Distributed malware detection system and submission workflow thereof
First Claim
1. A computerized method performed by a distributed malware detection system, the method comprising:
intercepting, by a sensor operating as a network device, traffic in a first network;
performing, by the sensor, a preliminary analysis on each of a plurality of objects extracted from the traffic to identify one or more suspicious objects included in the traffic and store metadata associated with the one or more suspicious objects, the one or more suspicious objects include a first suspicious object;
sending, by the sensor, over a second network, at least the first suspicious object and metadata associated with the first suspicious object to an analysis coordinator of a first computing node of a plurality of computing nodes forming a cluster, the cluster includes the plurality of computing nodes interconnected by a third network;
performing, by an object analyzer of a second computing node of the plurality of computing nodes deployed as part of the cluster, a malware analysis on the first suspicious object of the one or more suspicious objects received by the cluster, the second computing node being different from the first computing node;
sending, over the second network, results of the malware analysis to the sensor; and
sending, by the sensor to a management system, security information associated with at least the first suspicious object in the event the malware analysis indicates the first suspicious object is associated with a cybersecurity attack.
Abstract
A submission process for a malware detection system including one or more sensors and a cluster of one or more computing nodes is described. The sensor first determines whether a prior malware analysis has been conducted on any previously submitted object matching the object under analysis. If not, it determines whether the object is suspicious, namely whether the object has at least a first probability of being associated with malware. If suspicious, metadata associated with the suspicious object is sent to an analysis coordinator of a first computing node of the cluster. The metadata is used to determine whether a prior malware analysis has already been conducted within the cluster on any object that matches the suspicious object. The metadata is also used by an object analyzer, on the same or a different computing node of the cluster, to fetch the suspicious object from the sensor for malware analysis.
28 Claims
12. A computerized method performed by a distributed malware detection system, the method comprising:
intercepting, by a sensor operating as a network device, traffic in a first network;
performing, by the sensor, a preliminary analysis on each of a plurality of objects extracted from the traffic to identify suspicious objects included in the traffic and store metadata associated with the suspicious objects, wherein the performing of the preliminary analysis on each of the plurality of objects comprises (i) determining whether a first object of the plurality of objects has at least a first probability of being associated with malware, and (ii) determining whether the first object has at least a second probability, greater than the first probability, of being associated with malware in response to determining that the first object corresponds to a second object of the plurality of objects that has been previously determined to be associated with malware;
sending, by the sensor, over a second network, the suspicious objects and metadata associated with the suspicious objects to a cluster, the cluster includes the plurality of computing nodes interconnected by a third network and each computing node includes one or more processors;
performing, by an object analyzer deployed as part of the cluster, a malware analysis on the suspicious objects received by the cluster;
sending, over the second network, results of the malware analysis to the sensor; and
sending, by the sensor to a management system, security information associated with a malware analysis for the second object as the security information associated with the malware analysis for the first object.
13. A computerized method performed by a distributed malware detection system, the method comprising:
intercepting, by a sensor operating as a network device, traffic in a first network;
performing, by the sensor, a preliminary analysis on each of a plurality of objects extracted from the traffic to identify suspicious objects included in the traffic and store metadata associated with the suspicious objects;
sending, by the sensor, over a second network, the suspicious objects and the metadata associated with the suspicious objects to a cluster, the cluster includes the plurality of computing nodes interconnected by a third network, wherein the sending of the suspicious objects and the metadata associated with the suspicious objects further comprises: receiving metadata associated with a first suspicious object of the suspicious objects by an analysis coordinator of a first computing node of the cluster, and queuing, by the analysis coordinator, a portion of the received metadata for subsequent retrieval by an object analyzer, the object analyzer being operationally located at either (i) the first computing node of the cluster or (ii) a second computing node of the cluster different from the first computing node;
performing, by the object analyzer deployed as part of the cluster, a malware analysis on the suspicious objects received by the cluster;
sending, over the second network, results of the malware analysis to the sensor; and
sending, by the sensor to a management system, security information associated with the suspicious objects in the event the malware analysis indicates any of the suspicious objects is associated with malware.
18. A distributed malware detection system comprising:
one or more sensors, each sensor of the one or more sensors includes a processor and a storage medium and is operationally located to intercept traffic in an associated network or sub-network, wherein each sensor of the one or more sensors is to perform a preliminary analysis on a plurality of objects extracted from the traffic of the associated network to identify suspicious objects included in the traffic and store metadata associated with the suspicious objects; and
a cluster including a plurality of computing nodes, each computing node of the plurality of computing nodes includes an analysis coordinator and an object analyzer, the plurality of computing nodes includes at least a first computing node operating as a broker computing node in which a first analysis coordinator of the first computing node is placed in an active state and at least a second computing node operating as an analytic computing node in which an analysis coordinator of the second computing node is placed in an inactive state, wherein the first analysis coordinator of the first computing node of the plurality of computing nodes is communicatively coupled with the one or more sensors to receive, over a second network, at least the metadata associated with the suspicious objects, and wherein a first object analyzer of either (i) the first computing node or (ii) a second computing node of the plurality of computing nodes is to perform malware analysis on the suspicious objects received by the cluster from the one or more sensors and to return results of the malware analyses to corresponding sensors of the one or more sensors that provided the suspicious objects.
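The workflow that the abstract and independent claims 12, 13 and 18 describe (a sensor that first checks its own record of prior analyses, scores an object with a first probability and a greater second probability when it matches a previously judged object, sends metadata to the active analysis coordinator on a broker node, which deduplicates cluster-wide and otherwise queues the metadata for an object analyzer on a different node that fetches the object from the sensor, returns the result to the sensor, and the sensor alerts a management system only on a malicious verdict) can be traced end to end in a small simulation. The following Python is an added illustration and is not code from the patent or its assignee: the thresholds, the metadata field names, the byte-pattern scoring used as the "preliminary analysis", the round-robin placement on analytic nodes and the indicator list used as the stand-in "malware analysis" are all assumptions, and the sample traffic is constructed.

```python
# Added toy model of the sensor -> broker -> analyzer workflow; not the patent's code.
# Thresholds, field names, scoring heuristics and the stand-in analysis are assumptions.
import hashlib
from collections import deque
from dataclasses import dataclass, field

SUSPICIOUS_THRESHOLD = 0.3   # assumed cutoff for the claimed "first probability"
KNOWN_BAD_PROBABILITY = 0.9  # assumed greater "second probability" for a re-seen malicious object


def malware_analysis(data, node_id):
    """Stand-in for the cluster-side deep analysis (e.g. sandboxing); indicators are assumed."""
    hits = [m.decode() for m in (b"powershell", b"-enc", b"vssadmin") if m in data.lower()]
    return {"malicious": bool(hits), "indicators": hits, "node": node_id}


@dataclass
class ComputingNode:
    node_id: str
    coordinator_active: bool  # True on the broker node, False on analytic nodes (claim 18)


class Cluster:
    def __init__(self, nodes):
        self.broker = next(n for n in nodes if n.coordinator_active)   # exactly one active coordinator
        self.analytic = [n for n in nodes if not n.coordinator_active]
        self.queue = deque()  # metadata queued by the broker's coordinator for an analyzer (claim 13)
        self.results = {}     # cluster-wide cache: sha256 -> verdict of a prior analysis
        self.analyses = 0

    def submit(self, meta, sensor):
        """Analysis coordinator on the broker: answer from the cluster cache, else queue the metadata."""
        digest = meta["sha256"]
        if digest in self.results:
            return self.results[digest], "cluster-cache"
        self.queue.append({"sha256": digest, "sensor": sensor})
        return self._run_analyzer(), "analyzed"

    def _run_analyzer(self):
        """Object analyzer on an analytic node: dequeue, fetch the object from the sensor, analyze."""
        job = self.queue.popleft()
        node = self.analytic[self.analyses % len(self.analytic)]  # assumed round-robin placement
        verdict = malware_analysis(job["sensor"].fetch(job["sha256"]), node.node_id)
        self.results[job["sha256"]] = verdict
        self.analyses += 1
        return verdict


@dataclass
class Sensor:
    sensor_id: str
    mgmt_alerts: list = field(default_factory=list)    # security information for the management system
    local_results: dict = field(default_factory=dict)  # sha256 -> verdict returned for earlier submissions
    held_objects: dict = field(default_factory=dict)   # sha256 -> bytes, kept until the analyzer fetches them

    def preliminary_analysis(self, name, data):
        """Cheap sensor-side scoring; returns (metadata, probability). Heuristics are assumed."""
        digest = hashlib.sha256(data).hexdigest()
        prior = self.local_results.get(digest)
        if prior is not None:  # claim 12 (ii): matches an object already judged
            prob = KNOWN_BAD_PROBABILITY if prior["malicious"] else 0.0
        else:                  # claim 12 (i): first-pass probability
            prob = (0.3 if data.startswith(b"MZ") else 0.0) + (0.3 if b"powershell" in data.lower() else 0.0)
        return {"sha256": digest, "name": name, "probability": round(prob, 2), "sensor_id": self.sensor_id}, prob

    def fetch(self, digest):
        return self.held_objects[digest]  # objects stay on the sensor; the analyzer pulls them by hash

    def process(self, name, data, cluster):
        meta, prob = self.preliminary_analysis(name, data)
        if prob < SUSPICIOUS_THRESHOLD:
            return "ignored"
        digest = meta["sha256"]
        if digest in self.local_results:
            verdict, outcome = self.local_results[digest], "reused"  # prior result, no resubmission
        else:
            self.held_objects[digest] = data
            verdict, source = cluster.submit(meta, self)  # metadata crosses the "second network"
            self.local_results[digest] = verdict          # results return over the same network
            outcome = "submitted:" + source
        if verdict["malicious"]:
            self.mgmt_alerts.append({"name": name, "sha256": digest, **verdict})
        return outcome


# Constructed sample "traffic" per sensor as (object name, bytes); not real malware.
DROPPER = b"MZ\x90\x00 powershell -enc SQBFAFgA"
SAMPLE_TRAFFIC = {
    "sensor-a": [("invoice.pdf", b"%PDF-1.4 quarterly numbers"), ("setup.exe", DROPPER), ("setup_copy.exe", DROPPER)],
    "sensor-b": [("setup.exe", DROPPER), ("tool.exe", b"MZ\x90\x00 legitimate installer")],
}


def run_demo():
    cluster = Cluster([ComputingNode("node-1", True), ComputingNode("node-2", False), ComputingNode("node-3", False)])
    sensors = {sid: Sensor(sid) for sid in SAMPLE_TRAFFIC}
    outcomes = {(sid, name): sensors[sid].process(name, data, cluster)
                for sid, objs in SAMPLE_TRAFFIC.items() for name, data in objs}
    alerts = {sid: [a["name"] for a in s.mgmt_alerts] for sid, s in sensors.items()}
    return {"outcomes": outcomes, "alerts": alerts, "cluster_analyses": cluster.analyses}
```

Running `run_demo()` shows the three deduplication paths side by side: sensor-a's second copy of the dropper is answered from the sensor's own record with the raised probability and no resubmission, sensor-b's copy reaches the broker but is answered from the cluster cache without a fetch, and only the two never-seen objects consume an analyzer slot, so `cluster_analyses` is 2 for five intercepted objects. The caveat a practitioner would check is that both caches key on the exact hash: a variant with any byte changed bypasses them and gets full analysis, which is the intended behaviour, while a cached verdict is trusted indefinitely here, so a deployment would want expiry or revocation of prior results.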