System and method for separated packet processing and static analysis

US 10,454,953 B1
Filed: 10/09/2017
Issued: 10/22/2019
Est. Priority Date: 03/28/2014
Status: Active Grant

First Claim

Patent Images

1. A server, comprising:

a first blade server including a first processing unit and a filtering logic that, when executed by the first processing unit, is configured to receive a first plurality of objects and identify, without execution of any object of the first plurality of objects, at least a first object of the first plurality of objects having characteristics associated with a malicious attack; and

a second blade server communicatively coupled to the first blade server, the second blade server includes a second processing unit being different from the first processing unit, the second processing unit to (i) process at least the first object provided from the first blade server when the first object includes characteristics associated with a malicious attack, (ii) monitor at least behaviors of the first object during processing, and (iii) determine whether any of the monitored behaviors correspond to activities indicative that the first object is associated with a malicious attack.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a system features a network security device and a cloud computing service. The network security device is configured to determine whether an object includes one or more characteristics associated with a malicious attack. The cloud computing service, communicatively coupled to and remotely located from the network security device, includes virtual execution logic that, upon execution by a processing unit deployed as part of the cloud computing service and after the network security device determining that the object includes the one or more characteristics associated with the malicious attack, processes the object and monitors for behaviors of at least the object suggesting the object is associated with a malicious attack.

Citations

33 Claims

1. A server, comprising:
- a first blade server including a first processing unit and a filtering logic that, when executed by the first processing unit, is configured to receive a first plurality of objects and identify, without execution of any object of the first plurality of objects, at least a first object of the first plurality of objects having characteristics associated with a malicious attack; and
  
  a second blade server communicatively coupled to the first blade server, the second blade server includes a second processing unit being different from the first processing unit, the second processing unit to (i) process at least the first object provided from the first blade server when the first object includes characteristics associated with a malicious attack, (ii) monitor at least behaviors of the first object during processing, and (iii) determine whether any of the monitored behaviors correspond to activities indicative that the first object is associated with a malicious attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The server of claim 1, wherein the second blade server further comprising reporting logic that, when executed by the second processing unit, issues an alert message identifying at least the first object being associated with a malicious attack.
  - 3. The server of claim 2, wherein the alert message includes a text message.
  - 4. The server of claim 1, wherein the second blade server being implemented as part of a cloud computing service.
  - 5. The server of claim 1, wherein the first blade server to perform one or more exploit signature checks that include a comparison of one or more pre-stored exploit signatures to content of the first object.
  - 6. The server of claim 1, wherein the first blade server to perform an heuristic analysis that analyzes the first object using metadata or attributes of the first object to determine whether a certain portion of the first object has characteristics that suggest the first object is associated with a malicious attack.
  - 7. The server of claim 1, wherein the second blade server includes at least one virtual machine that is configured to process the content within at least the first object.
  - 8. The server of claim 1, wherein the one or more characteristics further comprise a particular source address that is associated with a known exploit.
  - 9. The server of claim 1, wherein the one or more characteristics further comprise a particular destination address that is associated with a known exploit.

10. A system, comprising:
- a network security device configured to determine whether an object includes one or more characteristics associated with a malicious attack without execution of the object, the one or more characteristics include at least a Uniform Resource Locator (URL) that suggests the object is associated with a known exploit; and
  
  a cloud computing service communicatively coupled to and remotely located from the network security device, the cloud computing service including a virtual execution logic that, upon execution of the object by a processing unit deployed as part of the cloud computing service and, after the network security device determining that content of the object includes the one or more characteristics associated with the malicious attack, monitors for behaviors of the object suggesting the object is associated with a malicious attack.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The system of claim 10, wherein the cloud computing service further comprising reporting logic that, when executed by the processing unit, transmits an alert message to a network administrator, user, or another entity upon identifying at least the object being associated with a malicious attack.
  - 12. The system of claim 10, wherein the network security device to perform one or more exploit signature checks that include a comparison of one or more pre-stored exploit signatures to the content of the object.
  - 13. The system of claim 10, wherein the network security device to perform an heuristic analysis that analyzes the object using metadata or attributes of the object to determine whether a certain portion of the object has characteristics that suggest the object is associated with a malicious attack.
  - 14. The system of claim 10, wherein the virtual execution logic that, upon execution by the processing unit, includes at least one virtual machine that is configured to process the object.
  - 15. The system of claim 10, wherein the virtual execution logic is deployed within a dynamic analysis engine implemented within the cloud computing service.
  - 16. The system of claim 15, wherein the dynamic analysis engine includes one or more software modules being executed by the processing unit within the cloud computing service that are configured to process the object and monitor for the behaviors of the object.
  - 17. The system of claim 16, wherein the processing unit is a virtual processor.

18. A system, comprising:
- a network security device configured to determine whether an object includes one or more characteristics associated with a malicious attack without execution of the object, the one or more characteristics include a particular source address that suggests the object is associated with a known exploit; and
  
  a cloud computing service communicatively coupled to and remotely located from the network security device, the cloud computing service including a virtual execution logic that, upon execution of the object by a processing unit deployed as part of the cloud computing service and, after the network security device determining that content of the object includes the one or more characteristics associated with the malicious attack, monitors for behaviors of the object suggesting the object is associated with a malicious attack.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 30)
- - 19. The system of claim 18, wherein the cloud computing service further comprising reporting logic that, when executed by the processing unit, transmits an alert message to a network administrator, user, or another entity upon identifying at least the object being associated with a malicious attack.
  - 20. The system of claim 18, wherein the network security device to perform one or more exploit signature checks that include a comparison of one or more pre-stored exploit signatures to the content of the object.
  - 21. The system of claim 18, wherein the network security device to perform an heuristic analysis that analyzes the object using metadata or attributes of the object to determine whether a certain portion of the object has characteristics that suggest the object is associated with a malicious attack.
  - 22. The system of claim 18, wherein the virtual execution logic that, upon execution by the processing unit, includes at least one virtual machine that is configured to process the object.
  - 23. The system of claim 18, wherein the virtual execution logic is deployed within a dynamic analysis engine implemented within the cloud computing service.
  - 24. The system of claim 23, wherein the dynamic analysis engine includes one or more software modules being executed by the processing unit within the cloud computing service that are configured to process the object and monitor for the behaviors of the object.
  - 25. The system of claim 24, wherein the processing unit is a virtual processor.
  - 30. The system of claim 20, wherein the virtual execution logic that, upon execution by the processing unit, includes at least one virtual machine that is configured to process the object.

26. A system, comprising:
- a network security device configured to determine whether an object includes one or more characteristics associated with a malicious attack without execution of the object, the one or more characteristics include a particular destination address that suggests the object is associated with a known exploit; and
  
  a cloud computing service communicatively coupled to and remotely located from the network security device, the cloud computing service including a virtual execution logic that, upon execution of the object by a processing unit deployed as part of the cloud computing service and, after the network security device determining that content of the object includes the one or more characteristics associated with the malicious attack, monitors for behaviors of the object suggesting the object is associated with a malicious attack.
- View Dependent Claims (27, 28, 29, 31, 32, 33)
- - 27. The system of claim 26, wherein the cloud computing service further comprising reporting logic that, when executed by the processing unit, transmits an alert message to a network administrator, user, or another entity upon identifying at least the object being associated with a malicious attack.
  - 28. The system of claim 26, wherein the network security device to perform one or more exploit signature checks that include a comparison of one or more pre-stored exploit signatures to the content of the object.
  - 29. The system of claim 26, wherein the network security device to perform an heuristic analysis that analyzes the object using metadata or attributes of the object to determine whether a certain portion of the object has characteristics that suggest the object is associated with a malicious attack.
  - 31. The system of claim 26, wherein the virtual execution logic is deployed within a dynamic analysis engine implemented within the cloud computing service.
  - 32. The system of claim 31, wherein the dynamic analysis engine includes one or more software modules being executed by the processing unit within the cloud computing service that are configured to process the object and monitor for the behaviors of the object.
  - 33. The system of claim 32, wherein the processing unit is a virtual processor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Amin, Muhammad, Mehmood, Masood, Ramaswamy, Ramaswamy, Challa, Madhusudan, Karandikar, Shrikrishna
Primary Examiner(s)
Smithers, Matthew

Application Number

US15/728,436
Time in Patent Office

743 Days
Field of Search
US Class Current
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 67/01   Protocols

System and method for separated packet processing and static analysis

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for separated packet processing and static analysis

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links