Timeout management services
First Claim
1. A sensor configured to operate in cooperation with a cluster of computing nodes including a first computing node that conducts at least a malware analysis directed to an object submitted to the cluster where the malware analysis includes a behavioral analysis of the object, the sensor comprising:
- a processor; and
a memory communicatively coupled to the processor, the memory comprisesresult aggregation logic that, during execution by the processor, is configured to access a first data store associated with the cluster for retrieval of results of a malware analysis of metadata associated with the object, andtimeout monitoring logic communicatively coupled to the result aggregation logic, the timeout monitoring logic, during execution by the processor, is configured to (a) determine that a timeout event has occurred when (i) a timeout period associated with the object that identifies a duration of time for completing the malware analysis on the object by the cluster has expired as determined, by the first computing node, when a duration of retention of the metadata associated with the object in the first data store exceeds a timeout value included as part of the metadata, and (ii) no results of the malware analysis of the object have been stored in the first data store as provided by the result aggregation logic, and (b) report information associated with the timeout event to a management system that is configured to aggregate timeout events including the timeout event and further determine that the sensor is operating in an overloaded state based on a number of timeout events determined by the timeout monitoring logic within a prescribed time period.
7 Assignments
0 Petitions
Accused Products
Abstract
A scalable, threat detection system features computing nodes including a first computing node and a second computing node operating as a cluster. Each computing node features an analysis coordinator and an object analyzer. The analysis coordinator is configured to conduct an analysis of metadata associated with a suspicious object that is to be analyzed for malware, where the metadata being received from a remotely located network device and to store a portion of the metadata within a data store. The object analyzer is configured to retrieve the portion of the metadata from the data store, monitor a duration of retention of the metadata in the data store, and determine whether a timeout event has occurred for the object associated with the metadata based on retention of the metadata within the data store that exceeds a timeout value included as part of the metadata associated with the suspicious object for malware.
-
Citations
30 Claims
-
1. A sensor configured to operate in cooperation with a cluster of computing nodes including a first computing node that conducts at least a malware analysis directed to an object submitted to the cluster where the malware analysis includes a behavioral analysis of the object, the sensor comprising:
a processor; and a memory communicatively coupled to the processor, the memory comprises result aggregation logic that, during execution by the processor, is configured to access a first data store associated with the cluster for retrieval of results of a malware analysis of metadata associated with the object, and timeout monitoring logic communicatively coupled to the result aggregation logic, the timeout monitoring logic, during execution by the processor, is configured to (a) determine that a timeout event has occurred when (i) a timeout period associated with the object that identifies a duration of time for completing the malware analysis on the object by the cluster has expired as determined, by the first computing node, when a duration of retention of the metadata associated with the object in the first data store exceeds a timeout value included as part of the metadata, and (ii) no results of the malware analysis of the object have been stored in the first data store as provided by the result aggregation logic, and (b) report information associated with the timeout event to a management system that is configured to aggregate timeout events including the timeout event and further determine that the sensor is operating in an overloaded state based on a number of timeout events determined by the timeout monitoring logic within a prescribed time period. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
-
18. A sensor configured to operate in cooperation with at least a first computing node of a cluster of computing nodes that conduct malware analyses directed to objects received by the sensor, the sensor comprising:
-
a processor; and a memory communicatively coupled to the processor, the memory includes a first timeout monitoring unit implemented to monitor for timeout events occurring during the malware analyses of information associated with the received objects that may signify the sensor is operating in an overloaded state in conducting the malware analyses to transmit at least a portion of the information associated with the timeout events to a management system, wherein a timeout event of the timeout events occurs when (i) a timeout period associated with one of the received objects identifying a duration of time for completing a malware analysis of the malware analyses on the one of the received objects has expired, as determined by the first computing node, when a duration of retention of metadata associated with the one of the received objects exceeds a timeout value included as part of the metadata, and (ii) no results of the malware analysis on the one of the received objects are detected, and wherein the sensor receives a message from the management system suggesting a change in subscription level to increase malware analysis capabilities of the sensor from a current subscription level responsive, at least in part, to the management system identifying, based on the timeout events, that the sensor is operating in the overloaded state. - View Dependent Claims (19, 20, 21)
-
-
22. A sensor configured to operate in cooperation with at least a first computing node of a cluster of computing nodes that conducts at least a malware analysis directed to an object submitted to the cluster, the sensor comprising:
-
a hardware processor; result aggregation logic that, upon execution by the hardware processor deployed within the sensor, is configured to access a first data store associated with the cluster for retrieval of results of a malware analysis of metadata associated with the object; and timeout monitoring logic communicatively coupled to the result aggregation logic, the timeout monitoring logic, during execution by the hardware processor, is configured to (a) determine that a timeout event has occurred when (i) a time period associated with the object that identifies a duration of time for completing the malware analysis on the object by the cluster has expired as determined, by the first computing node, when a duration of retention of the metadata associated with the object in the first data store exceeds a timeout value included as part of the metadata and (ii) information associated with the object has not been timely submitted by the sensor to the cluster or received by the sensor after being processed by the cluster before expiration of the time period, and (b) report information associated with the timeout event to a management system that is configured to aggregate timeout events from the sensor, including the timeout event, to determine whether the sensor is operating in an overloaded state based on a number of timeout events determined by the timeout monitoring logic within a prescribed time period. - View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
-
Specification