods for malware detection and scanning

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

36 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for malware detection and scanning

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links