System for detecting a presence of malware from behavioral analysis

US 10,567,405 B1
Filed: 08/01/2016
Issued: 02/18/2020
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a first network device, including a memory device, configured to analyze network traffic propagating over a communication network and determines whether the network traffic includes one or more characteristics associated with malware;

a sensor communicatively coupled to and remotely located from the first network device, the sensor includes (i) one or more computing systems each including at least one virtual machine that processes information associated with the analyzed network traffic and (ii) logic that (a) monitors behavior of at least a first virtual machine of a first computing system of the one or more computing systems during processing of the information associated with the analyzed network traffic, (b) identifies data associated with the monitored behavior, (c) compares the data to data expected during processing of the information, and (d) detects a potential presence of the malware in the first virtual machine in response to the data differing from the expected data; and

a sensor manager communicatively coupled to the sensor, the sensor manager to generate an identifier for detecting the malware in additional network traffic propagating over the communication network.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for detecting malware is described. The system features a traffic analysis device and a network device. The traffic analysis device is configured to receive data over a communication network, selectively filter the data, and output a first portion of the data to the network device. The network device is communicatively coupled with and remotely located from the traffic analysis device. The network device features software that, upon execution, (i) monitors behaviors of one or more virtual machines processing the first portion of the data received as output from the traffic analysis device, and (ii) detects, based on the monitored behaviors, a presence of malware in the first virtual machine.

736 Citations

60 Claims

1. A system comprising:
- a first network device, including a memory device, configured to analyze network traffic propagating over a communication network and determines whether the network traffic includes one or more characteristics associated with malware;
  
  a sensor communicatively coupled to and remotely located from the first network device, the sensor includes (i) one or more computing systems each including at least one virtual machine that processes information associated with the analyzed network traffic and (ii) logic that (a) monitors behavior of at least a first virtual machine of a first computing system of the one or more computing systems during processing of the information associated with the analyzed network traffic, (b) identifies data associated with the monitored behavior, (c) compares the data to data expected during processing of the information, and (d) detects a potential presence of the malware in the first virtual machine in response to the data differing from the expected data; and
  
  a sensor manager communicatively coupled to the sensor, the sensor manager to generate an identifier for detecting the malware in additional network traffic propagating over the communication network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The system of claim 1, wherein the network traffic includes a plurality of data packets configured in accordance with a Hyper Text Transfer Protocol (HTTP) protocol.
  - 3. The system of claim 1, wherein the logic monitoring the behaviors of at least the first virtual machine includes a controller communicatively coupled to the one or more computing systems, where the controller is further configured to generate a signature to detect the malware in network traffic propagating over the communication network that is different from the analyzed network traffic.
  - 4. The system of claim 1, wherein the sensor manager to correlate differences between the data and the expected data to generate the identifier.
  - 5. The system of claim 1, wherein one or more characteristics associated with malware includes a sequence of network communications that are characteristic of malware.
  - 6. The system of claim 1, wherein the one or more computing systems of the sensor operate as a virtual computer network and the at least one virtual machine associated with each of the one or more computing systems includes a driver software that supports message exchanges between other virtual machines within the virtual computer network.
  - 7. The system of claim 1, wherein the at least one virtual machine of a first computing device of the one or more computing devices comprises a software profile includes an operating system or a software program associated with the processing of the information associated with the analyzed network traffic in the at least one virtual machine.
  - 8. The system of claim 7, wherein the software profile being updated automatically by a controller of the sensor by at least modifying an operating system or a software program to reflect an alternative version, release number or patch of the operating system or the software program.
  - 9. The system of claim 1, wherein the logic automatically updates a software profile associated with any of the at least one virtual machine in response to obtaining an update to the software profile.
  - 10. The system of claim 1, wherein the first network device is communicatively coupled to the second network device via a first network.
  - 11. The system of claim 1, wherein the sensor manager to correlate anomalous behaviors represented by the data to generate the identifier.
  - 12. The system of claim 1, wherein the sensor is configured to monitor the behavior of the first virtual machine by at least monitoring a behavior of the information associated with the analyzed network traffic during processing of the information.
  - 13. The system of claim 1, wherein the sensor is configured to monitor the behavior of the first virtual machine by at least monitoring network activities conducted by the information being processed within the first virtual machine.
  - 14. The system of claim 1, wherein the identifier generated by the sensor manager is based on the behavior monitored during processing of the information within the first virtual machine.
  - 15. The system of claim 1, wherein the identifier generated by the sensor manager includes a signature that characterizes at least one anomalous behavior of the malware.
  - 16. The system of claim 15, wherein the signature includes information associated with a plurality of ports along with data identified as a portion of malware directed to exploit each of the plurality of ports.
  - 17. The system of claim 1, wherein the identifier generated by the sensor manager includes a vector that characterizes either at least one anomalous behavior of the malware or a propagation path traveled by the malware over the communication network.
  - 18. The system of claim 1, wherein the first network device comprises a traffic analysis device coupled to the communication network.
  - 19. The system of claim 1, wherein the sensor corresponds to one or more software modules and one or more hardware modules.
  - 20. The system of claim 1, wherein the one or more computing systems includes hardware and software included as part of a computer.

21. A system comprising:
- a traffic analysis device, including a memory device, to receive and analyze data propagating over a communication network in order to determine whether the data includes one or more characteristics associated with malware;
  
  a network device in communication with and remotely located from the traffic analysis device, the network device comprises;
  
  a memory storage device to store one or more software profiles, anda controller operating in cooperation with one or more virtual machines that are based on software modules stored within the memory storage device, the controller to (i) monitor one or more behaviors of at least a first virtual machine of the one or more virtual machines processing information associated with the data received from the traffic analysis device in response to the traffic analysis device determining whether the data includes one or more characteristics associated with malware, (ii) identify data associated with the one or more monitored behaviors, (iii) compare the data to data expected during processing of the information, and (iv) detect a presence of malware in the first virtual machine in response to the data differing from the expected data; and
  
  a sensor manager communicatively coupled to the network device, the sensor manager to generate an identifier for detecting the malware in additional network traffic propagating over the communication network.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 22. The system of claim 21, wherein the controller of the network device automatically updates a first software profile of the one or more software profiles in response to obtaining an update to the first software profile, the first software profile associated with any of the one or more virtual machines and is further configured to generate a signature to detect the malware in network traffic propagating over the communication network that is different from the data received by the traffic analysis device.
  - 23. The system of claim 21, wherein the one or more virtual machines within the network device collectively operate as a virtual computer network and each of the one or more virtual machines includes a driver software that supports message exchanges between the one or more virtual machines within the virtual computer network.
  - 24. The system of claim 21, wherein the controller of the network device monitors the one or more behaviors of at least the first virtual machine by logging data from messages initiated by the first virtual machine.
  - 25. The system of claim 21, wherein the traffic analysis device identifies a type of data received from the communication network before determining whether to send the data to network device.
  - 26. The system of claim 25, wherein the controller of the network device selects an orchestration pattern based on the type of data identified by the traffic analysis device and coordinates network activities by the one or more virtual machines based on the selected orchestration pattern.
  - 27. The system of claim 26, wherein the selected orchestration pattern is configured to identify one or more ports accessible by the first virtual machine during processing of the data received from the traffic analysis device.
  - 28. The system of claim 27, wherein the controller of the network device detects the presence of malware in the first virtual machine in response to identifying the first virtual machine accesses a port other than the one or more ports identified by the orchestration pattern.
  - 29. The system of claim 21, wherein the traffic analysis device operates to filter the data that includes one or more characteristics associated with malware from other data within the network traffic.
  - 30. The system of claim 22, wherein first software profile includes an operating system or a software program associated with the processing of the information associated with the analyzed network traffic in the one or more virtual machines.
  - 31. The system of claim 21, wherein the sensor is communicatively coupled to the traffic analysis device via a network.
  - 32. The system of claim 21, wherein the data is different from the expected data based on one or more anomalous behaviors identified as part of the one or more monitored behaviors.
  - 33. The system of claim 21, wherein the controller of the network device is configured to monitor the one or more behaviors of the first virtual machine by at least monitoring a behavior of the information associated with the data received from the traffic analysis device.
  - 34. The system of claim 21, wherein the controller of the network device is configured to monitor the one or more behaviors of the first virtual machine by at least monitoring network activities conducted by the information.
  - 35. The system of claim 21, wherein the identifier generated by the sensor manager is based on the one or more behaviors monitored during processing of the information within the first virtual machine.
  - 36. The system of claim 21, wherein the identifier generated by the sensor manager includes a signature that characterizes at least one anomalous behavior of the malware.
  - 37. The system of claim 21, wherein the identifier generated by the sensor manager includes a vector that characterizes either at least one anomalous behavior of the malware or a propagation path traveled by the malware over the communication network.
  - 38. The system of claim 21, wherein the network device comprises a sensor.

39. A system comprising:
- a traffic analysis device, including a memory device, to receive data, selectively filter the data, and output a first portion of the data received over a communication network;
  
  a sensor in communication with and remotely located from the traffic analysis device, the network device comprises software that, upon execution, (i) monitors behavior of a first virtual machine of one or more virtual machines processing the first portion of the data received as output from the traffic analysis device, (ii) identifies data associated with the monitored behavior, (iii) compares the data to data expected during processing of the information, and (iv) detects, based on the monitored behavior, a potential presence of malware in the first virtual machine; and
  
  a sensor manager communicatively coupled to the sensor, the sensor manager to generate an identifier for detecting the malware in additional network traffic propagating over the communication network.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51)
- - 40. The system of claim 39, wherein the traffic analysis device selectively filters the data by precluding a second portion of the data from propagating from a communication network to a controller associated with the sensor.
  - 41. The system of claim 39, wherein the sensor comprises a plurality of computing systems each including at least one virtual machine of the one or more virtual machines, the plurality of computing systems are coupled to each other over a network different than the communication network, and the first portion of the data being processed by a first virtual machine of a first computing system of the plurality of computing systems.
  - 42. The system of claim 39, wherein the one or more virtual machines being configured with a software profile including an operating system or a software program component associated with the processing of the information associated with the analyzed network traffic in the one or more virtual machines.
  - 43. The system of claim 42, wherein the sensor comprises a controller, the controller to automatically update the software profile by at least modifying an operating system or a software program component to reflect an alternative version, release number or patch of the operating system or the software program.
  - 44. The system of claim 39, wherein the software, upon execution and responsive to the sensor obtaining an update to a software profile, automatically updates the software profile, the software profile associated with any of the one or more virtual machines.
  - 45. The system of claim 39, wherein the sensor is communicatively coupled to the traffic analysis device via a communication network.
  - 46. The system of claim 39, wherein the sensor is configured to monitor the behavior of the first virtual machine by at least monitoring a behavior of the information associated with the analyzed network traffic during processing of the information.
  - 47. The system of claim 39, wherein the sensor is configured to monitor the behavior of the first virtual machine by at least monitoring network activities conducted by the information being processed within the first virtual machine.
  - 48. The system of claim 39, wherein the identifier generated by the sensor manager is based on the behavior monitored during processing of the first portion of the data received as the output from the traffic analysis device.
  - 49. The system of claim 39, wherein the identifier generated by the sensor manager includes a signature that characterizes the data associated that corresponds to the expected data previously conducted by and detected for the malware.
  - 50. The system of claim 49, wherein the signature includes information associated with a plurality of ports along with data identified as a portion of malware directed to exploit each of the plurality of ports.
  - 51. The system of claim 39, wherein the identifier generated by the sensor manager includes a vector that characterizes either at least one anomalous behavior of the malware or a propagation path traveled by the malware over the communication network.

52. A system comprising:
- a sensor including software that, upon execution, (i) monitors behaviors of a first virtual machine of one or more virtual machines processing a first portion of data received over a communication network, (ii) identifies data associated with the monitored behaviors, (iii) compares the data to data expected during processing of the information, and (iv) detects, based on the monitored behaviors, a potential presence of malware in the first virtual machine in response to the data differing from the expected data; and
  
  a sensor manager communicatively coupled to the sensor via the communication network, the sensor manager to determine propagation of the malware over the communication network to ascertain whether the malware is associated with a targeted attack or is associated with an attempted infection of multiple network devices coupled to the communication network.
- View Dependent Claims (53, 54, 55, 56, 57, 58, 59, 60)
- - 53. The system of claim 52 further comprising:
    - a traffic analysis device to selectively filter the data by precluding a second portion of the data from propagating from the communication network to a controller associated with the network device.
  - 54. The system of claim 52, wherein the network device comprises a plurality of computing systems each including at least one virtual machine of the one or more virtual machines, the computing systems are coupled to each other over a network different than the communication network, and the first portion of the data being processed by a first virtual machine of a first computing system of the plurality of computing systems.
  - 55. The system of claim 52, wherein the identifier generated by the sensor manager is based on the behavior monitored during processing of the information within the first virtual machine.
  - 56. The system of claim 52, wherein the data different from the expected data based on one or more anomalous behaviors identified as part of the one or more monitored behaviors.
  - 57. The system of claim 52, wherein the sensor is configured to monitor the behaviors of the first virtual machine by at least monitoring behavior of the information associated with the data received from the traffic analysis device.
  - 58. The system of claim 52, wherein the sensor is configured to monitor the behaviors of the first virtual machine by at least monitoring network activities conducted by the information.
  - 59. The system of claim 52, wherein the identifier generated by the sensor manager is based on the behavior monitored during processing of the information within the first virtual machine.
  - 60. The system of claim 52, wherein the sensor is configured to monitor the behaviors of the first virtual machine by at least monitoring a behavior of the first portion of data associated with the analyzed network traffic during processing of the information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar
Primary Examiner(s)
Dolly, Kendall

Application Number

US15/225,669
Time in Patent Office

1,296 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 2009/45595   Network integration; Enabli...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0245   Filtering by information in...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

H04L 63/1491   using deception as counterm...

System for detecting a presence of malware from behavioral analysis

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

736 Citations

60 Claims

Specification

Solutions

Use Cases

Quick Links

System for detecting a presence of malware from behavioral analysis

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

736 Citations

60 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links