Policy Based Capture with Replay to Virtual Machine
Abstract
A suspicious activity capture system can comprise a tap configured to copy network data from a communication network, and a controller. The controller is coupled to the tap and is configured to receive the copy of the network data from the tap, analyze the copy of the network data to flag the network data as suspicious, and simulate transmission of the network data to a destination device.
30 Claims
1. An unauthorized activity capture system comprising:
- a tap configured to copy network data from a communication network; and
- a controller coupled to the tap and configured to receive the copy of the network data from the tap, compare the copy of the network data to at least one policy to determine if the copy of the network data has one or more characteristics of a computer worm, flag at least a portion of the copy of the network data as suspicious by flagging the at least a portion of the copy of the network data for replay in an analysis environment based upon the determination that the at least a portion of the compared copy of the network data has one or more characteristics of a computer worm, and replay transmission of the suspicious, flagged network data copied from the communication network to a destination device.

Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. An unauthorized activity capture system comprising:
- a tap configured to copy network data from a communication network; and
- a controller configured to receive the copy of the network data from the tap, compare the copy of the network data to at least one policy within a policy engine to determine if the copy of the network data has one or more characteristics of a computer worm, flag at least a portion of the copy of the network data as suspicious by flagging the at least a portion of the copy of the network data for replay in an analysis environment based upon the determination that the at least a portion of the analyzed copy of the network data has one or more characteristics of a computer worm, retrieve a virtual machine, configure a replayer to replicate the flagged at least a portion of the compared copy of the network data which contains suspicious activity to the virtual machine, and identify unauthorized activity by analyzing a behavior of the virtual machine in response to the replication of the flagged at least a portion of the compared copy of the network data.

Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17, 18
19. An unauthorized activity capture method comprising:
- copying network data from a communication network;
- comparing the copied network data to at least one policy to determine if the copied network data has one or more characteristics of a computer worm;
- flagging at least a portion of the copied network data as suspicious by flagging the at least a portion of the copy of the network data for replay in an analysis environment based upon the determination that the at least a portion of the compared copied network data has one or more characteristics of a computer worm; and
- replaying transmission of the flagged at least a portion of the compared copied network data which was copied from the communication network to a destination device to identify unauthorized activity based on playback of the flagged suspicious at least a portion of the compared copy of the network data.

Dependent claims: 20, 21, 22, 23, 24, 25, 26, 27, 28, 29
30. A non-transitory computer readable medium comprising:
- computer readable code configured to direct a processor to copy network data from a communication network, compare the copied network data to at least one policy within a policy engine to determine if the copied network data has one or more characteristics of a computer worm, flag at least a portion of the compared copied network data as suspicious by flagging the at least a portion of the copy of the network data for replay in an analysis environment based upon the determination that the at least a portion of the compared copied network data has one or more characteristics of a computer worm, and replay transmission of the flagged suspicious at least a portion of the compared copied network data copied from the network to a destination device to identify unauthorized activity based on playback of the flagged suspicious at least a portion of the compared copied network data.
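The pipeline the independent claims describe (tap copy, policy comparison, flagging, replay to a virtual machine, behaviour analysis) as an added Python model; this is example code written for this page, not the patent's or any vendor's implementation. The fan-out policy, the guest service's 48-byte buffer, the event names and the sample addresses are constructed assumptions, since the page does not specify the policies or the analysis environment.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed tap copy: host 10.0.0.5 probes twelve peers on port 445 (worm-like
# fan-out); two other hosts make ordinary HTTPS requests. Addresses are made up.
TAP_COPY = [Packet("10.0.0.5", f"10.0.0.{i}", 445, b"A" * 64) for i in range(20, 32)]
TAP_COPY += [Packet("10.0.0.7", "10.0.0.9", 443, b"GET / HTTP/1.1"),
             Packet("10.0.0.8", "10.0.0.9", 443, b"GET /a HTTP/1.1")]


def policy_engine(packets, fanout_threshold=8):
    """Policy (constructed for this example): a source contacting more than
    fanout_threshold distinct destinations on one port shows a worm
    characteristic. Returns the portion of the copy flagged for replay."""
    peers = defaultdict(set)
    for p in packets:
        peers[(p.src, p.dport)].add(p.dst)
    hits = {key for key, dsts in peers.items() if len(dsts) > fanout_threshold}
    return [p for p in packets if (p.src, p.dport) in hits]


class VirtualMachine:
    """Stand-in analysis environment. Its service on port 445 has a constructed
    48-byte input buffer; longer input is recorded as a crash followed by an
    unexpected child process, the observable behaviour the analyzer looks for."""
    BUFFER = 48

    def __init__(self):
        self.events = []

    def deliver(self, p):
        if p.dport == 445 and len(p.payload) > self.BUFFER:
            self.events.append(("crash", p.dport))
            self.events.append(("spawn", "unexpected_child"))  # constructed
        else:
            self.events.append(("serviced", p.dport))


def replay(packets, vm):
    """Replayer: replicate the flagged copy to the VM as if it were the destination."""
    for p in packets:
        vm.deliver(p)
    return vm.events


def identify_unauthorized(events):
    """Behaviour analysis: process creation after replay counts as unauthorized."""
    return [e for e in events if e[0] == "spawn"]


def run_pipeline(packets=TAP_COPY):
    flagged = policy_engine(packets)
    return len(flagged), identify_unauthorized(replay(flagged, VirtualMachine()))
```

Only the flagged portion reaches the VM, so the benign HTTPS requests are never replayed and produce no events.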