Multi-level control for enhanced resource and object evaluation management of malware detection system

US 10,554,507 B1
Filed: 09/29/2017
Issued: 02/04/2020
Est. Priority Date: 03/30/2017
Status: Active Grant

First Claim

Patent Images

1. A malware detection system, comprising:

a portal providing access over a network to displayable data that allows each customer of a plurality of customer to (i) register with and obtain a subscription to the malware detection system and (ii) produce subscription information including a plurality of service attributes that correspond to one or more subscription requirements;

a subscription review service communicatively coupled with the portal, the subscription review service comprises a data store configured to store the subscription information including the plurality of service attributes for each customer of the plurality of customers, wherein each subscription information includes a customer identifier and at least one identifier associated with a source operable to submit one or more objects to the malware detection system for analysis;

a cloud broker communicatively coupled with the subscription review service and including a first processor and a first memory, the first memory includes analysis selection logic that, upon execution by the first processor, selects a cluster of a plurality of clusters to receive an object of the one or more objects from the source, wherein the cloud broker being located in a public network; and

a cluster broker communicatively coupled with and remotely located from the cloud broker and being part of or in communication with the selected cluster of the plurality of clusters, the cluster broker, including a second processor and a second memory, to select an object analyzer of the selected cluster to analyze the object submitted by the source to determine whether the analyzed object is associated with a cyber-attack, wherein the cluster broker being located in a private network;

wherein the cloud broker including enforcement logic, stored in the first memory that, upon execution by the first processor, enforces compliance with the plurality of service attributes from the subscription information.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized method for enforcing compliance to a subscription for object evaluation service by a malware detection system is described. Enforcement logic receives operational metadata from the malware detection system. The operational metadata includes metadata associated with operations performed on objects submitted to the malware detection system by the one or more customers. For each customer, the operational metadata associated with operations performed on data submitted by the customer is analyzed for comparison with a plurality of service attributes associated with the subscription for the customer. Responsive to detecting that the customer is failing to comply with one or more service attributes of the plurality of service attributes, performing, by the enforcement logic, an operation to remedy (i) a failure by the customer in complying with the subscription requirements for the customer or (ii) a failure by the malware detection system in providing the customer with object evaluation service that satisfies the subscription requirements for the customer.

Citations

41 Claims

1. A malware detection system, comprising:
- a portal providing access over a network to displayable data that allows each customer of a plurality of customer to (i) register with and obtain a subscription to the malware detection system and (ii) produce subscription information including a plurality of service attributes that correspond to one or more subscription requirements;
  
  a subscription review service communicatively coupled with the portal, the subscription review service comprises a data store configured to store the subscription information including the plurality of service attributes for each customer of the plurality of customers, wherein each subscription information includes a customer identifier and at least one identifier associated with a source operable to submit one or more objects to the malware detection system for analysis;
  
  a cloud broker communicatively coupled with the subscription review service and including a first processor and a first memory, the first memory includes analysis selection logic that, upon execution by the first processor, selects a cluster of a plurality of clusters to receive an object of the one or more objects from the source, wherein the cloud broker being located in a public network; and
  
  a cluster broker communicatively coupled with and remotely located from the cloud broker and being part of or in communication with the selected cluster of the plurality of clusters, the cluster broker, including a second processor and a second memory, to select an object analyzer of the selected cluster to analyze the object submitted by the source to determine whether the analyzed object is associated with a cyber-attack, wherein the cluster broker being located in a private network;
  
  wherein the cloud broker including enforcement logic, stored in the first memory that, upon execution by the first processor, enforces compliance with the plurality of service attributes from the subscription information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 2. The malware detection system of claim 1, wherein the portal is a web portal being accessible over the network being a public network to enable a first customer of the plurality of customers to modify the subscription information associated with the subscription of the first customer, and the data store of the subscription review service to store the subscription information for the first customer.
  - 3. The malware detection system of claim 1, wherein the enforcement logic of the cloud broker, upon execution by the first processor, enforces (i) compliance by a first customer of the plurality of customers to operate in accordance with a first plurality of service attributes corresponding to subscription requirements associated with the subscription of the first customer and (ii) compliance by a second customer of the plurality of customers to operate in accordance with a second plurality of service attributes corresponding to subscription requirements associated with the subscription of the second customer.
  - 4. The system of claim 3, wherein the enforcement logic of the cloud broker to enforce compliance by the first customer by at least (i) analyzing whether operational metadata gathered from operations performed on data submissions provided by the source associated with the first customer to the selected cluster complies with the first plurality of service attributes, and (ii) responsive to detecting the customer failing to comply with the first plurality of service attributes, performing an operation to address a failure by the first customer to comply with the first plurality of service attributes.
  - 5. The malware detection system of claim 4, wherein the enforcement logic of the cloud broker analyzing whether the operational metadata complies with the first plurality of service attributes by at least determining whether the operational metadata indicates that a first rate or number of data submissions from the first customer to the selected cluster within a prescribed period of time exceeds a second rate or number of data submissions being one of the first plurality of service attributes.
  - 6. The malware detection system of claim 4, wherein the enforcement logic of the cloud broker analyzing whether the operational metadata complies with the first plurality of service attributes by at least determining whether the operational metadata indicates that the selected cluster resides within a geographic location as set by a service attribute of the plurality of service attributes associated with the subscription of the first customer.
  - 7. The malware detection system of claim 3, wherein the enforcement logic of the cloud broker performing an operation to address a failure by the first customer to comply with the first plurality of service attributes associated with the subscription of the first customer by at least transmitting an alert to an administrator for the first customer by the enforcement logic, the alert providing suggested measures for altering the subscription of the first customer to increase a first rate or number of data submissions in accordance with the subscription to coincide with a number of data submissions being provided by the first customer over the prescribed period of time to the cloud-based malware detection system.
  - 8. The malware detection system of claim 7, wherein the data submissions comprises either (i) metadata associated with the one or more objects for analysis by the selected cluster or (ii) the one or more objects.
  - 9. The malware detection system of claim 3, wherein the source includes a sensor communicatively coupled to the cloud broker and the subscription review service, the sensor including analysis logic operable in a network device communicatively coupled to the cloud broker and the subscription review service, to capture network traffic, perform a preliminary analysis on the network traffic to identify suspicious traffic, and provide one or more objects extracted from the suspicious traffic to the malware detection system for further analysis by the selected cluster to determine whether the one or more objects are associated with a cyber- attack.
  - 10. The malware detection system of claim 9, wherein the enforcement logic of the cloud broker performing an operation to address a failure by the first customer to comply with the first plurality of service attributes associated with the subscription of the first customer by at least forcing a re-enrollment of the sensor by altering communications from the sensor associated with the first customer from the selected cluster to a second cluster of the plurality of clusters being different than the selected cluster.
  - 11. The malware detection system of claim 9, wherein the enforcement logic of the cloud broker performing an operation to address an failure by the first customer to comply with the first plurality of service attributes associated with the subscription of the first customer by at least forcing a re-enrollment of at least one sensor other than the sensor associated with the first customer by maintaining a communication session between the sensor and the selected cluster, terminating a communication session between the at least one sensor and the selected cluster, and establishing a communication between the at least one sensor and a second cluster of the plurality of clusters being different than the selected cluster.
  - 12. The malware detection system of claim 9, wherein the sensor is a virtual sensor operable on a third processor different than the first processor of the cloud broker and the second processor of the cluster broker and stored within a third memory different than the first memory of the cloud broker and the second memory of the cluster broker.
  - 13. The malware detection system of claim 1, wherein the cloud broker comprises reporting logic that, upon execution by the first processor, transmits a result of the analysis of the object by the selected cluster in determining whether the object is associated with a cyber-attack.
  - 14. The malware detection system of claim 1, wherein the cloud broker to select the cluster of the plurality of clusters based at least in part on the one or more service attributes of the plurality of service attributes associated with the subscription of the first customer and operational metadata including metadata associated with operations of the plurality of clusters.
  - 15. The malware detection system of claim 1 wherein the object analyzer comprises at least one virtual machine to monitor behaviors resulting from processing of the one or more objects.
  - 16. The malware detection system of claim 1, wherein the cluster comprises a cluster management system communicatively coupled with the cluster broker to enforce compliance with the one or more subscription requirements.
  - 17. The malware detection system of claim 16, wherein the plurality of service attributes associated with the subscription to the malware detection system includes one or more bandwidth attributes including (i) a maximum number or a maximum rate of data submissions to the selected cluster by the source or (ii) a maximum number or a maximum rate of data submissions from a customer of the plurality of customers.
  - 18. The malware detection system of claim 16, wherein the plurality of service attributes associated with the subscription to the malware detection system includes a geographic restriction on any of the plurality of clusters selected to analyze data from the cluster selected by a customer associated with the source.
  - 19. The malware detection system of claim 1, wherein the cluster broker causing the object analyzer to analyze the object by at least performing one or more intra-cluster analyses including (i) analyzing metadata associated with a first object of the one or more objects and determining whether the first object has been previously analyzed for malware, and (ii) loading the metadata onto a queue for subsequent removal by the object analyzer and use of the metadata to retrieve the first object from the source upon determining that the first object has not been previously analyzed for malware.
  - 20. The malware detection system of claim 1, wherein the cluster broker comprises logic to enforce compliance to a subscription of one of the plurality of customers associated with the source based on analysis of the plurality of service attributes for the one of the plurality of customers and operational metadata gathered from operations performed on data submissions provided by the source associated with the one of the plurality of customers to the selected cluster.
  - 21. The malware detection system of claim 1, wherein the enforcement logic of the cloud broker is configured to enforce compliance based on an analysis of the operational metadata associated with the plurality of clusters and the plurality of service attributes associated with subscriptions for each of the plurality of customers.
  - 22. The malware detection system of claim 1, wherein the enforcement logic of the cloud broker to enforce compliance by a customer of the plurality of customers by at least (i) analyzing whether operational metadata gathered from operations performed on data submissions provided by source associated with the customer to the selected cluster complies with the plurality of service attributes associated with the subscription of the customer, and (ii) responsive to detecting the customer failing to comply with one or more service attributes of the plurality of service attributes, determining whether an operation to address a detected failure by the customer in complying with one or more of the plurality of service attributes is dependent on a subscription tier of the customer.
  - 23. The malware detection system of claim 1, wherein the cloud broker is configured to conduct one or more intra-cluster analyses including receiving metadata associated with the object for analysis and assigning a priority of analysis for the object associated with the metadata,wherein the metadata includes information for use by the broker compute node in assigning the priority of analysis for the object associated with the metadata prior to placement of the metadata within a queue awaiting retrieval by the object analyzer for subsequent retrieval of the object.
  - 24. The malware detection system of claim 23, wherein the metadata includes one or more service attributes for use by the broker compute node to compute and assign the priority in analysis of the object.
  - 25. The malware detection system of claim 23, wherein the metadata includes a tag that identifies the metadata being submitted from the source is to be assigned to a first priority level that is greater than a second priority level assigned to non-tagged metadata without a tag.

26. A computerized method for enforcing compliance to subscription requirements, the method comprising:
- receiving, by enforcement logic, operational metadata from a malware detection system including one or more clusters configured to analyze one or more objects submitted by one or more customers to determine whether the one or more analyzed object is associated with a cyber-attack, the operational metadata being metadata associated with operations performed on the one or more objects submitted to the malware detection system by the one or more customers; and
  
  for each customer of the one or more customers,analyzing the operational metadata associated with operations performed on one or more objects submitted by the customer based on with a plurality of service attributes associated with a subscription for the customer, the plurality of service attributes corresponding to subscription requirements for the customer, andresponsive to detecting that the customer is failing to comply with one or more service attributes of the plurality of service attributes, performing an operation to remedy (i) a failure by the customer in complying with the subscription requirements for the customer or (ii) a failure by the malware detection system in providing the customer with resources to satisfy the subscription requirements.
- View Dependent Claims (27, 28, 29, 30, 31)
- - 27. The computerized method of claim 26, wherein responsive to the failure by the malware detection system in providing the customer with resources to satisfy the subscription requirements for the customer, modifying the malware detection system by increasing a number of clusters of the plurality of clusters.
  - 28. The computerized method of claim 26, wherein responsive to the failure by the malware detection system in providing the customer with resources to satisfy the subscription requirements for the customer, modifying the malware detection system by adding one or more clusters at a geographic location as required by the subscription requirement for the cluster.
  - 29. The computerized method of claim 26, wherein responsive to the failure by the customer in complying with the subscription requirements for the customer, transmitting an alert to an administrator providing suggested measures for altering the subscription of the customer to increase a rate or a number of objects to be processed by the malware detection system over a prescribed period of time, provided that the non-compliant subscription requirement is directed to the rate or the number of objects to be processed by the malware detection system over the prescribed period of time.
  - 30. The computerized method of claim 29, wherein further responsive to the failure by the customer in complying with the subscription requirements for the customer, halting or reducing a rate a or number of objects to be processed by the malware detection system until the customer alters the subscription so that the current activity by the customer is in compliance with the subscription requirements.
  - 31. The computerized method of claim 26, wherein the one or more customers corresponding to a plurality of customers and the enforcement logic providing multi-tenancy through a cloud-based service.

32. A non-transitory storage medium including software that, during execution by a processor, enforces compliance to subscription requirements by performing operations comprising:
- receiving, by enforcement logic, operational metadata being metadata associated with operations performed on data submitted to a malware detection system, the malware detection system includes one or more clusters configured to analyze the data to determine whether the data is associated with a cyber-attack;
  
  analyzing the operational metadata associated with operations performed on the data submitted by a customer based on a plurality of service attributes associated with a subscription for the customer, the plurality of service attributes corresponding to subscription requirements for the customer; and
  
  responsive to detecting that the customer is failing to comply with one or more service attributes of the plurality of service attributes, performing an operation to remedy (i) a failure by the customer in complying with the subscription requirements for the customer or (ii) a failure by the malware detection system in providing the customer with resources to satisfy the subscription requirements.
- View Dependent Claims (33, 34, 35, 36, 37)
- - 33. The non-transitory storage medium of claim 32, wherein the software, during execution, is configured to, based on the failure by the malware detection system in providing the customer with resources to satisfy the subscription requirements for the customer, modify the malware detection system by increasing a number of clusters of the plurality of clusters.
  - 34. The non-transitory storage medium of claim 32, wherein the software, during execution, is configured to, based on the failure by the malware detection system in providing the customer with resources to satisfy the subscription requirements for the customer, modify the malware detection system by adding one or more clusters at a geographic location as required by the subscription requirement for the cluster.
  - 35. The non-transitory storage medium of claim 32, wherein the software, during execution, is configured to, based on the failure by the malware detection system in complying with the subscription requirements for the customer, transmit an alert to an administrator providing suggested measures for altering the subscription of the customer to increase a rate or a number of objects to be processed by the malware detection system over a prescribed period of time, provided that the non-compliant subscription requirement is directed to the rate or the number of objects to be processed by the malware detection system over the prescribed period of time.
  - 36. The non-transitory storage medium of claim 32, wherein the software, during execution, is configured to, based on the failure by the customer in complying with the subscription requirements for the customer, halt or reduce a rate or a number of objects to be processed by the malware detection system until the customer alters the subscription so that the current activity by the customer is in compliance with the subscription requirements.
  - 37. The non-transitory storage medium of claim 32, wherein the software, during execution, is configured to receive and analyze the operational metadata associated with operations performed on the data submitted by the customer and perform iterative operations for one or more other customers other than the customer in supporting a multi-tenancy.

38. A subscription review service deployed within a malware detection system, comprising:
- a data store storing subscription information including a plurality of service attributes for each customer of a plurality of customers, wherein each subscription information includes a customer identifier and at least one identifier associated with a sensor operable to submit one or more objects to the malware detection system for analysis;
  
  licensing logic that, during execution, receives software license credentials from the sensor associated with the customer, the software license credentials include service policy level information; and
  
  enrollment logic, upon receipt of the software license credentials, to control access to the malware detection system by the sensor, the enrollment logic being configured to (i) receive an enrollment request message, including at least an identifier of the sensor and an identifier of the customer, (ii) authenticate the sensor, and (iii) return a network address for accessing a cloud broker being logic that is configured to select one of a plurality of clusters for analysis of the one or more objects to determine whether any of the one or more objects system is associated with a cyber-attack.
- View Dependent Claims (39, 40, 41)
- - 39. The subscription review service of claim 38, wherein the network address corresponds to a Uniform Resource Locator (URL) for accessing the cloud broker.
  - 40. The subscription review service of claim 38, wherein the enrollment logic generates a mapping between the identifier of the sensor, the identifier of the customer and the subscription information.
  - 41. The subscription review service of claim 38, wherein the service policy level information includes the identifier of the customer for use in accessing the subscription information associated with the customer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Siddiqui, Mumtaz, Radhakrishnan, Manju, Otvagin, Alexander
Primary Examiner(s)
McNally, Michael S

Application Number

US15/721,630
Time in Patent Office

858 Days
Field of Search

726 24
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/57   Certifying or maintaining t...

G06Q 30/0201   Market modelling; Market an...

H04L 41/5067   Customer-centric QoS measur...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 67/025   for remote control or remot...

H04L 67/10   in which an application is ...

H04L 67/12   specially adapted for propr...

Multi-level control for enhanced resource and object evaluation management of malware detection system

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-level control for enhanced resource and object evaluation management of malware detection system

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links