Heuristic based capture with replay to virtual machine

US 20080005782A1
Filed: 04/20/2006
Published: 01/03/2008
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. An unauthorized activity capture system comprising:

a tap configured to copy network data from a communication network; and

a controller coupled to the tap and configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to flag the network data as suspicious, and simulate transmission of the network data to a destination device.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A suspicious activity capture system can comprise a tap configured to copy network data from a communication network, and a controller coupled to the tap. The controller is coupled to the tap and is configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to flag the network data as suspicious, and simulate transmission of the network data to a destination device.

630 Citations

26 Claims

1. An unauthorized activity capture system comprising:
- a tap configured to copy network data from a communication network; and
  
  a controller coupled to the tap and configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to flag the network data as suspicious, and simulate transmission of the network data to a destination device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The unauthorized activity capture system of claim 1 wherein the heuristic is configured to detect unknown source devices.
  - 3. The unauthorized activity capture system of claim 1 wherein the heuristic is configured to detect the network data sent to an unassigned internet protocol address.
  - 4. The unauthorized activity capture system of claim 1 wherein the heuristic is configured to detect the network data sent to an unassigned port address.
  - 5. The unauthorized activity capture system of claim 1 wherein the controller further comprises a policy engine configured to flag the network data as suspicious based on comparing the network data to policies.
  - 6. The unauthorized activity capture system of claim 1 wherein the controller further comprises a virtual machine pool configured to store the virtual machine.

7. An unauthorized activity capture system comprising:
- a tap configured to copy network data from a communication network; and
  
  a controller configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic, retrieve a virtual machine, configure a replayer to replicate the network data to the virtual machine, and identify unauthorized activity by analyzing a response from the virtual machine to the network data.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The unauthorized activity capture system of claim 7 wherein the heuristic is configured to detect unknown source devices.
  - 9. The unauthorized activity capture system of claim 7 wherein the heuristic is configured to detect the network data sent to an unassigned internet protocol address.
  - 10. The unauthorized activity capture system of claim 7 wherein the heuristic is configured to detect the network data sent to a previously unused port address.
  - 11. The unauthorized activity capture system of claim 7 wherein the unauthorized activity is the result of malware associated with the network data.
  - 12. The unauthorized activity capture system of claim 7 wherein the unauthorized activity is the result of a hacker associated with the network data.
  - 13. The unauthorized activity capture system of claim 7 wherein the controller further comprises a virtual machine pool configured to store the virtual machine.
  - 14. The unauthorized activity capture system of claim 7 wherein the network data is replicated between the replayer and the virtual machine over a virtual switch.

15. An unauthorized activity capture method comprising:
- copying network data from a communication network;
  
  analyzing the copied network data with a heuristic to flag the network data as suspicious; and
  
  orchestrating the transmission of the network data to a destination device to identify unauthorized activity.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 16. The method of claim 15 wherein orchestrating the transmission of the network data comprises:
    - retrieving a virtual machine configured to receive the network data;
      
      configuring a replayer to transmit the network data to the virtual machine; and
      
      simulating the transmission of the network data to the virtual machine.
  - 17. The method of claim 15 wherein the heuristic is configured to detect unknown source devices.
  - 18. The method of claim 15 wherein the heuristic is configured to detect the network data sent to an unassigned dark internet protocol address.
  - 19. The method of claim 15 wherein the heuristic is configured to detect the network data sent to a previously unused port address.
  - 20. The method of claim 15 wherein identifying the unauthorized activity includes identifying malware associated with the network data.
  - 21. The method of claim 15 wherein identifying the unauthorized activity includes identifying of a hacker associated with the network data.
  - 22. The method of claim 15 wherein retrieving the virtual machine includes accessing a virtual machine pool.
  - 23. The method of claim 15 wherein the network data is transmitted between the replayer sand the virtual machine over a virtual switch.
  - 24. The method of claim 15 wherein analyzing the copied network data flags the network data as suspicious by comparing the copied network data to policies within a policy engine.

25. A computer readable medium comprising:
- computer readable code configured to direct a processor to copy network data from a communication network, analyze the copied network data with a heuristic to flag the network data as suspicious, and orchestrate transmission of the network data to a destination device to identify unauthorized activity.
- View Dependent Claims (26)
- - 26. The computer readable medium of claim 25 wherein orchestrating transmission of the network data comprises directing the processor to retrieve a virtual machine configured to receive the network data, configure a replayer to transmit the network data to the virtual machine, and simulate the transmission of the network data to the virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar

Granted Patent

US 8,171,553 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 2009/45595   Network integration; Enabli...

G06F 21/53   by executing in a restricte...

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 9/45537   Provision of facilities of ...

G06F 9/45558   Hypervisor-specific managem...

G06Q 20/10   specially adapted for elect...

H04L 63/0227   Filtering policies mail mes...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1491 : using deception as counterm...

H04L 63/20 : for managing network securi...

View All

Heuristic based capture with replay to virtual machine

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

630 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Heuristic based capture with replay to virtual machine

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

630 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links