Timeout management services

US 10,671,721 B1
Filed: 12/27/2016
Issued: 06/02/2020
Est. Priority Date: 03/25/2016
Status: Active Grant

First Claim

Patent Images

1. A sensor configured to operate in cooperation with a cluster of computing nodes including a first computing node that conducts at least a malware analysis directed to an object submitted to the cluster where the malware analysis includes a behavioral analysis of the object, the sensor comprising:

a processor; and

a memory communicatively coupled to the processor, the memory comprisesresult aggregation logic that, during execution by the processor, is configured to access a first data store associated with the cluster for retrieval of results of a malware analysis of metadata associated with the object, andtimeout monitoring logic communicatively coupled to the result aggregation logic, the timeout monitoring logic, during execution by the processor, is configured to (a) determine that a timeout event has occurred when (i) a timeout period associated with the object that identifies a duration of time for completing the malware analysis on the object by the cluster has expired as determined, by the first computing node, when a duration of retention of the metadata associated with the object in the first data store exceeds a timeout value included as part of the metadata, and (ii) no results of the malware analysis of the object have been stored in the first data store as provided by the result aggregation logic, and (b) report information associated with the timeout event to a management system that is configured to aggregate timeout events including the timeout event and further determine that the sensor is operating in an overloaded state based on a number of timeout events determined by the timeout monitoring logic within a prescribed time period.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A scalable, threat detection system features computing nodes including a first computing node and a second computing node operating as a cluster. Each computing node features an analysis coordinator and an object analyzer. The analysis coordinator is configured to conduct an analysis of metadata associated with a suspicious object that is to be analyzed for malware, where the metadata being received from a remotely located network device and to store a portion of the metadata within a data store. The object analyzer is configured to retrieve the portion of the metadata from the data store, monitor a duration of retention of the metadata in the data store, and determine whether a timeout event has occurred for the object associated with the metadata based on retention of the metadata within the data store that exceeds a timeout value included as part of the metadata associated with the suspicious object for malware.

Citations

30 Claims

1. A sensor configured to operate in cooperation with a cluster of computing nodes including a first computing node that conducts at least a malware analysis directed to an object submitted to the cluster where the malware analysis includes a behavioral analysis of the object, the sensor comprising:
- a processor; and
  
  a memory communicatively coupled to the processor, the memory comprisesresult aggregation logic that, during execution by the processor, is configured to access a first data store associated with the cluster for retrieval of results of a malware analysis of metadata associated with the object, andtimeout monitoring logic communicatively coupled to the result aggregation logic, the timeout monitoring logic, during execution by the processor, is configured to (a) determine that a timeout event has occurred when (i) a timeout period associated with the object that identifies a duration of time for completing the malware analysis on the object by the cluster has expired as determined, by the first computing node, when a duration of retention of the metadata associated with the object in the first data store exceeds a timeout value included as part of the metadata, and (ii) no results of the malware analysis of the object have been stored in the first data store as provided by the result aggregation logic, and (b) report information associated with the timeout event to a management system that is configured to aggregate timeout events including the timeout event and further determine that the sensor is operating in an overloaded state based on a number of timeout events determined by the timeout monitoring logic within a prescribed time period.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The sensor of claim 1, wherein the timeout period being the duration of time assigned for completing the malware analysis on the object is based, at least in part, on a data type of the object where the timeout period assigned for the object of a first data type is longer in duration than the timeout period assigned for the object of a second data type.
  - 3. The sensor of claim 1, wherein the timeout period is either (i) dynamic being based on one or more of a plurality of factors, including a system load and a queue length for metadata associated with objects awaiting malware analyses by the cluster, or (ii) based, at least in part, on a subscription level determined for the sensor.
  - 4. The sensor of claim 1 further comprising:
    - notification logic communicatively coupled to the timeout monitoring logic that, upon execution by the processor, is configured to receive information associated with a timeout event for the malware analysis of the metadata associated with the object.
  - 5. The sensor of claim 1, wherein the timeout monitoring logic determines whether a timeout event has occurred and notifies the processor operating within the sensor of the timeout event.
  - 6. The sensor of claim 1 further comprising monitoring logic that, when executed by the processor, computes the timeout value representing an amount of time left for processing the object and completing the malware analysis of the metadata associated with the object upon transmission of the object to the cluster, the timeout value being based on the timeout period.
  - 7. The sensor of claim 6, wherein the timeout monitoring logic is configured to remove the metadata associated with the object stored in the first data store in response to the timeout monitoring logic detecting the timeout event for the object.
  - 8. The sensor of claim 6 further comprising notification logic to receive results of the malware analysis on the metadata associated with the object and alter an entry in a second data store associated with aggregated metadata when no timeout event has been experienced during processing of the object.
  - 9. The sensor of claim 1, wherein the processor is configured to upload one or more messages to a management system that include reporting information associated with an aggregate of one or more timeout events detected by the timeout monitoring logic, the reporting information includes at least three of (i) a sensor identifier;
    - (ii) a timestamp that denotes a time of receipt of the object or time of detection of a level of suspicious that necessitated analysis of the object by the cluster;
      
      (iii) the timeout value that denotes an amount of time allocated by the sensor to complete the malware analysis of the object;
      
      (iv) representative content of the suspicious object; and
      
      (v) an identifier of the object.
  - 10. The sensor of claim 1, wherein the processor determines whether to resubmit the object for analysis by the cluster, where the determination is based, at least in part, on a type of object or a level of suspiciousness associated with the object.
  - 11. The sensor of claim 1 being communicatively coupled to at least the first computing node of the computing nodes and the first computing node comprises:
    - a hardware processor; and
      
      a non-transitory storage medium communicatively coupled to the hardware processor, the storage medium comprisesa first analysis coordinator that, when executed by the hardware processor, is configured to conduct an analysis of the metadata associated with the object that is to be analyzed for malware, the metadata being received from a remotely located network device and to store a portion of the metadata within the first data store, anda first object analyzer that, when executed by the hardware processor, is configured to retrieve the portion of the metadata from the first data store, monitor the duration of retention of the metadata in the first data store, and determine whether the timeout event has occurred for the object associated with the metadata based on retention of the metadata within the first data store for the duration exceeding the timeout value included as part of the metadata associated with the suspicious object for malware.
  - 12. The sensor of claim 11, wherein the timeout value included as part of the portion of the metadata identifies an amount of time remaining from the timeout period allocated to complete malware analysis of the object.
  - 13. The sensor of claim 1, wherein the results of the malware analysis on the object include information that identifies the metadata associated with the object has not been timely processed by a computing node of the cluster of computing nodes, including the first computing node, during malware analysis of the object.
  - 14. The sensor of claim 1 being communicatively coupled to the management system, the management system being configured to cause the sensor to commence a re-enrollment process that includes at least sending a message to an administrator suggesting a change in tier subscription by the sensor in response to the sensor operating in the overloaded state.
  - 15. The sensor of claim 1, wherein the timeout monitoring logic further determines whether timeout events have occurred for a plurality of objects under analysis, including the object, due to failure by the sensor to timely upload metadata associated with the plurality of objects, including the metadata associated with the object, for analysis.
  - 16. The sensor of claim 15, wherein the timeout monitoring logic is configured to report information associated with the timeout events to the management system, the management system to aggregate the timeout events and further determine that the sensor is operating in the overloaded state based on a frequency of occurrences of the timeout events over the prescribed time period.
  - 17. The sensor of claim 15, wherein the management system to cause the sensor to commence a re-enrollment process in response to the sensor operating in the overloaded state, the re-enrollment process causing the sensor to establish communications with a second cluster different than the cluster.

18. A sensor configured to operate in cooperation with at least a first computing node of a cluster of computing nodes that conduct malware analyses directed to objects received by the sensor, the sensor comprising:
- a processor; and
  
  a memory communicatively coupled to the processor, the memory includes a first timeout monitoring unit implemented to monitor for timeout events occurring during the malware analyses of information associated with the received objects that may signify the sensor is operating in an overloaded state in conducting the malware analyses to transmit at least a portion of the information associated with the timeout events to a management system,wherein a timeout event of the timeout events occurs when (i) a timeout period associated with one of the received objects identifying a duration of time for completing a malware analysis of the malware analyses on the one of the received objects has expired, as determined by the first computing node, when a duration of retention of metadata associated with the one of the received objects exceeds a timeout value included as part of the metadata, and (ii) no results of the malware analysis on the one of the received objects are detected, andwherein the sensor receives a message from the management system suggesting a change in subscription level to increase malware analysis capabilities of the sensor from a current subscription level responsive, at least in part, to the management system identifying, based on the timeout events, that the sensor is operating in the overloaded state.
- View Dependent Claims (19, 20, 21)
- - 19. The sensor of claim 18, wherein the overloaded state signifies the sensor is unable to conduct a preliminary analysis of incoming information and the timeout events are occurring due to a failure by the sensor to timely upload data submissions including the metadata associated with the one of the received objects for analysis.
  - 20. The sensor of claim 18, wherein the information associated with the timeout events is transmitted to the management system to issue a signal for the sensor to commence a re-enrollment process in response to the management system determining that the sensor is operating in the overloaded state.
  - 21. The sensor of claim 20, wherein the re-enrollment process causes the sensor to establish a communicative coupling with another cluster.

22. A sensor configured to operate in cooperation with at least a first computing node of a cluster of computing nodes that conducts at least a malware analysis directed to an object submitted to the cluster, the sensor comprising:
- a hardware processor;
  
  result aggregation logic that, upon execution by the hardware processor deployed within the sensor, is configured to access a first data store associated with the cluster for retrieval of results of a malware analysis of metadata associated with the object; and
  
  timeout monitoring logic communicatively coupled to the result aggregation logic, the timeout monitoring logic, during execution by the hardware processor, is configured to (a) determine that a timeout event has occurred when (i) a time period associated with the object that identifies a duration of time for completing the malware analysis on the object by the cluster has expired as determined, by the first computing node, when a duration of retention of the metadata associated with the object in the first data store exceeds a timeout value included as part of the metadata and (ii) information associated with the object has not been timely submitted by the sensor to the cluster or received by the sensor after being processed by the cluster before expiration of the time period, and (b) report information associated with the timeout event to a management system that is configured to aggregate timeout events from the sensor, including the timeout event, to determine whether the sensor is operating in an overloaded state based on a number of timeout events determined by the timeout monitoring logic within a prescribed time period.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30)
- - 23. The sensor of claim 22, wherein the time period being the duration of time assigned for completing the malware analysis is based, at least in part, on a data type of the object where the time period assigned for the object of a first data type is longer in duration than the time period assigned for the object of a second data type.
  - 24. The sensor of claim 22, wherein the time period is either (i) based on one or more of a plurality of factors, including a system load and a queue length for metadata associated with objects awaiting the malware analysis by the cluster, or (ii) based, at least in part, on a subscription level determined for the sensor.
  - 25. The sensor of claim 22 further comprising:
    - notification logic communicatively coupled to the timeout monitoring logic that, upon execution by the hardware processor, is configured to receive information associated with the timeout event for malware analysis of metadata associated with the object.
  - 26. The sensor of claim 22, wherein the timeout monitoring logic determines whether the timeout event has occurred and notifies the hardware processor operating within the sensor of the timeout event.
  - 27. The sensor of claim 22 further comprising monitoring logic that, when executed by the hardware processor, computes the timeout value representing an amount of time left for processing the object and completing the malware analysis of the metadata associated with the object upon transmission of the object to the cluster, the timeout value being based on the time period.
  - 28. The sensor of claim 27, wherein the timeout monitoring logic to remove the metadata associated with the object stored in the first data store in response to the timeout monitoring logic detecting the timeout event for the object.
  - 29. The sensor of claim 27 further comprising notification logic to receive results of the malware analysis on the metadata associated with the object and alter an entry in a second data store associated with aggregated metadata when no timeout event has been experienced during processing of the object.
  - 30. The sensor of claim 22, wherein the timeout monitoring logic is configured to report information associated with the timeout events to the management system, the management system to aggregate the timeout events and further determine that the sensor is operating in the overloaded state based on a frequency of occurrences of the timeout events over the prescribed time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Otvagin, Alexander, Siddiqui, Mumtaz
Primary Examiner(s)
Lagor, Alexander
Assistant Examiner(s)
Louie, Howard H.

Application Number

US15/390,930
Time in Patent Office

1,253 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/56   Computer malware detection ...

G06F 21/57   Certifying or maintaining t...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 2221/2151   Time stamp

H04L 63/145   the attack involving the pr...

H04W 12/128   Anti-malware arrangements, ...

Timeout management services

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Timeout management services

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links