System for detecting a presence of malware from behavioral analysis
Abstract
A system for detecting malware is described. The system features a traffic analysis device and a network device. The traffic analysis device is configured to receive data over a communication network, selectively filter the data, and output a first portion of the data to the network device. The network device is communicatively coupled with and remotely located from the traffic analysis device. The network device features software that, upon execution, (i) monitors behaviors of one or more virtual machines processing the first portion of the data received as output from the traffic analysis device, and (ii) detects, based on the monitored behaviors, a presence of malware in the first virtual machine.
60 Claims
1. A system comprising:
- a first network device, including a memory device, configured to analyze network traffic propagating over a communication network and determines whether the network traffic includes one or more characteristics associated with malware;
- a sensor communicatively coupled to and remotely located from the first network device, the sensor includes (i) one or more computing systems each including at least one virtual machine that processes information associated with the analyzed network traffic and (ii) logic that (a) monitors behavior of at least a first virtual machine of a first computing system of the one or more computing systems during processing of the information associated with the analyzed network traffic, (b) identifies data associated with the monitored behavior, (c) compares the data to data expected during processing of the information, and (d) detects a potential presence of the malware in the first virtual machine in response to the data differing from the expected data; and
- a sensor manager communicatively coupled to the sensor, the sensor manager to generate an identifier for detecting the malware in additional network traffic propagating over the communication network.
Dependent claims: 2 to 20.
21. A system comprising:
- a traffic analysis device, including a memory device, to receive and analyze data propagating over a communication network in order to determine whether the data includes one or more characteristics associated with malware;
- a network device in communication with and remotely located from the traffic analysis device, the network device comprises:
  - a memory storage device to store one or more software profiles, and
  - a controller operating in cooperation with one or more virtual machines that are based on software modules stored within the memory storage device, the controller to (i) monitor one or more behaviors of at least a first virtual machine of the one or more virtual machines processing information associated with the data received from the traffic analysis device in response to the traffic analysis device determining whether the data includes one or more characteristics associated with malware, (ii) identify data associated with the one or more monitored behaviors, (iii) compare the data to data expected during processing of the information, and (iv) detect a presence of malware in the first virtual machine in response to the data differing from the expected data; and
- a sensor manager communicatively coupled to the network device, the sensor manager to generate an identifier for detecting the malware in additional network traffic propagating over the communication network.
Dependent claims: 22 to 38.
39. A system comprising:
- a traffic analysis device, including a memory device, to receive data, selectively filter the data, and output a first portion of the data received over a communication network;
- a sensor in communication with and remotely located from the traffic analysis device, the network device comprises software that, upon execution, (i) monitors behavior of a first virtual machine of one or more virtual machines processing the first portion of the data received as output from the traffic analysis device, (ii) identifies data associated with the monitored behavior, (iii) compares the data to data expected during processing of the information, and (iv) detects, based on the monitored behavior, a potential presence of malware in the first virtual machine; and
- a sensor manager communicatively coupled to the sensor, the sensor manager to generate an identifier for detecting the malware in additional network traffic propagating over the communication network.
Dependent claims: 40 to 51.
52. A system comprising:
- a sensor including software that, upon execution, (i) monitors behaviors of a first virtual machine of one or more virtual machines processing a first portion of data received over a communication network, (ii) identifies data associated with the monitored behaviors, (iii) compares the data to data expected during processing of the information, and (iv) detects, based on the monitored behaviors, a potential presence of malware in the first virtual machine in response to the data differing from the expected data; and
- a sensor manager communicatively coupled to the sensor via the communication network, the sensor manager to determine propagation of the malware over the communication network to ascertain whether the malware is associated with a targeted attack or is associated with an attempted infection of multiple network devices coupled to the communication network.
Dependent claims: 53 to 60.
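The independent claims describe one pipeline in three stages: a traffic analysis device that selectively filters traffic, a sensor that replays the selected objects in instrumented virtual machines and flags any behavior that differs from what is expected for that kind of object, and a sensor manager that derives an identifier for spotting the same malware in additional traffic (claims 1, 21, 39) and, in claim 52, judges from the spread of sightings whether the malware is a targeted attack or an attempted infection of many devices. The Python sketch below is an added illustration of that data flow and is not code from the patent or its assignee. It goes slightly beyond any single claim by chaining all three stages and the claim 52 propagation test together. The VM itself is not simulated: the "monitor traces", the content-type heuristics, the expected-behavior baselines, the hosts and the threshold of three destinations are all constructed sample values, and SHA-256 of the payload stands in for whatever identifier a real sensor manager would generate.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One object carried over the network (constructed sample record)."""
    src: str            # source host
    dst: str            # destination (potential victim) host
    content_type: str   # declared MIME type of the carried object
    payload: bytes      # the carried object (constructed stand-in bytes)


# Stage 1: characteristics the traffic analysis device treats as worth a closer
# look (constructed heuristics, not the patent's): content types that can carry
# active code, or an executable header hidden behind another content type.
ANALYZED_TYPES = {"application/pdf", "application/x-msdownload", "application/javascript"}


def select_for_analysis(flows):
    """Traffic analysis device: output the 'first portion' of the data to the sensor."""
    return [f for f in flows
            if f.content_type in ANALYZED_TYPES or f.payload.startswith(b"MZ")]


# Stage 2: events a clean viewer or loader produces in the instrumented VM while
# processing each content type (constructed baseline of "expected data").
EXPECTED_BEHAVIOR = {
    "application/pdf": {"file_open", "render", "file_close"},
    "application/x-msdownload": {"file_open", "process_create", "file_close"},
    "application/javascript": {"script_parse", "script_eval"},
}


def detect_deviation(observed, expected):
    """Sensor logic: monitored events the baseline does not account for.
    A non-empty result is the claimed 'data differing from the expected data'."""
    return set(observed) - expected


def analyze_flow(flow, observed_events):
    """Compare one replayed object's monitored behavior with its baseline.
    `observed_events` stands in for what the VM monitor recorded."""
    expected = EXPECTED_BEHAVIOR.get(flow.content_type, set())
    deviation = detect_deviation(observed_events, expected)
    return {"flow": flow, "malicious": bool(deviation), "deviation": sorted(deviation)}


# Stage 3: sensor manager.
def make_identifier(payload):
    """Identifier for recognising the same object in additional traffic without
    replaying it again. A plain SHA-256 of the payload is used here as a simple,
    exact-match stand-in for a real signature."""
    return hashlib.sha256(payload).hexdigest()


def find_in_traffic(flows, identifier):
    """Apply a generated identifier to additional network traffic."""
    return [f for f in flows if make_identifier(f.payload) == identifier]


def classify_propagation(sightings, threshold=3):
    """Claim 52's distinction: few destination hosts suggests a targeted attack,
    many distinct destinations an attempted infection of multiple devices.
    The threshold of three hosts is a constructed example value."""
    hosts = {f.dst for f in sightings}
    return "multi-device infection" if len(hosts) >= threshold else "targeted"


# Constructed sample traffic and monitor traces for the demonstration.
BENIGN_PDF = Flow("203.0.113.5", "10.0.0.11", "application/pdf", b"%PDF-1.7 constructed sample")
DROPPER = Flow("198.51.100.9", "10.0.0.12", "application/x-msdownload", b"MZ\x90\x00 constructed dropper")
TRACES = {  # what the VM monitor recorded for each object (constructed)
    BENIGN_PDF.payload: ["file_open", "render", "file_close"],
    DROPPER.payload: ["file_open", "process_create", "registry_run_key_write",
                      "outbound_connect", "file_close"],
}


def run_demo():
    """Chain the three stages: replay a first batch, derive identifiers from the
    malicious verdicts, sweep additional traffic with them, classify the spread."""
    first_batch = [BENIGN_PDF, DROPPER]
    verdicts = [analyze_flow(f, TRACES[f.payload]) for f in select_for_analysis(first_batch)]
    identifiers = {make_identifier(v["flow"].payload) for v in verdicts if v["malicious"]}
    # Additional traffic: the same dropper reaching three more hosts under a
    # different content type, plus the benign document again.
    additional = [Flow("198.51.100.9", f"10.0.0.{n}", "application/octet-stream", DROPPER.payload)
                  for n in (20, 21, 22)] + [BENIGN_PDF]
    hits = [f for ident in identifiers for f in find_in_traffic(additional, ident)]
    return {"verdicts": verdicts, "identifiers": identifiers,
            "hits": len(hits), "propagation": classify_propagation([DROPPER] + hits)}


if __name__ == "__main__":
    result = run_demo()
    for v in result["verdicts"]:
        print(v["flow"].content_type, "malicious" if v["malicious"] else "clean", v["deviation"])
    print(result["hits"], "additional sightings ->", result["propagation"])
```

The benign PDF passes because every monitored event is in its baseline, while the dropper's registry-persistence and outbound-connection events are absent from the executable baseline and trigger the verdict; the identifier then finds the same object in the additional traffic regardless of its declared content type, so the later copies never need to be replayed.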
Specification