DYNAMIC SIGNATURE CREATION AND ENFORCEMENT

US 20120331553A1
Filed: 07/28/2006
Published: 12/27/2012
Est. Priority Date: 04/20/2006
Status: Active Grant

First Claim

Patent Images

1. A dynamic signature creation and enforcement system comprising:

a tap configured to copy network data from a communication network; and

a controller coupled to the tap and configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine if a portion of the copy of the network data is suspicious, flag the portion of the copy of the network data as suspicious based on the heuristic determination, replay transmission of the portion of the copy of the network data that was flagged as suspicious to a destination device to identify unauthorized activity, generate an unauthorized activity signature based on the identification, and transmit the unauthorized activity signature to a digital device configured to enforce the unauthorized activity signature;

wherein to replay transmission of the portion of the copy of the network data that was flagged as suspicious to a destination device the controller is further configured to retrieve a virtual machine configured to receive the portion of the copy of the network data that was flagged as suspicious, configure a replayer to transmit the portion of the copy of the network data that was flagged as suspicious to the virtual machine, receive a response from the virtual machine, the response based on the virtual machine'"'"'s processing of the portion of the copy of the network data that was flagged as suspicious, and analyze the response by the virtual machine to identify unauthorized activity.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A dynamic signature creation and enforcement system can comprise a tap configured to copy network data from a communication network, and a controller coupled to the tap. The controller is configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine if the network data is suspicious, flag the network data as suspicious based on the heuristic determination, simulate transmission of the network data to a destination device to identify unauthorized activity, generate an unauthorized activity signature based on the identification, and transmit the unauthorized activity signature to a digital device configured to enforce the unauthorized activity signature.

313 Citations

25 Claims

1. A dynamic signature creation and enforcement system comprising:
- a tap configured to copy network data from a communication network; and
  
  a controller coupled to the tap and configured to receive the copy of the network data from the tap, analyze the copy of the network data with a heuristic to determine if a portion of the copy of the network data is suspicious, flag the portion of the copy of the network data as suspicious based on the heuristic determination, replay transmission of the portion of the copy of the network data that was flagged as suspicious to a destination device to identify unauthorized activity, generate an unauthorized activity signature based on the identification, and transmit the unauthorized activity signature to a digital device configured to enforce the unauthorized activity signature;
  
  wherein to replay transmission of the portion of the copy of the network data that was flagged as suspicious to a destination device the controller is further configured to retrieve a virtual machine configured to receive the portion of the copy of the network data that was flagged as suspicious, configure a replayer to transmit the portion of the copy of the network data that was flagged as suspicious to the virtual machine, receive a response from the virtual machine, the response based on the virtual machine'"'"'s processing of the portion of the copy of the network data that was flagged as suspicious, and analyze the response by the virtual machine to identify unauthorized activity.
- View Dependent Claims (3, 4)
- - 3. The system of claim 1 wherein the controller is further configured to:
    - receive other network data from the communication network;
      
      scan the other network data for unauthorized activity based on the unauthorized activity signature; and
      
      block the other network data based on the scan.
  - 4. The system of claim 1 wherein the controller is further configured to:
    - store the unauthorized activity signature; and
      
      send the unauthorized activity signature to another digital device.

2. (canceled)

5. A dynamic signature creation and enforcement system comprising:
- a tap configured to copy network data from a communication network; and
  
  a controller coupled to the tap and configured to receive the copied network data from the tap, analyze at least a portion of the copy of the network data that is flagged as suspicious, the portion of the copy of the network data analyzed with a heuristic, retrieve a virtual machine, configure a replayer to replay a portion of the copy of the network data that was flagged as suspicious to the virtual machine, analyze a response by the virtual machine to identify unauthorized activity as a result of playback of the copy of the network data that was flagged as suspicious, generate an unauthorized activity signature based on the identification, and transmit the unauthorized activity signature to a digital device configured to enforce the unauthorized activity signature.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The system of claim 5 wherein the controller is further configured to:
    - receive other network data from the communication network;
      
      scan the other network data for unauthorized activity based on the unauthorized activity signature; and
      
      block the other network data based on the scan.
  - 7. The system of claim 5 wherein the network data comprises a packet.
  - 8. The system of claim 5 wherein the digital device is a router, a gateway, a switch, a bridge, a controller server, or another controller.
  - 9. The system of claim 5 wherein the controller is further configured to:
    - store the unauthorized activity signature; and
      
      send the unauthorized activity signature to another digital device.
  - 10. The system of claim 5 wherein the controller is further configured to transmit the copied network data between the replayer and the virtual machine over a virtual switch.
  - 11. The system of claim 5 wherein the controller is further configured to retrieve the virtual machine by accessing a virtual machine pool.
  - 12. The system of claim 5 wherein the unauthorized activity is the result of malware associated with the network data.

13. A dynamic signature creation and enforcement method comprising:
- copying network data from a communication network;
  
  analyzing the copied network data with a heuristic to determine if any portion of the copy of the network data is suspicious;
  
  replaying the transmission of the suspicious network data to a destination device to identify unauthorized activity, wherein replaying the transmission of the suspicious network data to a destination device comprisesretrieving a virtual machine configured to receive the suspicious network data;
  
  configuring a replayer to transmit the suspicious network data to the virtual machine; and
  
  analyzing a response by the virtual machine to identify unauthorized activity;
  
  generating an unauthorized activity signature based on the identification; and
  
  transmitting the unauthorized activity signature to a digital device configured to enforce the unauthorized activity signature.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The method of claim 13 wherein the suspicious network data is transmitted between the replayer and the virtual machine over a virtual switch.
  - 16. The method of claim 13 wherein retrieving the virtual machine includes accessing a virtual machine pool.
  - 17. The method of claim 13 further comprising:
    - receiving other network data from the communication network;
      
      scanning the other network data for unauthorized activity based on the unauthorized activity signature; and
      
      blocking the other network data based on the scan.
  - 18. The method of claim 13 wherein the network data comprises a packet.
  - 19. The method of claim 13 wherein the digital device is a router, a gateway, a switch, a bridge, a controller server, or another controller.
  - 20. The method of claim 13 further comprising:
    - storing the unauthorized activity signature; and
      
      sending the unauthorized activity signature to another digital device.
  - 21. The method of claim 13 wherein the unauthorized activity is the result of malware associated with the network data.

14. (canceled)

22. A non-transitory computer readable medium comprising:
- computer readable code configured to direct a processor to copy network data from a communication network, analyze the copied network data with a heuristic to determine if any portion of the copy of the network data is suspicious, replay transmission of the portion of the copy of the network data that was flagged as suspicious to a destination device to identify unauthorized activity, generate an unauthorized activity signature based on the identification, and transmit the unauthorized activity signature to a digital device configured to enforce the unauthorized activity signature;
  
  wherein replaying transmission of the suspicious network data comprises directing the processor to retrieve a virtual machine configured to receive the suspicious network data, configure a replayer to transmit the suspicious network data to the virtual machine, and simulate the transmission of the suspicious network data to the virtual machine.
- View Dependent Claims (24, 25)
- - 24. The non-transitory computer readable medium of claim 22 wherein the computer readable code is further configured to receive other network data from the communication network, scan the other network data for unauthorized activity based on the unauthorized activity signature, and block the other network data based on the scan.
  - 25. The non-transitory computer readable medium of claim 22 wherein the computer readable code is further configured to store the unauthorized activity signature and send the unauthorized activity signature to another digital device.

23. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Aziz, Ashar, Radhakrishnan, Ramesh, Lai, Wei-Lung, Manni, Jayaraman

Granted Patent

US 8,375,444 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 9/455   Emulation; Interpretation; ...

H04L 63/145   the attack involving the pr...

H04L 63/1491   using deception as counterm...

DYNAMIC SIGNATURE CREATION AND ENFORCEMENT

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

313 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

DYNAMIC SIGNATURE CREATION AND ENFORCEMENT

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

313 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links