Virtual machine with dynamic data flow analysis

US 20070250930A1
Filed: 06/19/2006
Published: 10/25/2007
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. An unauthorized activity capture system comprising:

a tap configured to copy network data from a communication network; and

a controller coupled to the tap and configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine if the network data is suspicious, flag the network data as suspicious based on the heuristic determination, and concurrently simulate transmission of the network data to a plurality of destination devices.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A suspicious activity capture system can comprise a tap configured to copy network data from a communication network, and a controller coupled to the tap. The controller is configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine if the network data is suspicious, flag the network data as suspicious based on the heuristic determination, and concurrently simulate transmission of the network data to a plurality of destination devices.

675 Citations

27 Claims

1. An unauthorized activity capture system comprising:
- a tap configured to copy network data from a communication network; and
  
  a controller coupled to the tap and configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine if the network data is suspicious, flag the network data as suspicious based on the heuristic determination, and concurrently simulate transmission of the network data to a plurality of destination devices.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1 wherein the heuristic is configured to detect the network data sent to an unassigned internet protocol address.
  - 3. The system of claim 1 wherein the tap is further configured to copy other network data from the communication network.
  - 4. The system of claim 3 wherein the controller is further configured to receive the copy of the other network data from the tap, analyze the copy of the other network data with a heuristic to determine if the network data is suspicious, flag the other network data as suspicious based on the heuristic determination, concurrently simulate transmission of the second network data to an other plurality of destination devices, and concurrently analyze a first response from the plurality of destination devices and a second response form the other plurality of destination devices.

5. An unauthorized activity capture system comprising:
- a tap configured to copy network data from a communication network; and
  
  a controller configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic, retrieve a plurality of virtual machines, configure a first replayer to concurrently replicate the network data to the plurality of virtual machines, and analyze a first response by any of the plurality of virtual machines to identify unauthorized activity.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13)
- - 6. The system of claim 5 wherein the controller is configured to concurrently analyze a first response by any of the plurality of virtual machines and a second response by at least one other of the plurality of virtual machines to identify unauthorized activity.
  - 7. The system of claim 5 wherein the heuristic is configured to detect the network data sent to an unassigned internet protocol address.
  - 8. The system of claim 5 wherein the unauthorized activity is the result of malware associated with the network data.
  - 9. The system of claim 5 wherein the unauthorized activity is the result of a hacker associated with the network data.
  - 10. The system of claim 5 wherein the network data is replicated between the replayer and the plurality of virtual machines over a virtual switch.
  - 11. The system of claim 5 wherein the tap is further configured to copy other network data from the communication network.
  - 12. The system of claim 11 wherein the controller is further configured to receive the copy of the other network data from the tap, analyze the copy of the other network data with a heuristic, retrieve an other plurality of virtual machines, configure a second replayer to concurrently replicate the other network data to the other plurality of virtual machines, and concurrently analyze a first response by any of the plurality of virtual machines and a second response by any of the other plurality of virtual machines to identify unauthorized activity.
  - 13. The system of claim 12 wherein the controller further comprises a virtual machine pool configured to store the plurality of virtual machines and the other plurality of virtual machines.

14. An unauthorized activity capture method comprising:
- copying network data from a communication network;
  
  analyzing the copied network data with a heuristic to determine if the network data is suspicious; and
  
  concurrently orchestrating the transmission of the network data to a plurality of destination devices to identify unauthorized activity.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The method of claim 14 wherein concurrently orchestrating the transmission of the network data to a plurality of destination devices comprises:
    - retrieving a plurality of virtual machines configured to receive the network data;
      
      configuring a first replayer to concurrently transmit the network data to the plurality of virtual machines; and
      
      analyzing a first response by any of the plurality of virtual machines to identify unauthorized activity.
  - 16. The method of claim 14 further comprising:
    - copying other network data from the communication network;
      
      analyzing the copied other network data with a heuristic to determine if the other network data is suspicious;
      
      concurrently orchestrating the transmission of the other network data to an other plurality of destination devices; and
      
      concurrently analyzing a first response to the network data and a second response to the other network data to identify unauthorized activity.
  - 17. The method of claim 15 further comprising:
    - retrieving an other plurality of virtual machines configured to receive the other network data;
      
      configuring a second replayer to concurrently transmit the other network data to the other plurality of virtual machines; and
      
      concurrently analyzing the first response by any of the plurality of virtual machines and a second response by any of the other plurality of virtual machines to identify unauthorized activity.
  - 18. The method of claim 15 further comprising concurrently analyzing the first response by any of the plurality of virtual machines and a second response by any other of the plurality of virtual machines.
  - 19. The method of claim 14 wherein the heuristic is configured to detect the network data sent to an unassigned internet protocol address.
  - 20. The method of claim 14 wherein identifying the unauthorized activity includes identifying malware associated with the network data.
  - 21. The method of claim 14 wherein identifying the unauthorized activity includes identifying of a hacker associated with the network data.
  - 22. The method of claim 15 wherein the network data is transmitted between the replayer and the virtual machine over a virtual switch.
  - 23. The method of claim 15 wherein retrieving the virtual machine includes accessing a virtual machine pool.

24. A computer readable medium comprising:
- computer readable code configured to direct a processor to copy network data from a communication network, analyze the copied network data with a heuristic to determine if the network data is suspicious, and concurrently orchestrate transmission of the network data to a plurality of destination device to identify unauthorized activity.
- View Dependent Claims (25, 26, 27)
- - 25. The computer readable medium of claim 24 wherein concurrently orchestrating transmission of the network data comprises directing the processor to retrieve a plurality of virtual machines configured to receive the network data, configure a replayer to concurrently transmit the network data to the plurality of virtual machines, and concurrently simulate the transmission of the network data to the plurality of virtual machines.
  - 26. The computer readable medium of claim 25 wherein the computer readable code is further configured to direct a processor to copy other network data from a communication network, analyze the copied other network data with a heuristic to determine if the network data is suspicious, concurrently orchestrate transmission of the other network data to an other plurality of destination device to identify unauthorized activity, and concurrently analyze a first response to the network data and a second response to the other network data.
  - 27. The computer readable medium of claim 26 wherein concurrently analyzing a first response to the other network data and a second response to the other network data comprises directing the processor to retrieve an other plurality of virtual machines configured to receive the network data, configure a replayer to concurrently transmit the other network data to the other plurality of virtual machines, simulate the transmission of the other network data to the other plurality of virtual machines, and concurrently analyze a first response of any of the plurality of virtual machines and a second response of any of the other plurality of virtual machines to identify unauthorized activity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar, Radhakrishnan, Ramesh, Ismael, Osman

Granted Patent

US 8,584,239 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 9/45533   Hypervisors; Virtual machin...

H04L 63/14   for detecting or protecting...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

H04L 63/20   for managing network securi...

Virtual machine with dynamic data flow analysis

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

675 Citations

27 Claims

Specification

Use Cases

Quick Links

Others

Virtual machine with dynamic data flow analysis

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

675 Citations

27 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others