System and method for securing a network from zero-day vulnerability exploits

US 20090241190A1
Filed: 03/24/2008
Published: 09/24/2009
Est. Priority Date: 03/24/2008
Status: Active Grant

First Claim

Patent Images

1. A method of securing a network from vulnerability exploits, comprising the steps of:

a traffic analysis engine receiving a plurality of packets destined for an internal operating system;

said traffic analysis engine selectively forwarding said packets to at least one virtual machine emulating said internal operating system;

said virtual machine processing each forwarded packet;

a rapid analysis engine identifying a malicious packet from said processed packets; and

said rapid analysis engine creating a new signature to identify said malicious packet.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of securing a network from vulnerability exploits, including the steps of a traffic analysis engine receiving a plurality of packets destined for an internal operating system; the traffic analysis engine selectively forwarding the packets to at least one virtual machine emulating the internal operating system; the virtual machine processing each forwarded packet; a rapid analysis engine identifying a malicious packet from the processed packets; and the rapid analysis engine creating a new signature to identify the malicious packet.

393 Citations

20 Claims

1. A method of securing a network from vulnerability exploits, comprising the steps of:
- a traffic analysis engine receiving a plurality of packets destined for an internal operating system;
  
  said traffic analysis engine selectively forwarding said packets to at least one virtual machine emulating said internal operating system;
  
  said virtual machine processing each forwarded packet;
  
  a rapid analysis engine identifying a malicious packet from said processed packets; and
  
  said rapid analysis engine creating a new signature to identify said malicious packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 further comprising the steps of:
    - said traffic analysis engine comparing each said packet being received to at least one signature defined in an intrusion prevention system;
      
      if any said packet being compared does not match any said at least one signature, said traffic analysis engine forwarding each said packet to said virtual machine emulating said internal operating system.
  - 3. The method of claim 1 further comprising the step of:
    - adding said new signature to said intrusion prevention system.
  - 4. The method of claim 1 further comprising the step of:
    - displaying said new signature to an output device.
  - 5. The method of claim 1 further comprising the step of:
    - recording the execution of at least one of said receiving, said comparing, said forwarding, said processing, said identifying, and said creating steps in a memory.
  - 6. The method of claim 1 further comprising the steps of:
    - defining a predetermined time period;
      
      storing each said packet being forwarded in a buffer, said buffer providing storage for a plurality of packets;
      
      if any said packets remains in said buffer for said time period, deleting said packets from said buffer;
      
      said rapid analysis engine monitoring performance of said virtual machine; and
      
      if said rapid analysis engine detects failure of said virtual machine, said rapid analysis engine analyzing said packets in said buffer and identifying said malicious packet from said buffer packets.
  - 7. The method of claim 6 further comprising the step of:
    - said virtual machine sending a status report to said rapid analysis engine through a private network connection linking said virtual machine to said rapid analysis engine.
  - 8. The method of claim 6 further comprising the steps of:
    - identifying at least one non-malicious packet; and
      
      deleting each said non-malicious packet from said buffer.
  - 9. The method of claim 6 further comprising the step of:
    - recording the execution of at least one of said defining, said storing, said deleting, said monitoring, and said analyzing steps in a memory.
  - 10. The method of claim 1 further comprising the step of:
    - if any said packet being compared does not match any said at least one signature, said traffic analysis engine forwarding each said packet to said internal operating system.
  - 11. The method of claim 1 further comprising the step of:
    - sending at least one of said signatures in said intrusion prevention system to said internal operating system.
  - 12. The method of claim 1 further comprising the step of:
    - an administrator creating said virtual machine using a graphical user interface.
  - 13. The method of claim 12 further comprising the step of:
    - creating an access control list within said traffic analysis engine, wherein said list specifies packets said virtual machine is not configured to process.
  - 14. The method of claim 13 further comprising the step of:
    - said traffic analysis engine filtering said packets being forwarded using said access control list.

15. A computer program product comprising:
- a computer-readable medium comprising;
  
  codes for causing a traffic analysis engine to receive a plurality of packets destined for an internal operating system;
  
  codes for causing said traffic analysis to selectively forward said packets to at least one virtual machine emulating said internal operating system;
  
  codes for causing said virtual machine to process each said packet;
  
  codes for causing said rapid analysis engine to identify a malicious packet from said packets being processed; and
  
  codes for causing said rapid analysis engine to create a new signature to identify said malicious packet.
- View Dependent Claims (16, 17)
- - 16. The computer-readable medium of claim 15 further comprising:
    - codes for causing said new signature to be added to said intrusion prevention system.
  - 17. The computer-readable medium of claim 15 further comprising:
    - codes for causing said new signature to be displayed to an output device.

18. A system for securing a network from vulnerability exploits, comprising:
- at least one virtual machine emulating an internal operating system;
  
  a traffic analysis engine, wherein said traffic analysis engine receives a plurality of packets and selectively forwards said packets to said virtual machine; and
  
  a rapid analysis engine, wherein said rapid analysis engine monitors said virtual machine and upon said virtual machine failing, said rapid analysis engine identifies a malicious packet being processed on said virtual machine and creates a signature based on said malicious packet.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18 wherein said at least one virtual machine includes a monitoring and reporting tool.
  - 20. The system of claim 18 further comprising:
    - an incoming network card providing communication between said system and an external source; and
      
      an outgoing network card providing communication between said system and said internal operating system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lionra Technologies Limited (Atlantic IP Services Limited)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Wong, Patrick Choy Ming, Todd, Michael, Koster, Scott Robert

Granted Patent

US 9,264,441 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/564   by virus signature recognition

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

System and method for securing a network from zero-day vulnerability exploits

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

393 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for securing a network from zero-day vulnerability exploits

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

393 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links