Apparatus and method for acceleration of malware security applications through pre-filtering

US 20060174345A1
Filed: 11/30/2005
Published: 08/03/2006
Est. Priority Date: 11/30/2004
Status: Abandoned Application

First Claim

Patent Images

1. A data classification system configured to identify and process malicious data in electronic data, the system comprising:

a data flow module configured to generate a first processed data stream from an input data stream, the data flow module being further configured to receive a third meta data from a reporting module and to generate a third processed data stream from the received input data stream and the third meta data;

a first processing stage configured to receive the first processed data stream and to generate a second processed data stream and a first meta data from the first processed data stream;

a second processing stage configured to receive the second processed data stream and generate a second meta data therefrom; and

a reporting module configured to receive the first meta data and the second meta data and to generate the third meta data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data classification system identifies and processes malicious data that may be present in a received data stream. The system includes at least two stages, and a data flow module. The data flow module derives, from an input data stream, a first processed data stream that is transmitted to the first processing stage. The first processing stage derives, from the first processed data stream, a second processed data stream that is transmitted to the second processing stage. The first and second processing stages optionally derive meta data from the data they receive.

86 Citations

View as Search Results

46 Claims

1. A data classification system configured to identify and process malicious data in electronic data, the system comprising:
- a data flow module configured to generate a first processed data stream from an input data stream, the data flow module being further configured to receive a third meta data from a reporting module and to generate a third processed data stream from the received input data stream and the third meta data;
  
  a first processing stage configured to receive the first processed data stream and to generate a second processed data stream and a first meta data from the first processed data stream;
  
  a second processing stage configured to receive the second processed data stream and generate a second meta data therefrom; and
  
  a reporting module configured to receive the first meta data and the second meta data and to generate the third meta data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 2. The system of claim 1 wherein the first processing stage is further configured to classify data included in the first processed data stream into a first classification result defined as being one of at least a first or second classifications types.
  - 3. The system of claim 2 wherein said first classification type represents benign data and said second classification type includes potentially malicious data.
  - 4. The system of claim 3 wherein said first meta data includes the first classification result.
  - 5. The system of claim 4 wherein said second processed data stream includes at least a part of the first processed data stream if the first classification result includes the second classifications type, wherein said second processed data streams excludes at least a part of the first processed data stream if the first classification result includes the first classifications type.
  - 6. The system of claim 1 wherein the second processing stage is further configured to classify data included in the second processed data stream into a second classification result defined as being one of at least a first or second classification types.
  - 7. The system of claim 6 wherein said first classification type represents benign data, and wherein said second classification data type represents malicious data.
  - 8. The system of claim 7 wherein said second meta data includes the second classification result.
  - 9. The system of claim 1 wherein said reporting module is further configured to generate one of a clean or infected signal from the first and second meta data, wherein said clean or infected signal is included in the third meta data.
  - 10. The system of claim 9 wherein the third processed data stream includes a part of the input data stream if the third meta data includes the clean signal.
  - 11. The system of claim 9 wherein the third processed data stream excludes a part of the input data stream if the third meta data includes the infected signal.
  - 12. The system of claim 13 further comprising:
    - an events and logs module configured to receive and process events and logs data generated from the received input data stream and third meta data by the data flow module.
  - 13. The system of claim 1 further comprising:
    - a third processing stage configured to receive and process a fourth processed data stream generated from the received input data stream and third meta data by the data flow module.
  - 14. The system of claim 13 wherein said third processing stage is further configured to quarantine the fourth processed data stream, wherein said fourth processed data stream includes at least a part of the input data stream.
  - 15. The system of claim 1 wherein said data flow module is further configured to output a fourth meta data generated from the received input data stream and the third meta data, wherein said fourth meta data includes a clean or infected signal, and wherein said third meta includes a clean or infected signal, generated from the third meta data further comprising:
    - a disinfection module configured to receive the third processed data stream and the fourth meta data and to generate, in response, a fifth processed data stream.
  - 16. The system of claim 15 wherein if the fourth meta data includes the infected signal then the disinfection module processes malicious data included in the received third processed data stream using the fourth meta data, wherein said processing of malicious data by the disinfection module renders the malicious data included in the third processed data stream harmless, wherein said fourth meta data includes malicious data information generated from malicious data information included in the third meta data, wherein said reporting module derives malicious data information included in the third meta data from the first and second meta data, wherein the rendered harmless data and the third processed data stream is included in the fifth processed data stream.
  - 17. The system of claim 16 wherein said first processing stage is further configured to generate malicious data information using the received first processed data stream, the first processing stage being configured to include the malicious data information in the first meta data, wherein said first meta data is transmitted to the reporting module.
  - 18. The system of claim 16 wherein said second processing stage is further configured to generate malicious data information using the received second processed data stream, the second processing stage being configured to include the malicious data information in the second meta data, wherein said second meta data is transmitted to the reporting module.
  - 19. The system of claim 16 wherein said disinfection module renders the data included in the fifth processed data stream harmless by removing the malicious data.
  - 20. The system of claim 15 wherein said disinfection module is further configured to include a part of the input data stream in the fifth processed data stream if the fourth meta data includes a clean signal.
  - 21. The system of claim 2 wherein said first processing stage is configured to classify the first processed data stream using at least a first set of rules, wherein said second processing stage is configured to classify the second processed data stream using at least a second set of rules, wherein said first set of rules is derived from the second set of rules.
  - 22. The system of claim 2 wherein said input data stream includes one or more network packets.
  - 23. The system of claim 2 wherein said input data stream includes one or more e-mail messages.
  - 24. The system of claim 2 wherein said input data stream includes HTTP traffic.
  - 25. The system of claim 2 wherein said input data stream includes XML-encoded network traffic and other data.
  - 26. The system of claim 2 wherein said input data stream includes Voice-over-IP (VoIP) network traffic, instant messaging traffic, and telephony traffic.
  - 27. The system of claim 2 wherein said input data stream includes files provided by a memory storage device.
  - 28. The system of claim 27 wherein said memory storage device includes primary storage devices, secondary storage devices, random access memories, hard disks and tape drives.
  - 29. The system of claim 2 wherein said first processing stage is further configured to generate the first processed data stream using a first processor if the first processed data stream includes a first type of data stream, the first processing stage being configured to generate the first processed data stream using a second processor if the first processed data stream includes a second type of data stream.
  - 30. The system of claim 2 wherein said second processing stage is further configured to generate the second processed data stream using a third processor if the second processed data stream includes a third type of data stream, the second processing stage being configured to generate the second processed data stream using a fourth processor if the second processed data stream includes a fourth type of data stream.
  - 31. The system of claim 2 wherein said system is further configured to identify and process viruses, spyware and other malware.
  - 32. The system of claim 2 wherein said data flow module is an HTTP proxy.
  - 33. The system of claim 2 wherein said first processing stage further comprises a security device configured to perform security processing, the security device including one or more hardware logic, wherein said hardware logic is configured to perform high speed data processing.
  - 34. The system of claim 33 wherein said hardware logic is reconfigurable.

35. A method for identifying and processing malicious data in electronic data, the method comprising:
- receiving an input data stream, processing the input data stream to generate a first processed data stream, processing the first processed data stream to generate a second processed data stream and a first meta data, processing the second processed data stream to generate a second meta data, processing the first meta data and the second meta data to generate a third meta data, and processing the third meta data and the input data stream to generate a fourth meta data and a third processed data stream.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 36. The method of claim 35 wherein the processing of the first processed data stream includes classifying data in the first processed data stream as one of at least a first or second data classifications, wherein said first data classification represents benign data, wherein said second data classification represents potentially malicious data, wherein at least one of the first or second data classifications is included in the generated first meta data.
  - 37. The method of claim 36 wherein the second processed data stream includes a part of the data included in the first processed data stream if the result of classifying the first processed data stream represents potentially malicious data, wherein the second processed data stream excludes a part of the data included the first processed data stream if the result of classifying the first processed data stream represents benign data.
  - 38. The method of claim 35 wherein the processing of the second processed data stream includes classifying data included in the second processed data stream as one of at least a first or second data classifications, wherein said first data classification represents benign data, wherein said second data classification represents malicious data, wherein at least one of first or second data classifications is included in the generated second meta data.
  - 39. The method of claim 35 wherein said third meta data includes a clean or infected signal generated from the first meta data and the second meta data.
  - 40. The method of claim 39 wherein said third processed data stream includes a part of the data included in the input data stream if said signal included in the third meta data is the clean signal, wherein said third processed data stream excludes does not include a part of the data included the input data stream if said signal included in the third meta data is the infected signal.
  - 41. The method of claim 35 further comprising:
    - processing the input data stream and the third meta data to generate a fourth processed data stream, said fourth processed data stream including at least a part of the input data stream; and
      
      quarantining the data in the fourth processed data stream.
  - 42. The method of claim 35 further comprising:
    - generating a fourth meta data by processing the input data stream and the third meta data, wherein said fourth meta data contains at least a clean or an infected signal; and
      
      generating a fifth processed data stream from the third processed data stream and the fourth meta data, wherein if said third processed data stream includes a first form of malicious data then the fifth processed data stream does not include the first form of malicious data.
  - 43. The method of claim 35 wherein said processing of the first processed data stream utilizes at least a first set of rules, wherein said processing of the second processed data stream utilizes at least a second set of rules, wherein said first set of rules is derived from the second set of rules.
  - 44. The method of claim 35 wherein the input data stream includes one or more of networks packets, e-mail messages, HTTP traffic, XML-encoded data, Voice-over-IP-data, instant messaging data, telephony data, data from a memory storage device, wherein said memory storage device includes one or more of primary storage devices, secondary storage devices, random access memories, hard disks and tape drives.
  - 45. The method of claim 35 wherein said processing of each of one or more of the input data stream, the first processed data stream and the second processed data stream includes one or more processing steps carried out in accordance with type of data contained therein.
  - 46. The method of claim 35 wherein the malicious data identified is selected from a group consisting of viruses, spyware or malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Sensory Networks, Inc. (Intel Corporation)
Inventors
Duthie, Peter, Williams, Darren, Gould, Stephen, Tan, Teewoon, Flanagan, Michael, Barrie, Robert Matthew, Bisroev, Peter

Application Number

US11/291,511
Publication Number

US 20060174345A1
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/564   by virus signature recognition

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

Apparatus and method for acceleration of malware security applications through pre-filtering

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

86 Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for acceleration of malware security applications through pre-filtering

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links